Analysis
-
max time kernel
106s -
max time network
110s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
24-06-2021 05:52
General
-
Target
Report.vbs
-
Size
2KB
-
MD5
a8f586a5d679762297d619757ee0b3d4
-
SHA1
f7957547bba9c521db2714bcd2f30d446444ed14
-
SHA256
4c9598c117cec5c9638aedfb48b1c8b18181f2e5265b723ff0210f9f79ef3419
-
SHA512
9253e310755262e16d90075f1507ecc9cf5c720af53f9f286f4a439163fda7187d400ad939ebf6afaf79cdf0926439cc6672f6421b39319e7c4e7e1cf1b50e2c
Malware Config
Extracted
https://ia601503.us.archive.org/2/items/bypass_xca/bypass_xca.TXT
Extracted
https://ia601502.us.archive.org/24/items/server-lxx/Server_lxx_.txt
Extracted
netwire
185.19.85.172:1723
-
activex_autorun
false
- activex_key
-
copy_executable
false
-
delete_original
false
-
host_id
HostId-%Rand%
- install_path
-
keylogger_dir
%AppData%\Logs\
-
lock_executable
false
- mutex
-
offline_keylogger
true
-
password
Password
-
registry_autorun
false
- startup_name
-
use_mutex
false
Signatures
-
NetWire RAT payload 3 IoCs
-
Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
-
Blocklisted process makes network request 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Report.vbs"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass &'C:\Users\Public\Downloads\Run.ps1'2⤵
- Blocklisted process makes network request
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Public\Run\.vbs"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass &'C:\Users\Public\.ps1'4⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"5⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logMD5
010c219c46b4439bc787644989e20389
SHA1f3a63066ab4446458bd6417386777e39e09b9b25
SHA2562a7c264d94398912c720de578b6d959b2457582182b8f2cc98281f27ef6701aa
SHA512c6967d2a37b9a45f491138b638d99e5fa09ef38f680c887bfbc2336c683deae86f4d6626f6defc8c0aabccf545923a708df05825de8102086a8f333a58e74963
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
eaaebb36b0e558ad1fd24d57681ab216
SHA133e99247d218a22d1c13fdaac4a5408b5145fbf9
SHA25669802684d6b92de32bb10ca8b4f927a975a63d3f51fa79e74394b256b1042798
SHA512b24478eb6e90c79176ad23180d283bd75bac66793ef28dde1196bca455e72b557cfc0de3610eb0f00c6c1296fd926ef2853e79fbfceed4977123161dc88edbf0
-
C:\Users\Public\.ps1MD5
311019951fab6b50122cf893b6f9c739
SHA18f43f1fd691ce476d7d00f6ed89faccc192f7ba0
SHA256d5533e273a52a62223a6c9aa7dc4c3b1c2feba447b525ff1eeed8da646a8d9ce
SHA51280586f0fa6f588d715473362a584cd93094d5030b22f8c383c24f224a01d46f50acb9a8be4287a522cf43380f5f8bcd59bd3e5eb8adcd38736ab4da08e6702b6
-
C:\Users\Public\Downloads\Run.ps1MD5
b8bc64b57cf34bc5e4d8b7ba0380da81
SHA100b43eed0b84ae25ddd251c0d813e3cef26bec2f
SHA2569a5a102789547906b8c11ddb4ad42033ba4f80430474811a50543fe08a50c78b
SHA512863bb84c3cb1a525a31242dcef926a1026eae8c226a4f5d4ef24aa22dfb606c0bd31c111b591e327f13c8fbb11377c484983d3583ad5bad92fbc33c97103c751
-
C:\Users\Public\Run\.vbsMD5
17ebb4c06e80f056a5ac11aaa2b1010c
SHA1d3421c4cd4b204583068996c1849188238a6cd22
SHA256a05ef5de2d8063812442ec091bcef0d33e66d94ca54feb8744038552e1284489
SHA512d9f9412d65d1ffee143fb9395a33569c66817940636c89e07f00099e0ce1d8b3d866438cb59641b16d7f9aa628be5e0c2b4264899b87cbb2a88abdf691759401
-
memory/220-178-0x0000020D3F180000-0x0000020D3F18E000-memory.dmpFilesize
56KB
-
memory/220-176-0x0000020D3F1F3000-0x0000020D3F1F5000-memory.dmpFilesize
8KB
-
memory/220-177-0x0000020D3F1F6000-0x0000020D3F1F8000-memory.dmpFilesize
8KB
-
memory/220-175-0x0000020D3F1F0000-0x0000020D3F1F2000-memory.dmpFilesize
8KB
-
memory/220-156-0x0000000000000000-mapping.dmp
-
memory/2364-124-0x0000026258F43000-0x0000026258F45000-memory.dmpFilesize
8KB
-
memory/2364-132-0x0000026258F46000-0x0000026258F48000-memory.dmpFilesize
8KB
-
memory/2364-120-0x0000026258EE0000-0x0000026258EE1000-memory.dmpFilesize
4KB
-
memory/2364-122-0x0000026258F40000-0x0000026258F42000-memory.dmpFilesize
8KB
-
memory/2364-114-0x0000000000000000-mapping.dmp
-
memory/2364-126-0x000002625B0A0000-0x000002625B0A1000-memory.dmpFilesize
4KB
-
memory/2824-153-0x0000000000000000-mapping.dmp
-
memory/3884-179-0x0000000000400000-0x0000000000433000-memory.dmpFilesize
204KB
-
memory/3884-180-0x000000000040242D-mapping.dmp
-
memory/3884-184-0x0000000000400000-0x0000000000433000-memory.dmpFilesize
204KB