Analysis

  • max time kernel
    2s
  • max time network
    38s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    05-07-2021 14:29

General

  • Target

    Pay014_Screenshot.scr

  • Size

    244KB

  • MD5

    e56903f300876fd5df505a60f5967a31

  • SHA1

    292fc1e81ab323b7de82a791d4f6bdd316605a7e

  • SHA256

    40993feefb8af3c4a93426f9ff21815b24fa093fa650a9f46beae791e54ce8ce

  • SHA512

    b760c9a8f74baba1782b972b288f3a27d27fb17cbe928a663472827fd3735a82e32f59fccf6a1a764ea397e49db561602c9e601f33656f93a494cc6c141e4368

Malware Config

Signatures

  • NetWire RAT payload 1 IoCs
  • Netwire

    Netwire is a RAT whose main functionality is focused on password stealing and keylogging, but it also includes remote control capabilities.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Pay014_Screenshot.scr
    "C:\Users\Admin\AppData\Local\Temp\Pay014_Screenshot.scr" /S
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1728
    • C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\SysWOW64\explorer.exe"
      2⤵
      PID:2028
    • C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\SysWOW64\explorer.exe"
      2⤵
      PID:1944
    • C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\SysWOW64\explorer.exe"
      2⤵
      PID:1928
    • C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\SysWOW64\explorer.exe"
      2⤵
      PID:1480
    • C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\SysWOW64\explorer.exe"
      2⤵
      PID:1836

Network

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

1
T1112


Downloads

  • memory/1728-62-0x0000000000160000-0x0000000000170000-memory.dmp
    Filesize

    64KB

  • memory/1728-60-0x000000013F280000-0x000000013F281000-memory.dmp
    Filesize

    4KB

  • memory/1728-63-0x00000000007E0000-0x00000000007E1000-memory.dmp
    Filesize

    4KB

  • memory/1728-64-0x00000000007F0000-0x0000000000819000-memory.dmp
    Filesize

    164KB

  • memory/1728-65-0x0000000002510000-0x0000000002512000-memory.dmp
    Filesize

    8KB