491ec1161652070007f5205e8d7592271302324e28e58f006fb5a1e81d1d57f1.bin

General

Target:    491ec1161652070007f5205e8d7592271302324e28e58f006fb5a1e81d1d57f1.bin.exe
Filesize:  502KB
Completed: 19-07-2021 15:17
Score:     10/10
MD5:       b49f739d1d6f51d71f075e9392946b2e
SHA1:      0967c716434876e355a3127e55f629cc8b0cc238
SHA256:    491ec1161652070007f5205e8d7592271302324e28e58f006fb5a1e81d1d57f1

Malware Config

Signatures (12)

Discovery
  • NetWire RAT payload

    Reported IOCs (resource | yara_rule)

    behavioral1/files/0x00030000000130ed-67.dat | netwire
    behavioral1/files/0x00030000000130ed-68.dat | netwire
    behavioral1/files/0x00030000000130ed-70.dat | netwire
    behavioral1/memory/368-73-0x0000000000400000-0x000000000042C000-memory.dmp | netwire
    behavioral1/memory/368-74-0x0000000000402BCB-mapping.dmp | netwire
    behavioral1/memory/368-80-0x0000000000400000-0x000000000042C000-memory.dmp | netwire
  • Netwire

    Description

    NetWire is a RAT whose main functionality is password stealing and keylogging; it also includes remote-control capabilities.

  • Executes dropped EXE
    tmp.exe, svhost.exe

    Reported IOCs (pid | process)

    880 | tmp.exe
    368 | svhost.exe
  • Drops startup file
    491ec1161652070007f5205e8d7592271302324e28e58f006fb5a1e81d1d57f1.bin.exe

    Reported IOCs (description | ioc | process)

    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.exe.lnk | 491ec1161652070007f5205e8d7592271302324e28e58f006fb5a1e81d1d57f1.bin.exe
  • Loads dropped DLL
    491ec1161652070007f5205e8d7592271302324e28e58f006fb5a1e81d1d57f1.bin.exe

    Reported IOCs (pid | process | events)

    916 | 491ec1161652070007f5205e8d7592271302324e28e58f006fb5a1e81d1d57f1.bin.exe | 5
  • Suspicious use of SetThreadContext
    491ec1161652070007f5205e8d7592271302324e28e58f006fb5a1e81d1d57f1.bin.exe

    Reported IOCs (description | pid | process | target process)

    PID 916 set thread context of 368 | 916 | 491ec1161652070007f5205e8d7592271302324e28e58f006fb5a1e81d1d57f1.bin.exe | svhost.exe

    Together with the repeated WriteProcessMemory calls from PID 916 into PID 368 and the netwire YARA hits on PID 368's image region (0x400000-0x42C000), this is consistent with process hollowing: the dropped svhost.exe is the host process for the NetWire payload.
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). The sandbox's generic note for this signature is "likely ransomware behaviour"; for this sample the payload is identified as NetWire and nothing else in the report (four dropped files, no mass file writes) points to encryption, so read it as drive enumeration by the RAT rather than as evidence of ransomware.

    TTPs

    System Information Discovery
  • Delays execution with timeout.exe
    timeout.exe

    Reported IOCs (pid | process)

    1832 | timeout.exe
  • NTFS ADS
    cmd.exe

    Reported IOCs (description | ioc | process)

    File created | C:\Users\Admin\AppData\Roaming\FolderN\name.exe:Zone.Identifier | cmd.exe
  • Suspicious behavior: EnumeratesProcesses
    491ec1161652070007f5205e8d7592271302324e28e58f006fb5a1e81d1d57f1.bin.exe

    Reported IOCs (pid | process | events)

    916 | 491ec1161652070007f5205e8d7592271302324e28e58f006fb5a1e81d1d57f1.bin.exe | 14
  • Suspicious use of AdjustPrivilegeToken
    491ec1161652070007f5205e8d7592271302324e28e58f006fb5a1e81d1d57f1.bin.exe

    Reported IOCs (description | pid | process)

    Token: SeDebugPrivilege | 916 | 491ec1161652070007f5205e8d7592271302324e28e58f006fb5a1e81d1d57f1.bin.exe
  • Suspicious use of WriteProcessMemory
    491ec1161652070007f5205e8d7592271302324e28e58f006fb5a1e81d1d57f1.bin.exe, cmd.exe, cmd.exe

    Reported IOCs (description | pid | process | target process | events)

    PID 916 wrote to memory of 2040 | 916 | 491ec1161652070007f5205e8d7592271302324e28e58f006fb5a1e81d1d57f1.bin.exe | cmd.exe | 4
    PID 2040 wrote to memory of 908 | 2040 | cmd.exe | reg.exe | 4
    PID 916 wrote to memory of 880 | 916 | 491ec1161652070007f5205e8d7592271302324e28e58f006fb5a1e81d1d57f1.bin.exe | tmp.exe | 4
    PID 916 wrote to memory of 368 | 916 | 491ec1161652070007f5205e8d7592271302324e28e58f006fb5a1e81d1d57f1.bin.exe | svhost.exe | 11
    PID 916 wrote to memory of 1500 | 916 | 491ec1161652070007f5205e8d7592271302324e28e58f006fb5a1e81d1d57f1.bin.exe | cmd.exe | 4
    PID 1500 wrote to memory of 1832 | 1500 | cmd.exe | timeout.exe | 4
Processes 7
  • C:\Users\Admin\AppData\Local\Temp\491ec1161652070007f5205e8d7592271302324e28e58f006fb5a1e81d1d57f1.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\491ec1161652070007f5205e8d7592271302324e28e58f006fb5a1e81d1d57f1.bin.exe"
    Drops startup file
    Loads dropped DLL
    Suspicious use of SetThreadContext
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:916
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe"
      NTFS ADS
      Suspicious use of WriteProcessMemory
      PID:2040
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\FolderN\name.exe.lnk" /f
        PID:908
    • C:\Users\Admin\AppData\Roaming\tmp.exe
      "C:\Users\Admin\AppData\Roaming\tmp.exe"
      Executes dropped EXE
      PID:880
    • C:\Users\Admin\AppData\Local\Temp\svhost.exe
      "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
      Executes dropped EXE
      PID:368
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Roaming\FolderN\name.exe.bat
      Suspicious use of WriteProcessMemory
      PID:1500
      • C:\Windows\SysWOW64\timeout.exe
        timeout /t 300
        Delays execution with timeout.exe
        PID:1832
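The process tree above shows the whole chain: the sample copies itself to C:\Users\Admin\AppData\Roaming\FolderN\name.exe, drops a .lnk to it in the user's Startup folder and registers the same .lnk in the Load value of HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows (a per-user autostart location, ATT&CK T1547.001), touches the Zone.Identifier stream of name.exe from cmd.exe, runs name.exe.bat which sleeps with timeout /t 300, and launches a file named svhost.exe (not svchost.exe) from AppData\Local\Temp. The Python below is an added detection example, not part of the sandbox report and not NetWire code. It evaluates Sysmon-style process, file and stream events against one rule per behaviour; the event shape, the 60-second delay threshold, the explorer.exe baseline and the benign control events are assumptions, and two rules generalize beyond this sample (the Run value that sits beside Load in the same key, and any one-character misspelling of svchost.exe or an svchost.exe outside the system directories). The malicious sample events are constructed from the PIDs, paths and command lines on this page.

```python
"""Detection rules for the NetWire dropper chain seen in the report above.
Added example; event shape, thresholds and benign controls are assumptions."""
from __future__ import annotations

import re
from collections.abc import Iterable
from dataclasses import dataclass

PROCESS_CREATE, FILE_CREATE, FILE_STREAM_CREATE = 1, 11, 15  # assumed Sysmon IDs

# Load/Run under Windows NT\CurrentVersion\Windows: per-user autostart (T1547.001).
# The report shows Load; Run is the sibling value in the same key (generalization).
WINNT_LOAD_RE = re.compile(r"Windows NT\\CurrentVersion\\Windows\b.*\s/v\s+(?:Load|Run)\b", re.I)
STARTUP_LNK_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)
TIMEOUT_RE = re.compile(r"\btimeout(?:\.exe)?\b\s+/t\s+(\d+)", re.I)
SYSTEM_DIR_RE = re.compile(r"^[a-z]:\\windows\\(?:system32|syswow64)\\", re.I)
USER_WRITABLE_RE = re.compile(r"\\AppData\\(?:Local|Roaming)\\", re.I)
MIN_DELAY_SECONDS = 60  # assumed threshold; this sample sleeps for 300 s


@dataclass(frozen=True)
class Alert:
    rule: str
    pid: int
    detail: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; inputs are file names, so the quadratic DP is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_svchost_lookalike(image: str) -> bool:
    """svchost.exe outside System32/SysWOW64, or a name one edit away from it
    (svhost.exe as in this report, svch0st.exe, ...)."""
    name = basename(image)
    if name == "svchost.exe":
        return SYSTEM_DIR_RE.match(image) is None
    return edit_distance(name, "svchost.exe") == 1


def check_event(ev: dict) -> list[Alert]:
    alerts: list[Alert] = []
    pid, image, cmd = ev["ProcessId"], ev.get("Image", ""), ev.get("CommandLine", "")
    parent_cmd, target = ev.get("ParentCommandLine", ""), ev.get("TargetFilename", "")
    if ev["EventID"] == PROCESS_CREATE:
        if basename(image) == "reg.exe" and re.search(r"\badd\b", cmd, re.I) and WINNT_LOAD_RE.search(cmd):
            alerts.append(Alert("reg_winnt_load_persistence", pid, cmd))
        m = TIMEOUT_RE.search(cmd)
        if (m and basename(image) == "timeout.exe" and int(m.group(1)) >= MIN_DELAY_SECONDS
                and ".bat" in parent_cmd.lower() and USER_WRITABLE_RE.search(parent_cmd)):
            alerts.append(Alert("delayed_execution_from_user_batch", pid, cmd))
        if is_svchost_lookalike(image):
            alerts.append(Alert("svchost_lookalike_execution", pid, image))
    elif ev["EventID"] == FILE_CREATE:
        # explorer.exe writes Startup shortcuts on user action (assumed baseline); anything else is flagged
        if STARTUP_LNK_RE.search(target) and basename(image) != "explorer.exe":
            alerts.append(Alert("startup_folder_lnk_drop", pid, target))
    elif ev["EventID"] == FILE_STREAM_CREATE:
        # cmd.exe touching the Zone.Identifier (mark-of-the-web) stream of a dropped file
        if ":zone.identifier" in target.lower() and basename(image) == "cmd.exe":
            alerts.append(Alert("cmd_writes_zone_identifier_ads", pid, target))
    return alerts


def scan(events: Iterable[dict]) -> list[Alert]:
    return [a for ev in events for a in check_event(ev)]


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\491ec1161652070007f5205e8d7592271302324e28e58f006fb5a1e81d1d57f1.bin.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
# Constructed from the process tree and IOCs on this page.
MALICIOUS_EVENTS = [
    {"EventID": 11, "ProcessId": 916, "Image": SAMPLE,
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.exe.lnk"},
    {"EventID": 15, "ProcessId": 2040, "Image": CMD,
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\FolderN\name.exe:Zone.Identifier"},
    {"EventID": 1, "ProcessId": 908, "Image": r"C:\Windows\SysWOW64\reg.exe", "ParentCommandLine": '"cmd.exe"',
     "CommandLine": r'reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ '
                    r'/d "C:\Users\Admin\AppData\Roaming\FolderN\name.exe.lnk" /f'},
    {"EventID": 1, "ProcessId": 368, "Image": r"C:\Users\Admin\AppData\Local\Temp\svhost.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\svhost.exe"', "ParentCommandLine": f'"{SAMPLE}"'},
    {"EventID": 1, "ProcessId": 1832, "Image": r"C:\Windows\SysWOW64\timeout.exe", "CommandLine": "timeout /t 300",
     "ParentCommandLine": r"cmd /c C:\Users\Admin\AppData\Roaming\FolderN\name.exe.bat"},
]
# Constructed benign controls: the real svchost.exe and a short timeout from a build script.
BENIGN_EVENTS = [
    {"EventID": 1, "ProcessId": 1234, "Image": r"C:\Windows\System32\svchost.exe", "CommandLine": "svchost.exe -k netsvcs"},
    {"EventID": 1, "ProcessId": 1235, "Image": r"C:\Windows\System32\timeout.exe", "CommandLine": "timeout /t 5",
     "ParentCommandLine": r"cmd /c C:\Scripts\build.bat"},
]

if __name__ == "__main__":
    for alert in scan(MALICIOUS_EVENTS + BENIGN_EVENTS):
        print(f"{alert.rule:36} pid={alert.pid:<5} {alert.detail}")
```

Run stand-alone it prints five alerts, one per malicious event and none for the controls. The Load-value rule is the one worth deploying as-is: that key is rarely written by legitimate software, whereas the Startup-folder and timeout rules will need tuning against the installers and scripts in a given environment.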
Network

MITRE ATT&CK Matrix

Downloads
  • C:\Users\Admin\AppData\Local\Temp\svhost.exe
    MD5     2e5f1cf69f92392f8829fc9c9263ae9b
    SHA1    97b9ca766bbbdaa8c9ec960dc41b598f7fad82a5
    SHA256  51985a57e085d8b17042f0cdc1f905380b792854733eb3275fd8fce4e3bb886b
    SHA512  f7e096dd9d0fa3a3c04c01bf229c4b344798a4c8b7b848588c1d78cb9fadfa9b1d0fd53c1fe74d191d5561e9eb551a4a3fc918363f119ea60024dd3d67c83883

  • C:\Users\Admin\AppData\Roaming\FolderN\name.exe (same MD5/SHA1/SHA256 as the submitted sample: the dropper copies itself here)
    MD5     b49f739d1d6f51d71f075e9392946b2e
    SHA1    0967c716434876e355a3127e55f629cc8b0cc238
    SHA256  491ec1161652070007f5205e8d7592271302324e28e58f006fb5a1e81d1d57f1
    SHA512  c1fc947539b319ab73a9fa5436c9aa1f6792cdbe90e009ae52073c8ac7fbb54e3d864d8e3abf37d8f50b5a024368c7f535f66044268df7d37cca699a6e45a800

  • C:\Users\Admin\AppData\Roaming\FolderN\name.exe.bat
    MD5     dca86f6bec779bba1b58d992319e88db
    SHA1    844e656d3603d15ae56f36298f8031ad52935829
    SHA256  413b4ee68f5400fcd30ae5df957d723989b400637dbc7f5d158fa050bdc20743
    SHA512  4b9d532a777921543b3243020ea4b655a8b956c400b237ce714b5bd8e9a3ad7fdbcb11410e84e2e0ecc45e87dcd107385a487f5bb5b359aabd1322314ef2d24c

  • C:\Users\Admin\AppData\Roaming\tmp.exe
    MD5     9e9a9c00dec1b8e1c874fe0d8901588f
    SHA1    c31b41085691200ae82345a624b173263e7a071b
    SHA256  60f95b8cb87bf58697104d9d343270c6440370640a598e78ecaaacbd2d47f148
    SHA512  90c18b69c09417ac7a7a1f76ee4bbff888dce896e061eb414aa126ef81a2003d25c4ecc46b4d790b332ecf1737c13a1f69c0aa1f18cec69342caf7a5c488440f

  (The sandbox also listed each of svhost.exe, name.exe and tmp.exe under the drive-less path form \Users\Admin\...; those entries carry identical hashes and are merged above.)

  • memory/368-74-0x0000000000402BCB-mapping.dmp
  • memory/368-73-0x0000000000400000-0x000000000042C000-memory.dmp
  • memory/368-80-0x0000000000400000-0x000000000042C000-memory.dmp
  • memory/880-69-0x0000000000000000-mapping.dmp
  • memory/908-63-0x0000000000000000-mapping.dmp
  • memory/916-61-0x0000000002220000-0x0000000002221000-memory.dmp
  • memory/916-60-0x0000000075011000-0x0000000075013000-memory.dmp
  • memory/1500-77-0x0000000000000000-mapping.dmp
  • memory/1832-79-0x0000000000000000-mapping.dmp
  • memory/2040-62-0x0000000000000000-mapping.dmp