Analysis

  • max time kernel
    34s
  • max time network
    112s
  • platform
    windows7_x64
  • resource
    win7v200430
  • submitted
    10-07-2020 05:15

General

  • Target

    nxxt.exe

  • Size

    338KB

  • MD5

    5a68d27a6d644b88a59ae764acaad552

  • SHA1

    24f135bf0c8e0db609a39fc2a5b68e644ed1ce7c

  • SHA256

    1a4ea9c422e80abe0f0abd7cbc73e3070b0345d2e9ab5ff57840230240f10f47

  • SHA512

    191b216e498e1ea68d4f61b506ea08e9f4852461bb9324febbd527a16dc4eb610f43a1457e8f2482874f6b634aaadad46c20baf2944871c40f894226e3f59783

Malware Config

Signatures

  • NTFS ADS 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops startup file 1 IoCs
  • Netwire

    Netwire is a RAT whose main functionality is focused on password stealing and keylogging, but it also includes remote control capabilities.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • NetWire RAT payload 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\nxxt.exe
    "C:\Users\Admin\AppData\Local\Temp\nxxt.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • Drops startup file
    • Suspicious behavior: EnumeratesProcesses
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    PID:272
    • C:\Users\Admin\AppData\Local\Temp\sdhost.exe
      "C:\Users\Admin\AppData\Local\Temp\sdhost.exe"
      2⤵
      • Executes dropped EXE
      PID:1116
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/nxxt.exe" "%temp%\FolderN\name.exe" /Y
      2⤵
      PID:1512
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
      2⤵
      • NTFS ADS
      PID:1776

Network

MITRE ATT&CK Matrix

Downloads

  • C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe
  • C:\Users\Admin\AppData\Local\Temp\sdhost.exe
  • \Users\Admin\AppData\Local\Temp\FolderN\name.exe
  • \Users\Admin\AppData\Local\Temp\FolderN\name.exe
  • \Users\Admin\AppData\Local\Temp\sdhost.exe
  • memory/1116-1-0x0000000000400000-0x0000000000433000-memory.dmp
    Filesize: 204KB
  • memory/1116-2-0x000000000040242D-mapping.dmp
  • memory/1116-4-0x0000000000400000-0x0000000000433000-memory.dmp
    Filesize: 204KB
  • memory/1512-5-0x0000000000000000-mapping.dmp
  • memory/1776-9-0x0000000000000000-mapping.dmp