Analysis

  • max time kernel
    82s
  • max time network
    107s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    19-07-2021 15:14

General

  • Target

    491ec1161652070007f5205e8d7592271302324e28e58f006fb5a1e81d1d57f1.bin.exe

  • Size

    502KB

  • MD5

    b49f739d1d6f51d71f075e9392946b2e

  • SHA1

    0967c716434876e355a3127e55f629cc8b0cc238

  • SHA256

    491ec1161652070007f5205e8d7592271302324e28e58f006fb5a1e81d1d57f1

  • SHA512

    c1fc947539b319ab73a9fa5436c9aa1f6792cdbe90e009ae52073c8ac7fbb54e3d864d8e3abf37d8f50b5a024368c7f535f66044268df7d37cca699a6e45a800

Malware Config

Signatures

  • NetWire RAT payload 6 IoCs
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

  • Executes dropped EXE 2 IoCs
  • Drops startup file 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Delays execution with timeout.exe 1 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\491ec1161652070007f5205e8d7592271302324e28e58f006fb5a1e81d1d57f1.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\491ec1161652070007f5205e8d7592271302324e28e58f006fb5a1e81d1d57f1.bin.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:916
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe"
      2⤵
      • NTFS ADS
      • Suspicious use of WriteProcessMemory
      PID:2040
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\FolderN\name.exe.lnk" /f
        3⤵
          PID:908
      • C:\Users\Admin\AppData\Roaming\tmp.exe
        "C:\Users\Admin\AppData\Roaming\tmp.exe"
        2⤵
        • Executes dropped EXE
        PID:880
      • C:\Users\Admin\AppData\Local\Temp\svhost.exe
        "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
        2⤵
        • Executes dropped EXE
        PID:368
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c C:\Users\Admin\AppData\Roaming\FolderN\name.exe.bat
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1500
        • C:\Windows\SysWOW64\timeout.exe
          timeout /t 300
          3⤵
          • Delays execution with timeout.exe
          PID:1832

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Discovery

    System Information Discovery

    1
    T1082

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\svhost.exe
      MD5

      2e5f1cf69f92392f8829fc9c9263ae9b

      SHA1

      97b9ca766bbbdaa8c9ec960dc41b598f7fad82a5

      SHA256

      51985a57e085d8b17042f0cdc1f905380b792854733eb3275fd8fce4e3bb886b

      SHA512

      f7e096dd9d0fa3a3c04c01bf229c4b344798a4c8b7b848588c1d78cb9fadfa9b1d0fd53c1fe74d191d5561e9eb551a4a3fc918363f119ea60024dd3d67c83883

    • C:\Users\Admin\AppData\Roaming\FolderN\name.exe
      MD5

      b49f739d1d6f51d71f075e9392946b2e

      SHA1

      0967c716434876e355a3127e55f629cc8b0cc238

      SHA256

      491ec1161652070007f5205e8d7592271302324e28e58f006fb5a1e81d1d57f1

      SHA512

      c1fc947539b319ab73a9fa5436c9aa1f6792cdbe90e009ae52073c8ac7fbb54e3d864d8e3abf37d8f50b5a024368c7f535f66044268df7d37cca699a6e45a800

    • C:\Users\Admin\AppData\Roaming\FolderN\name.exe.bat
      MD5

      dca86f6bec779bba1b58d992319e88db

      SHA1

      844e656d3603d15ae56f36298f8031ad52935829

      SHA256

      413b4ee68f5400fcd30ae5df957d723989b400637dbc7f5d158fa050bdc20743

      SHA512

      4b9d532a777921543b3243020ea4b655a8b956c400b237ce714b5bd8e9a3ad7fdbcb11410e84e2e0ecc45e87dcd107385a487f5bb5b359aabd1322314ef2d24c

    • C:\Users\Admin\AppData\Roaming\tmp.exe
      MD5

      9e9a9c00dec1b8e1c874fe0d8901588f

      SHA1

      c31b41085691200ae82345a624b173263e7a071b

      SHA256

      60f95b8cb87bf58697104d9d343270c6440370640a598e78ecaaacbd2d47f148

      SHA512

      90c18b69c09417ac7a7a1f76ee4bbff888dce896e061eb414aa126ef81a2003d25c4ecc46b4d790b332ecf1737c13a1f69c0aa1f18cec69342caf7a5c488440f

    • \Users\Admin\AppData\Local\Temp\svhost.exe
      MD5

      2e5f1cf69f92392f8829fc9c9263ae9b

      SHA1

      97b9ca766bbbdaa8c9ec960dc41b598f7fad82a5

      SHA256

      51985a57e085d8b17042f0cdc1f905380b792854733eb3275fd8fce4e3bb886b

      SHA512

      f7e096dd9d0fa3a3c04c01bf229c4b344798a4c8b7b848588c1d78cb9fadfa9b1d0fd53c1fe74d191d5561e9eb551a4a3fc918363f119ea60024dd3d67c83883

    • \Users\Admin\AppData\Roaming\FolderN\name.exe
      MD5

      b49f739d1d6f51d71f075e9392946b2e

      SHA1

      0967c716434876e355a3127e55f629cc8b0cc238

      SHA256

      491ec1161652070007f5205e8d7592271302324e28e58f006fb5a1e81d1d57f1

      SHA512

      c1fc947539b319ab73a9fa5436c9aa1f6792cdbe90e009ae52073c8ac7fbb54e3d864d8e3abf37d8f50b5a024368c7f535f66044268df7d37cca699a6e45a800

    • \Users\Admin\AppData\Roaming\FolderN\name.exe
      MD5

      b49f739d1d6f51d71f075e9392946b2e

      SHA1

      0967c716434876e355a3127e55f629cc8b0cc238

      SHA256

      491ec1161652070007f5205e8d7592271302324e28e58f006fb5a1e81d1d57f1

      SHA512

      c1fc947539b319ab73a9fa5436c9aa1f6792cdbe90e009ae52073c8ac7fbb54e3d864d8e3abf37d8f50b5a024368c7f535f66044268df7d37cca699a6e45a800

    • \Users\Admin\AppData\Roaming\tmp.exe
      MD5

      9e9a9c00dec1b8e1c874fe0d8901588f

      SHA1

      c31b41085691200ae82345a624b173263e7a071b

      SHA256

      60f95b8cb87bf58697104d9d343270c6440370640a598e78ecaaacbd2d47f148

      SHA512

      90c18b69c09417ac7a7a1f76ee4bbff888dce896e061eb414aa126ef81a2003d25c4ecc46b4d790b332ecf1737c13a1f69c0aa1f18cec69342caf7a5c488440f

    • \Users\Admin\AppData\Roaming\tmp.exe
      MD5

      9e9a9c00dec1b8e1c874fe0d8901588f

      SHA1

      c31b41085691200ae82345a624b173263e7a071b

      SHA256

      60f95b8cb87bf58697104d9d343270c6440370640a598e78ecaaacbd2d47f148

      SHA512

      90c18b69c09417ac7a7a1f76ee4bbff888dce896e061eb414aa126ef81a2003d25c4ecc46b4d790b332ecf1737c13a1f69c0aa1f18cec69342caf7a5c488440f

    • memory/368-73-0x0000000000400000-0x000000000042C000-memory.dmp
      Filesize

      176KB

    • memory/368-74-0x0000000000402BCB-mapping.dmp
    • memory/368-80-0x0000000000400000-0x000000000042C000-memory.dmp
      Filesize

      176KB

    • memory/880-69-0x0000000000000000-mapping.dmp
    • memory/908-63-0x0000000000000000-mapping.dmp
    • memory/916-60-0x0000000075011000-0x0000000075013000-memory.dmp
      Filesize

      8KB

    • memory/916-61-0x0000000002220000-0x0000000002221000-memory.dmp
      Filesize

      4KB

    • memory/1500-77-0x0000000000000000-mapping.dmp
    • memory/1832-79-0x0000000000000000-mapping.dmp
    • memory/2040-62-0x0000000000000000-mapping.dmp