Overview

overview

10

Static

static

Report..vbs

windows7_x64

10

Report..vbs

windows10_x64

10

Analysis

  • max time kernel
    39s
  • max time network
    90s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    23-06-2021 07:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Report..vbs

  • Size

    2KB

  • MD5

    f24e48ec7d58c08b9077f143f05ede7e

  • SHA1

    5f8723bc7e331960ac047c169f020d5d5448cc12

  • SHA256

    983c60c5a0fe10b28dab87e0198bf44fc2db030c6ad68d013b1f1310be4e2067

  • SHA512

    2b768025d6c59ecb2642a716eedb1d6c948fdc56da29175f6eec8c8ca7e845abdff5368f5d6b635dee8b70d395decda220012220f24ce94b1857a8a68fa109d1

Score
10/10
netwirebotnetratstealer

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://ia601409.us.archive.org/32/items/bypass1sd/bypass1sd.TXT

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://ia601503.us.archive.org/32/items/Serverne/Serverne.txt

Extracted

Family

netwire

C2

185.19.85.172:1723

Attributes
  • activex_autorun

    false

  • activex_key

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • install_path

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • mutex

  • offline_keylogger

    true

  • password

    Password

  • registry_autorun

    false

  • startup_name

  • use_mutex

    false

Signatures

  • NetWire RAT payload 3 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Blocklisted process makes network request 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Report..vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1308
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass &'C:\Users\Public\Downloads\Run.ps1'
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:108
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Public\Run\.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:804
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass &'C:\Users\Public\.ps1'
          4⤵
          • Blocklisted process makes network request
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:992
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
            5⤵
              PID:2016

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
      MD5

      381e352ecb79401b421d9d6efcb7a1ba

      SHA1

      c9ee63d6fc3bcc8b6447219edea477e106269d91

      SHA256

      7c8df2ff672f7638053af56cf1362b135aea37762b15e25d09a09f08651e0e67

      SHA512

      0df28e320d45ab99a54a9c73ffeb87f55aaea8805980dccd26d7477975016d60512080d2f1fb7d2644be3c2eb2e89b9581d9246c65eddd0db6d8338dc89793b3

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      MD5

      cf58fabcc2c6c71fc48f85afc11f985d

      SHA1

      1cc6b13afc9f0fbec43fe8017b33e2789fee14a3

      SHA256

      472fb3b7412a076754aca47ea265277f47a3452c15a44c8eb23270a62b867003

      SHA512

      7cbd3d4e8c0fb09f7c4ca53334b1d17aff5a4de5f8cbcd324962c464e33bf37c09500463e1f717d9065cf35cd71ad9ab5f3d8ce3b939aa50b201382aea8a5bd6

      Download Submit
    • C:\Users\Public\.ps1
      MD5

      49ed3a79ad1d1fd9a62d213f4a97f3a7

      SHA1

      b03c6b1b5936f6600e346e4e94d0e164e72dbedc

      SHA256

      12a00f0af753d217cf68a32e549304bf6df86414b6a5b47a37b44cd91f36fe11

      SHA512

      a26632debef68c8db7efd48650c72cbef16b7fba3760490dffd7f0c03aa7331a48f00d6d30ac89126a6f42cfe2d53e6c6ec08a3cee9ee8d4cab47790cc9b824f

      Download Submit
    • C:\Users\Public\Downloads\Run.ps1
      MD5

      40d30e0b7df0d993a4ccd0b89c77f3fe

      SHA1

      20229279d9d1b3d38da9f23b3969036747ecb741

      SHA256

      91224a3d13c8ff4be2f2150a9751f82fb6dd3797851537e449447aaad0788c81

      SHA512

      1ba11344b63642f41cd418fa31f3b7984a1a7712392a5b3951838d0e3b8d75955bf2a2e27cc20b01e1c5ad632cd8dc66b91a15b9f19a703b42bf72741f4a0805

      Download Submit
    • C:\Users\Public\Run\.vbs
      MD5

      17ebb4c06e80f056a5ac11aaa2b1010c

      SHA1

      d3421c4cd4b204583068996c1849188238a6cd22

      SHA256

      a05ef5de2d8063812442ec091bcef0d33e66d94ca54feb8744038552e1284489

      SHA512

      d9f9412d65d1ffee143fb9395a33569c66817940636c89e07f00099e0ce1d8b3d866438cb59641b16d7f9aa628be5e0c2b4264899b87cbb2a88abdf691759401

      Download Submit
    • memory/108-64-0x000000001AD40000-0x000000001AD41000-memory.dmp
      Filesize

      4KB

      Download
    • memory/108-63-0x0000000001DC0000-0x0000000001DC1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/108-66-0x000000001ACC0000-0x000000001ACC2000-memory.dmp
      Filesize

      8KB

      Download
    • memory/108-67-0x000000001ACC4000-0x000000001ACC6000-memory.dmp
      Filesize

      8KB

      Download
    • memory/108-68-0x00000000024F0000-0x00000000024F1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/108-70-0x000000001C490000-0x000000001C491000-memory.dmp
      Filesize

      4KB

      Download
    • memory/108-71-0x000000001C6E0000-0x000000001C6E1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/108-61-0x0000000000000000-mapping.dmp
      Download
    • memory/108-65-0x0000000002430000-0x0000000002431000-memory.dmp
      Filesize

      4KB

      Download
    • memory/804-72-0x0000000000000000-mapping.dmp
      Download
    • memory/992-75-0x0000000000000000-mapping.dmp
      Download
    • memory/992-86-0x000000001C160000-0x000000001C161000-memory.dmp
      Filesize

      4KB

      Download
    • memory/992-80-0x000000001AAA0000-0x000000001AAA2000-memory.dmp
      Filesize

      8KB

      Download
    • memory/992-82-0x0000000002670000-0x0000000002671000-memory.dmp
      Filesize

      4KB

      Download
    • memory/992-81-0x000000001AAA4000-0x000000001AAA6000-memory.dmp
      Filesize

      8KB

      Download
    • memory/992-83-0x0000000002380000-0x0000000002381000-memory.dmp
      Filesize

      4KB

      Download
    • memory/992-78-0x00000000024C0000-0x00000000024C1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/992-87-0x00000000026A0000-0x00000000026AE000-memory.dmp
      Filesize

      56KB

      Download
    • memory/992-79-0x000000001AB20000-0x000000001AB21000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1308-60-0x000007FEFC141000-0x000007FEFC143000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2016-88-0x0000000000400000-0x0000000000433000-memory.dmp
      Filesize

      204KB

      Download
    • memory/2016-89-0x000000000040242D-mapping.dmp
      Download
    • memory/2016-90-0x0000000076281000-0x0000000076283000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2016-91-0x0000000000400000-0x0000000000433000-memory.dmp
      Filesize

      204KB

      Download