Analysis

  • max time kernel
    81s
  • max time network
    122s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    29-06-2021 12:41

General

  • Target

    Purchase_Order.exe

  • Size

    337KB

  • MD5

    39fcd8503fd2e6e2773a5b5176b5cfb0

  • SHA1

    cbf286bec3ac50743352cdead151ca2be6bea121

  • SHA256

    0d7f2b187239381646230ae6f03ce02a7bba8a95482df00f459904af60da902a

  • SHA512

    fdb923a1639f27f74da659c635ab251e536fd75c7d05d2696e2e8d312c4a55f37bcd127b314d1606962335593713ae1cdfed129ba2d1bb7f3223b8d7d6926f95

Malware Config

Extracted

Family

netwire

C2

warin.hopto.org:4320

Attributes
  • activex_autorun

    false

  • activex_key

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • install_path

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • mutex

  • offline_keylogger

    true

  • password

    Password

  • registry_autorun

    false

  • startup_name

  • use_mutex

    false

Signatures

  • NetWire RAT payload 2 IoCs
  • Netwire

    Netwire is a RAT whose main functionality is focused on password stealing and keylogging, but it also includes remote control capabilities.

  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Purchase_Order.exe
    "C:\Users\Admin\AppData\Local\Temp\Purchase_Order.exe"
    PID: 3492 (process tree level 1)
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Local\Temp\Purchase_Order.exe
      "C:\Users\Admin\AppData\Local\Temp\Purchase_Order.exe"
      PID: 3736 (process tree level 2)

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Discovery

    System Information Discovery (T1082): 1


Downloads

  • \Users\Admin\AppData\Local\Temp\diejc.dll

    MD5

    5e72c6604a2ea57e6b311e3103c1e53f

    SHA1

    34f2287255ed04551a5da72659e663f123613f26

    SHA256

    12f743c8c38d6f091300ca7b0dc380a88a3ceb5da025ed44b9a49991a47868b7

    SHA512

    c293cb5bdc2665ac7d7d55d8faf23dd7e4da220132b41eb0793cb348eb91b65fce19167c802a5a6a19cb35671c4a180e5fed9efdd7d31ede46425872afd1cedd

  • memory/3736-116-0x000000000046242D-mapping.dmp

  • memory/3736-120-0x0000000000460000-0x0000000000493000-memory.dmp

    Filesize

    204KB