Overview

overview

10

Static

static

report..vbs

windows7_x64

10

report..vbs

windows10_x64

10

Analysis

  • max time kernel
    42s
  • max time network
    170s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    23-06-2021 07:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    report..vbs

  • Size

    2KB

  • MD5

    70308f16ec6aed9b2bb1de2b95c954fc

  • SHA1

    72650195a77260155859baa82f82f1b292e5ecff

  • SHA256

    699f259d3ca7ab69da25404cdcf081233a956203ea995dff657f8c2114dba50c

  • SHA512

    0bc476523ae086734f33c74db1ab6fc1e581818c985973e219120b40a950c51c6737e538e68f7bfd6e4b5258a6ce2a682356287af155ef549dae5e794c6ed162

Score
10/10
netwirebotnetratstealer

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://ia601401.us.archive.org/25/items/bypass_obbv/bypass_obbv.TXT

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://ia601505.us.archive.org/17/items/server-uybb/Server_uybb.txt

Extracted

Family

netwire

C2

185.19.85.172:1723

Attributes
  • activex_autorun

    false

  • activex_key

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • install_path

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • mutex

  • offline_keylogger

    true

  • password

    Password

  • registry_autorun

    false

  • startup_name

  • use_mutex

    false

Signatures

  • NetWire RAT payload 3 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Blocklisted process makes network request 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\report..vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:604
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass &'C:\Users\Public\Downloads\Run.ps1'
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1780
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Public\Run\.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:652
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass &'C:\Users\Public\.ps1'
          4⤵
          • Blocklisted process makes network request
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1132
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
            5⤵
              PID:1704

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
      MD5

      c5d7e9bb8e626d47c1fb7ddfe8eda82c

      SHA1

      23410b69be259bee5658c3a9e8b665cfaea9dd37

      SHA256

      fcd69e113ccab66ecab01e48f3c73a40b0dcbed97b595375b353cc3e4b8ac295

      SHA512

      81e84b53a34b13caa44cc40d14e453a736918d2757ad6930750bf4852efd6aa1e4435cf6499bf35fed5ccc44f1736534b27b94129ac2d2c6c3a071ad392088d1

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      MD5

      499f280bd6a507b8b5b13f93254c707e

      SHA1

      e40354df7cbc16bb01a21ff15ee533fb2ff4b907

      SHA256

      176293719260e2c91ca451d6fcdcecffffc23442afc3ecef9f95382ffcefe70c

      SHA512

      027b447e3821bda312589a33d5705acf111a9d90270fa66d6acb2beb73189522fb2d47a1b9a2a848079104eabf397fc76a34fdc49f21a9115cdd4f638177da06

      Download Submit
    • C:\Users\Public\.ps1
      MD5

      cf97a3b233badaea5e5f76e1e3cedc9d

      SHA1

      3392098ebe94be6318fa25c9100c5418056b3654

      SHA256

      296711508c0f8f0e4d31593f5995ee4cc03b1d759d4a372fba77a169318f6d21

      SHA512

      47a098883bf7ef896493012da0131fb1643f7af45f31b718fb94d170964ef1d2cd3b2bf3a7ea87166e781d73943e3fadac01dad8843f29a774d4ed557425acbe

      Download Submit
    • C:\Users\Public\Downloads\Run.ps1
      MD5

      cdcd549275cb60156bdd3f689d8858ea

      SHA1

      6c46777d3f4fc3a2d18c0b378b7edcde5d9c502c

      SHA256

      62324fff798253265e04d2f6bb12cb36eb5faa35273322ecef726a2c73d86dc0

      SHA512

      4e02fff95fc763370c6d38e9192de6e0bf62e4383fb89c082df51bc6436afb852e2e95f54982769d02c8f834c111a9b7a40dec26810f784e77b4d535d0920f22

      Download Submit
    • C:\Users\Public\Run\.vbs
      MD5

      17ebb4c06e80f056a5ac11aaa2b1010c

      SHA1

      d3421c4cd4b204583068996c1849188238a6cd22

      SHA256

      a05ef5de2d8063812442ec091bcef0d33e66d94ca54feb8744038552e1284489

      SHA512

      d9f9412d65d1ffee143fb9395a33569c66817940636c89e07f00099e0ce1d8b3d866438cb59641b16d7f9aa628be5e0c2b4264899b87cbb2a88abdf691759401

      Download Submit
    • memory/604-59-0x000007FEFBAE1000-0x000007FEFBAE3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/652-71-0x0000000000000000-mapping.dmp
      Download
    • memory/1132-78-0x000000001AB10000-0x000000001AB11000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1132-85-0x000000001B6C0000-0x000000001B6C1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1132-82-0x0000000002780000-0x0000000002781000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1132-81-0x00000000027D4000-0x00000000027D6000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1132-86-0x00000000027C0000-0x00000000027CE000-memory.dmp
      Filesize

      56KB

      Download
    • memory/1132-77-0x00000000024E0000-0x00000000024E1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1132-74-0x0000000000000000-mapping.dmp
      Download
    • memory/1132-80-0x00000000027D0000-0x00000000027D2000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1132-79-0x0000000002530000-0x0000000002531000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1704-90-0x0000000000400000-0x0000000000433000-memory.dmp
      Filesize

      204KB

      Download
    • memory/1704-87-0x0000000000400000-0x0000000000433000-memory.dmp
      Filesize

      204KB

      Download
    • memory/1704-88-0x000000000040242D-mapping.dmp
      Download
    • memory/1704-89-0x0000000075211000-0x0000000075213000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1780-63-0x000000001ABE0000-0x000000001ABE1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1780-64-0x00000000024E0000-0x00000000024E1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1780-70-0x000000001AAD0000-0x000000001AAD1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1780-69-0x000000001C590000-0x000000001C591000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1780-67-0x0000000002070000-0x0000000002071000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1780-60-0x0000000000000000-mapping.dmp
      Download
    • memory/1780-66-0x000000001AB64000-0x000000001AB66000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1780-65-0x000000001AB60000-0x000000001AB62000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1780-62-0x0000000002030000-0x0000000002031000-memory.dmp
      Filesize

      4KB

      Download