Overview

overview

10

Static

static

Quotation ....v.exe

windows7_x64

10

Quotation ....v.exe

windows10_x64

10

Analysis

  • max time kernel
    105s
  • max time network
    103s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    25-06-2021 15:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Quotation Price - Double R Trading b.v.exe

  • Size

    462KB

  • MD5

    3c920fab166f834f4c0bdd7c68023103

  • SHA1

    3118437d4fd826916e53f67319be19f65083696d

  • SHA256

    dd10bbb6a4a85ae9ac6cf5ee9657e466ede164d19b3f40eb7c62e9083cec35d3

  • SHA512

    0d051a14d5a79afc0ada2ec9a6af1ee7ef967c90f11932e02b44f9ce51c9bf0159fa6a5b322421fe088f2c1faaa97d62c1e755285f99b1764ac6b251e2d16362

Score
10/10
netwirebotnetratstealer

Malware Config

Extracted

Family

netwire

C2

sipex2021.ddns.net:8753

Attributes
  • activex_autorun

    false

  • activex_key

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • install_path

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • mutex

  • offline_keylogger

    true

  • password

    Password

  • registry_autorun

    false

  • startup_name

  • use_mutex

    false

Signatures

  • NetWire RAT payload 3 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Quotation Price - Double R Trading b.v.exe
    "C:\Users\Admin\AppData\Local\Temp\Quotation Price - Double R Trading b.v.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:940
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Wcrcjbfpuejnisk.vbs"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1456
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\chrome\Google\chrome.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:324
    • C:\Users\Admin\AppData\Local\Temp\MSBuild.exe
      C:\Users\Admin\AppData\Local\Temp\MSBuild.exe
      2⤵
      • Executes dropped EXE
      PID:1612

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MSBuild.exe
    MD5

    9af17c8393f0970ee5136bd3ffa27001

    SHA1

    4b285b72c1a11285a25f31f2597e090da6bbc049

    SHA256

    71d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019

    SHA512

    b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\_Wcrcjbfpuejnisk.vbs
    MD5

    dd324fe7f7eb1af18e2f0c011669c28d

    SHA1

    f1c148fe260963d257eaba866de68ffc09b5ef32

    SHA256

    192db1efb34c22fc3e03aab1f7c74bcfb263d57a75b25d90e1ea5e078207bb6f

    SHA512

    57bc4417a7b458833b1a08c9e949102f336725669b970758bc23720257cb33decd95e42b65bcf259997b5c53ab60912433ac91cd9df674bf52a85e9b6cb3ad59

    Download Submit
  • \Users\Admin\AppData\Local\Temp\MSBuild.exe
    MD5

    9af17c8393f0970ee5136bd3ffa27001

    SHA1

    4b285b72c1a11285a25f31f2597e090da6bbc049

    SHA256

    71d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019

    SHA512

    b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3

    Download Submit
  • memory/324-94-0x00000000056B0000-0x00000000056B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/324-95-0x0000000006150000-0x0000000006151000-memory.dmp
    Filesize

    4KB

    Download
  • memory/324-119-0x0000000006310000-0x0000000006311000-memory.dmp
    Filesize

    4KB

    Download
  • memory/324-118-0x0000000006300000-0x0000000006301000-memory.dmp
    Filesize

    4KB

    Download
  • memory/324-107-0x000000007EF30000-0x000000007EF31000-memory.dmp
    Filesize

    4KB

    Download
  • memory/324-103-0x00000000055E0000-0x00000000055E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/324-102-0x0000000006240000-0x0000000006241000-memory.dmp
    Filesize

    4KB

    Download
  • memory/324-89-0x0000000005660000-0x0000000005661000-memory.dmp
    Filesize

    4KB

    Download
  • memory/324-86-0x00000000052A0000-0x00000000052A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/324-78-0x0000000000000000-mapping.dmp
    Download
  • memory/324-80-0x0000000001F00000-0x0000000001F01000-memory.dmp
    Filesize

    4KB

    Download
  • memory/324-81-0x00000000048A0000-0x00000000048A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/324-83-0x0000000004860000-0x0000000004861000-memory.dmp
    Filesize

    4KB

    Download
  • memory/324-84-0x0000000004862000-0x0000000004863000-memory.dmp
    Filesize

    4KB

    Download
  • memory/324-85-0x00000000046B0000-0x00000000046B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/940-62-0x0000000004AB0000-0x0000000004AB1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/940-60-0x0000000001030000-0x0000000001031000-memory.dmp
    Filesize

    4KB

    Download
  • memory/940-69-0x0000000005DD0000-0x0000000005E23000-memory.dmp
    Filesize

    332KB

    Download
  • memory/940-63-0x0000000004AB5000-0x0000000004AC6000-memory.dmp
    Filesize

    68KB

    Download
  • memory/940-64-0x00000000007D0000-0x000000000081C000-memory.dmp
    Filesize

    304KB

    Download
  • memory/1456-72-0x0000000075051000-0x0000000075053000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1456-70-0x0000000000000000-mapping.dmp
    Download
  • memory/1612-82-0x0000000000400000-0x0000000000433000-memory.dmp
    Filesize

    204KB

    Download
  • memory/1612-74-0x0000000000400000-0x0000000000433000-memory.dmp
    Filesize

    204KB

    Download
  • memory/1612-75-0x000000000040242D-mapping.dmp
    Download