Analysis

  • max time kernel
    27s
  • max time network
    122s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    23-06-2021 07:08

General

  • Target

    Report..vbs

  • Size

    2KB

  • MD5

    f24e48ec7d58c08b9077f143f05ede7e

  • SHA1

    5f8723bc7e331960ac047c169f020d5d5448cc12

  • SHA256

    983c60c5a0fe10b28dab87e0198bf44fc2db030c6ad68d013b1f1310be4e2067

  • SHA512

    2b768025d6c59ecb2642a716eedb1d6c948fdc56da29175f6eec8c8ca7e845abdff5368f5d6b635dee8b70d395decda220012220f24ce94b1857a8a68fa109d1

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://ia601409.us.archive.org/32/items/bypass1sd/bypass1sd.TXT

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://ia601503.us.archive.org/32/items/Serverne/Serverne.txt

Extracted

Family

netwire

C2

185.19.85.172:1723

Attributes
  • activex_autorun

    false

  • activex_key

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • install_path

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • mutex

  • offline_keylogger

    true

  • password

    Password

  • registry_autorun

    false

  • startup_name

  • use_mutex

    false

Signatures

  • NetWire RAT payload 3 IoCs
  • Netwire

    Netwire is a RAT whose main functionality is focused on password stealing and keylogging; it also includes remote control capabilities.

  • Blocklisted process makes network request 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). This is the sandbox's generic description for the signature, which is commonly associated with ransomware; the payload identified in this run is the NetWire RAT, not ransomware.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Report..vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3560
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass &'C:\Users\Public\Downloads\Run.ps1'
      2⤵
      • Blocklisted process makes network request
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1160
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Public\Run\.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2184
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass &'C:\Users\Public\.ps1'
          4⤵
          • Blocklisted process makes network request
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2820
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
            5⤵
              PID:2232
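    The process tree above (WScript.exe -> powershell.exe -ExecutionPolicy Bypass -> WScript.exe -> powershell.exe -> aspnet_compiler.exe with no arguments) together with the SetThreadContext / WriteProcessMemory signatures and the extracted C2 and dropper URLs is enough to write hunt rules. The following is an added example, not part of the sandbox report: it encodes those rules in Python and runs them over constructed Sysmon-style events that mirror the tree and the report's PIDs. The parent of the first WScript.exe (explorer.exe), the benign control event (PID 4444) and the network events are assumptions made for the example; the report shows "Blocklisted process makes network request" but does not list the connections themselves.

```python
"""Hunt rules derived from the NetWire dropper chain in the report above.

The events below are constructed for this example; they model the observed
chain but are not the sandbox's own telemetry.
"""
import re
from dataclasses import dataclass

# Indicators taken from the report: NetWire C2 and the two dropper URL hosts.
C2_ENDPOINTS = {("185.19.85.172", 1723)}
DROPPER_HOSTS = {"ia601409.us.archive.org", "ia601503.us.archive.org"}

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# .NET framework utilities commonly used as hollowing targets; aspnet_compiler.exe
# is the one seen in this run, the others are assumed additions for coverage.
DOTNET_TARGETS = {"aspnet_compiler.exe", "regasm.exe", "regsvcs.exe",
                  "installutil.exe", "msbuild.exe"}

# Matches -ExecutionPolicy Bypass, -Exec Bypass and -ep Bypass (case-insensitive).
EP_BYPASS = re.compile(r"-(?:ep|exec(?:utionpolicy)?)\s+bypass", re.IGNORECASE)


@dataclass
class Event:
    kind: str              # "process" (creation) or "network" (outbound connect)
    pid: int
    image: str
    parent_image: str = ""
    cmdline: str = ""
    dst_host: str = ""
    dst_port: int = 0


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def has_arguments(cmdline):
    """True if anything follows the (possibly quoted) executable in the command line."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        rest = s[end + 1:] if end != -1 else ""
    else:
        rest = s.split(" ", 1)[1] if " " in s else ""
    return bool(rest.strip())


def evaluate(events):
    """Return (rule_name, pid) tuples for every event that trips a rule."""
    alerts = []
    for e in events:
        if e.kind == "process":
            img, parent = basename(e.image), basename(e.parent_image)
            # Rule 1: script host launching PowerShell with the execution policy bypassed.
            if parent in SCRIPT_HOSTS and img in POWERSHELL and EP_BYPASS.search(e.cmdline):
                alerts.append(("script_host_spawns_powershell_bypass", e.pid))
            # Rule 2: PowerShell launching a .NET utility with no arguments, which is how
            # a hollowed host process looks (pairs with SetThreadContext/WriteProcessMemory).
            if parent in POWERSHELL and img in DOTNET_TARGETS and not has_arguments(e.cmdline):
                alerts.append(("dotnet_utility_no_args_hollowing_candidate", e.pid))
        elif e.kind == "network":
            # Rule 3/4: direct IOC matches on the C2 endpoint and the dropper hosts.
            if (e.dst_host, e.dst_port) in C2_ENDPOINTS:
                alerts.append(("netwire_c2", e.pid))
            elif e.dst_host in DROPPER_HOSTS:
                alerts.append(("dropper_host", e.pid))
    return alerts


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WS = r"C:\Windows\System32\WScript.exe"
ASPNET = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"

# Constructed events mirroring the report's process tree (PIDs as reported).
SAMPLE_EVENTS = [
    Event("process", 3560, WS, r"C:\Windows\explorer.exe",          # parent assumed
          '"%s" "C:\\Users\\Admin\\AppData\\Local\\Temp\\Report..vbs"' % WS),
    Event("process", 1160, PS, WS,
          '"%s" -ExecutionPolicy Bypass &\'C:\\Users\\Public\\Downloads\\Run.ps1\'' % PS),
    Event("network", 1160, PS, dst_host="ia601409.us.archive.org", dst_port=443),
    Event("process", 2184, WS, PS, '"%s" "C:\\Users\\Public\\Run\\.vbs"' % WS),
    Event("process", 2820, PS, WS,
          '"%s" -ExecutionPolicy Bypass &\'C:\\Users\\Public\\.ps1\'' % PS),
    Event("network", 2820, PS, dst_host="ia601503.us.archive.org", dst_port=443),
    Event("process", 2232, ASPNET, PS, '"%s"' % ASPNET),
    Event("network", 2232, ASPNET, dst_host="185.19.85.172", dst_port=1723),
    # Benign control (assumed): an interactive PowerShell with no bypass should not alert.
    Event("process", 4444, PS, r"C:\Windows\explorer.exe", '"%s" -NoProfile' % PS),
]


def run_report_chain():
    return evaluate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for rule, pid in run_report_chain():
        print(f"{rule:45s} pid={pid}")
```

Rule 2 is the one worth tuning in production: legitimate builds do run aspnet_compiler.exe and msbuild.exe from PowerShell, but they pass arguments, so the empty-command-line condition is what keeps the false-positive rate low.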

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Discovery

    System Information Discovery

    1
    T1082

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      MD5

      ea6243fdb2bfcca2211884b0a21a0afc

      SHA1

      2eee5232ca6acc33c3e7de03900e890f4adf0f2f

      SHA256

      5bc7d9831ea72687c5458cae6ae4eb7ab92975334861e08065242e689c1a1ba8

      SHA512

      189db6779483e5be80331b2b64e17b328ead5e750482086f3fe4baae315d47d207d88082b323a6eb777f2f47e29cac40f37dda1400462322255849cbcc973940

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      MD5

      585c7fa70a95e35a5e8bae474eb37189

      SHA1

      d952fc98b37d624602ebe0481387c715ea8c78bf

      SHA256

      a1ba0aec1f5ec1b812e8a0db6cf79c811f6eb032f5c62fb01b47d6eb1c5683f8

      SHA512

      70357c722fa7ae52a0b96fa46e9222448150b03d0f9ead361e0b853cc46904177f36841d6786aad0a94a120bed64667c203181e55f8611d0066bd2cd014e5636

    • C:\Users\Public\.ps1
      MD5

      49ed3a79ad1d1fd9a62d213f4a97f3a7

      SHA1

      b03c6b1b5936f6600e346e4e94d0e164e72dbedc

      SHA256

      12a00f0af753d217cf68a32e549304bf6df86414b6a5b47a37b44cd91f36fe11

      SHA512

      a26632debef68c8db7efd48650c72cbef16b7fba3760490dffd7f0c03aa7331a48f00d6d30ac89126a6f42cfe2d53e6c6ec08a3cee9ee8d4cab47790cc9b824f

    • C:\Users\Public\Downloads\Run.ps1
      MD5

      40d30e0b7df0d993a4ccd0b89c77f3fe

      SHA1

      20229279d9d1b3d38da9f23b3969036747ecb741

      SHA256

      91224a3d13c8ff4be2f2150a9751f82fb6dd3797851537e449447aaad0788c81

      SHA512

      1ba11344b63642f41cd418fa31f3b7984a1a7712392a5b3951838d0e3b8d75955bf2a2e27cc20b01e1c5ad632cd8dc66b91a15b9f19a703b42bf72741f4a0805

    • C:\Users\Public\Run\.vbs
      MD5

      17ebb4c06e80f056a5ac11aaa2b1010c

      SHA1

      d3421c4cd4b204583068996c1849188238a6cd22

      SHA256

      a05ef5de2d8063812442ec091bcef0d33e66d94ca54feb8744038552e1284489

      SHA512

      d9f9412d65d1ffee143fb9395a33569c66817940636c89e07f00099e0ce1d8b3d866438cb59641b16d7f9aa628be5e0c2b4264899b87cbb2a88abdf691759401

    • memory/1160-131-0x0000015D01993000-0x0000015D01995000-memory.dmp
      Filesize

      8KB

    • memory/1160-114-0x0000000000000000-mapping.dmp
    • memory/1160-133-0x0000015D01996000-0x0000015D01998000-memory.dmp
      Filesize

      8KB

    • memory/1160-129-0x0000015D01990000-0x0000015D01992000-memory.dmp
      Filesize

      8KB

    • memory/1160-125-0x0000015D1C170000-0x0000015D1C171000-memory.dmp
      Filesize

      4KB

    • memory/1160-120-0x0000015D1BFC0000-0x0000015D1BFC1000-memory.dmp
      Filesize

      4KB

    • memory/2184-154-0x0000000000000000-mapping.dmp
    • memory/2232-180-0x0000000000400000-0x0000000000433000-memory.dmp
      Filesize

      204KB

    • memory/2232-185-0x0000000000400000-0x0000000000433000-memory.dmp
      Filesize

      204KB

    • memory/2232-181-0x000000000040242D-mapping.dmp
    • memory/2820-157-0x0000000000000000-mapping.dmp
    • memory/2820-179-0x000002616E270000-0x000002616E27E000-memory.dmp
      Filesize

      56KB

    • memory/2820-178-0x000002616C066000-0x000002616C068000-memory.dmp
      Filesize

      8KB

    • memory/2820-176-0x000002616C060000-0x000002616C062000-memory.dmp
      Filesize

      8KB

    • memory/2820-177-0x000002616C063000-0x000002616C065000-memory.dmp
      Filesize

      8KB