Overview

overview

10

Static

static

KR033172A5...DF.exe

windows7_x64

10

KR033172A5...DF.exe

windows10_x64

10

Analysis

  • max time kernel
    47s
  • max time network
    98s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    21-04-2021 06:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    KR033172A562700243.PDF.exe

  • Size

    789KB

  • MD5

    5ca9ea11f89e982fc93ad12e656648a8

  • SHA1

    0d0bd9cb9549638218db8c3442a3047e25ffc9a9

  • SHA256

    9a0550bcf1c770a3febe17adb59aa91717654e4d660fca29bd7ccff14da6256f

  • SHA512

    cd4f2d1ba153dea1d28a12d9566fdf5bb183ba795584b7e6dc049cb5e4fb1c007fa6581c1cec77f0c0917b9050300dc54213fdc877ab5c69905237dd8dff8262

Score
10/10
netwirebotnetratstealer

Malware Config

Extracted

Family

netwire

C2

194.156.90.31:5008

Attributes
  • activex_autorun

    false

  • activex_key

  • copy_executable

    false

  • delete_original

    false

  • host_id

    APRL-WORK

  • install_path

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • mutex

  • offline_keylogger

    true

  • password

    Password

  • registry_autorun

    false

  • startup_name

  • use_mutex

    false

Signatures

  • NetWire RAT payload 3 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\KR033172A562700243.PDF.exe
    "C:\Users\Admin\AppData\Local\Temp\KR033172A562700243.PDF.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1684
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qZYahesl" /XML "C:\Users\Admin\AppData\Local\Temp\tmp25F8.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:852
    • C:\Users\Admin\AppData\Local\Temp\KR033172A562700243.PDF.exe
      "{path}"
      2⤵
        PID:1504
      • C:\Users\Admin\AppData\Local\Temp\KR033172A562700243.PDF.exe
        "{path}"
        2⤵
          PID:1564
        • C:\Users\Admin\AppData\Local\Temp\KR033172A562700243.PDF.exe
          "{path}"
          2⤵
            PID:1708
          • C:\Users\Admin\AppData\Local\Temp\KR033172A562700243.PDF.exe
            "{path}"
            2⤵
              PID:1616
            • C:\Users\Admin\AppData\Local\Temp\KR033172A562700243.PDF.exe
              "{path}"
              2⤵
                PID:1840

            Network

            MITRE ATT&CK Matrix ATT&CK v6

            Initial Access

            Execution

            Scheduled Task

            1
            T1053

            Persistence

            Scheduled Task

            1
            T1053

            Privilege Escalation

            Scheduled Task

            1
            T1053

            Defense Evasion

            Credential Access

            Discovery

            System Information Discovery

            1
            T1082

            Lateral Movement

            Collection

            Exfiltration

            Command and Control

            Impact

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\tmp25F8.tmp
              MD5

              b3228b1f5224b46085df8686bd92fd72

              SHA1

              e7250f9549296745af647942f5512ea9545cd674

              SHA256

              b6499d513bc88b52ec8ef6a6e760e63c0aabd6e111c3433666ffabb8e6d6dab2

              SHA512

              e3eb6acfc30f4c12071b6321f821a05efb940c720cff29c4112de9e408bebf456ef77e854c9370418dd7f82ecac63b17ba4157bf6d2497f8bc43b63fdd8c2903

              Download Submit
            • memory/852-66-0x0000000000000000-mapping.dmp
              Download
            • memory/1684-60-0x0000000000180000-0x0000000000181000-memory.dmp
              Filesize

              4KB

              Download
            • memory/1684-62-0x0000000004AA0000-0x0000000004AA1000-memory.dmp
              Filesize

              4KB

              Download
            • memory/1684-63-0x0000000000630000-0x000000000063E000-memory.dmp
              Filesize

              56KB

              Download
            • memory/1684-64-0x0000000007EA0000-0x0000000007F5D000-memory.dmp
              Filesize

              756KB

              Download
            • memory/1684-65-0x0000000005230000-0x00000000052A9000-memory.dmp
              Filesize

              484KB

              Download
            • memory/1840-68-0x0000000000400000-0x0000000000433000-memory.dmp
              Filesize

              204KB

              Download
            • memory/1840-69-0x000000000040242D-mapping.dmp
              Download
            • memory/1840-70-0x0000000075B31000-0x0000000075B33000-memory.dmp
              Filesize

              8KB

              Download
            • memory/1840-71-0x0000000000400000-0x0000000000433000-memory.dmp
              Filesize

              204KB

              Download