5413D7925B6E67E27E6FFDAB67974DBF.exe

General

Target: 5413D7925B6E67E27E6FFDAB67974DBF.exe
Filesize: 183KB
Completed: 22-07-2021 23:13
Score: 10/10
MD5: 5413d7925b6e67e27e6ffdab67974dbf
SHA1: 72250774c05d90f827cd3e9a85a0d5b7b4e3b791
SHA256: 7e12867c3e8353fc4175b559bbf654ccce1b253204fd7c5c0e2a72b56026ca32

Malware Config

Extracted

Family: netwire
C2: finerthings.duckdns.org:3021

Attributes
activex_autorun: false
activex_key:
copy_executable: false
delete_original: false
host_id: H23053OIGS
install_path:
keylogger_dir:
lock_executable: false
mutex:
offline_keylogger: false
password: finerthings@963
registry_autorun: false
startup_name:
use_mutex: false
Signatures 11

Discovery
  • NetWire RAT payload

    Tags

    Reported IOCs

    resource | yara_rule
    behavioral1/memory/1080-77-0x0000000000400000-0x0000000000433000-memory.dmp | netwire
  • Netwire

    Description

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

  • Downloads MZ/PE file
  • Executes dropped EXE
    DDllsystem.exe, DDllsystem.exe

    Reported IOCs

    pid | process
    296 | DDllsystem.exe
    1080 | DDllsystem.exe
  • Loads dropped DLL
    5413D7925B6E67E27E6FFDAB67974DBF.exe, DDllsystem.exe

    Reported IOCs

    pid | process
    1420 | 5413D7925B6E67E27E6FFDAB67974DBF.exe
    296 | DDllsystem.exe
    296 | DDllsystem.exe
  • Suspicious use of SetThreadContext
    DDllsystem.exe

    Reported IOCs

    description | pid | process | target process
    PID 296 set thread context of 1080 | 296 | DDllsystem.exe | DDllsystem.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • NSIS installer

    Tags

    Reported IOCs

    resource | yara_rule
    behavioral1/files/0x00040000000130df-67.dat | nsis_installer_1
    behavioral1/files/0x00040000000130df-67.dat | nsis_installer_2
    behavioral1/files/0x00040000000130df-69.dat | nsis_installer_1
    behavioral1/files/0x00040000000130df-69.dat | nsis_installer_2
    behavioral1/files/0x00040000000130df-71.dat | nsis_installer_1
    behavioral1/files/0x00040000000130df-71.dat | nsis_installer_2
    behavioral1/files/0x00040000000130df-73.dat | nsis_installer_1
    behavioral1/files/0x00040000000130df-73.dat | nsis_installer_2
    behavioral1/files/0x00040000000130df-75.dat | nsis_installer_1
    behavioral1/files/0x00040000000130df-75.dat | nsis_installer_2
  • Suspicious behavior: MapViewOfSection
    DDllsystem.exe

    Reported IOCs

    pid | process
    296 | DDllsystem.exe
  • Suspicious use of AdjustPrivilegeToken
    5413D7925B6E67E27E6FFDAB67974DBF.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 1420 | 5413D7925B6E67E27E6FFDAB67974DBF.exe
  • Suspicious use of WriteProcessMemory
    5413D7925B6E67E27E6FFDAB67974DBF.exe, DDllsystem.exe

    Reported IOCs

    description | pid | process | target process
    PID 1420 wrote to memory of 296 | 1420 | 5413D7925B6E67E27E6FFDAB67974DBF.exe | DDllsystem.exe
    PID 1420 wrote to memory of 296 | 1420 | 5413D7925B6E67E27E6FFDAB67974DBF.exe | DDllsystem.exe
    PID 1420 wrote to memory of 296 | 1420 | 5413D7925B6E67E27E6FFDAB67974DBF.exe | DDllsystem.exe
    PID 1420 wrote to memory of 296 | 1420 | 5413D7925B6E67E27E6FFDAB67974DBF.exe | DDllsystem.exe
    PID 296 wrote to memory of 1080 | 296 | DDllsystem.exe | DDllsystem.exe
    PID 296 wrote to memory of 1080 | 296 | DDllsystem.exe | DDllsystem.exe
    PID 296 wrote to memory of 1080 | 296 | DDllsystem.exe | DDllsystem.exe
    PID 296 wrote to memory of 1080 | 296 | DDllsystem.exe | DDllsystem.exe
    PID 296 wrote to memory of 1080 | 296 | DDllsystem.exe | DDllsystem.exe
Processes 3
  • C:\Users\Admin\AppData\Local\Temp\5413D7925B6E67E27E6FFDAB67974DBF.exe
    "C:\Users\Admin\AppData\Local\Temp\5413D7925B6E67E27E6FFDAB67974DBF.exe"
    Loads dropped DLL
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:1420
    • C:\Users\Admin\AppData\Local\Temp\DDllsystem.exe
      "C:\Users\Admin\AppData\Local\Temp\DDllsystem.exe"
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:296
      • C:\Users\Admin\AppData\Local\Temp\DDllsystem.exe
        "C:\Users\Admin\AppData\Local\Temp\DDllsystem.exe"
        Executes dropped EXE
        PID:1080
Network

MITRE ATT&CK Matrix
Collection | Command and Control | Credential Access | Defense Evasion | Execution | Exfiltration | Impact | Initial Access | Lateral Movement | Persistence | Privilege Escalation

Downloads
  • C:\Users\Admin\AppData\Local\Temp\DDllsystem.exe
    MD5: 959be976070ea4820a2e24dcce3d0bdf
    SHA1: 7ec0c6d7d9b75ef8f078383a15d977b45dc434c1
    SHA256: 6b4dd13ea6241a6c8ad2c967d88f3336798dc1e30dd24cfa3377f9b363d70b2e
    SHA512: de3ed25149af67a28cd5659bfeb895e323bbd9e79bb791bfbe972f448ca1012d4872b4478bd321a8baefd5813dd69fb19d73ff02d078f5b99ab6618946d4455e

  • \Users\Admin\AppData\Local\Temp\DDllsystem.exe
    MD5: 959be976070ea4820a2e24dcce3d0bdf
    SHA1: 7ec0c6d7d9b75ef8f078383a15d977b45dc434c1
    SHA256: 6b4dd13ea6241a6c8ad2c967d88f3336798dc1e30dd24cfa3377f9b363d70b2e
    SHA512: de3ed25149af67a28cd5659bfeb895e323bbd9e79bb791bfbe972f448ca1012d4872b4478bd321a8baefd5813dd69fb19d73ff02d078f5b99ab6618946d4455e

  • \Users\Admin\AppData\Local\Temp\kxtmnugf.dll
    MD5: c6740f343d8777430307336fcb50d504
    SHA1: 54e4bafc84ab18dab87731ee3b3647d923af7fd7
    SHA256: 03d53a25652bbf853ab65f0428ebc68db0497654206b95bb86f0d45f0b0ebd70
    SHA512: ae4e1919d94a23d522996ac86c920aaf7d05b1aa7d3596521c9b7fcfcee5a890249ab825b0cc5d4a3dc75ac54db5248500c1c11b676caebf49811f6eed887ff2

  • memory/296-68-0x0000000000000000-mapping.dmp
  • memory/296-70-0x0000000074FB1000-0x0000000074FB3000-memory.dmp
  • memory/1080-74-0x000000000040242D-mapping.dmp
  • memory/1080-77-0x0000000000400000-0x0000000000433000-memory.dmp
  • memory/1420-66-0x0000000001FB0000-0x0000000001FB1000-memory.dmp
  • memory/1420-65-0x0000000004954000-0x0000000004956000-memory.dmp
  • memory/1420-63-0x0000000004952000-0x0000000004953000-memory.dmp
  • memory/1420-64-0x0000000004953000-0x0000000004954000-memory.dmp
  • memory/1420-62-0x0000000004951000-0x0000000004952000-memory.dmp
  • memory/1420-61-0x0000000001F90000-0x0000000001FA3000-memory.dmp
  • memory/1420-60-0x00000000005F0000-0x0000000000605000-memory.dmp