Overview

overview

10

Static

static

4.vbs

windows7_x64

10

4.vbs

windows10_x64

10

Analysis

  • max time kernel
    126s
  • max time network
    136s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    02-07-2021 14:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4.vbs

  • Size

    2KB

  • MD5

    7eb0c3e8d56bd16f621cf7cb7b28043c

  • SHA1

    906d0a06d1274c9e1805ccffa9119f1ddfc9bac9

  • SHA256

    423927640b464a7d3ecbe5e923f42f0808f38f35bf47c3134ef5bf4581821b98

  • SHA512

    3071cfaabcf59ccde2e036a16ccf01a422f551fbb7144e33a4eb7b2f845a5522a3ef9720bb2670b718f968c1bbe044fe99893dabf1cad753b6cc94e379e59646

Score
10/10
netwirebotnetratstealer

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://ia601409.us.archive.org/32/items/bypass1sd/bypass1sd.TXT

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://ia601503.us.archive.org/32/items/Serverne/Serverne.txt

Extracted

Family

netwire

C2

185.19.85.172:1723

Attributes
  • activex_autorun

    false

  • activex_key

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • install_path

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • mutex

  • offline_keylogger

    true

  • password

    Password

  • registry_autorun

    false

  • startup_name

  • use_mutex

    false

Signatures

  • NetWire RAT payload 3 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Blocklisted process makes network request 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:528
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass &'C:\Users\Public\Downloads\Run.ps1'
      2⤵
      • Blocklisted process makes network request
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1708
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Public\Run\.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:528
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass &'C:\Users\Public\.ps1'
          4⤵
          • Blocklisted process makes network request
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:232
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
            5⤵
              PID:2252

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      MD5

      ea6243fdb2bfcca2211884b0a21a0afc

      SHA1

      2eee5232ca6acc33c3e7de03900e890f4adf0f2f

      SHA256

      5bc7d9831ea72687c5458cae6ae4eb7ab92975334861e08065242e689c1a1ba8

      SHA512

      189db6779483e5be80331b2b64e17b328ead5e750482086f3fe4baae315d47d207d88082b323a6eb777f2f47e29cac40f37dda1400462322255849cbcc973940

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      MD5

      3b59d2a41cac2403e67794129031dc52

      SHA1

      e261687f59b587ff557543509c2c12713b03772d

      SHA256

      f9a1b16823929190e1fe551dfe8fb812a0b7faf0d70d60af0c363dd1ceedab3c

      SHA512

      6040f57fc2e996ff58b10cd43b16236e78afa8fb83624563e5986fdf3fda3b4b92e5628d2af8ceea5440ce4b2147fc5ff47787e3edd37b199a394d6509a0fc9b

      Download Submit
    • C:\Users\Public\.ps1
      MD5

      49ed3a79ad1d1fd9a62d213f4a97f3a7

      SHA1

      b03c6b1b5936f6600e346e4e94d0e164e72dbedc

      SHA256

      12a00f0af753d217cf68a32e549304bf6df86414b6a5b47a37b44cd91f36fe11

      SHA512

      a26632debef68c8db7efd48650c72cbef16b7fba3760490dffd7f0c03aa7331a48f00d6d30ac89126a6f42cfe2d53e6c6ec08a3cee9ee8d4cab47790cc9b824f

      Download Submit
    • C:\Users\Public\Downloads\Run.ps1
      MD5

      40d30e0b7df0d993a4ccd0b89c77f3fe

      SHA1

      20229279d9d1b3d38da9f23b3969036747ecb741

      SHA256

      91224a3d13c8ff4be2f2150a9751f82fb6dd3797851537e449447aaad0788c81

      SHA512

      1ba11344b63642f41cd418fa31f3b7984a1a7712392a5b3951838d0e3b8d75955bf2a2e27cc20b01e1c5ad632cd8dc66b91a15b9f19a703b42bf72741f4a0805

      Download Submit
    • C:\Users\Public\Run\.vbs
      MD5

      17ebb4c06e80f056a5ac11aaa2b1010c

      SHA1

      d3421c4cd4b204583068996c1849188238a6cd22

      SHA256

      a05ef5de2d8063812442ec091bcef0d33e66d94ca54feb8744038552e1284489

      SHA512

      d9f9412d65d1ffee143fb9395a33569c66817940636c89e07f00099e0ce1d8b3d866438cb59641b16d7f9aa628be5e0c2b4264899b87cbb2a88abdf691759401

      Download Submit
    • memory/232-165-0x000002B9DCF20000-0x000002B9DCF22000-memory.dmp
      Filesize

      8KB

      Download
    • memory/232-166-0x000002B9DCF23000-0x000002B9DCF25000-memory.dmp
      Filesize

      8KB

      Download
    • memory/232-173-0x000002B9DD1D0000-0x000002B9DD1DE000-memory.dmp
      Filesize

      56KB

      Download
    • memory/232-172-0x000002B9DCF26000-0x000002B9DCF28000-memory.dmp
      Filesize

      8KB

      Download
    • memory/232-154-0x0000000000000000-mapping.dmp
      Download
    • memory/528-151-0x0000000000000000-mapping.dmp
      Download
    • memory/1708-123-0x0000014CF41F0000-0x0000014CF41F2000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1708-130-0x0000014CF41F6000-0x0000014CF41F8000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1708-124-0x0000014CF41F3000-0x0000014CF41F5000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1708-122-0x0000014CF4480000-0x0000014CF4481000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1708-119-0x0000014CF4180000-0x0000014CF4181000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1708-114-0x0000000000000000-mapping.dmp
      Download
    • memory/2252-174-0x0000000000400000-0x0000000000433000-memory.dmp
      Filesize

      204KB

      Download
    • memory/2252-175-0x000000000040242D-mapping.dmp
      Download
    • memory/2252-179-0x0000000000400000-0x0000000000433000-memory.dmp
      Filesize

      204KB

      Download