Analysis

  • max time kernel
    133s
  • max time network
    167s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    17/02/2022, 00:10

General

  • Target

    8077ab4eb763f47987ff28098272fc86a364cca3acf5831d0a3aac450dcba1f8.exe

  • Size

    160KB

  • MD5

    63ac5ce1a0da946394ef90e06492927c

  • SHA1

    9553cddd84dd3e9db5b22594ec9f50bb18cb14b0

  • SHA256

    8077ab4eb763f47987ff28098272fc86a364cca3acf5831d0a3aac450dcba1f8

  • SHA512

    16cc8fb53e8a23dcca49187c847b90b5fc8a63958d83337a1ce45e30da448935405c456b3390003322d389bea6022d762650cb5083f348df7556dc0e9b8548d6

Malware Config

Extracted

Family

netwire

C2

uploadp2p.publicvm.com:3362

Attributes
  • activex_autorun

    false

  • activex_key

  • copy_executable

    true

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • install_path

    %AppData%\Install\Hostes.exe

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • mutex

    ViERmjPT

  • offline_keylogger

    true

  • password

    Password

  • registry_autorun

    false

  • startup_name

  • use_mutex

    true

Signatures

  • NetWire RAT payload 2 IoCs
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Windows directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8077ab4eb763f47987ff28098272fc86a364cca3acf5831d0a3aac450dcba1f8.exe
    "C:\Users\Admin\AppData\Local\Temp\8077ab4eb763f47987ff28098272fc86a364cca3acf5831d0a3aac450dcba1f8.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4852
    • C:\Users\Admin\AppData\Roaming\Install\Hostes.exe
      "C:\Users\Admin\AppData\Roaming\Install\Hostes.exe"
      2⤵
      • Executes dropped EXE
      PID:2336
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:3124
  • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
    C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:3488

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/3124-132-0x0000024323960000-0x0000024323970000-memory.dmp

          Filesize

          64KB

        • memory/3124-133-0x0000024323F20000-0x0000024323F30000-memory.dmp

          Filesize

          64KB

        • memory/3124-134-0x0000024326590000-0x0000024326594000-memory.dmp

          Filesize

          16KB