5413D7925B6E67E27E6FFDAB67974DBF.exe

General

Target:     5413D7925B6E67E27E6FFDAB67974DBF.exe
Filesize:   183KB
Completed:  22-07-2021 23:13
Score:      10/10
MD5:        5413d7925b6e67e27e6ffdab67974dbf
SHA1:       72250774c05d90f827cd3e9a85a0d5b7b4e3b791
SHA256:     7e12867c3e8353fc4175b559bbf654ccce1b253204fd7c5c0e2a72b56026ca32

Malware Config

Extracted

Family:  netwire
C2:      finerthings.duckdns.org:3021

Attributes

activex_autorun:    false
activex_key:
copy_executable:    false
delete_original:    false
host_id:            H23053OIGS
install_path:
keylogger_dir:
lock_executable:    false
mutex:
offline_keylogger:  false
password:           finerthings@963
registry_autorun:   false
startup_name:
use_mutex:          false
Signatures (11)

  • NetWire RAT payload

    Reported IOCs

    resource                                                                       yara_rule
    behavioral2/memory/3736-128-0x0000000000400000-0x0000000000433000-memory.dmp  netwire
  • Netwire

    Description

    Netwire is a RAT whose main functionality is focused on password stealing and keylogging, but it also includes remote control capabilities.

  • Downloads MZ/PE file
  • Executes dropped EXE
    DDllsystem.exe

    Reported IOCs

    pid   process
    3800  DDllsystem.exe
    3736  DDllsystem.exe
  • Loads dropped DLL
    DDllsystem.exe

    Reported IOCs

    pid   process
    3800  DDllsystem.exe
  • Suspicious use of SetThreadContext
    DDllsystem.exe

    Reported IOCs

    description                          pid   process         target process
    PID 3800 set thread context of 3736  3800  DDllsystem.exe  DDllsystem.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • NSIS installer

    Reported IOCs

    resource                                      yara_rule
    behavioral2/files/0x0008000000000689-123.dat  nsis_installer_1
    behavioral2/files/0x0008000000000689-123.dat  nsis_installer_2
    behavioral2/files/0x0008000000000689-124.dat  nsis_installer_1
    behavioral2/files/0x0008000000000689-124.dat  nsis_installer_2
    behavioral2/files/0x0008000000000689-127.dat  nsis_installer_1
    behavioral2/files/0x0008000000000689-127.dat  nsis_installer_2
  • Suspicious behavior: MapViewOfSection
    DDllsystem.exe

    Reported IOCs

    pid   process
    3800  DDllsystem.exe
  • Suspicious use of AdjustPrivilegeToken
    5413D7925B6E67E27E6FFDAB67974DBF.exe

    Reported IOCs

    description              pid   process
    Token: SeDebugPrivilege  4056  5413D7925B6E67E27E6FFDAB67974DBF.exe
  • Suspicious use of WriteProcessMemory
    5413D7925B6E67E27E6FFDAB67974DBF.exe
    DDllsystem.exe

    Reported IOCs

    description                        pid   process                               target process
    PID 4056 wrote to memory of 3800   4056  5413D7925B6E67E27E6FFDAB67974DBF.exe  DDllsystem.exe
    PID 4056 wrote to memory of 3800   4056  5413D7925B6E67E27E6FFDAB67974DBF.exe  DDllsystem.exe
    PID 4056 wrote to memory of 3800   4056  5413D7925B6E67E27E6FFDAB67974DBF.exe  DDllsystem.exe
    PID 3800 wrote to memory of 3736   3800  DDllsystem.exe                        DDllsystem.exe
    PID 3800 wrote to memory of 3736   3800  DDllsystem.exe                        DDllsystem.exe
    PID 3800 wrote to memory of 3736   3800  DDllsystem.exe                        DDllsystem.exe
    PID 3800 wrote to memory of 3736   3800  DDllsystem.exe                        DDllsystem.exe
Processes (3)
  • C:\Users\Admin\AppData\Local\Temp\5413D7925B6E67E27E6FFDAB67974DBF.exe
    "C:\Users\Admin\AppData\Local\Temp\5413D7925B6E67E27E6FFDAB67974DBF.exe"
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:4056
    • C:\Users\Admin\AppData\Local\Temp\DDllsystem.exe
      "C:\Users\Admin\AppData\Local\Temp\DDllsystem.exe"
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:3800
      • C:\Users\Admin\AppData\Local\Temp\DDllsystem.exe
        "C:\Users\Admin\AppData\Local\Temp\DDllsystem.exe"
        Executes dropped EXE
        PID:3736
Network

MITRE ATT&CK Matrix

Discovery
  System Information Discovery

Downloads
  • C:\Users\Admin\AppData\Local\Temp\DDllsystem.exe
    MD5:     959be976070ea4820a2e24dcce3d0bdf
    SHA1:    7ec0c6d7d9b75ef8f078383a15d977b45dc434c1
    SHA256:  6b4dd13ea6241a6c8ad2c967d88f3336798dc1e30dd24cfa3377f9b363d70b2e
    SHA512:  de3ed25149af67a28cd5659bfeb895e323bbd9e79bb791bfbe972f448ca1012d4872b4478bd321a8baefd5813dd69fb19d73ff02d078f5b99ab6618946d4455e


  • \Users\Admin\AppData\Local\Temp\kxtmnugf.dll
    MD5:     c6740f343d8777430307336fcb50d504
    SHA1:    54e4bafc84ab18dab87731ee3b3647d923af7fd7
    SHA256:  03d53a25652bbf853ab65f0428ebc68db0497654206b95bb86f0d45f0b0ebd70
    SHA512:  ae4e1919d94a23d522996ac86c920aaf7d05b1aa7d3596521c9b7fcfcee5a890249ab825b0cc5d4a3dc75ac54db5248500c1c11b676caebf49811f6eed887ff2
