Overview

overview

10

Static

static

ORDER SPEC...ION.js

windows7_x64

10

ORDER SPEC...ION.js

windows10-2004_x64

10

Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    20-06-2022 07:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ORDER SPECIFICATION.js

  • Size

    81KB

  • MD5

    8c577d950786e8262f22dd3c23ca8c07

  • SHA1

    a933a3f7da664089ab715ee06ca9fdf17d9ef318

  • SHA256

    d6d4d55f2df43c5d2a35a96b53ac0f949673a901ce8aeb41ed1144ecb7b3ba09

  • SHA512

    21217ecf4c1f0aba4c72e3a7cb1d49643d506aed4ca59753e052090c4df2d8f2f607c46d7a2b95802f1686f48d45e8ca9fd0cd851ce66ecf6ce88b17db4d7c40

Score
10/10
netwirevjw0rmbotnetpersistenceratstealertrojanworm

Malware Config

Extracted

Family

netwire

C2

netuwaya.servecounterstrike.com:4734

Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • lock_executable

    false

  • offline_keylogger

    false

  • password

    Password

  • registry_autorun

    false

  • use_mutex

    false

Signatures

  • NetWire RAT payload 8 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

    trojanwormvjw0rm
  • Blocklisted process makes network request 15 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Drops startup file 2 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\ORDER SPECIFICATION.js"
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:1900
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\SdORAbNrxc.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Adds Run key to start application
      PID:1208
    • C:\Users\Admin\AppData\Roaming\QB8Dp5m5pHF6fkB.exe
      "C:\Users\Admin\AppData\Roaming\QB8Dp5m5pHF6fkB.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1520
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\HSzaYH.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:112
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HSzaYH" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE1D8.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:836
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        3⤵
          PID:532

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmpE1D8.tmp
      Filesize

      1KB

      MD5

      1c422c8262fc9fb12a5eea841200e28c

      SHA1

      374b93844ce6b45af02af021afba9a460e9ec910

      SHA256

      796df29fe9e950b48360622746a923a130633f67bab15ef9b0f3df0e2bbc9004

      SHA512

      7c7e17f21fedfae22f3ec095f2fd988680cdf9eed12953eebcbd3112e3919dc5cdbb89a515b53442c476b8d5019979fbfabcc00a3be9e52f8f4542b0bf7d29ef

      Download Submit

    • C:\Users\Admin\AppData\Roaming\QB8Dp5m5pHF6fkB.exe
      Filesize

      549KB

      MD5

      01da8ba876eb4038213d8eb6493c9947

      SHA1

      c05eb1a5b5bf52bc05bece7e2bb65e8281828e5f

      SHA256

      a4c6f718bffae66def8dc2d48d844bf90632cc708ffdc6363f2aa3021d1a6f60

      SHA512

      dec4b9ddd63fc6769ffd9a4858f9c27cce2d56e3a0ea9af7dc48ff13d04ecedaa44948329c9299a962e01c97ef455fa266eb6857e7af5868db5d354397efebaa

      Download Submit

    • C:\Users\Admin\AppData\Roaming\QB8Dp5m5pHF6fkB.exe
      Filesize

      549KB

      MD5

      01da8ba876eb4038213d8eb6493c9947

      SHA1

      c05eb1a5b5bf52bc05bece7e2bb65e8281828e5f

      SHA256

      a4c6f718bffae66def8dc2d48d844bf90632cc708ffdc6363f2aa3021d1a6f60

      SHA512

      dec4b9ddd63fc6769ffd9a4858f9c27cce2d56e3a0ea9af7dc48ff13d04ecedaa44948329c9299a962e01c97ef455fa266eb6857e7af5868db5d354397efebaa

      Download Submit

    • C:\Users\Admin\AppData\Roaming\SdORAbNrxc.js
      Filesize

      30KB

      MD5

      ce7c8bc0e2587dcc7044d337fda0320f

      SHA1

      6e4e6d39752ca7a454f7081210402e7bb1bd52d4

      SHA256

      7d70fd9144c686fe6ff23fe66e44ccbb55827b2af1a91ca60b10ef1631f0c067

      SHA512

      e395ba15f19051811d1ba5220bf2f326041a95c245f0faf47ca8b416953bdfda8e16e7fd132ff439637f5e3372c4ae1fe4baff26b6e6c7ba545077b3ffb48f28

      Download Submit

    • memory/112-65-0x0000000000000000-mapping.dmp

      Download

    • memory/112-87-0x000000006F560000-0x000000006FB0B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/112-85-0x000000006F560000-0x000000006FB0B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/532-77-0x0000000000400000-0x0000000000450000-memory.dmp

      Filesize

      320KB

      Download

    • memory/532-80-0x0000000000400000-0x0000000000450000-memory.dmp

      Filesize

      320KB

      Download

    • memory/532-88-0x0000000000400000-0x0000000000450000-memory.dmp

      Filesize

      320KB

      Download

    • memory/532-86-0x0000000000400000-0x0000000000450000-memory.dmp

      Filesize

      320KB

      Download

    • memory/532-84-0x0000000000400000-0x0000000000450000-memory.dmp

      Filesize

      320KB

      Download

    • memory/532-81-0x000000000041AE7B-mapping.dmp

      Download

    • memory/532-78-0x0000000000400000-0x0000000000450000-memory.dmp

      Filesize

      320KB

      Download

    • memory/532-70-0x0000000000400000-0x0000000000450000-memory.dmp

      Filesize

      320KB

      Download

    • memory/532-71-0x0000000000400000-0x0000000000450000-memory.dmp

      Filesize

      320KB

      Download

    • memory/532-73-0x0000000000400000-0x0000000000450000-memory.dmp

      Filesize

      320KB

      Download

    • memory/532-75-0x0000000000400000-0x0000000000450000-memory.dmp

      Filesize

      320KB

      Download

    • memory/836-67-0x0000000000000000-mapping.dmp

      Download

    • memory/1208-55-0x0000000000000000-mapping.dmp

      Download

    • memory/1520-69-0x0000000004B30000-0x0000000004B7A000-memory.dmp

      Filesize

      296KB

      Download

    • memory/1520-63-0x0000000000320000-0x000000000032E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/1520-61-0x00000000013B0000-0x000000000143E000-memory.dmp

      Filesize

      568KB

      Download

    • memory/1520-58-0x0000000000000000-mapping.dmp

      Download

    • memory/1520-62-0x0000000076011000-0x0000000076013000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1520-64-0x0000000005D30000-0x0000000005DB2000-memory.dmp

      Filesize

      520KB

      Download

    • memory/1900-54-0x000007FEFC061000-0x000007FEFC063000-memory.dmp

      Filesize

      8KB

      Download