Overview

overview

10

Static

static

order.exe

windows7_x64

10

order.exe

windows10_x64

10

Analysis

  • max time kernel
    143s
  • max time network
    145s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    21-07-2021 08:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    order.exe

  • Size

    838KB

  • MD5

    587f6655380282c9fb7997fa2225438e

  • SHA1

    5b45eb58ef1d1cd93df0ecfc7b4124644515e93c

  • SHA256

    9add495b9373ca17ea4f158da84a200f3d5a52ce81bc535a575a5eac31bd76bb

  • SHA512

    1b97c465d355d8fa6355c7b856ba7eebac8b8c4bdd9c482b1a8fa6c558309356cfb80ac3373737b269c1ca9c4df03294daee918a34500e45874c1b6fc32ce488

Score
10/10
netwirebotnetratstealer

Malware Config

Extracted

Family

netwire

C2

84.38.129.130:19891

Attributes
  • activex_autorun

    false

  • activex_key

  • copy_executable

    true

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • install_path

    %AppData%\Install\Host.exe

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • mutex

    iFwvrEFs

  • offline_keylogger

    true

  • password

    Password

  • registry_autorun

    false

  • startup_name

  • use_mutex

    true

Signatures

  • NetWire RAT payload 5 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Executes dropped EXE 3 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\order.exe
    "C:\Users\Admin\AppData\Local\Temp\order.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:804
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BFzyfsQWtX" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3038.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2776
    • C:\Users\Admin\AppData\Local\Temp\order.exe
      "{path}"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1560
      • C:\Users\Admin\AppData\Roaming\Install\Host.exe
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:904
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BFzyfsQWtX" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF07B.tmp"
          4⤵
          • Creates scheduled task(s)
          PID:3800
        • C:\Users\Admin\AppData\Roaming\Install\Host.exe
          "{path}"
          4⤵
          • Executes dropped EXE
          PID:1844
        • C:\Users\Admin\AppData\Roaming\Install\Host.exe
          "{path}"
          4⤵
          • Executes dropped EXE
          PID:3776

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp3038.tmp
    MD5

    8f4b327e97258a599564cd2ad518ac56

    SHA1

    3a72b232fce4b3d80ce27175408ae70d5cf6d1e7

    SHA256

    112517429d8cf336b27742478319bf3bfd4cc4ff141a60982bb7fbe09c7667a3

    SHA512

    fc152ba8d86fd274b1fbd117a9efe8971e1e9ebf75a2d3a6fef1adb86b8d12f67d9c6051d02771121bc01daf985cbd3261c53602bbc52791ca5c1ad0f5c42823

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmpF07B.tmp
    MD5

    8f4b327e97258a599564cd2ad518ac56

    SHA1

    3a72b232fce4b3d80ce27175408ae70d5cf6d1e7

    SHA256

    112517429d8cf336b27742478319bf3bfd4cc4ff141a60982bb7fbe09c7667a3

    SHA512

    fc152ba8d86fd274b1fbd117a9efe8971e1e9ebf75a2d3a6fef1adb86b8d12f67d9c6051d02771121bc01daf985cbd3261c53602bbc52791ca5c1ad0f5c42823

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Install\Host.exe
    MD5

    587f6655380282c9fb7997fa2225438e

    SHA1

    5b45eb58ef1d1cd93df0ecfc7b4124644515e93c

    SHA256

    9add495b9373ca17ea4f158da84a200f3d5a52ce81bc535a575a5eac31bd76bb

    SHA512

    1b97c465d355d8fa6355c7b856ba7eebac8b8c4bdd9c482b1a8fa6c558309356cfb80ac3373737b269c1ca9c4df03294daee918a34500e45874c1b6fc32ce488

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Install\Host.exe
    MD5

    587f6655380282c9fb7997fa2225438e

    SHA1

    5b45eb58ef1d1cd93df0ecfc7b4124644515e93c

    SHA256

    9add495b9373ca17ea4f158da84a200f3d5a52ce81bc535a575a5eac31bd76bb

    SHA512

    1b97c465d355d8fa6355c7b856ba7eebac8b8c4bdd9c482b1a8fa6c558309356cfb80ac3373737b269c1ca9c4df03294daee918a34500e45874c1b6fc32ce488

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Install\Host.exe
    MD5

    587f6655380282c9fb7997fa2225438e

    SHA1

    5b45eb58ef1d1cd93df0ecfc7b4124644515e93c

    SHA256

    9add495b9373ca17ea4f158da84a200f3d5a52ce81bc535a575a5eac31bd76bb

    SHA512

    1b97c465d355d8fa6355c7b856ba7eebac8b8c4bdd9c482b1a8fa6c558309356cfb80ac3373737b269c1ca9c4df03294daee918a34500e45874c1b6fc32ce488

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Install\Host.exe
    MD5

    587f6655380282c9fb7997fa2225438e

    SHA1

    5b45eb58ef1d1cd93df0ecfc7b4124644515e93c

    SHA256

    9add495b9373ca17ea4f158da84a200f3d5a52ce81bc535a575a5eac31bd76bb

    SHA512

    1b97c465d355d8fa6355c7b856ba7eebac8b8c4bdd9c482b1a8fa6c558309356cfb80ac3373737b269c1ca9c4df03294daee918a34500e45874c1b6fc32ce488

    Download Submit
  • memory/804-121-0x0000000008760000-0x0000000008761000-memory.dmp
    Filesize

    4KB

    Download
  • memory/804-122-0x0000000006DE0000-0x0000000006E93000-memory.dmp
    Filesize

    716KB

    Download
  • memory/804-123-0x000000000B230000-0x000000000B29F000-memory.dmp
    Filesize

    444KB

    Download
  • memory/804-117-0x00000000052F0000-0x00000000052F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/804-120-0x0000000005790000-0x0000000005792000-memory.dmp
    Filesize

    8KB

    Download
  • memory/804-116-0x00000000057F0000-0x00000000057F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/804-118-0x0000000005260000-0x0000000005261000-memory.dmp
    Filesize

    4KB

    Download
  • memory/804-114-0x0000000000940000-0x0000000000941000-memory.dmp
    Filesize

    4KB

    Download
  • memory/804-119-0x0000000005250000-0x0000000005251000-memory.dmp
    Filesize

    4KB

    Download
  • memory/904-139-0x0000000005690000-0x0000000005722000-memory.dmp
    Filesize

    584KB

    Download
  • memory/904-129-0x0000000000000000-mapping.dmp
    Download
  • memory/1560-128-0x0000000000400000-0x0000000000433000-memory.dmp
    Filesize

    204KB

    Download
  • memory/1560-127-0x000000000040242D-mapping.dmp
    Download
  • memory/1560-126-0x0000000000400000-0x0000000000433000-memory.dmp
    Filesize

    204KB

    Download
  • memory/2776-124-0x0000000000000000-mapping.dmp
    Download
  • memory/3776-146-0x000000000040242D-mapping.dmp
    Download
  • memory/3800-142-0x0000000000000000-mapping.dmp
    Download