Overview

overview

10

Static

static

Report.vbs

windows7_x64

10

Report.vbs

windows10_x64

10

Analysis

  • max time kernel
    108s
  • max time network
    115s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    24-06-2021 06:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Report.vbs

  • Size

    2KB

  • MD5

    a8f586a5d679762297d619757ee0b3d4

  • SHA1

    f7957547bba9c521db2714bcd2f30d446444ed14

  • SHA256

    4c9598c117cec5c9638aedfb48b1c8b18181f2e5265b723ff0210f9f79ef3419

  • SHA512

    9253e310755262e16d90075f1507ecc9cf5c720af53f9f286f4a439163fda7187d400ad939ebf6afaf79cdf0926439cc6672f6421b39319e7c4e7e1cf1b50e2c

Score
10/10
netwirebotnetratstealer

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://ia601503.us.archive.org/2/items/bypass_xca/bypass_xca.TXT

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://ia601502.us.archive.org/24/items/server-lxx/Server_lxx_.txt

Extracted

Family

netwire

C2

185.19.85.172:1723

Attributes
  • activex_autorun

    false

  • activex_key

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • install_path

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • mutex

  • offline_keylogger

    true

  • password

    Password

  • registry_autorun

    false

  • startup_name

  • use_mutex

    false

Signatures

  • NetWire RAT payload 3 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Blocklisted process makes network request 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Report.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:904
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass &'C:\Users\Public\Downloads\Run.ps1'
      2⤵
      • Blocklisted process makes network request
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2108
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Public\Run\.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3556
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass &'C:\Users\Public\.ps1'
          4⤵
          • Blocklisted process makes network request
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1828
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
            5⤵
              PID:2988

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      MD5

      ea6243fdb2bfcca2211884b0a21a0afc

      SHA1

      2eee5232ca6acc33c3e7de03900e890f4adf0f2f

      SHA256

      5bc7d9831ea72687c5458cae6ae4eb7ab92975334861e08065242e689c1a1ba8

      SHA512

      189db6779483e5be80331b2b64e17b328ead5e750482086f3fe4baae315d47d207d88082b323a6eb777f2f47e29cac40f37dda1400462322255849cbcc973940

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      MD5

      d4b10e424ba24aadc007780734b09997

      SHA1

      a6c753b804678aecadd7e896cc91d23696810ef5

      SHA256

      0346846bad2e2945283a47de0a3eb6cd998ed0b6b36b84bdda74fd1a889ed936

      SHA512

      14c6a7f549130143eef8ca18f9c4f74cd0b7aabd3522deacdfe5195bafd8908994deb708dc68fd7ea6a0efc8d00834bd27eb9448c6448b1688b39a55c4a5475d

      Download Submit
    • C:\Users\Public\.ps1
      MD5

      311019951fab6b50122cf893b6f9c739

      SHA1

      8f43f1fd691ce476d7d00f6ed89faccc192f7ba0

      SHA256

      d5533e273a52a62223a6c9aa7dc4c3b1c2feba447b525ff1eeed8da646a8d9ce

      SHA512

      80586f0fa6f588d715473362a584cd93094d5030b22f8c383c24f224a01d46f50acb9a8be4287a522cf43380f5f8bcd59bd3e5eb8adcd38736ab4da08e6702b6

      Download Submit
    • C:\Users\Public\Downloads\Run.ps1
      MD5

      b8bc64b57cf34bc5e4d8b7ba0380da81

      SHA1

      00b43eed0b84ae25ddd251c0d813e3cef26bec2f

      SHA256

      9a5a102789547906b8c11ddb4ad42033ba4f80430474811a50543fe08a50c78b

      SHA512

      863bb84c3cb1a525a31242dcef926a1026eae8c226a4f5d4ef24aa22dfb606c0bd31c111b591e327f13c8fbb11377c484983d3583ad5bad92fbc33c97103c751

      Download Submit
    • C:\Users\Public\Run\.vbs
      MD5

      17ebb4c06e80f056a5ac11aaa2b1010c

      SHA1

      d3421c4cd4b204583068996c1849188238a6cd22

      SHA256

      a05ef5de2d8063812442ec091bcef0d33e66d94ca54feb8744038552e1284489

      SHA512

      d9f9412d65d1ffee143fb9395a33569c66817940636c89e07f00099e0ce1d8b3d866438cb59641b16d7f9aa628be5e0c2b4264899b87cbb2a88abdf691759401

      Download Submit
    • memory/1828-178-0x000001FDD0FD6000-0x000001FDD0FD8000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1828-174-0x000001FDD0FD0000-0x000001FDD0FD2000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1828-179-0x000001FDD0FC0000-0x000001FDD0FCE000-memory.dmp
      Filesize

      56KB

      Download
    • memory/1828-176-0x000001FDD0FD3000-0x000001FDD0FD5000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1828-157-0x0000000000000000-mapping.dmp
      Download
    • memory/2108-120-0x0000021D801E0000-0x0000021D801E1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2108-125-0x0000021D80390000-0x0000021D80391000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2108-133-0x0000021DFDF16000-0x0000021DFDF18000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2108-129-0x0000021DFDF10000-0x0000021DFDF12000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2108-130-0x0000021DFDF13000-0x0000021DFDF15000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2108-114-0x0000000000000000-mapping.dmp
      Download
    • memory/2988-180-0x0000000000400000-0x0000000000433000-memory.dmp
      Filesize

      204KB

      Download
    • memory/2988-181-0x000000000040242D-mapping.dmp
      Download
    • memory/2988-185-0x0000000000400000-0x0000000000433000-memory.dmp
      Filesize

      204KB

      Download
    • memory/3556-154-0x0000000000000000-mapping.dmp
      Download