Analysis
-
max time kernel
104s -
max time network
119s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
23-06-2021 06:45
General
-
Target
report..vbs
-
Size
2KB
-
MD5
70308f16ec6aed9b2bb1de2b95c954fc
-
SHA1
72650195a77260155859baa82f82f1b292e5ecff
-
SHA256
699f259d3ca7ab69da25404cdcf081233a956203ea995dff657f8c2114dba50c
-
SHA512
0bc476523ae086734f33c74db1ab6fc1e581818c985973e219120b40a950c51c6737e538e68f7bfd6e4b5258a6ce2a682356287af155ef549dae5e794c6ed162
Malware Config
Extracted
https://ia601401.us.archive.org/25/items/bypass_obbv/bypass_obbv.TXT
Extracted
https://ia601505.us.archive.org/17/items/server-uybb/Server_uybb.txt
Extracted
netwire
185.19.85.172:1723
-
activex_autorun
false
- activex_key
-
copy_executable
false
-
delete_original
false
-
host_id
HostId-%Rand%
- install_path
-
keylogger_dir
%AppData%\Logs\
-
lock_executable
false
- mutex
-
offline_keylogger
true
-
password
Password
-
registry_autorun
false
- startup_name
-
use_mutex
false
Signatures
-
NetWire RAT payload 3 IoCs
-
Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
-
Blocklisted process makes network request 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 23 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\report..vbs"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass &'C:\Users\Public\Downloads\Run.ps1'2⤵
- Blocklisted process makes network request
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Public\Run\.vbs"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass &'C:\Users\Public\.ps1'4⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"5⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"5⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"5⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logMD5
ea6243fdb2bfcca2211884b0a21a0afc
SHA12eee5232ca6acc33c3e7de03900e890f4adf0f2f
SHA2565bc7d9831ea72687c5458cae6ae4eb7ab92975334861e08065242e689c1a1ba8
SHA512189db6779483e5be80331b2b64e17b328ead5e750482086f3fe4baae315d47d207d88082b323a6eb777f2f47e29cac40f37dda1400462322255849cbcc973940
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
6f2d6c337f9a025092b2ca3f021c7c57
SHA168e3aa03c165404a8a23533e528c3bdddb665266
SHA256686b106a8e0be7501063313ba45dc52e69af8116640e0c2a3a6e914bd9ad2194
SHA5127cc7c72d17d7f0a8c300ec2f79b56bd59d78fc09466421deab85941a8b6cb19a7700f777e433ef5b8d71a7f84f165ed9b87dddf97b30bbb218585cf781f28856
-
C:\Users\Public\.ps1MD5
cf97a3b233badaea5e5f76e1e3cedc9d
SHA13392098ebe94be6318fa25c9100c5418056b3654
SHA256296711508c0f8f0e4d31593f5995ee4cc03b1d759d4a372fba77a169318f6d21
SHA51247a098883bf7ef896493012da0131fb1643f7af45f31b718fb94d170964ef1d2cd3b2bf3a7ea87166e781d73943e3fadac01dad8843f29a774d4ed557425acbe
-
C:\Users\Public\Downloads\Run.ps1MD5
cdcd549275cb60156bdd3f689d8858ea
SHA16c46777d3f4fc3a2d18c0b378b7edcde5d9c502c
SHA25662324fff798253265e04d2f6bb12cb36eb5faa35273322ecef726a2c73d86dc0
SHA5124e02fff95fc763370c6d38e9192de6e0bf62e4383fb89c082df51bc6436afb852e2e95f54982769d02c8f834c111a9b7a40dec26810f784e77b4d535d0920f22
-
C:\Users\Public\Run\.vbsMD5
17ebb4c06e80f056a5ac11aaa2b1010c
SHA1d3421c4cd4b204583068996c1849188238a6cd22
SHA256a05ef5de2d8063812442ec091bcef0d33e66d94ca54feb8744038552e1284489
SHA512d9f9412d65d1ffee143fb9395a33569c66817940636c89e07f00099e0ce1d8b3d866438cb59641b16d7f9aa628be5e0c2b4264899b87cbb2a88abdf691759401
-
memory/2364-154-0x0000000000000000-mapping.dmp
-
memory/3060-177-0x000002218B5B0000-0x000002218B5BE000-memory.dmpFilesize
56KB
-
memory/3060-174-0x0000022189CA0000-0x0000022189CA2000-memory.dmpFilesize
8KB
-
memory/3060-176-0x0000022189CA6000-0x0000022189CA8000-memory.dmpFilesize
8KB
-
memory/3060-157-0x0000000000000000-mapping.dmp
-
memory/3060-175-0x0000022189CA3000-0x0000022189CA5000-memory.dmpFilesize
8KB
-
memory/3100-125-0x0000016664480000-0x0000016664482000-memory.dmpFilesize
8KB
-
memory/3100-119-0x0000016664490000-0x0000016664491000-memory.dmpFilesize
4KB
-
memory/3100-123-0x000001667D400000-0x000001667D401000-memory.dmpFilesize
4KB
-
memory/3100-132-0x0000016664486000-0x0000016664488000-memory.dmpFilesize
8KB
-
memory/3100-114-0x0000000000000000-mapping.dmp
-
memory/3100-126-0x0000016664483000-0x0000016664485000-memory.dmpFilesize
8KB
-
memory/3828-182-0x0000000000400000-0x0000000000433000-memory.dmpFilesize
204KB
-
memory/3828-183-0x000000000040242D-mapping.dmp
-
memory/3828-187-0x0000000000400000-0x0000000000433000-memory.dmpFilesize
204KB