Overview

overview

10

Static

static

Report.vbs

windows7_x64

10

Report.vbs

windows10_x64

10

Analysis

  • max time kernel
    115s
  • max time network
    163s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    24-06-2021 05:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Report.vbs

  • Size

    2KB

  • MD5

    a8f586a5d679762297d619757ee0b3d4

  • SHA1

    f7957547bba9c521db2714bcd2f30d446444ed14

  • SHA256

    4c9598c117cec5c9638aedfb48b1c8b18181f2e5265b723ff0210f9f79ef3419

  • SHA512

    9253e310755262e16d90075f1507ecc9cf5c720af53f9f286f4a439163fda7187d400ad939ebf6afaf79cdf0926439cc6672f6421b39319e7c4e7e1cf1b50e2c

Score
10/10
netwirebotnetratstealer

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://ia601503.us.archive.org/2/items/bypass_xca/bypass_xca.TXT

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://ia601502.us.archive.org/24/items/server-lxx/Server_lxx_.txt

Extracted

Family

netwire

C2

185.19.85.172:1723

Attributes
  • activex_autorun

    false

  • activex_key

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • install_path

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • mutex

  • offline_keylogger

    true

  • password

    Password

  • registry_autorun

    false

  • startup_name

  • use_mutex

    false

Signatures

  • NetWire RAT payload 3 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Blocklisted process makes network request 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Report.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1916
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass &'C:\Users\Public\Downloads\Run.ps1'
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1760
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Public\Run\.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1124
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass &'C:\Users\Public\.ps1'
          4⤵
          • Blocklisted process makes network request
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1904
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
            5⤵
              PID:1868

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
      MD5

      56043cb56c1899ec0743ee307652ade3

      SHA1

      df46550ee12929c134ea428e2d249d8bb89c350b

      SHA256

      381b86512f3b21982e0cb2ed46a9df661c13845b05b097cd82878d0c4690a67a

      SHA512

      b5cc1af6ef192172bf6d3de5bd10f63990cf19f425f4e08ab9986ea9dec856b421fbee97b371c9132cbc4d215d4d472cfcb32708bca1e85f5458bfc208388ad8

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      MD5

      365811a4f802dfcf929ef3e4d8a096ea

      SHA1

      4f503ed1f8732966ed8cdba05c7dcc7417c7c6b2

      SHA256

      3fd24cd27c8d79de67d8620e2b9693eda0f052a87cc81183a63225a720d721ab

      SHA512

      cfc1ed7a2c8cc6f215150c7f0bf267e6126e921976acf685f2e6de2f8d468890f07d9619485c0bf7df46fd3a046b42890a58094d02ce638957dfc0deb2670666

      Download Submit
    • C:\Users\Public\.ps1
      MD5

      311019951fab6b50122cf893b6f9c739

      SHA1

      8f43f1fd691ce476d7d00f6ed89faccc192f7ba0

      SHA256

      d5533e273a52a62223a6c9aa7dc4c3b1c2feba447b525ff1eeed8da646a8d9ce

      SHA512

      80586f0fa6f588d715473362a584cd93094d5030b22f8c383c24f224a01d46f50acb9a8be4287a522cf43380f5f8bcd59bd3e5eb8adcd38736ab4da08e6702b6

      Download Submit
    • C:\Users\Public\Downloads\Run.ps1
      MD5

      b8bc64b57cf34bc5e4d8b7ba0380da81

      SHA1

      00b43eed0b84ae25ddd251c0d813e3cef26bec2f

      SHA256

      9a5a102789547906b8c11ddb4ad42033ba4f80430474811a50543fe08a50c78b

      SHA512

      863bb84c3cb1a525a31242dcef926a1026eae8c226a4f5d4ef24aa22dfb606c0bd31c111b591e327f13c8fbb11377c484983d3583ad5bad92fbc33c97103c751

      Download Submit
    • C:\Users\Public\Run\.vbs
      MD5

      17ebb4c06e80f056a5ac11aaa2b1010c

      SHA1

      d3421c4cd4b204583068996c1849188238a6cd22

      SHA256

      a05ef5de2d8063812442ec091bcef0d33e66d94ca54feb8744038552e1284489

      SHA512

      d9f9412d65d1ffee143fb9395a33569c66817940636c89e07f00099e0ce1d8b3d866438cb59641b16d7f9aa628be5e0c2b4264899b87cbb2a88abdf691759401

      Download Submit
    • memory/1124-71-0x0000000000000000-mapping.dmp
      Download
    • memory/1760-63-0x000000001AB60000-0x000000001AB61000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1760-62-0x00000000024A0000-0x00000000024A1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1760-64-0x000000001AAE0000-0x000000001AAE2000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1760-66-0x00000000024E0000-0x00000000024E1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1760-67-0x0000000002400000-0x0000000002401000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1760-69-0x000000001C440000-0x000000001C441000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1760-70-0x000000001AA40000-0x000000001AA41000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1760-60-0x0000000000000000-mapping.dmp
      Download
    • memory/1760-65-0x000000001AAE4000-0x000000001AAE6000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1868-90-0x0000000000400000-0x0000000000433000-memory.dmp
      Filesize

      204KB

      Download
    • memory/1868-88-0x000000000040242D-mapping.dmp
      Download
    • memory/1868-89-0x0000000074FB1000-0x0000000074FB3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1868-87-0x0000000000400000-0x0000000000433000-memory.dmp
      Filesize

      204KB

      Download
    • memory/1904-81-0x000000001A9A4000-0x000000001A9A6000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1904-82-0x0000000002400000-0x0000000002401000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1904-74-0x0000000000000000-mapping.dmp
      Download
    • memory/1904-78-0x000000001AA20000-0x000000001AA21000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1904-86-0x000000001B430000-0x000000001B43E000-memory.dmp
      Filesize

      56KB

      Download
    • memory/1904-85-0x000000001C280000-0x000000001C281000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1904-80-0x00000000026A0000-0x00000000026A1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1904-79-0x000000001A9A0000-0x000000001A9A2000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1904-77-0x000000001A850000-0x000000001A851000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1916-59-0x000007FEFB741000-0x000007FEFB743000-memory.dmp
      Filesize

      8KB

      Download