Overview

overview

10

Static

static

Report.vbs

windows7_x64

10

Report.vbs

windows10_x64

10

Analysis

  • max time kernel
    114s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    24-06-2021 06:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Report.vbs

  • Size

    2KB

  • MD5

    a8f586a5d679762297d619757ee0b3d4

  • SHA1

    f7957547bba9c521db2714bcd2f30d446444ed14

  • SHA256

    4c9598c117cec5c9638aedfb48b1c8b18181f2e5265b723ff0210f9f79ef3419

  • SHA512

    9253e310755262e16d90075f1507ecc9cf5c720af53f9f286f4a439163fda7187d400ad939ebf6afaf79cdf0926439cc6672f6421b39319e7c4e7e1cf1b50e2c

Score
10/10
netwirebotnetratstealer

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://ia601503.us.archive.org/2/items/bypass_xca/bypass_xca.TXT

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://ia601502.us.archive.org/24/items/server-lxx/Server_lxx_.txt

Extracted

Family

netwire

C2

185.19.85.172:1723

Attributes
  • activex_autorun

    false

  • activex_key

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • install_path

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • mutex

  • offline_keylogger

    true

  • password

    Password

  • registry_autorun

    false

  • startup_name

  • use_mutex

    false

Signatures

  • NetWire RAT payload 3 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Blocklisted process makes network request 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Report.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1724
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass &'C:\Users\Public\Downloads\Run.ps1'
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1660
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Public\Run\.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1488
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass &'C:\Users\Public\.ps1'
          4⤵
          • Blocklisted process makes network request
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1628
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
            5⤵
              PID:1392

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
      MD5

      a54419dc284ad72b6fafdb428b3b61db

      SHA1

      29ebcc82365e1c01b0412bf201bd3671efc6d074

      SHA256

      caea25a011de18f1d422646803d5aa519c3441af574b5c9978f567eec6af2058

      SHA512

      0ac7d7eb39202e27c54b4e57b5e7b6d9a97fbb5997455cf14919c47056f8d40163177a5764c814ccd5aa6abf056425f8437dcd72953c1748317d2091ee63ce12

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      MD5

      82ea4f83a1065ea90f1cf4fd42f7260c

      SHA1

      128474574b1fcd9bf8c2961985274d508d2dabc0

      SHA256

      7d5364e7bff8db717f2114ba20bc24617c7eae7734da2843b2f6c1ed33074460

      SHA512

      b55c8fb0f5f734c6259e0d0283e160c92b18a1a4933b047d69119e6bcace48102917617f43931485a5f24d3e379e7205d3c86a88b58fc51859a84d7288ef03f7

      Download Submit
    • C:\Users\Public\.ps1
      MD5

      311019951fab6b50122cf893b6f9c739

      SHA1

      8f43f1fd691ce476d7d00f6ed89faccc192f7ba0

      SHA256

      d5533e273a52a62223a6c9aa7dc4c3b1c2feba447b525ff1eeed8da646a8d9ce

      SHA512

      80586f0fa6f588d715473362a584cd93094d5030b22f8c383c24f224a01d46f50acb9a8be4287a522cf43380f5f8bcd59bd3e5eb8adcd38736ab4da08e6702b6

      Download Submit
    • C:\Users\Public\Downloads\Run.ps1
      MD5

      b8bc64b57cf34bc5e4d8b7ba0380da81

      SHA1

      00b43eed0b84ae25ddd251c0d813e3cef26bec2f

      SHA256

      9a5a102789547906b8c11ddb4ad42033ba4f80430474811a50543fe08a50c78b

      SHA512

      863bb84c3cb1a525a31242dcef926a1026eae8c226a4f5d4ef24aa22dfb606c0bd31c111b591e327f13c8fbb11377c484983d3583ad5bad92fbc33c97103c751

      Download Submit
    • C:\Users\Public\Run\.vbs
      MD5

      17ebb4c06e80f056a5ac11aaa2b1010c

      SHA1

      d3421c4cd4b204583068996c1849188238a6cd22

      SHA256

      a05ef5de2d8063812442ec091bcef0d33e66d94ca54feb8744038552e1284489

      SHA512

      d9f9412d65d1ffee143fb9395a33569c66817940636c89e07f00099e0ce1d8b3d866438cb59641b16d7f9aa628be5e0c2b4264899b87cbb2a88abdf691759401

      Download Submit
    • memory/1392-91-0x0000000000400000-0x0000000000433000-memory.dmp
      Filesize

      204KB

      Download
    • memory/1392-88-0x0000000000400000-0x0000000000433000-memory.dmp
      Filesize

      204KB

      Download
    • memory/1392-90-0x0000000075161000-0x0000000075163000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1392-89-0x000000000040242D-mapping.dmp
      Download
    • memory/1488-72-0x0000000000000000-mapping.dmp
      Download
    • memory/1628-79-0x000000001ACE0000-0x000000001ACE1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1628-78-0x00000000024B0000-0x00000000024B1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1628-87-0x0000000002530000-0x000000000253E000-memory.dmp
      Filesize

      56KB

      Download
    • memory/1628-75-0x0000000000000000-mapping.dmp
      Download
    • memory/1628-83-0x00000000022F0000-0x00000000022F1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1628-82-0x000000001AC64000-0x000000001AC66000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1628-86-0x000000001B9B0000-0x000000001B9B1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1628-80-0x0000000002400000-0x0000000002401000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1628-81-0x000000001AC60000-0x000000001AC62000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1660-70-0x000000001B980000-0x000000001B981000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1660-65-0x0000000002550000-0x0000000002551000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1660-61-0x0000000000000000-mapping.dmp
      Download
    • memory/1660-71-0x000000001B870000-0x000000001B871000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1660-64-0x000000001AB00000-0x000000001AB01000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1660-68-0x000000001A954000-0x000000001A956000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1660-67-0x000000001A950000-0x000000001A952000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1660-66-0x00000000024B0000-0x00000000024B1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1660-63-0x0000000002270000-0x0000000002271000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1724-60-0x000007FEFB571000-0x000007FEFB573000-memory.dmp
      Filesize

      8KB

      Download