Analysis
- max time kernel: 27s
- max time network: 122s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 23-06-2021 07:08

Static task: static1
Behavioral task: behavioral1
- Sample: Report..vbs
- Resource: win7v20210410
General
- Target: Report..vbs
- Size: 2KB
- MD5: f24e48ec7d58c08b9077f143f05ede7e
- SHA1: 5f8723bc7e331960ac047c169f020d5d5448cc12
- SHA256: 983c60c5a0fe10b28dab87e0198bf44fc2db030c6ad68d013b1f1310be4e2067
- SHA512: 2b768025d6c59ecb2642a716eedb1d6c948fdc56da29175f6eec8c8ca7e845abdff5368f5d6b635dee8b70d395decda220012220f24ce94b1857a8a68fa109d1
Malware Config
Extracted (URL): https://ia601409.us.archive.org/32/items/bypass1sd/bypass1sd.TXT
Extracted (URL): https://ia601503.us.archive.org/32/items/Serverne/Serverne.txt
Extracted (netwire)
- C2: 185.19.85.172:1723
- activex_autorun: false
- activex_key:
- copy_executable: false
- delete_original: false
- host_id: HostId-%Rand%
- install_path:
- keylogger_dir: %AppData%\Logs\
- lock_executable: false
- mutex:
- offline_keylogger: true
- password: Password
- registry_autorun: false
- startup_name:
- use_mutex: false

Note: with copy_executable, registry_autorun and activex_autorun all false and install_path/startup_name empty, this NetWire build configures no persistence of its own; the offline keylogger is enabled and writes under %AppData%\Logs\, which is the host artifact to check for.
Signatures

NetWire RAT payload (3 IoCs)
yara_rule netwire matched in:
- behavioral2/memory/2232-180-0x0000000000400000-0x0000000000433000-memory.dmp
- behavioral2/memory/2232-181-0x000000000040242D-mapping.dmp
- behavioral2/memory/2232-185-0x0000000000400000-0x0000000000433000-memory.dmp

Blocklisted process makes network request (2 IoCs)
- flow 9: PID 1160 powershell.exe
- flow 18: PID 2820 powershell.exe

Suspicious use of SetThreadContext (1 IoC)
- PID 2820 (powershell.exe) set thread context of PID 2232 (aspnet_compiler.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature calls it likely ransomware behaviour; the payload identified in this report is the NetWire RAT and no file-encryption activity is listed, so read it as drive enumeration by the sample rather than as evidence of ransomware.
Modifies registry class (1 IoC)
- powershell.exe created key \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings

Suspicious behavior: EnumeratesProcesses (6 IoCs)
- PID 1160 powershell.exe (3 events)
- PID 2820 powershell.exe (3 events)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
- PID 1160 powershell.exe: Token SeDebugPrivilege
- PID 2820 powershell.exe: Token SeDebugPrivilege

Suspicious use of WriteProcessMemory (17 IoCs)
- PID 3560 (WScript.exe) wrote to memory of PID 1160 (powershell.exe): 2 events
- PID 1160 (powershell.exe) wrote to memory of PID 2184 (WScript.exe): 2 events
- PID 2184 (WScript.exe) wrote to memory of PID 2820 (powershell.exe): 2 events
- PID 2820 (powershell.exe) wrote to memory of PID 2232 (aspnet_compiler.exe): 11 events

Note: the two writes from each parent into the child it has just created are what process creation itself produces and are not an injection indicator on their own. The 11 writes from PID 2820 into PID 2232, followed by SetThreadContext on that process and the netwire YARA hits on its 0x400000-0x433000 region, are consistent with process hollowing of aspnet_compiler.exe, with the NetWire payload mapped at the image base and 0x40242D the redirected entry point.
Processes
(PIDs are taken from the WriteProcessMemory and SetThreadContext chain in Signatures; depth numbers are the tree levels.)

1. C:\Windows\System32\WScript.exe (PID 3560)
   "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Report..vbs"
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1160)
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass &'C:\Users\Public\Downloads\Run.ps1'
      - Blocklisted process makes network request
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\System32\WScript.exe (PID 2184)
         "C:\Windows\System32\WScript.exe" "C:\Users\Public\Run\.vbs"
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2820)
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass &'C:\Users\Public\.ps1'
            - Blocklisted process makes network request
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe (PID 2232)
               "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
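The process tree above, together with the WriteProcessMemory and SetThreadContext IoCs in Signatures, is enough to write two host detections for this chain. The following is an added example in Python; it is not part of the sandbox report and not code from the sample. It replays the report's PIDs, image paths and command lines as constructed Sysmon-style records, flags WScript.exe launching powershell.exe with -ExecutionPolicy Bypass against a script under C:\Users\Public, and flags the hollowing pattern of powershell.exe writing eleven times into an argument-less aspnet_compiler.exe and then calling SetThreadContext on it. The parent PID of the first WScript.exe (set to 0), the record field names, the order of the API events and the write threshold are assumptions.

```python
"""Process-chain and process-hollowing checks replayed over the events this
sandbox report lists. Added example, not part of the report or of the sample.
PIDs, image paths and command lines are copied from the Processes and
Signatures sections; the parent of the first WScript.exe (set to 0), the
record field names and the order of the API events are assumptions."""
import re
from collections import Counter, namedtuple

ProcCreate = namedtuple("ProcCreate", "pid ppid image cmdline")
ApiEvent = namedtuple("ApiEvent", "api src_pid dst_pid")  # WriteProcessMemory / SetThreadContext

WSCRIPT = r"C:\Windows\System32\WScript.exe"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
ASPNET = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"


def cmd(image, *args):
    """Command line as the report prints it: quoted image, then its arguments."""
    return " ".join(['"%s"' % image, *args])


# Constructed from the report's process tree.
PROCS = [
    ProcCreate(3560, 0, WSCRIPT, cmd(WSCRIPT, r'"C:\Users\Admin\AppData\Local\Temp\Report..vbs"')),
    ProcCreate(1160, 3560, POWERSHELL,
               cmd(POWERSHELL, "-ExecutionPolicy", "Bypass", r"&'C:\Users\Public\Downloads\Run.ps1'")),
    ProcCreate(2184, 1160, WSCRIPT, cmd(WSCRIPT, r'"C:\Users\Public\Run\.vbs"')),
    ProcCreate(2820, 2184, POWERSHELL,
               cmd(POWERSHELL, "-ExecutionPolicy", "Bypass", r"&'C:\Users\Public\.ps1'")),
    ProcCreate(2232, 2820, ASPNET, cmd(ASPNET)),
]

# Constructed from the 17 WriteProcessMemory and 1 SetThreadContext IoCs.
API_EVENTS = (
    [ApiEvent("WriteProcessMemory", 3560, 1160)] * 2
    + [ApiEvent("WriteProcessMemory", 1160, 2184)] * 2
    + [ApiEvent("WriteProcessMemory", 2184, 2820)] * 2
    + [ApiEvent("WriteProcessMemory", 2820, 2232)] * 11
    + [ApiEvent("SetThreadContext", 2820, 2232)]
)

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# powershell.exe also accepts prefixes of -ExecutionPolicy (-ex, -exec, ...) and -ep.
BYPASS_RE = re.compile(r"(?i)-(?:ep|ex\w*)\s+(?:bypass|unrestricted)")
PUBLIC_RE = re.compile(r'''(?i)c:\\users\\public\\[^'"\s]+''')


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def lineage(procs, pid):
    """Image basenames from the root ancestor down to pid."""
    by_pid = {p.pid: p for p in procs}
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain[::-1]


def detect_bypass_from_script_host(procs):
    """Script host -> powershell.exe with the execution policy lowered, running a
    script under C:\\Users\\Public (writable by every local user)."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        if parent is None or basename(parent.image) not in SCRIPT_HOSTS:
            continue
        if basename(p.image) != "powershell.exe" or not BYPASS_RE.search(p.cmdline):
            continue
        m = PUBLIC_RE.search(p.cmdline)
        hits.append({"parent": parent.pid, "pid": p.pid, "script": m.group(0) if m else None})
    return hits


def detect_hollowing(procs, events, min_writes=3):
    """Hollowing candidate: a parent writes into a child it created more often than
    process creation itself does (the 2-write pairs above are that baseline), the
    child was started with no arguments, and the parent then sets its thread context."""
    by_pid = {p.pid: p for p in procs}
    writes = Counter((e.src_pid, e.dst_pid) for e in events if e.api == "WriteProcessMemory")
    hits = []
    for e in events:
        target = by_pid.get(e.dst_pid)
        if e.api != "SetThreadContext" or target is None or target.ppid != e.src_pid:
            continue
        argless = target.cmdline.strip().strip('"').lower() == target.image.lower()
        if argless and writes[(e.src_pid, e.dst_pid)] >= min_writes:
            hits.append({"injector": e.src_pid, "target": e.dst_pid, "image": target.image,
                         "writes": writes[(e.src_pid, e.dst_pid)]})
    return hits


if __name__ == "__main__":
    for h in detect_bypass_from_script_host(PROCS):
        print("script host -> powershell bypass:", h)
    for h in detect_hollowing(PROCS, API_EVENTS):
        print("hollowing candidate:", h, "| lineage:", " > ".join(lineage(PROCS, h["target"])))
```

Run against the constructed records, the first check fires twice (PID 3560 to 1160 and PID 2184 to 2820) and the second exactly once (PID 2820 into 2232, 11 writes). The write threshold of 3 is what separates the hollowing from the three ordinary parent-to-child pairs, which show two writes each; on real telemetry tune it against your own baseline, and keep the SetThreadContext requirement, since dropping it turns every busy parent into a finding.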
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  MD5: ea6243fdb2bfcca2211884b0a21a0afc
  SHA1: 2eee5232ca6acc33c3e7de03900e890f4adf0f2f
  SHA256: 5bc7d9831ea72687c5458cae6ae4eb7ab92975334861e08065242e689c1a1ba8
  SHA512: 189db6779483e5be80331b2b64e17b328ead5e750482086f3fe4baae315d47d207d88082b323a6eb777f2f47e29cac40f37dda1400462322255849cbcc973940
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5: 585c7fa70a95e35a5e8bae474eb37189
  SHA1: d952fc98b37d624602ebe0481387c715ea8c78bf
  SHA256: a1ba0aec1f5ec1b812e8a0db6cf79c811f6eb032f5c62fb01b47d6eb1c5683f8
  SHA512: 70357c722fa7ae52a0b96fa46e9222448150b03d0f9ead361e0b853cc46904177f36841d6786aad0a94a120bed64667c203181e55f8611d0066bd2cd014e5636
- C:\Users\Public\.ps1
  MD5: 49ed3a79ad1d1fd9a62d213f4a97f3a7
  SHA1: b03c6b1b5936f6600e346e4e94d0e164e72dbedc
  SHA256: 12a00f0af753d217cf68a32e549304bf6df86414b6a5b47a37b44cd91f36fe11
  SHA512: a26632debef68c8db7efd48650c72cbef16b7fba3760490dffd7f0c03aa7331a48f00d6d30ac89126a6f42cfe2d53e6c6ec08a3cee9ee8d4cab47790cc9b824f
- C:\Users\Public\Downloads\Run.ps1
  MD5: 40d30e0b7df0d993a4ccd0b89c77f3fe
  SHA1: 20229279d9d1b3d38da9f23b3969036747ecb741
  SHA256: 91224a3d13c8ff4be2f2150a9751f82fb6dd3797851537e449447aaad0788c81
  SHA512: 1ba11344b63642f41cd418fa31f3b7984a1a7712392a5b3951838d0e3b8d75955bf2a2e27cc20b01e1c5ad632cd8dc66b91a15b9f19a703b42bf72741f4a0805
- C:\Users\Public\Run\.vbs
  MD5: 17ebb4c06e80f056a5ac11aaa2b1010c
  SHA1: d3421c4cd4b204583068996c1849188238a6cd22
  SHA256: a05ef5de2d8063812442ec091bcef0d33e66d94ca54feb8744038552e1284489
  SHA512: d9f9412d65d1ffee143fb9395a33569c66817940636c89e07f00099e0ce1d8b3d866438cb59641b16d7f9aa628be5e0c2b4264899b87cbb2a88abdf691759401

Memory dumps (pid-sequence-address range):
- memory/1160-114-0x0000000000000000-mapping.dmp
- memory/1160-120-0x0000015D1BFC0000-0x0000015D1BFC1000-memory.dmp (4KB)
- memory/1160-125-0x0000015D1C170000-0x0000015D1C171000-memory.dmp (4KB)
- memory/1160-129-0x0000015D01990000-0x0000015D01992000-memory.dmp (8KB)
- memory/1160-131-0x0000015D01993000-0x0000015D01995000-memory.dmp (8KB)
- memory/1160-133-0x0000015D01996000-0x0000015D01998000-memory.dmp (8KB)
- memory/2184-154-0x0000000000000000-mapping.dmp
- memory/2232-180-0x0000000000400000-0x0000000000433000-memory.dmp (204KB)
- memory/2232-181-0x000000000040242D-mapping.dmp
- memory/2232-185-0x0000000000400000-0x0000000000433000-memory.dmp (204KB)
- memory/2820-157-0x0000000000000000-mapping.dmp
- memory/2820-176-0x000002616C060000-0x000002616C062000-memory.dmp (8KB)
- memory/2820-177-0x000002616C063000-0x000002616C065000-memory.dmp (8KB)
- memory/2820-178-0x000002616C066000-0x000002616C068000-memory.dmp (8KB)
- memory/2820-179-0x000002616E270000-0x000002616E27E000-memory.dmp (56KB)