Analysis
- max time kernel: 126s
- max time network: 136s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 02-07-2021 14:01
- Static task: static1
- Behavioral task: behavioral1
- Sample: 4.vbs
- Resource: win7v20210410
General
- Target: 4.vbs
- Size: 2KB
- MD5: 7eb0c3e8d56bd16f621cf7cb7b28043c
- SHA1: 906d0a06d1274c9e1805ccffa9119f1ddfc9bac9
- SHA256: 423927640b464a7d3ecbe5e923f42f0808f38f35bf47c3134ef5bf4581821b98
- SHA512: 3071cfaabcf59ccde2e036a16ccf01a422f551fbb7144e33a4eb7b2f845a5522a3ef9720bb2670b718f968c1bbe044fe99893dabf1cad753b6cc94e379e59646
Malware Config
Extracted
- https://ia601409.us.archive.org/32/items/bypass1sd/bypass1sd.TXT
Extracted
- https://ia601503.us.archive.org/32/items/Serverne/Serverne.txt
Extracted
- Family: netwire
- C2: 185.19.85.172:1723
- Attributes:
  - activex_autorun: false
  - activex_key: (empty)
  - copy_executable: false
  - delete_original: false
  - host_id: HostId-%Rand%
  - install_path: (empty)
  - keylogger_dir: %AppData%\Logs\
  - lock_executable: false
  - mutex: (empty)
  - offline_keylogger: true
  - password: Password
  - registry_autorun: false
  - startup_name: (empty)
  - use_mutex: false
Signatures
- NetWire RAT payload (3 IoCs)
  Processes:
  - behavioral2/memory/2252-174-0x0000000000400000-0x0000000000433000-memory.dmp: yara rule netwire
  - behavioral2/memory/2252-175-0x000000000040242D-mapping.dmp: yara rule netwire
  - behavioral2/memory/2252-179-0x0000000000400000-0x0000000000433000-memory.dmp: yara rule netwire
- Blocklisted process makes network request (2 IoCs)
  Processes:
  - flow 6, PID 1708, powershell.exe
  - flow 15, PID 232, powershell.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  - PID 232 (powershell.exe) set thread context of PID 2252 (aspnet_compiler.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (1 IoC)
  Processes:
  - Key created: \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings (powershell.exe)
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes:
  - PID 1708, powershell.exe (3 occurrences)
  - PID 232, powershell.exe (3 occurrences)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  - Token: SeDebugPrivilege, PID 1708, powershell.exe
  - Token: SeDebugPrivilege, PID 232, powershell.exe
- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes:
  - PID 528 (WScript.exe) wrote to memory of PID 1708 (powershell.exe), 2 occurrences
  - PID 1708 (powershell.exe) wrote to memory of PID 528 (WScript.exe), 2 occurrences
  - PID 528 (WScript.exe) wrote to memory of PID 232 (powershell.exe), 2 occurrences
  - PID 232 (powershell.exe) wrote to memory of PID 2252 (aspnet_compiler.exe), 11 occurrences
Processes
- Level 1: C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4.vbs"
  - Suspicious use of WriteProcessMemory
  - Level 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass &'C:\Users\Public\Downloads\Run.ps1'
    - Blocklisted process makes network request
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - Level 3: C:\Windows\System32\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Public\Run\.vbs"
      - Suspicious use of WriteProcessMemory
      - Level 4: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass &'C:\Users\Public\.ps1'
        - Blocklisted process makes network request
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - Level 5: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
          Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"