Overview

overview

10

Static

static

URLScan

urlscan

http://stellar-airdr...

windows10_x64

10

Analysis

  • max time kernel
    91s
  • max time network
    99s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    03-03-2021 20:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    http://stellar-airdrop.com/download/Begantoda.exe

  • Sample

    210303-dkh3s21yne

Score
10/10
netwirebotnetratstealer

Malware Config

Signatures

  • NetWire RAT payload 3 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Executes dropped EXE 1 IoCs
  • Drops startup file 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 33 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://stellar-airdrop.com/download/Begantoda.exe
    1⤵
    • Modifies Internet Explorer Phishing Filter
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1232
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1232 CREDAT:82945 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:3976
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0PZ2C2W1\Begantoda.exe
      "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0PZ2C2W1\Begantoda.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3752
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        3⤵
          PID:2084
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          3⤵
            PID:3176
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pOwERsHeLl.exe
            "pOwERsHeLl.exe" Copy-Item 'C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0PZ2C2W1\Begantoda.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Trevorrendo.exe'
            3⤵
            • Drops startup file
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1460

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Modify Registry

      2
      T1112

      Credential Access

      Discovery

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
        MD5

        8f926706e689fe76043072abc7e883ec

        SHA1

        cbe1a4242672c1ac372045c9e815effebdfc6ae8

        SHA256

        de78007e2b2a44a4a2fb2c6202c11ac4aec7ac67b0afe7b809ea8b85c4dcfbc9

        SHA512

        486310b2109876bb2f08a2020b83f5ddeb2e7dcb1425628d305f2a000e3117083c1b962ce010132c98311b02679fe26e8ac218a41103a9499a6cd99529d62232

        Download Submit
      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
        MD5

        6d870c5972106083df624ed19a9c2b06

        SHA1

        e6946c1cdd728466d5cdc780ae5f6a78aefd2e18

        SHA256

        96d1fe2355cab3546eae8c4c05cbcbf42df56f373ecbcfa2b42fa35539366c03

        SHA512

        1b06cbf163c1908b8a3313c41ab8725b48d8c1c6e049161e98f917d4507d37532b7c01791abf530785b66e46965a3d40d3eb43a88cb1d5ae68f41ac79416c0b6

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0PZ2C2W1\Begantoda.exe
        MD5

        b4ff2825679835badd44aaa15256638c

        SHA1

        f67f7fac7368250b8df4d0a9b05408f775fe5f9c

        SHA256

        691f3e4b532cb3802630762dadc0eb5f894a6b5463ab5723ef67379ef3f9d31f

        SHA512

        33339d4ca2687a802ae61679bba672f926020fb319794e84bbdc84c3e68c744b8e241784f2ae5daa08ac78f58ca570539cd1ba446ec3ee4315c032937369db5a

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0PZ2C2W1\Begantoda.exe.lw2cd78.partial
        MD5

        b4ff2825679835badd44aaa15256638c

        SHA1

        f67f7fac7368250b8df4d0a9b05408f775fe5f9c

        SHA256

        691f3e4b532cb3802630762dadc0eb5f894a6b5463ab5723ef67379ef3f9d31f

        SHA512

        33339d4ca2687a802ae61679bba672f926020fb319794e84bbdc84c3e68c744b8e241784f2ae5daa08ac78f58ca570539cd1ba446ec3ee4315c032937369db5a

        Download Submit
      • memory/1460-40-0x0000000009A60000-0x0000000009A61000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1460-33-0x00000000082E0000-0x00000000082E1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1460-27-0x0000000000000000-mapping.dmp
        Download
      • memory/1460-39-0x0000000008AA0000-0x0000000008AA1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1460-38-0x0000000008BC0000-0x0000000008BC1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1460-37-0x0000000008150000-0x0000000008151000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1460-36-0x0000000007352000-0x0000000007353000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1460-35-0x0000000007350000-0x0000000007351000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1460-34-0x0000000008380000-0x0000000008381000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1460-41-0x0000000009750000-0x0000000009751000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1460-32-0x0000000008170000-0x0000000008171000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1460-31-0x0000000007FF0000-0x0000000007FF1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1460-30-0x0000000007990000-0x0000000007991000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1460-29-0x00000000072A0000-0x00000000072A1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1460-42-0x00000000097A0000-0x00000000097A1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1460-44-0x0000000007353000-0x0000000007354000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1460-28-0x000000006F650000-0x000000006FD3E000-memory.dmp
        Filesize

        6.9MB

        Download
      • memory/3176-24-0x0000000000400000-0x0000000000433000-memory.dmp
        Filesize

        204KB

        Download
      • memory/3176-25-0x000000000040242D-mapping.dmp
        Download
      • memory/3176-26-0x0000000000400000-0x0000000000433000-memory.dmp
        Filesize

        204KB

        Download
      • memory/3752-13-0x0000000004ED0000-0x0000000004ED1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3752-9-0x0000000004C40000-0x0000000004C41000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3752-20-0x0000000004EC9000-0x0000000004ECF000-memory.dmp
        Filesize

        24KB

        Download
      • memory/3752-19-0x0000000004EC8000-0x0000000004EC9000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3752-18-0x0000000004EC7000-0x0000000004EC8000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3752-17-0x0000000004EC6000-0x0000000004EC7000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3752-16-0x0000000004EC5000-0x0000000004EC6000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3752-15-0x0000000004EC3000-0x0000000004EC5000-memory.dmp
        Filesize

        8KB

        Download
      • memory/3752-14-0x0000000004EC0000-0x0000000004EC1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3752-4-0x0000000000000000-mapping.dmp
        Download
      • memory/3752-12-0x0000000004BF0000-0x0000000004BF1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3752-11-0x0000000004CE0000-0x0000000004CE1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3752-10-0x00000000051E0000-0x00000000051E1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3752-23-0x0000000005980000-0x000000000598C000-memory.dmp
        Filesize

        48KB

        Download
      • memory/3752-7-0x0000000000200000-0x0000000000201000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3752-6-0x000000006F650000-0x000000006FD3E000-memory.dmp
        Filesize

        6.9MB

        Download
      • memory/3976-2-0x0000000000000000-mapping.dmp
        Download