Analysis
  Max time kernel: 106s
  Max time network: 110s
  Platform: windows10_x64
  Resource: win10v20210408
  Submitted: 24-06-2021 05:52
  Static task: static1
  Behavioral task: behavioral1
    Sample: Report.vbs
    Resource: win7v20210410
General
  Target: Report.vbs
  Size: 2KB
  MD5: a8f586a5d679762297d619757ee0b3d4
  SHA1: f7957547bba9c521db2714bcd2f30d446444ed14
  SHA256: 4c9598c117cec5c9638aedfb48b1c8b18181f2e5265b723ff0210f9f79ef3419
  SHA512: 9253e310755262e16d90075f1507ecc9cf5c720af53f9f286f4a439163fda7187d400ad939ebf6afaf79cdf0926439cc6672f6421b39319e7c4e7e1cf1b50e2c
Malware Config
  Extracted: https://ia601503.us.archive.org/2/items/bypass_xca/bypass_xca.TXT
  Extracted: https://ia601502.us.archive.org/24/items/server-lxx/Server_lxx_.txt
  Extracted: netwire
    185.19.85.172:1723
    activex_autorun: false
    activex_key: (empty)
    copy_executable: false
    delete_original: false
    host_id: HostId-%Rand%
    install_path: (empty)
    keylogger_dir: %AppData%\Logs\
    lock_executable: false
    mutex: (empty)
    offline_keylogger: true
    password: Password
    registry_autorun: false
    startup_name: (empty)
    use_mutex: false
Signatures

NetWire RAT payload (3 IoCs)
  Resource                                                                       YARA rule
  behavioral2/memory/3884-179-0x0000000000400000-0x0000000000433000-memory.dmp  netwire
  behavioral2/memory/3884-180-0x000000000040242D-mapping.dmp                    netwire
  behavioral2/memory/3884-184-0x0000000000400000-0x0000000000433000-memory.dmp  netwire

Blocklisted process makes network request (2 IoCs)
  Flow  PID   Process
  7     2364  powershell.exe
  16    220   powershell.exe

Suspicious use of SetThreadContext (1 IoC)
  Description                         PID  Process         Target process
  PID 220 set thread context of 3884  220  powershell.exe  aspnet_compiler.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class (1 IoC)
  Description  IoC                                                                                   Process
  Key created  \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings  powershell.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
  PID   Process
  2364  powershell.exe
  2364  powershell.exe
  2364  powershell.exe
  220   powershell.exe
  220   powershell.exe
  220   powershell.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Description              PID   Process
  Token: SeDebugPrivilege  2364  powershell.exe
  Token: SeDebugPrivilege  220   powershell.exe

Suspicious use of WriteProcessMemory (17 IoCs)
  Description                        PID   Process         Target process
  PID 652 wrote to memory of 2364    652   WScript.exe     powershell.exe
  PID 652 wrote to memory of 2364    652   WScript.exe     powershell.exe
  PID 2364 wrote to memory of 2824   2364  powershell.exe  WScript.exe
  PID 2364 wrote to memory of 2824   2364  powershell.exe  WScript.exe
  PID 2824 wrote to memory of 220    2824  WScript.exe     powershell.exe
  PID 2824 wrote to memory of 220    2824  WScript.exe     powershell.exe
  PID 220 wrote to memory of 3884    220   powershell.exe  aspnet_compiler.exe
  PID 220 wrote to memory of 3884    220   powershell.exe  aspnet_compiler.exe
  PID 220 wrote to memory of 3884    220   powershell.exe  aspnet_compiler.exe
  PID 220 wrote to memory of 3884    220   powershell.exe  aspnet_compiler.exe
  PID 220 wrote to memory of 3884    220   powershell.exe  aspnet_compiler.exe
  PID 220 wrote to memory of 3884    220   powershell.exe  aspnet_compiler.exe
  PID 220 wrote to memory of 3884    220   powershell.exe  aspnet_compiler.exe
  PID 220 wrote to memory of 3884    220   powershell.exe  aspnet_compiler.exe
  PID 220 wrote to memory of 3884    220   powershell.exe  aspnet_compiler.exe
  PID 220 wrote to memory of 3884    220   powershell.exe  aspnet_compiler.exe
  PID 220 wrote to memory of 3884    220   powershell.exe  aspnet_compiler.exe
Processes (tree, depth 1 to 5)

1. C:\Windows\System32\WScript.exe
   Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Report.vbs"
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass &'C:\Users\Public\Downloads\Run.ps1'
      - Blocklisted process makes network request
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\System32\WScript.exe
         Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Public\Run\.vbs"
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass &'C:\Users\Public\.ps1'
            - Blocklisted process makes network request
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

            5. C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
               Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
Downloads

  C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    MD5: 010c219c46b4439bc787644989e20389
    SHA1: f3a63066ab4446458bd6417386777e39e09b9b25
    SHA256: 2a7c264d94398912c720de578b6d959b2457582182b8f2cc98281f27ef6701aa
    SHA512: c6967d2a37b9a45f491138b638d99e5fa09ef38f680c887bfbc2336c683deae86f4d6626f6defc8c0aabccf545923a708df05825de8102086a8f333a58e74963

  C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    MD5: eaaebb36b0e558ad1fd24d57681ab216
    SHA1: 33e99247d218a22d1c13fdaac4a5408b5145fbf9
    SHA256: 69802684d6b92de32bb10ca8b4f927a975a63d3f51fa79e74394b256b1042798
    SHA512: b24478eb6e90c79176ad23180d283bd75bac66793ef28dde1196bca455e72b557cfc0de3610eb0f00c6c1296fd926ef2853e79fbfceed4977123161dc88edbf0

  C:\Users\Public\.ps1
    MD5: 311019951fab6b50122cf893b6f9c739
    SHA1: 8f43f1fd691ce476d7d00f6ed89faccc192f7ba0
    SHA256: d5533e273a52a62223a6c9aa7dc4c3b1c2feba447b525ff1eeed8da646a8d9ce
    SHA512: 80586f0fa6f588d715473362a584cd93094d5030b22f8c383c24f224a01d46f50acb9a8be4287a522cf43380f5f8bcd59bd3e5eb8adcd38736ab4da08e6702b6

  C:\Users\Public\Downloads\Run.ps1
    MD5: b8bc64b57cf34bc5e4d8b7ba0380da81
    SHA1: 00b43eed0b84ae25ddd251c0d813e3cef26bec2f
    SHA256: 9a5a102789547906b8c11ddb4ad42033ba4f80430474811a50543fe08a50c78b
    SHA512: 863bb84c3cb1a525a31242dcef926a1026eae8c226a4f5d4ef24aa22dfb606c0bd31c111b591e327f13c8fbb11377c484983d3583ad5bad92fbc33c97103c751

  C:\Users\Public\Run\.vbs
    MD5: 17ebb4c06e80f056a5ac11aaa2b1010c
    SHA1: d3421c4cd4b204583068996c1849188238a6cd22
    SHA256: a05ef5de2d8063812442ec091bcef0d33e66d94ca54feb8744038552e1284489
    SHA512: d9f9412d65d1ffee143fb9395a33569c66817940636c89e07f00099e0ce1d8b3d866438cb59641b16d7f9aa628be5e0c2b4264899b87cbb2a88abdf691759401

Memory dumps

  memory/220-178-0x0000020D3F180000-0x0000020D3F18E000-memory.dmp
    Filesize: 56KB
  memory/220-176-0x0000020D3F1F3000-0x0000020D3F1F5000-memory.dmp
    Filesize: 8KB
  memory/220-177-0x0000020D3F1F6000-0x0000020D3F1F8000-memory.dmp
    Filesize: 8KB
  memory/220-175-0x0000020D3F1F0000-0x0000020D3F1F2000-memory.dmp
    Filesize: 8KB
  memory/220-156-0x0000000000000000-mapping.dmp
  memory/2364-124-0x0000026258F43000-0x0000026258F45000-memory.dmp
    Filesize: 8KB
  memory/2364-132-0x0000026258F46000-0x0000026258F48000-memory.dmp
    Filesize: 8KB
  memory/2364-120-0x0000026258EE0000-0x0000026258EE1000-memory.dmp
    Filesize: 4KB
  memory/2364-122-0x0000026258F40000-0x0000026258F42000-memory.dmp
    Filesize: 8KB
  memory/2364-114-0x0000000000000000-mapping.dmp
  memory/2364-126-0x000002625B0A0000-0x000002625B0A1000-memory.dmp
    Filesize: 4KB
  memory/2824-153-0x0000000000000000-mapping.dmp
  memory/3884-179-0x0000000000400000-0x0000000000433000-memory.dmp
    Filesize: 204KB
  memory/3884-180-0x000000000040242D-mapping.dmp
  memory/3884-184-0x0000000000400000-0x0000000000433000-memory.dmp
    Filesize: 204KB