Overview

overview

10

Static

static

1

059d96b639...9e.exe

windows7_x64

10

059d96b639...9e.exe

windows10_x64

10

Analysis

  • max time kernel
    14s
  • max time network
    103s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    03-03-2021 19:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    059d96b63981600043166193b25f479e.exe

  • Size

    241KB

  • MD5

    059d96b63981600043166193b25f479e

  • SHA1

    7bc871be5b1905692eb1a6d93158668092cdb51c

  • SHA256

    f77b3b293e8f2218082419742b85c2156fe8c13353cec54ba021e26312d3698f

  • SHA512

    9c10be0296905681b1c52f126ee86a78fe6004f1ffc895e08b403d0726f464546fd308ee57383be23f06fd09e1f099bca3e8b7916715642bdebc2019abb1d2ed

Score
10/10
netwirebotnetratstealer

Malware Config

Signatures

  • NetWire RAT payload 1 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\059d96b63981600043166193b25f479e.exe
    "C:\Users\Admin\AppData\Local\Temp\059d96b63981600043166193b25f479e.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:648
    • C:\Users\Admin\AppData\Local\Temp\059d96b63981600043166193b25f479e.exe
      "C:\Users\Admin\AppData\Local\Temp\059d96b63981600043166193b25f479e.exe"
      2⤵
        PID:3972

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • \Users\Admin\AppData\Local\Temp\nss6807.tmp\wxh1lz88z2hnpbv.dll
      MD5

      dc75a8b470f13c8ee2509f84e5e05eb9

      SHA1

      27fe57d610f4c9ff84377911cff2c7db0aa7e0ee

      SHA256

      e416459e6f3011911ecbb3b3eba891b0f82668bef98ea6cbe05ef56dc645027d

      SHA512

      22fbfc9614c5bfbc1e6c5370144d26a540f726edb9b7d7c615f91f179f88f8eb1dff72daff51d594274a326f88404e150a91b3c95aa0b192d6d4a4d28bd11629

      Download Submit

    • memory/3972-3-0x000000000040242D-mapping.dmp

      Download

    • memory/3972-4-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download