Overview

overview

10

Static

static

4.vbs

windows7_x64

10

4.vbs

windows10_x64

10

Analysis

  • max time kernel
    134s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    02-07-2021 14:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4.vbs

  • Size

    2KB

  • MD5

    7eb0c3e8d56bd16f621cf7cb7b28043c

  • SHA1

    906d0a06d1274c9e1805ccffa9119f1ddfc9bac9

  • SHA256

    423927640b464a7d3ecbe5e923f42f0808f38f35bf47c3134ef5bf4581821b98

  • SHA512

    3071cfaabcf59ccde2e036a16ccf01a422f551fbb7144e33a4eb7b2f845a5522a3ef9720bb2670b718f968c1bbe044fe99893dabf1cad753b6cc94e379e59646

Score
10/10
netwirebotnetratstealer

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://ia601409.us.archive.org/32/items/bypass1sd/bypass1sd.TXT

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://ia601503.us.archive.org/32/items/Serverne/Serverne.txt

Extracted

Family

netwire

C2

185.19.85.172:1723

Attributes
  • activex_autorun

    false

  • activex_key

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • install_path

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • mutex

  • offline_keylogger

    true

  • password

    Password

  • registry_autorun

    false

  • startup_name

  • use_mutex

    false

Signatures

  • NetWire RAT payload 3 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Blocklisted process makes network request 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:308
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass &'C:\Users\Public\Downloads\Run.ps1'
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1736
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Public\Run\.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1612
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass &'C:\Users\Public\.ps1'
          4⤵
          • Blocklisted process makes network request
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1668
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
            5⤵
              PID:1552
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
              5⤵
                PID:868

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Credential Access

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
        MD5

        2f8ed438dd8b683dda7b749cac9dc0e1

        SHA1

        c8534424e9b29e4470b3209c7d47375105501703

        SHA256

        b442212f6169068629774fcc587129423bc5213b3c1104e1ef714ed5fd2360ac

        SHA512

        660ac1fcc98ddf62ea2d8304fcd265028e57d808ebec847db5f03d007b010da7370ac2ed3c2c1782c4be392d54216db172b0fff4f4c0fe27c7c5a7d884beed4e

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
        MD5

        72255931e44d27a02d1b04a39db1ebd6

        SHA1

        7b266b4d4adbcf3110702f497541de5d70aa6948

        SHA256

        58e8b80c3252378145c309162c4facc4f078b5b4bdbecdf4c194ffaceb29a62c

        SHA512

        b7d7095866c2e214c8292b1cc3d074e8b069d24b454e889188f44704a2eebaee393a7fdab86a3070d444fffce7cf7f2b6b479482a6432b253b09e96a19656b29

        Download Submit
      • C:\Users\Public\.ps1
        MD5

        49ed3a79ad1d1fd9a62d213f4a97f3a7

        SHA1

        b03c6b1b5936f6600e346e4e94d0e164e72dbedc

        SHA256

        12a00f0af753d217cf68a32e549304bf6df86414b6a5b47a37b44cd91f36fe11

        SHA512

        a26632debef68c8db7efd48650c72cbef16b7fba3760490dffd7f0c03aa7331a48f00d6d30ac89126a6f42cfe2d53e6c6ec08a3cee9ee8d4cab47790cc9b824f

        Download Submit
      • C:\Users\Public\Downloads\Run.ps1
        MD5

        40d30e0b7df0d993a4ccd0b89c77f3fe

        SHA1

        20229279d9d1b3d38da9f23b3969036747ecb741

        SHA256

        91224a3d13c8ff4be2f2150a9751f82fb6dd3797851537e449447aaad0788c81

        SHA512

        1ba11344b63642f41cd418fa31f3b7984a1a7712392a5b3951838d0e3b8d75955bf2a2e27cc20b01e1c5ad632cd8dc66b91a15b9f19a703b42bf72741f4a0805

        Download Submit
      • C:\Users\Public\Run\.vbs
        MD5

        17ebb4c06e80f056a5ac11aaa2b1010c

        SHA1

        d3421c4cd4b204583068996c1849188238a6cd22

        SHA256

        a05ef5de2d8063812442ec091bcef0d33e66d94ca54feb8744038552e1284489

        SHA512

        d9f9412d65d1ffee143fb9395a33569c66817940636c89e07f00099e0ce1d8b3d866438cb59641b16d7f9aa628be5e0c2b4264899b87cbb2a88abdf691759401

        Download Submit
      • memory/308-60-0x000007FEFC661000-0x000007FEFC663000-memory.dmp
        Filesize

        8KB

        Download
      • memory/868-91-0x0000000000400000-0x0000000000433000-memory.dmp
        Filesize

        204KB

        Download
      • memory/868-88-0x0000000000400000-0x0000000000433000-memory.dmp
        Filesize

        204KB

        Download
      • memory/868-90-0x0000000075A31000-0x0000000075A33000-memory.dmp
        Filesize

        8KB

        Download
      • memory/868-89-0x000000000040242D-mapping.dmp
        Download
      • memory/1612-72-0x0000000000000000-mapping.dmp
        Download
      • memory/1668-75-0x0000000000000000-mapping.dmp
        Download
      • memory/1668-78-0x0000000001EC0000-0x0000000001EC1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1668-83-0x000000001AC94000-0x000000001AC96000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1668-87-0x0000000002350000-0x000000000235E000-memory.dmp
        Filesize

        56KB

        Download
      • memory/1668-79-0x000000001AD10000-0x000000001AD11000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1668-86-0x000000001C480000-0x000000001C481000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1668-80-0x0000000002450000-0x0000000002451000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1668-81-0x0000000002580000-0x0000000002581000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1668-82-0x000000001AC90000-0x000000001AC92000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1736-66-0x000000001AA10000-0x000000001AA12000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1736-63-0x0000000002400000-0x0000000002401000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1736-61-0x0000000000000000-mapping.dmp
        Download
      • memory/1736-64-0x000000001AA90000-0x000000001AA91000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1736-65-0x00000000024C0000-0x00000000024C1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1736-68-0x00000000022F0000-0x00000000022F1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1736-71-0x000000001C320000-0x000000001C321000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1736-70-0x000000001B400000-0x000000001B401000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1736-67-0x000000001AA14000-0x000000001AA16000-memory.dmp
        Filesize

        8KB

        Download