Overview

overview

10

Static

static

URLScan

urlscan

https://1drv.ms/u/s!...

windows7_x64

10

Analysis

  • max time kernel
    148s
  • max time network
    180s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    05-07-2021 21:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    https://1drv.ms/u/s!AgM5TBFnYP0Mh3c2VflmNQ3jqh3W?e=hKhwu2

  • Sample

    210705-k55rt84zv2

Score
10/10
netwirebotnetpersistenceratstealer

Malware Config

Extracted

Family

netwire

C2

iphanyi.mooo.com:3360

Attributes
  • activex_autorun

    false

  • activex_key

  • copy_executable

    false

  • delete_original

    false

  • host_id

    DNS Afraid

  • install_path

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • mutex

  • offline_keylogger

    true

  • password

    caster123

  • registry_autorun

    false

  • startup_name

  • use_mutex

    false

Signatures

  • NetWire RAT payload 7 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Core1 .NET packer 3 IoCs

    Detects packer/loader used by .NET malware.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 11 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://1drv.ms/u/s!AgM5TBFnYP0Mh3c2VflmNQ3jqh3W?e=hKhwu2
    1⤵
    • Modifies Internet Explorer Phishing Filter
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2032
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2032 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1804
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2032 CREDAT:1979399 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:564
  • C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Pay014_Screenshot.rar
    1⤵
    • Modifies registry class
    PID:1532
  • C:\Windows\explorer.exe
    explorer .
    1⤵
      PID:1684
    • C:\Windows\explorer.exe
      C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
      1⤵
      • Loads dropped DLL
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1264
      • C:\Program Files\7-Zip\7zG.exe
        "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\" -an -ai#7zMap17967:76:7zEvent10540
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:944
    • C:\Users\Admin\Pay014_Screenshot.scr
      Pay014_Screenshot.scr
      1⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1760
      • C:\Windows\SysWOW64\explorer.exe
        "C:\Windows\SysWOW64\explorer.exe"
        2⤵
          PID:1556

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Registry Run Keys / Startup Folder

      1
      T1060

      Privilege Escalation

      Defense Evasion

      Modify Registry

      3
      T1112

      Credential Access

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442
        MD5

        4104dec10f46331a50ae76885f2a34b2

        SHA1

        d326751c6c7262bc0935487ccd55ddb8ea9338b2

        SHA256

        685ec210653e37bcb77c7abf9269925f845425c6e5aa40b47b858e958fc64269

        SHA512

        bd88b7fcc42a90639e8e58ad7bed0ccd11493b6176f81ecabdd60a57fc89931a8baa53011f382df1931af8de13da4a5d60446531f31df4809b9e2bf684cc8842

        Download Submit
      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63
        MD5

        4f94395d18e1920fefa958f5831a2166

        SHA1

        59dbb3c3672b50347262007715bf8757b30f93db

        SHA256

        efd3c799478f3e81335a0ff5142584702e87f42c7cfd75b8071ecdb1f77abe97

        SHA512

        8383428dd226d0ac640c081d2912686c33cbe765b054b33e88f10e55dbe174c2777fd98a868b9b8a066368361a9a8afb05e7fbc82ba3bc807d6510fd6e852619

        Download Submit
      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
        MD5

        2902de11e30dcc620b184e3bb0f0c1cb

        SHA1

        5d11d14a2558801a2688dc2d6dfad39ac294f222

        SHA256

        e6a7f1f8810e46a736e80ee5ac6187690f28f4d5d35d130d410e20084b2c1544

        SHA512

        efd415cde25b827ac2a7ca4d6486ce3a43cdcc1c31d3a94fd7944681aa3e83a4966625bf2e6770581c4b59d05e35ff9318d9adaddade9070f131076892af2fa0

        Download Submit
      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
        MD5

        a266bb7dcc38a562631361bbf61dd11b

        SHA1

        3b1efd3a66ea28b16697394703a72ca340a05bd5

        SHA256

        df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

        SHA512

        0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

        Download Submit
      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442
        MD5

        b554ab50c685a0e61dfbf8dc587a4b34

        SHA1

        66dd907433101527ae5c44a647a13813995036db

        SHA256

        c12d3b11b7891389c1879b30bdcd9f7a0bb886de4ecbb724f73764592449c64d

        SHA512

        4f2dec3831c249aac1041925fe855e6d6916922a718c1e8e4f2d8db4ac3efb17ed193ffe55506ccea0995bb6e01f3f5da811b98a99ba70f8a40b2a8126e5d096

        Download Submit
      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63
        MD5

        cbf049b2d6965a98403fe1d11c0bcc67

        SHA1

        7c1a42b4dc34940f7183fb89ad0f9b057fa6a04d

        SHA256

        2e7ac2b21e7e9d3253fad022b575b7e8eb5e20613333fdaf0f2255fa406f7cc5

        SHA512

        f0f782dc7ae01cb7d08a69cff9254fe834d4dba00c0cf48470e1967408acac4f3f0dc3063fa7179b6f4edefd6fa5ed2c468edab29666e0ab31569c7bc5edf7a3

        Download Submit
      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        MD5

        756e4482037764b787d3d4efd96f0350

        SHA1

        db39fd66d1abf4cb99d702d615d3dd71378907a5

        SHA256

        d5d87d15d8d5ecc5bcc1d79b317cb8683457a4408e2b82d163a21304965e58bd

        SHA512

        c9bf57ca8fc371a97bf5a0a6a246cc6af50f72547d3ce1375547dacc6d12eb8993b8fbac4748f39f6fdb6da7be9f7628280650bf758bed2f45a23ea3bec6e3fe

        Download Submit
      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        MD5

        0483f5d5428a30b94951c1d03ebc8416

        SHA1

        02752dcb8f22ccfdddffa5e283ee01b29f20cc88

        SHA256

        56847e87258e3133b365ece16fc82b6135eb4033a19c2c90b6a7847a0be452fe

        SHA512

        2bfac55e89661b3389f97946710e88d4a267c9d103d3e0cf71ff591d51869822d6659e7d95ee3d147a089852c208785ce3e3b97646fc350d067537914efcc29c

        Download Submit
      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        MD5

        0e2fb0bb2fc5c7997bcd267ee97ccc08

        SHA1

        76890dc3c053ce7ce6f78e7b9fc34cb61dbd213b

        SHA256

        bdc7a3b7f20cf7288064ec58f599f6fe8235b16cb227631b63208f0669cf43a9

        SHA512

        6d019fcde4466b0e089ff0930076a4457a6188dfbc28f57ddd5ba9503bd2c57b5bd2f70ba2f2620e4381c22d3c9d39c80424fcd023224a405c83928ce80d99ed

        Download Submit
      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        MD5

        92cd982aba2ddb7ef5ac65409d2a89a2

        SHA1

        8d07266e9e35ddf22e12cf2a979a2c0a7d837d9a

        SHA256

        b01120cb15d048be0553cb109dd053480d0c180b3e55bb9739e5b36c85444173

        SHA512

        5611d35cdd0b56c8493d36091f92edf8450c0ce140c34572d179f732c2390595f0a2f2a7dfc1537963e9797f1258828c6d4902883cbce056ae848ba1e2294418

        Download Submit
      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        MD5

        f126e8ea7f71ba073b3b3cbe3db92e18

        SHA1

        90e8b13b608b44ab11e2c8729abff03d2975cb75

        SHA256

        d4ea0d2ea198c038069337cac8a5d99738324823f24d44ebd68a7860816c9892

        SHA512

        53c074eb987e8caa21a7ec477ca67b6e4723469734df55c035c9672476509f03d67387bef41597dac062ad309021ac9245bae7ccd59f7cee7875e34c8b129d64

        Download Submit
      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        MD5

        f126e8ea7f71ba073b3b3cbe3db92e18

        SHA1

        90e8b13b608b44ab11e2c8729abff03d2975cb75

        SHA256

        d4ea0d2ea198c038069337cac8a5d99738324823f24d44ebd68a7860816c9892

        SHA512

        53c074eb987e8caa21a7ec477ca67b6e4723469734df55c035c9672476509f03d67387bef41597dac062ad309021ac9245bae7ccd59f7cee7875e34c8b129d64

        Download Submit
      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
        MD5

        1b3ea40bd32fbb8670805326140fb996

        SHA1

        284378538949183c4319e1b52e7e26bae31db009

        SHA256

        285a7a78055de8190c80eb52c3d55ab83826f517b76628b2d12ed5c10cf9ecbd

        SHA512

        6786a6708fdbfce0f4a2091e2e6366593bc9732027627b50974970536faa75042ce47cf47b1cbc57af390c8679e15574ca08c3c7e5baac9ef298e72e9a896587

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\bq3gxmw\imagestore.dat
        MD5

        67210933c29ff94923580b0a481d6d60

        SHA1

        9eef1435c3d219c5f403b19b3b92c5ac2cf88ce2

        SHA256

        cea3ddd6fee2ceca946ca3b9e679510d8b104e36c21637632f7f903301f19b96

        SHA512

        e47a6e88635f34c41d07d4d18297241ac9c2415b93604a5f42b283959f82c42b8c43a70a168cce17881a34cd3b4e8b4c6009a1d41da647d877c2a3f9f763c40c

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\B4H8BAD0.txt
        MD5

        bade7aeaf52333b9ba228101eec62a01

        SHA1

        f21e7f468ec773b97ed90bbed0db7131289f1049

        SHA256

        20b59d16c022cc00fef892e4d56bec686cb61a52d7adde8a88bf5c3841ff42d9

        SHA512

        cdac0e1eceab0c613d7b495e76249ba234b8c8c0d32330379ed7741afc38d91939bbfe7be7186811db7bfb084cc4e0d90955f8833fa465bed1ceb4ef4e8cfed7

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\BS5HASJT.txt
        MD5

        be974d649b17eda7db22b91dbd738bb2

        SHA1

        33b33ad16b6a74a3a6b187f396706ce86491308e

        SHA256

        de6d744137f1beb865d388ac280850f8eed71831cff0f8745f3a4871cfc6abba

        SHA512

        fb15b14b4cafd03fa2fa9b6279509427f0f0a234e95064f80081f318a82a93c13929212639f88290cd4ff8264284bc77ff12deb6158b3b20e8ff641d20910ff9

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\PSQLDO5E.txt
        MD5

        c5fd7a1f0a0d4d502d907af1b52d1794

        SHA1

        ff0141eb1f2988fe9f4c8347f872704bc3c91b1e

        SHA256

        73961fd4a5b0430c3f3855d97a70d65989190ae80dbeb55b04454151cfc3addd

        SHA512

        7fa5c2f89fb3d3cf0fb6eb04db9cd49ae5a6f570438315dbe4d14d394eb69fb963c10adae8f4945884f689d0ac8e91baa964f2f756de1c4f150d0713beb9d47f

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\TB0H2C3S.txt
        MD5

        a4c1d15f7ca0df2f2c1f03cf63579035

        SHA1

        51174f109556d716da156d72ca33a6aa0506663c

        SHA256

        6627f9fa3d02ac16b0cd5c9c65edd12777bd7638be3b1788dfd4e92af95c91c1

        SHA512

        21cb525ba564fe46e8e2c608ad52065c615e5578488cbd9ed4ef5636744a128ef2058d8e7251bf4d33e66e5ba4e3812367bd667fc12181f48ed3e2716d56e8f2

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\V150VFLV.txt
        MD5

        c9e8f4d9f93838c0ccaa89a030c763ed

        SHA1

        ff51038b8b179dd8d57c3956f13fa3a15dfed640

        SHA256

        e2d2ffd5cac5f656ae1d35f0557eb0255949032ea969eeba0195a76ef397e28e

        SHA512

        608c5d30ecf3844eb731308e978cae7419de04928830dfbac33f48cf96a7bf1bafddb681bd962d0219da7e8575deb7c12ae555bedc4203cebce3abd8d795e4b6

        Download Submit
      • C:\Users\Admin\Pay014_Screenshot.rar.20nxdoi.partial
        MD5

        21c1c662cc174c82cb768ffff1ca27d5

        SHA1

        35f3aa06e56ff709683d70842505b15363331088

        SHA256

        fe822a928a2a772500437c4eabfaf6b5af07fc7bb510e33956dcd8468550039f

        SHA512

        fb7485d607dc8d4c82c97a9a4bf2d48ca75072b44e59a73d1c5ad5d27b9e9175ed54fe8a2d21cd9fa484bff7c6d77f404c59c3877ea5c61df4f589637a814496

        Download Submit
      • C:\Users\Admin\Pay014_Screenshot.scr
        MD5

        e56903f300876fd5df505a60f5967a31

        SHA1

        292fc1e81ab323b7de82a791d4f6bdd316605a7e

        SHA256

        40993feefb8af3c4a93426f9ff21815b24fa093fa650a9f46beae791e54ce8ce

        SHA512

        b760c9a8f74baba1782b972b288f3a27d27fb17cbe928a663472827fd3735a82e32f59fccf6a1a764ea397e49db561602c9e601f33656f93a494cc6c141e4368

        Download Submit
      • C:\Users\Admin\Pay014_Screenshot.scr
        MD5

        e56903f300876fd5df505a60f5967a31

        SHA1

        292fc1e81ab323b7de82a791d4f6bdd316605a7e

        SHA256

        40993feefb8af3c4a93426f9ff21815b24fa093fa650a9f46beae791e54ce8ce

        SHA512

        b760c9a8f74baba1782b972b288f3a27d27fb17cbe928a663472827fd3735a82e32f59fccf6a1a764ea397e49db561602c9e601f33656f93a494cc6c141e4368

        Download Submit
      • \Users\Admin\Pay014_Screenshot.scr
        MD5

        e56903f300876fd5df505a60f5967a31

        SHA1

        292fc1e81ab323b7de82a791d4f6bdd316605a7e

        SHA256

        40993feefb8af3c4a93426f9ff21815b24fa093fa650a9f46beae791e54ce8ce

        SHA512

        b760c9a8f74baba1782b972b288f3a27d27fb17cbe928a663472827fd3735a82e32f59fccf6a1a764ea397e49db561602c9e601f33656f93a494cc6c141e4368

        Download Submit
      • memory/564-62-0x0000000000000000-mapping.dmp
        Download
      • memory/944-88-0x0000000000000000-mapping.dmp
        Download
      • memory/1264-87-0x0000000003730000-0x0000000003731000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1532-84-0x000007FEFBFB1000-0x000007FEFBFB3000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1556-99-0x0000000000400000-0x0000000000433000-memory.dmp
        Filesize

        204KB

        Download
      • memory/1556-100-0x000000000040242D-mapping.dmp
        Download
      • memory/1556-102-0x0000000000400000-0x0000000000433000-memory.dmp
        Filesize

        204KB

        Download
      • memory/1760-93-0x000000013F210000-0x000000013F211000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1760-95-0x0000000000670000-0x0000000000680000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1760-96-0x0000000000680000-0x0000000000681000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1760-97-0x000000001ACB0000-0x000000001ACB2000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1760-98-0x0000000000730000-0x0000000000759000-memory.dmp
        Filesize

        164KB

        Download
      • memory/1804-59-0x0000000000000000-mapping.dmp
        Download
      • memory/1804-60-0x0000000076691000-0x0000000076693000-memory.dmp
        Filesize

        8KB

        Download
      • memory/2032-74-0x00000000049B0000-0x00000000049B1000-memory.dmp
        Filesize

        4KB

        Download