Overview

overview

10

Static

static

Quotation ....v.exe

windows7_x64

10

Quotation ....v.exe

windows10_x64

10

Analysis

  • max time kernel
    101s
  • max time network
    96s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    25-06-2021 15:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Quotation Price - Double R Trading b.v.exe

  • Size

    462KB

  • MD5

    3c920fab166f834f4c0bdd7c68023103

  • SHA1

    3118437d4fd826916e53f67319be19f65083696d

  • SHA256

    dd10bbb6a4a85ae9ac6cf5ee9657e466ede164d19b3f40eb7c62e9083cec35d3

  • SHA512

    0d051a14d5a79afc0ada2ec9a6af1ee7ef967c90f11932e02b44f9ce51c9bf0159fa6a5b322421fe088f2c1faaa97d62c1e755285f99b1764ac6b251e2d16362

Score
10/10
netwirebotnetratstealer

Malware Config

Extracted

Family

netwire

C2

sipex2021.ddns.net:8753

Attributes
  • activex_autorun

    false

  • activex_key

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • install_path

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • mutex

  • offline_keylogger

    true

  • password

    Password

  • registry_autorun

    false

  • startup_name

  • use_mutex

    false

Signatures

  • NetWire RAT payload 3 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Executes dropped EXE 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Quotation Price - Double R Trading b.v.exe
    "C:\Users\Admin\AppData\Local\Temp\Quotation Price - Double R Trading b.v.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:672
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Wcrcjbfpuejnisk.vbs"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3592
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\chrome\Google\chrome.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1728
    • C:\Users\Admin\AppData\Local\Temp\MSBuild.exe
      C:\Users\Admin\AppData\Local\Temp\MSBuild.exe
      2⤵
      • Executes dropped EXE
      PID:3936
    • C:\Users\Admin\AppData\Local\Temp\MSBuild.exe
      C:\Users\Admin\AppData\Local\Temp\MSBuild.exe
      2⤵
      • Executes dropped EXE
      PID:4048

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MSBuild.exe
    MD5

    9af17c8393f0970ee5136bd3ffa27001

    SHA1

    4b285b72c1a11285a25f31f2597e090da6bbc049

    SHA256

    71d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019

    SHA512

    b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\MSBuild.exe
    MD5

    9af17c8393f0970ee5136bd3ffa27001

    SHA1

    4b285b72c1a11285a25f31f2597e090da6bbc049

    SHA256

    71d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019

    SHA512

    b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\_Wcrcjbfpuejnisk.vbs
    MD5

    dd324fe7f7eb1af18e2f0c011669c28d

    SHA1

    f1c148fe260963d257eaba866de68ffc09b5ef32

    SHA256

    192db1efb34c22fc3e03aab1f7c74bcfb263d57a75b25d90e1ea5e078207bb6f

    SHA512

    57bc4417a7b458833b1a08c9e949102f336725669b970758bc23720257cb33decd95e42b65bcf259997b5c53ab60912433ac91cd9df674bf52a85e9b6cb3ad59

    Download Submit
  • memory/672-116-0x00000000056C0000-0x00000000056C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/672-117-0x0000000005090000-0x0000000005091000-memory.dmp
    Filesize

    4KB

    Download
  • memory/672-118-0x0000000005030000-0x0000000005031000-memory.dmp
    Filesize

    4KB

    Download
  • memory/672-119-0x0000000004FF0000-0x0000000005082000-memory.dmp
    Filesize

    584KB

    Download
  • memory/672-120-0x0000000005083000-0x0000000005085000-memory.dmp
    Filesize

    8KB

    Download
  • memory/672-121-0x0000000006EB0000-0x0000000006EFC000-memory.dmp
    Filesize

    304KB

    Download
  • memory/672-126-0x0000000007540000-0x0000000007593000-memory.dmp
    Filesize

    332KB

    Download
  • memory/672-114-0x0000000000650000-0x0000000000651000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1728-145-0x0000000008420000-0x0000000008421000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1728-155-0x00000000096F0000-0x0000000009723000-memory.dmp
    Filesize

    204KB

    Download
  • memory/1728-170-0x0000000004BC3000-0x0000000004BC4000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1728-133-0x0000000000000000-mapping.dmp
    Download
  • memory/1728-136-0x0000000006F80000-0x0000000006F81000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1728-137-0x00000000075F0000-0x00000000075F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1728-169-0x000000007ED40000-0x000000007ED41000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1728-139-0x0000000004BC0000-0x0000000004BC1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1728-140-0x0000000004BC2000-0x0000000004BC3000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1728-141-0x0000000007580000-0x0000000007581000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1728-142-0x0000000007D50000-0x0000000007D51000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1728-143-0x0000000007DC0000-0x0000000007DC1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1728-144-0x0000000008010000-0x0000000008011000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1728-168-0x00000000099E0000-0x00000000099E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1728-146-0x0000000008950000-0x0000000008951000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1728-147-0x0000000008710000-0x0000000008711000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1728-167-0x0000000009830000-0x0000000009831000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1728-162-0x00000000096D0000-0x00000000096D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3592-127-0x0000000000000000-mapping.dmp
    Download
  • memory/4048-131-0x000000000040242D-mapping.dmp
    Download
  • memory/4048-138-0x0000000000400000-0x0000000000433000-memory.dmp
    Filesize

    204KB

    Download
  • memory/4048-130-0x0000000000400000-0x0000000000433000-memory.dmp
    Filesize

    204KB

    Download