Overview

overview

10

Static

static

NEW ORDERS.exe

windows7_x64

10

NEW ORDERS.exe

windows10_x64

10

Analysis

  • max time kernel
    132s
  • max time network
    135s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    17-12-2020 08:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NEW ORDERS.exe

  • Size

    587KB

  • MD5

    25db6bf1906d3f8e82f2e0be5c84cce5

  • SHA1

    b25465a07d80934f44c4f94c87848c19aeaa4dec

  • SHA256

    21b720127c08d4ba7b5fe44f6c1f555db9b2b98a3adc53b9f63a2fe63e6e5ead

  • SHA512

    6edb791a243b845d6dcd6226207a6a5196e01a9cd21c6d3bd6c6c03ba263ae077a18c62d7935a01ac764621fa107a9c5aefb376f2f35c05d86134b5dab0c62ad

Score
10/10
netwirebotnetratstealer

Malware Config

Signatures

  • NetWire RAT payload 3 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Suspicious use of SetThreadContext 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEW ORDERS.exe
    "C:\Users\Admin\AppData\Local\Temp\NEW ORDERS.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:868
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HPeNXWq" /XML "C:\Users\Admin\AppData\Local\Temp\tmp213.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1556
    • C:\Users\Admin\AppData\Local\Temp\NEW ORDERS.exe
      "{path}"
      2⤵
        PID:416

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp213.tmp
      MD5

      d5d8a3c48f816f3342b64429c9a81a4f

      SHA1

      3385ea1b0fd975b98a43f6c17a66c8cc0b1cee9a

      SHA256

      2bd6bcc31bc0ac681b47ae4dceb2582cc510fb0a0236f28cbad9d42aba90c4a1

      SHA512

      a34297519ec36eb76b56ff164b95681260cb606e574adf4f3a5f5606ce38af4989a12bfd56decb18e0d577197909cb755b32a4325714544f7e75e7f2661d69fb

      Download Submit
    • memory/416-9-0x0000000000400000-0x000000000042B000-memory.dmp
      Filesize

      172KB

      Download
    • memory/416-10-0x00000000004026D0-mapping.dmp
      Download
    • memory/416-11-0x0000000000400000-0x000000000042B000-memory.dmp
      Filesize

      172KB

      Download
    • memory/868-2-0x00000000741E0000-0x00000000748CE000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/868-3-0x0000000000FA0000-0x0000000000FA1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/868-5-0x0000000000430000-0x0000000000434000-memory.dmp
      Filesize

      16KB

      Download
    • memory/868-6-0x0000000005CC0000-0x0000000005D4D000-memory.dmp
      Filesize

      564KB

      Download
    • memory/1556-7-0x0000000000000000-mapping.dmp
      Download