Analysis
- max time kernel: 108s
- max time network: 115s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 24-06-2021 06:02

Tasks
- Static task: static1
- Behavioral task: behavioral1 (Sample: Report.vbs, Resource: win7v20210410)
General
- Target: Report.vbs
- Size: 2KB
- MD5: a8f586a5d679762297d619757ee0b3d4
- SHA1: f7957547bba9c521db2714bcd2f30d446444ed14
- SHA256: 4c9598c117cec5c9638aedfb48b1c8b18181f2e5265b723ff0210f9f79ef3419
- SHA512: 9253e310755262e16d90075f1507ecc9cf5c720af53f9f286f4a439163fda7187d400ad939ebf6afaf79cdf0926439cc6672f6421b39319e7c4e7e1cf1b50e2c
Malware Config

Extracted URLs:
- https://ia601503.us.archive.org/2/items/bypass_xca/bypass_xca.TXT
- https://ia601502.us.archive.org/24/items/server-lxx/Server_lxx_.txt

Extracted family: netwire
NetWire RAT configuration as recovered by the sandbox's config extractor; fields that appear as a bare "-" in the original report are empty.
- C2: 185.19.85.172:1723
- activex_autorun: false
- activex_key: (empty)
- copy_executable: false
- delete_original: false
- host_id: HostId-%Rand%
- install_path: (empty)
- keylogger_dir: %AppData%\Logs\
- lock_executable: false
- mutex: (empty)
- offline_keylogger: true
- password: Password (NetWire's default value)
- registry_autorun: false
- startup_name: (empty)
- use_mutex: false

With copy_executable, registry_autorun and activex_autorun all false and install_path and startup_name empty, this build sets up no persistence of its own; the offline keylogger is enabled and writes under %AppData%\Logs\.
Signatures

NetWire RAT payload (3 IoCs)
YARA rule "netwire" matched three memory dumps of PID 2988 (the aspnet_compiler.exe child):
- behavioral2/memory/2988-180-0x0000000000400000-0x0000000000433000-memory.dmp
- behavioral2/memory/2988-181-0x000000000040242D-mapping.dmp
- behavioral2/memory/2988-185-0x0000000000400000-0x0000000000433000-memory.dmp

Blocklisted process makes network request (2 IoCs)
- flow 8: PID 2108 powershell.exe
- flow 17: PID 1828 powershell.exe

Suspicious use of SetThreadContext (1 IoC)
- PID 1828 powershell.exe set the thread context of PID 2988 aspnet_compiler.exe
Read together with the eleven WriteProcessMemory calls from 1828 into 2988 (below) and the netwire YARA hits in 2988's 0x400000-0x433000 image region, this is consistent with the second PowerShell stage hollowing aspnet_compiler.exe and running the NetWire payload inside it.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic note for this TTP ("likely ransomware behaviour") does not fit the rest of this report: the payload is identified as NetWire and nothing recorded here shows file encryption.

Modifies registry class (1 IoC)
- powershell.exe created key \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings

Suspicious behavior: EnumeratesProcesses (6 IoCs)
- PID 2108 powershell.exe (3 occurrences)
- PID 1828 powershell.exe (3 occurrences)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
- PID 2108 powershell.exe: Token SeDebugPrivilege
- PID 1828 powershell.exe: Token SeDebugPrivilege

Suspicious use of WriteProcessMemory (17 IoCs)
- PID 904 WScript.exe wrote to memory of PID 2108 powershell.exe (2 occurrences)
- PID 2108 powershell.exe wrote to memory of PID 3556 WScript.exe (2 occurrences)
- PID 3556 WScript.exe wrote to memory of PID 1828 powershell.exe (2 occurrences)
- PID 1828 powershell.exe wrote to memory of PID 2988 aspnet_compiler.exe (11 occurrences)
Processes

Execution chain: Report.vbs (WScript.exe) -> PowerShell with -ExecutionPolicy Bypass -> second VBS under C:\Users\Public\Run -> second PowerShell stage -> aspnet_compiler.exe started with no arguments and used as the host process for the injected NetWire payload. PIDs are taken from the WriteProcessMemory signature above.

1. C:\Windows\System32\WScript.exe (PID 904)
   "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Report.vbs"
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2108)
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass &'C:\Users\Public\Downloads\Run.ps1'
      - Blocklisted process makes network request
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\System32\WScript.exe (PID 3556)
         "C:\Windows\System32\WScript.exe" "C:\Users\Public\Run\.vbs"
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1828)
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass &'C:\Users\Public\.ps1'
            - Blocklisted process makes network request
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

            5. C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe (PID 2988)
               "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" (no arguments; target of the SetThreadContext/WriteProcessMemory calls and of the netwire YARA hits)
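The chain above (script host -> PowerShell with -ExecutionPolicy Bypass -> script host -> PowerShell -> an argument-less .NET binary that then talks to the C2) is what a hunter would want to query for in endpoint telemetry. The following is an added example, not part of the sandbox report: a small hunt over Sysmon-style process-creation (Event ID 1) and network-connection (Event ID 3) records. The sample records are constructed from the report's PIDs, command lines, stage hosts and C2; the explorer.exe parent PID 600, the benign PowerShell run (PID 4100) and the address 203.0.113.10 for the archive.org host are made up for the demo.

```python
"""
Added example (not part of the sandbox report): hunt Sysmon-style telemetry for
the chain this report records.  Records are dicts with Sysmon field names
(EventId 1: Image, ParentImage, CommandLine, ProcessId, ParentProcessId;
EventId 3: DestinationIp, DestinationPort, DestinationHostname).
"""
import re

# Indicators taken from the report: NetWire C2, the archive.org stage hosts,
# and the argument-less .NET binary that received the injected payload.
NETWIRE_C2 = ("185.19.85.172", 1723)
STAGE_HOSTS = {"ia601503.us.archive.org", "ia601502.us.archive.org"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = "powershell.exe"
DOTNET_LOLBINS = {"aspnet_compiler.exe"}
# -ExecutionPolicy Bypass and its abbreviations (-ep bypass, -ex bypass).
BYPASS_RE = re.compile(r"-e[a-z]*\s+bypass", re.I)


def _name(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def _no_arguments(ev):
    """True when the command line is only the (optionally quoted) image path,
    as it is for aspnet_compiler.exe in the report."""
    return ev.get("CommandLine", "").strip().strip('"').lower() == ev["Image"].lower()


def ancestry(pid, procs):
    """Image names from pid up to the last parent we hold a record for."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(_name(procs[pid]["Image"]))
        pid = procs[pid]["ParentProcessId"]
    return chain


def hunt(events):
    """Return findings ({'pid', 'rule', 'detail'}) over a list of records."""
    procs = {e["ProcessId"]: e for e in events if e["EventId"] == 1}
    findings = []
    for e in events:
        pid = e["ProcessId"]
        if e["EventId"] == 1:
            img, parent = _name(e["Image"]), _name(e["ParentImage"])
            cmd = e.get("CommandLine", "")
            if img == POWERSHELL and parent in SCRIPT_HOSTS and BYPASS_RE.search(cmd):
                findings.append({"pid": pid, "rule": "script_host_spawns_powershell_bypass",
                                 "detail": cmd})
            if img in DOTNET_LOLBINS and parent == POWERSHELL and _no_arguments(e):
                findings.append({"pid": pid, "rule": "powershell_spawns_argless_dotnet_binary",
                                 "detail": " <- ".join(ancestry(pid, procs))})
        elif e["EventId"] == 3:
            dst = (e["DestinationIp"], e["DestinationPort"])
            if dst == NETWIRE_C2:
                findings.append({"pid": pid, "rule": "netwire_c2_connection",
                                 "detail": "%s:%d" % dst})
            elif e.get("DestinationHostname", "") in STAGE_HOSTS:
                findings.append({"pid": pid, "rule": "stage_download_host",
                                 "detail": e["DestinationHostname"]})
    return findings


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WS = r"C:\Windows\System32\WScript.exe"
ASPNET = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
EXPLORER = r"C:\Windows\explorer.exe"


def ev1(pid, ppid, image, parent, args=""):
    return {"EventId": 1, "ProcessId": pid, "ParentProcessId": ppid, "Image": image,
            "ParentImage": parent, "CommandLine": (f'"{image}" ' + args).strip()}


def ev3(pid, host, ip, port):
    return {"EventId": 3, "ProcessId": pid, "DestinationHostname": host,
            "DestinationIp": ip, "DestinationPort": port}


# Constructed sample: PIDs and command lines are the report's; PID 600, the
# benign run (PID 4100) and the address 203.0.113.10 are made up for the demo.
SAMPLE_EVENTS = [
    ev1(904, 600, WS, EXPLORER, r'"C:\Users\Admin\AppData\Local\Temp\Report.vbs"'),
    ev1(2108, 904, PS, WS, r"-ExecutionPolicy Bypass &'C:\Users\Public\Downloads\Run.ps1'"),
    ev1(3556, 2108, WS, PS, r'"C:\Users\Public\Run\.vbs"'),
    ev1(1828, 3556, PS, WS, r"-ExecutionPolicy Bypass &'C:\Users\Public\.ps1'"),
    ev1(2988, 1828, ASPNET, PS),
    ev1(4100, 600, PS, EXPLORER, r"-File C:\Scripts\inventory.ps1"),
    ev3(2108, "ia601503.us.archive.org", "203.0.113.10", 443),
    ev3(2988, "", "185.19.85.172", 1723),
    ev3(4100, "", "10.0.0.5", 5985),
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f["pid"], f["rule"], f["detail"])
```

The argument-less-.NET-binary rule is the most durable of the three: the C2 address and the archive.org stage hosts change between campaigns, whereas a .NET framework binary started by PowerShell with an empty command line is a hollowing pattern worth alerting on regardless of family. The ancestry string in its detail field makes the double script-host/PowerShell hop visible to the analyst without a second query.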
Network
No network capture is listed in this report. The C2 address 185.19.85.172:1723 comes from the extracted configuration, and the only network activity recorded is the two blocklisted requests made by powershell.exe (PIDs 2108 and 1828).

MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

Dropped files
The first two entries are routine side-effects of running PowerShell (the CLR usage log and PowerShell's non-interactive startup profile cache), not payload; the three files under C:\Users\Public are the staged scripts from the process tree.

- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  MD5: ea6243fdb2bfcca2211884b0a21a0afc
  SHA1: 2eee5232ca6acc33c3e7de03900e890f4adf0f2f
  SHA256: 5bc7d9831ea72687c5458cae6ae4eb7ab92975334861e08065242e689c1a1ba8
  SHA512: 189db6779483e5be80331b2b64e17b328ead5e750482086f3fe4baae315d47d207d88082b323a6eb777f2f47e29cac40f37dda1400462322255849cbcc973940

- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5: d4b10e424ba24aadc007780734b09997
  SHA1: a6c753b804678aecadd7e896cc91d23696810ef5
  SHA256: 0346846bad2e2945283a47de0a3eb6cd998ed0b6b36b84bdda74fd1a889ed936
  SHA512: 14c6a7f549130143eef8ca18f9c4f74cd0b7aabd3522deacdfe5195bafd8908994deb708dc68fd7ea6a0efc8d00834bd27eb9448c6448b1688b39a55c4a5475d

- C:\Users\Public\.ps1
  MD5: 311019951fab6b50122cf893b6f9c739
  SHA1: 8f43f1fd691ce476d7d00f6ed89faccc192f7ba0
  SHA256: d5533e273a52a62223a6c9aa7dc4c3b1c2feba447b525ff1eeed8da646a8d9ce
  SHA512: 80586f0fa6f588d715473362a584cd93094d5030b22f8c383c24f224a01d46f50acb9a8be4287a522cf43380f5f8bcd59bd3e5eb8adcd38736ab4da08e6702b6

- C:\Users\Public\Downloads\Run.ps1
  MD5: b8bc64b57cf34bc5e4d8b7ba0380da81
  SHA1: 00b43eed0b84ae25ddd251c0d813e3cef26bec2f
  SHA256: 9a5a102789547906b8c11ddb4ad42033ba4f80430474811a50543fe08a50c78b
  SHA512: 863bb84c3cb1a525a31242dcef926a1026eae8c226a4f5d4ef24aa22dfb606c0bd31c111b591e327f13c8fbb11377c484983d3583ad5bad92fbc33c97103c751

- C:\Users\Public\Run\.vbs
  MD5: 17ebb4c06e80f056a5ac11aaa2b1010c
  SHA1: d3421c4cd4b204583068996c1849188238a6cd22
  SHA256: a05ef5de2d8063812442ec091bcef0d33e66d94ca54feb8744038552e1284489
  SHA512: d9f9412d65d1ffee143fb9395a33569c66817940636c89e07f00099e0ce1d8b3d866438cb59641b16d7f9aa628be5e0c2b4264899b87cbb2a88abdf691759401

Memory dumps
- memory/1828-178-0x000001FDD0FD6000-0x000001FDD0FD8000-memory.dmp (8KB)
- memory/1828-174-0x000001FDD0FD0000-0x000001FDD0FD2000-memory.dmp (8KB)
- memory/1828-179-0x000001FDD0FC0000-0x000001FDD0FCE000-memory.dmp (56KB)
- memory/1828-176-0x000001FDD0FD3000-0x000001FDD0FD5000-memory.dmp (8KB)
- memory/1828-157-0x0000000000000000-mapping.dmp
- memory/2108-120-0x0000021D801E0000-0x0000021D801E1000-memory.dmp (4KB)
- memory/2108-125-0x0000021D80390000-0x0000021D80391000-memory.dmp (4KB)
- memory/2108-133-0x0000021DFDF16000-0x0000021DFDF18000-memory.dmp (8KB)
- memory/2108-129-0x0000021DFDF10000-0x0000021DFDF12000-memory.dmp (8KB)
- memory/2108-130-0x0000021DFDF13000-0x0000021DFDF15000-memory.dmp (8KB)
- memory/2108-114-0x0000000000000000-mapping.dmp
- memory/2988-180-0x0000000000400000-0x0000000000433000-memory.dmp (204KB, netwire YARA hit)
- memory/2988-181-0x000000000040242D-mapping.dmp (netwire YARA hit)
- memory/2988-185-0x0000000000400000-0x0000000000433000-memory.dmp (204KB, netwire YARA hit)
- memory/3556-154-0x0000000000000000-mapping.dmp
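The dropped-file paths and hashes above are the host-side indicators a responder would sweep for. The following is an added example, not part of the sandbox report: a Python sweep that checks a drive root (or a mounted image) for each indicator path, rewriting the sandbox's C:\Users\Admin profile to every profile on the target, and reports a match, an absent file, or a file present at the indicator path with a different hash. The last case matters because paths such as C:\Users\Public\.ps1 are suspicious whatever they contain. The demo tree and its placeholder file contents are constructed; the SHA-256 values are the report's, except that the Run.ps1 indicator is replaced with the placeholder's own hash so the demo also exercises the "match" branch.

```python
r"""
Added example (not from the report): sweep a host or mounted image for the
files listed under Downloads, by expected path and SHA-256.  A file present at
an indicator path with a different hash is reported as well, since paths such
as C:\Users\Public\.ps1 are suspicious whatever they contain.
"""
import hashlib
import tempfile
from pathlib import Path

# Path -> SHA-256, copied from the report.  The CLR usage log and the PowerShell
# startup profile cache are left out: they are side-effects of running
# PowerShell, not payload.
DROPPED_FILES = {
    "C:\\Users\\Admin\\AppData\\Local\\Temp\\Report.vbs":
        "4c9598c117cec5c9638aedfb48b1c8b18181f2e5265b723ff0210f9f79ef3419",
    "C:\\Users\\Public\\Downloads\\Run.ps1":
        "9a5a102789547906b8c11ddb4ad42033ba4f80430474811a50543fe08a50c78b",
    "C:\\Users\\Public\\Run\\.vbs":
        "a05ef5de2d8063812442ec091bcef0d33e66d94ca54feb8744038552e1284489",
    "C:\\Users\\Public\\.ps1":
        "d5533e273a52a62223a6c9aa7dc4c3b1c2feba447b525ff1eeed8da646a8d9ce",
}
ADMIN_PREFIX = "C:\\Users\\Admin\\"   # the sandbox user; substituted per profile


def sha256_file(path, chunk=1 << 20):
    """Streaming SHA-256 so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def expand_profiles(win_path, profiles):
    """Rewrite an indicator under the sandbox user's profile to each profile
    on the target host; other paths are returned unchanged."""
    if not win_path.startswith(ADMIN_PREFIX):
        return [win_path]
    tail = win_path[len(ADMIN_PREFIX):]
    return ["C:\\Users\\%s\\%s" % (p, tail) for p in profiles]


def sweep(root, indicators=DROPPED_FILES, profiles=("Admin",)):
    """root stands in for the system drive (live or a mounted image).
    Returns {windows_path: 'match' | 'present_hash_mismatch' | 'absent'}."""
    results = {}
    for win_path, expected in indicators.items():
        for cand in expand_profiles(win_path, profiles):
            local = Path(root).joinpath(*cand[len("C:\\"):].split("\\"))
            if not local.is_file():
                results[cand] = "absent"
            elif sha256_file(local) == expected:
                results[cand] = "match"
            else:
                results[cand] = "present_hash_mismatch"
    return results


def run_demo():
    """Build a constructed tree (placeholder contents, not the real stages)
    and sweep it for two profiles.  The Run.ps1 indicator hash is replaced by
    the placeholder's own hash so the demo also shows a 'match'."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, data in {
            "Users/Public/.ps1": b"# placeholder second stage\n",
            "Users/Public/Downloads/Run.ps1": b"# placeholder first stage\n",
            "Users/Bob/AppData/Local/Temp/Report.vbs": b"' placeholder dropper\n",
        }.items():
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
        indicators = dict(DROPPED_FILES)
        indicators["C:\\Users\\Public\\Downloads\\Run.ps1"] = sha256_file(
            root / "Users/Public/Downloads/Run.ps1")
        return sweep(root, indicators, profiles=("Alice", "Bob"))


if __name__ == "__main__":
    for path, verdict in sorted(run_demo().items()):
        print(verdict.ljust(22), path)
```

On a live host, pass the drive root (for example `sweep("C:\\", profiles=[d.name for d in Path("C:/Users").iterdir()])`); on a forensic image, pass the mount point. A "present_hash_mismatch" on the C:\Users\Public paths should be triaged as a probable variant rather than dismissed.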