Analysis

  • max time kernel
    147s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    05-03-2021 13:00

General

  • Target

    307e257292be5d47304c1712c8bd1342.exe

  • Size

    386KB

  • MD5

    307e257292be5d47304c1712c8bd1342

  • SHA1

    b22e2b425e3a663f7404579ebf03507713b45959

  • SHA256

    31a804fddf5f1ed1d5c1a69772bc92026f90696a6903a3a7ebaf7aef6dfa9478

  • SHA512

    8496a01a16daa648eb802d3b5ad5e06fb431202f6681afe53f6ab4c7876018169d86963574b7202e7c8653e586df64f280a21432fd4cc3ad82a97b4825db522f

Malware Config

Signatures

  • NetWire RAT payload 1 IoCs
  • Netwire

    Netwire is a RAT whose main functionality is password stealing and keylogging, but it also includes remote control capabilities.

  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature is "likely ransomware behaviour", but drive enumeration is equally routine for a RAT's remote-control and file-browsing features, so on its own it is a weak indicator; the payload match above is the decisive one here.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\307e257292be5d47304c1712c8bd1342.exe
    "C:\Users\Admin\AppData\Local\Temp\307e257292be5d47304c1712c8bd1342.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:1596
    • C:\Users\Admin\AppData\Local\Temp\307e257292be5d47304c1712c8bd1342.exe
      "C:\Users\Admin\AppData\Local\Temp\307e257292be5d47304c1712c8bd1342.exe"
      2⤵
        PID:2044

    Network

    MITRE ATT&CK Matrix (ATT&CK v6)

    • Discovery: System Information Discovery, T1082 (1)


    Downloads

    • \Users\Admin\AppData\Local\Temp\nsn6E4E.tmp\abxq191c.dll
      MD5

      ba26ab4b2985a5af1ac235659010c85e

      SHA1

      06c00b2bb76b1cbe07b0708ca34a3084aec48eb5

      SHA256

      aedf7b32123d8b8a6a2bf5a5c58b02aef9adee2a88bc0fb070bc1d034200ae07

      SHA512

      0121feb31715a882d0ad283aef6258436c8d31d79ebd4a163135f0bcfba6ec51c5c4164b7fad8425f1a64365b67a75b59118a5a7be2e0ee655c7f5e4bb6c2081

    • memory/1596-2-0x0000000075781000-0x0000000075783000-memory.dmp
      Filesize

      8KB

    • memory/2044-4-0x000000000040242D-mapping.dmp
    • memory/2044-6-0x0000000000400000-0x0000000000433000-memory.dmp
      Filesize

      204KB
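Added triage example, not part of the sandbox report or the vendor's tooling: a Python script that takes the process tree and artefact names above (re-typed inline as constructed input) and applies the checks an analyst does by hand on a report like this. It flags the process-hollowing shape in the Processes section (PID 1596 spawns a second instance of its own image as PID 2044, hits SetThreadContext, WriteProcessMemory and MapViewOfSection, and the child shows no behaviour of its own), flags the dropped DLL as an NSIS installer plugin on the assumption that the `ns<letter><4 hex>.tmp` directory is NSIS's `$PLUGINSDIR`, and turns the `0x40242D` mapping dump into an offset inside the `0x400000-0x433000` region dumped from the child, which is the natural place to start disassembling if that address is the thread context the parent set. The `Proc` type, the regexes and the heuristic thresholds are this example's own.

```python
"""Added triage helper (not part of the sandbox report): process-hollowing
heuristic over the report's process tree, plus decoding of the memory-dump
artefact names into offsets inside the hollowed image."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

IMAGE = r"C:\Users\Admin\AppData\Local\Temp\307e257292be5d47304c1712c8bd1342.exe"


@dataclass
class Proc:
    pid: int
    image: str
    parent: Optional[int]
    behaviours: List[str] = field(default_factory=list)


# Constructed by hand from the "Processes" section of the report; a real
# pipeline would feed this from the sandbox's JSON export.
PROCESSES: Dict[int, Proc] = {
    1596: Proc(1596, IMAGE, None, [
        "Loads dropped DLL",
        "Suspicious use of SetThreadContext",
        "Suspicious behavior: EnumeratesProcesses",
        "Suspicious behavior: MapViewOfSection",
        "Suspicious use of WriteProcessMemory",
    ]),
    2044: Proc(2044, IMAGE, 1596, []),
}

# Artefact names copied from the "Downloads" section of the report.
ARTEFACTS: List[str] = [
    r"\Users\Admin\AppData\Local\Temp\nsn6E4E.tmp\abxq191c.dll",
    "memory/1596-2-0x0000000075781000-0x0000000075783000-memory.dmp",
    "memory/2044-4-0x000000000040242D-mapping.dmp",
    "memory/2044-6-0x0000000000400000-0x0000000000433000-memory.dmp",
]

# Parent-side API hits that, together with a same-image child showing no
# behaviour of its own, give the classic RunPE / process-hollowing shape.
HOLLOWING_APIS = {
    "Suspicious use of SetThreadContext",
    "Suspicious use of WriteProcessMemory",
}

# Assumption: NSIS creates $PLUGINSDIR as %TEMP%\ns<letter><4 hex>.tmp; a DLL
# loaded from there is an installer plugin, the usual staging step of an
# NSIS-packed loader.
NSIS_PLUGIN_DIR = re.compile(r"\\ns[a-z][0-9a-f]{4}\.tmp\\", re.IGNORECASE)

DUMP_RE = re.compile(r"memory/(\d+)-\d+-0x([0-9a-f]+)-0x([0-9a-f]+)-memory\.dmp$", re.I)
MAPPING_RE = re.compile(r"memory/(\d+)-\d+-0x([0-9a-f]+)-mapping\.dmp$", re.I)


def find_hollowing(procs: Dict[int, Proc]) -> List[Tuple[int, int]]:
    """Return (parent_pid, child_pid) pairs that match the hollowing heuristic."""
    hits = []
    for child in procs.values():
        parent = procs.get(child.parent) if child.parent is not None else None
        if parent is None:
            continue
        same_image = child.image.lower() == parent.image.lower()
        injects = HOLLOWING_APIS <= set(parent.behaviours)
        if same_image and injects and not child.behaviours:
            hits.append((parent.pid, child.pid))
    return hits


def nsis_plugins(artefacts: List[str]) -> List[str]:
    """Dropped files that live in an NSIS plugin directory."""
    return [a for a in artefacts if NSIS_PLUGIN_DIR.search(a)]


def memory_regions(artefacts: List[str]) -> Dict[int, List[Tuple[int, int]]]:
    """Map pid -> [(start, end)] for every '-memory.dmp' artefact."""
    regions: Dict[int, List[Tuple[int, int]]] = {}
    for a in artefacts:
        m = DUMP_RE.match(a)
        if m:
            pid, start, end = int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16)
            regions.setdefault(pid, []).append((start, end))
    return regions


def mapping_offsets(artefacts: List[str]) -> List[Tuple[int, int, int, int]]:
    """For each '-mapping.dmp', find the dumped region of the same pid that
    contains its address and return (pid, address, region_start, rva)."""
    regions = memory_regions(artefacts)
    out = []
    for a in artefacts:
        m = MAPPING_RE.match(a)
        if not m:
            continue
        pid, addr = int(m.group(1)), int(m.group(2), 16)
        for start, end in regions.get(pid, []):
            if start <= addr < end:
                out.append((pid, addr, start, addr - start))
    return out


def region_size_kb(start: int, end: int) -> int:
    return (end - start) // 1024


if __name__ == "__main__":
    print("hollowing pairs:", find_hollowing(PROCESSES))
    print("nsis plugins:", nsis_plugins(ARTEFACTS))
    for pid, addr, base, rva in mapping_offsets(ARTEFACTS):
        print(f"pid {pid}: {addr:#x} = region base {base:#x} + RVA {rva:#x}")
```

Run on the report's data this reports the single pair (1596, 2044), the `abxq191c.dll` plugin, and RVA `0x242D` inside the 204KB region dumped from PID 2044, which is the region to carve, fix up and load into a disassembler as the NetWire payload. The same-image check is deliberate: a parent injecting into an unrelated process (explorer.exe, svchost.exe) is a different pattern and should get its own rule rather than a looser version of this one.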