491ec1161652070007f5205e8d7592271302324e28e58f006fb5a1e81d1d57f1.bin

General

Target: 491ec1161652070007f5205e8d7592271302324e28e58f006fb5a1e81d1d57f1.bin.exe
Filesize: 502KB
Completed: 19-07-2021 15:17
Score: 10/10
MD5: b49f739d1d6f51d71f075e9392946b2e
SHA1: 0967c716434876e355a3127e55f629cc8b0cc238
SHA256: 491ec1161652070007f5205e8d7592271302324e28e58f006fb5a1e81d1d57f1

Malware Config
Signatures (12)

  • NetWire RAT payload

    Reported IOCs

    resource | yara_rule
    behavioral2/files/0x000100000001ab1f-119.dat | netwire
    behavioral2/files/0x000100000001ab1f-120.dat | netwire
    behavioral2/memory/1476-122-0x0000000000402BCB-mapping.dmp | netwire
    behavioral2/memory/1476-124-0x00000000001C0000-0x00000000001EC000-memory.dmp | netwire
  • Netwire

    Description

    Netwire is a RAT whose main functionality is focused on password stealing and keylogging, but it also includes remote control capabilities.

  • Executes dropped EXE
    tmp.exe, svhost.exe

    Reported IOCs

    pid | process
    204 | tmp.exe
    1476 | svhost.exe
  • Drops startup file
    491ec1161652070007f5205e8d7592271302324e28e58f006fb5a1e81d1d57f1.bin.exe

    Reported IOCs

    description | ioc | process
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.exe.lnk | 491ec1161652070007f5205e8d7592271302324e28e58f006fb5a1e81d1d57f1.bin.exe
  • Suspicious use of SetThreadContext
    491ec1161652070007f5205e8d7592271302324e28e58f006fb5a1e81d1d57f1.bin.exe

    Reported IOCs

    description | pid | process | target process
    PID 3920 set thread context of 1476 | 3920 | 491ec1161652070007f5205e8d7592271302324e28e58f006fb5a1e81d1d57f1.bin.exe | svhost.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Program crash
    WerFault.exe

    Reported IOCs

    pid | pid_target | process | target process
    3476 | 1476 | WerFault.exe | svhost.exe
  • Delays execution with timeout.exe
    timeout.exe

    Reported IOCs

    pid | process
    3976 | timeout.exe
  • NTFS ADS
    cmd.exe

    Reported IOCs

    description | ioc | process
    File created | C:\Users\Admin\AppData\Roaming\FolderN\name.exe:Zone.Identifier | cmd.exe
  • Suspicious behavior: EnumeratesProcesses
    491ec1161652070007f5205e8d7592271302324e28e58f006fb5a1e81d1d57f1.bin.exe, WerFault.exe

    Reported IOCs

    pid | process
    3920 | 491ec1161652070007f5205e8d7592271302324e28e58f006fb5a1e81d1d57f1.bin.exe
    3476 | WerFault.exe
  • Suspicious use of AdjustPrivilegeToken
    491ec1161652070007f5205e8d7592271302324e28e58f006fb5a1e81d1d57f1.bin.exe, WerFault.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 3920 | 491ec1161652070007f5205e8d7592271302324e28e58f006fb5a1e81d1d57f1.bin.exe
    Token: SeRestorePrivilege | 3476 | WerFault.exe
    Token: SeBackupPrivilege | 3476 | WerFault.exe
    Token: SeDebugPrivilege | 3476 | WerFault.exe
  • Suspicious use of WriteProcessMemory
    491ec1161652070007f5205e8d7592271302324e28e58f006fb5a1e81d1d57f1.bin.exe, cmd.exe

    Reported IOCs

    description | pid | process | target process
    PID 3920 wrote to memory of 3108 | 3920 | 491ec1161652070007f5205e8d7592271302324e28e58f006fb5a1e81d1d57f1.bin.exe | cmd.exe
    PID 3108 wrote to memory of 4060 | 3108 | cmd.exe | reg.exe
    PID 3920 wrote to memory of 204 | 3920 | 491ec1161652070007f5205e8d7592271302324e28e58f006fb5a1e81d1d57f1.bin.exe | tmp.exe
    PID 3920 wrote to memory of 1476 | 3920 | 491ec1161652070007f5205e8d7592271302324e28e58f006fb5a1e81d1d57f1.bin.exe | svhost.exe
    PID 3920 wrote to memory of 3760 | 3920 | 491ec1161652070007f5205e8d7592271302324e28e58f006fb5a1e81d1d57f1.bin.exe | cmd.exe
    PID 3760 wrote to memory of 3976 | 3760 | cmd.exe | timeout.exe
Processes (8)
  • C:\Users\Admin\AppData\Local\Temp\491ec1161652070007f5205e8d7592271302324e28e58f006fb5a1e81d1d57f1.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\491ec1161652070007f5205e8d7592271302324e28e58f006fb5a1e81d1d57f1.bin.exe"
    Drops startup file
    Suspicious use of SetThreadContext
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:3920
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe"
      NTFS ADS
      Suspicious use of WriteProcessMemory
      PID:3108
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\FolderN\name.exe.lnk" /f
        PID:4060
    • C:\Users\Admin\AppData\Roaming\tmp.exe
      "C:\Users\Admin\AppData\Roaming\tmp.exe"
      Executes dropped EXE
      PID:204
    • C:\Users\Admin\AppData\Local\Temp\svhost.exe
      "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
      Executes dropped EXE
      PID:1476
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1476 -s 512
        Program crash
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        PID:3476
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FolderN\name.exe.bat
      Suspicious use of WriteProcessMemory
      PID:3760
      • C:\Windows\SysWOW64\timeout.exe
        timeout /t 300
        Delays execution with timeout.exe
        PID:3976
Network
MITRE ATT&CK Matrix
Tactics: Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation
Downloads
  • C:\Users\Admin\AppData\Local\Temp\svhost.exe
    MD5: 810be04867d847b702dd5fa163cb0a66
    SHA1: fb2a355f356660ba494e70af002d6a728fe64aa7
    SHA256: e83d07b6a965bcaf8502f7d869ff69a647b2fc68dc82bcf8be4a6b79e0e03f19
    SHA512: b6e38765a9ae433994ac9d5986049aa33ab7fe581a324ef647f0295617bb00ed0af83ffc6cb33890052393ac1d34898553a3b78cab259bd4e45c446230652981

  • C:\Users\Admin\AppData\Roaming\FolderN\name.exe
    MD5: b49f739d1d6f51d71f075e9392946b2e
    SHA1: 0967c716434876e355a3127e55f629cc8b0cc238
    SHA256: 491ec1161652070007f5205e8d7592271302324e28e58f006fb5a1e81d1d57f1
    SHA512: c1fc947539b319ab73a9fa5436c9aa1f6792cdbe90e009ae52073c8ac7fbb54e3d864d8e3abf37d8f50b5a024368c7f535f66044268df7d37cca699a6e45a800

  • C:\Users\Admin\AppData\Roaming\FolderN\name.exe.bat
    MD5: dca86f6bec779bba1b58d992319e88db
    SHA1: 844e656d3603d15ae56f36298f8031ad52935829
    SHA256: 413b4ee68f5400fcd30ae5df957d723989b400637dbc7f5d158fa050bdc20743
    SHA512: 4b9d532a777921543b3243020ea4b655a8b956c400b237ce714b5bd8e9a3ad7fdbcb11410e84e2e0ecc45e87dcd107385a487f5bb5b359aabd1322314ef2d24c

  • C:\Users\Admin\AppData\Roaming\tmp.exe
    MD5: 9e9a9c00dec1b8e1c874fe0d8901588f
    SHA1: c31b41085691200ae82345a624b173263e7a071b
    SHA256: 60f95b8cb87bf58697104d9d343270c6440370640a598e78ecaaacbd2d47f148
    SHA512: 90c18b69c09417ac7a7a1f76ee4bbff888dce896e061eb414aa126ef81a2003d25c4ecc46b4d790b332ecf1737c13a1f69c0aa1f18cec69342caf7a5c488440f

  • memory/204-118-0x0000000000000000-mapping.dmp
  • memory/1476-122-0x0000000000402BCB-mapping.dmp
  • memory/1476-124-0x00000000001C0000-0x00000000001EC000-memory.dmp
  • memory/3108-115-0x0000000000000000-mapping.dmp
  • memory/3760-128-0x0000000000000000-mapping.dmp
  • memory/3920-114-0x0000000002C60000-0x0000000002C61000-memory.dmp
  • memory/3976-130-0x0000000000000000-mapping.dmp
  • memory/4060-116-0x0000000000000000-mapping.dmp