Overview

overview

10

Static

static

PO-13918.jpeg.exe

windows7_x64

10

PO-13918.jpeg.exe

windows10_x64

10

Analysis

  • max time kernel
    62s
  • max time network
    136s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    14-07-2021 05:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PO-13918.jpeg.exe

  • Size

    814KB

  • MD5

    39354b7b1d0dda28b95785b967621c07

  • SHA1

    e0e21df731ac7e2bcaa1fa1ca0a3f12936a111a4

  • SHA256

    ff32e93cbeacbeda2437159fc90e1c0a4b6b1d7fa160a931fe80801ba6e3311d

  • SHA512

    ba6eb8b059b0ac8b420facc74c41ac0cd46e790f943c83c37902399e500239937d4424ed4e49226c2dfcd47e37ecee07f24894c67e1b0b5e43848a75f6a59619

Score
10/10
netwirebotnetratstealer

Malware Config

Extracted

Family

netwire

C2

netwire.linkpc.net:6000

Attributes
  • activex_autorun

    false

  • activex_key

  • copy_executable

    false

  • delete_original

    false

  • host_id

    NETWIRE 2021

  • install_path

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • mutex

    RRMkVNlN

  • offline_keylogger

    true

  • password

    chizzy25@

  • registry_autorun

    false

  • startup_name

  • use_mutex

    true

Signatures

  • NetWire RAT payload 3 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PO-13918.jpeg.exe
    "C:\Users\Admin\AppData\Local\Temp\PO-13918.jpeg.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1564
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nPcEeWJgmfPi" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE3AB.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1504
    • C:\Users\Admin\AppData\Local\Temp\PO-13918.jpeg.exe
      "C:\Users\Admin\AppData\Local\Temp\PO-13918.jpeg.exe"
      2⤵
        PID:624

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmpE3AB.tmp
      MD5

      614fd7f4a2e859d08557b8d4992ceb8e

      SHA1

      e126832821829749f3efa26314a917b020cd7107

      SHA256

      c462ada5bcf0085439d30142dece3d193471a4b7053e68bb6af592a0cc5144ac

      SHA512

      0541270c1b661173fea2f35d48bb429a57365936a7bd8f9c0b46dacfff9550c316ef72263544965e4fdba0733888df7abec27152959de0ce12e470fa2e54de1d

      Download Submit
    • memory/624-67-0x0000000000400000-0x0000000000433000-memory.dmp
      Filesize

      204KB

      Download
    • memory/624-68-0x000000000040242D-mapping.dmp
      Download
    • memory/624-69-0x0000000075211000-0x0000000075213000-memory.dmp
      Filesize

      8KB

      Download
    • memory/624-70-0x0000000000400000-0x0000000000433000-memory.dmp
      Filesize

      204KB

      Download
    • memory/1504-65-0x0000000000000000-mapping.dmp
      Download
    • memory/1564-59-0x00000000001E0000-0x00000000001E1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1564-61-0x0000000001E60000-0x0000000001E61000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1564-62-0x00000000005F0000-0x0000000000600000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1564-63-0x0000000005610000-0x00000000056A8000-memory.dmp
      Filesize

      608KB

      Download
    • memory/1564-64-0x0000000004840000-0x0000000004894000-memory.dmp
      Filesize

      336KB

      Download