Overview

overview

10

Static

static

355059ce41...in.exe

windows7_x64

10

355059ce41...in.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    116s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    19-07-2021 15:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    355059ce41fbbee772dd141c99c2a8e4e9d9d9769d1892ab27422d1ca91c5065.bin.exe

  • Size

    212KB

  • MD5

    aeae64fab4622ed23e1c61d26de74249

  • SHA1

    5dabbf8093eed124e64a7e39c83e14976a74b8bb

  • SHA256

    355059ce41fbbee772dd141c99c2a8e4e9d9d9769d1892ab27422d1ca91c5065

  • SHA512

    ca6602e3ee04b174581b90cde554a6bdf5f7560fd1ccbae26982df297e8daf18db63219029322ff2e2ea950d8a284311d7486086c9048d1b247f2dd62a953050

Score
10/10
netwirebotnetpersistenceratstealer

Malware Config

Extracted

Family

netwire

C2

127.0.0.1:3360

chrisle79.ddns.net:4414

jacknop79.ddns.net:4414

smath79.ddns.net:4414

whatis79.ddns.net:4414

goodgt79.ddns.net:4414

bonding79.ddns.net:4414
Attributes
  • activex_autorun

    false

  • activex_key

  • copy_executable

    false

  • delete_original

    false

  • host_id

    June 2021

  • install_path

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • mutex

  • offline_keylogger

    true

  • password

    Password2$

  • registry_autorun

    false

  • startup_name

  • use_mutex

    false

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • NetWire RAT payload 3 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\355059ce41fbbee772dd141c99c2a8e4e9d9d9769d1892ab27422d1ca91c5065.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\355059ce41fbbee772dd141c99c2a8e4e9d9d9769d1892ab27422d1ca91c5065.bin.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:776
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      2⤵
        PID:208
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 208 -s 484
          3⤵
          • Program crash
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3568

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scripting

    1
    T1064

    Persistence

    Winlogon Helper DLL

    1
    T1004

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Scripting

    1
    T1064

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/208-116-0x0000000000402453-mapping.dmp
      Download
    • memory/208-115-0x0000000000400000-0x0000000000436000-memory.dmp
      Filesize

      216KB

      Download
    • memory/208-117-0x0000000010000000-0x0000000010006000-memory.dmp
      Filesize

      24KB

      Download
    • memory/208-120-0x0000000000400000-0x0000000000436000-memory.dmp
      Filesize

      216KB

      Download
    • memory/776-114-0x00000000005A0000-0x00000000006EA000-memory.dmp
      Filesize

      1.3MB

      Download