A582F8176C5F4BECF5F95A563E9EC11A.exe

General

Target: A582F8176C5F4BECF5F95A563E9EC11A.exe
Filesize: 1MB
Completed: 25-07-2021 03:44
Score: 10/10
MD5: a582f8176c5f4becf5f95a563e9ec11a
SHA1: a8b2fd3f57157cce4fe9442b8ffa53e15ca4820c
SHA256: bd62e723aff056a5f6dd9b9ece4f5ea4bae0a50cc3bdd5f4228fb265c2a96170

Malware Config

Extracted

Family: netwire
C2: roban.giize.com:1604

Attributes
activex_autorun: false
activex_key:
copy_executable: false
delete_original: false
host_id: HostId-%Rand%
install_path:
keylogger_dir:
lock_executable: false
mutex:
offline_keylogger: false
password: Password
registry_autorun: false
startup_name:
use_mutex: false
Signatures (7)

  • NetWire RAT payload

    Tags

    Reported IOCs

    resource | yara_rule
    behavioral2/memory/2244-130-0x0000000000400000-0x0000000000433000-memory.dmp | netwire
    behavioral2/memory/2244-132-0x000000000040242D-mapping.dmp | netwire
    behavioral2/memory/2244-134-0x0000000000400000-0x0000000000433000-memory.dmp | netwire
  • Netwire

    Description

    Netwire is a RAT whose main functionality is focused on password stealing and keylogging, but it also includes remote control capabilities.

  • Drops startup file
    PowerShell.exe

    Reported IOCs

    description | ioc | process
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\koleno.exe | PowerShell.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\koleno.exe | PowerShell.exe
  • Suspicious use of SetThreadContext
    A582F8176C5F4BECF5F95A563E9EC11A.exe

    Reported IOCs

    description | pid | process | target process
    PID 3008 set thread context of 2244 | 3008 | A582F8176C5F4BECF5F95A563E9EC11A.exe | A582F8176C5F4BECF5F95A563E9EC11A.exe
  • Suspicious behavior: EnumeratesProcesses
    PowerShell.exe

    Reported IOCs

    pid | process
    2580 | PowerShell.exe
    2580 | PowerShell.exe
    2580 | PowerShell.exe
  • Suspicious use of AdjustPrivilegeToken
    PowerShell.exe, A582F8176C5F4BECF5F95A563E9EC11A.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 2580 | PowerShell.exe
    Token: SeDebugPrivilege | 3008 | A582F8176C5F4BECF5F95A563E9EC11A.exe
  • Suspicious use of WriteProcessMemory
    A582F8176C5F4BECF5F95A563E9EC11A.exe

    Reported IOCs

    description | pid | process | target process
    PID 3008 wrote to memory of 2580 | 3008 | A582F8176C5F4BECF5F95A563E9EC11A.exe | PowerShell.exe
    PID 3008 wrote to memory of 2580 | 3008 | A582F8176C5F4BECF5F95A563E9EC11A.exe | PowerShell.exe
    PID 3008 wrote to memory of 2580 | 3008 | A582F8176C5F4BECF5F95A563E9EC11A.exe | PowerShell.exe
    PID 3008 wrote to memory of 2244 | 3008 | A582F8176C5F4BECF5F95A563E9EC11A.exe | A582F8176C5F4BECF5F95A563E9EC11A.exe
    PID 3008 wrote to memory of 2244 | 3008 | A582F8176C5F4BECF5F95A563E9EC11A.exe | A582F8176C5F4BECF5F95A563E9EC11A.exe
    PID 3008 wrote to memory of 2244 | 3008 | A582F8176C5F4BECF5F95A563E9EC11A.exe | A582F8176C5F4BECF5F95A563E9EC11A.exe
    PID 3008 wrote to memory of 2244 | 3008 | A582F8176C5F4BECF5F95A563E9EC11A.exe | A582F8176C5F4BECF5F95A563E9EC11A.exe
    PID 3008 wrote to memory of 2244 | 3008 | A582F8176C5F4BECF5F95A563E9EC11A.exe | A582F8176C5F4BECF5F95A563E9EC11A.exe
    PID 3008 wrote to memory of 2244 | 3008 | A582F8176C5F4BECF5F95A563E9EC11A.exe | A582F8176C5F4BECF5F95A563E9EC11A.exe
    PID 3008 wrote to memory of 2244 | 3008 | A582F8176C5F4BECF5F95A563E9EC11A.exe | A582F8176C5F4BECF5F95A563E9EC11A.exe
    PID 3008 wrote to memory of 2244 | 3008 | A582F8176C5F4BECF5F95A563E9EC11A.exe | A582F8176C5F4BECF5F95A563E9EC11A.exe
    PID 3008 wrote to memory of 2244 | 3008 | A582F8176C5F4BECF5F95A563E9EC11A.exe | A582F8176C5F4BECF5F95A563E9EC11A.exe
    PID 3008 wrote to memory of 2244 | 3008 | A582F8176C5F4BECF5F95A563E9EC11A.exe | A582F8176C5F4BECF5F95A563E9EC11A.exe
    PID 3008 wrote to memory of 2244 | 3008 | A582F8176C5F4BECF5F95A563E9EC11A.exe | A582F8176C5F4BECF5F95A563E9EC11A.exe
Processes (3)
  • C:\Users\Admin\AppData\Local\Temp\A582F8176C5F4BECF5F95A563E9EC11A.exe
    "C:\Users\Admin\AppData\Local\Temp\A582F8176C5F4BECF5F95A563E9EC11A.exe"
    Suspicious use of SetThreadContext
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:3008
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShell.exe
      "PowerShell" copy-item 'C:\Users\Admin\AppData\Local\Temp\A582F8176C5F4BECF5F95A563E9EC11A.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\koleno.exe'
      Drops startup file
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2580
    • C:\Users\Admin\AppData\Local\Temp\A582F8176C5F4BECF5F95A563E9EC11A.exe
      "C:\Users\Admin\AppData\Local\Temp\A582F8176C5F4BECF5F95A563E9EC11A.exe"
      PID:2244
Network
MITRE ATT&CK Matrix

Collection, Command and Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation
                          Downloads
  • memory/2244-130-0x0000000000400000-0x0000000000433000-memory.dmp
  • memory/2244-134-0x0000000000400000-0x0000000000433000-memory.dmp
  • memory/2244-132-0x000000000040242D-mapping.dmp
  • memory/2580-136-0x00000000081F0000-0x00000000081F1000-memory.dmp
  • memory/2580-121-0x0000000001020000-0x0000000001021000-memory.dmp
  • memory/2580-123-0x0000000006A22000-0x0000000006A23000-memory.dmp
  • memory/2580-122-0x0000000006A20000-0x0000000006A21000-memory.dmp
  • memory/2580-124-0x0000000007060000-0x0000000007061000-memory.dmp
  • memory/2580-142-0x0000000008FD0000-0x0000000008FD1000-memory.dmp
  • memory/2580-126-0x0000000006FD0000-0x0000000006FD1000-memory.dmp
  • memory/2580-137-0x0000000007FA0000-0x0000000007FA1000-memory.dmp
  • memory/2580-129-0x0000000006F20000-0x0000000006F21000-memory.dmp
  • memory/2580-147-0x0000000006A23000-0x0000000006A24000-memory.dmp
  • memory/2580-143-0x0000000008C80000-0x0000000008C81000-memory.dmp
  • memory/2580-131-0x0000000007800000-0x0000000007801000-memory.dmp
  • memory/2580-117-0x0000000000000000-mapping.dmp
  • memory/2580-133-0x0000000007870000-0x0000000007871000-memory.dmp
  • memory/2580-144-0x0000000008CF0000-0x0000000008CF1000-memory.dmp
  • memory/2580-135-0x00000000077C0000-0x00000000077C1000-memory.dmp
  • memory/3008-128-0x0000000005890000-0x0000000005891000-memory.dmp
  • memory/3008-127-0x0000000005AB0000-0x0000000005FAE000-memory.dmp
  • memory/3008-125-0x0000000005840000-0x0000000005855000-memory.dmp
  • memory/3008-118-0x0000000005FB0000-0x0000000005FB1000-memory.dmp
  • memory/3008-116-0x00000000057A0000-0x00000000057A1000-memory.dmp
  • memory/3008-114-0x0000000000E50000-0x0000000000E51000-memory.dmp