Analysis

  • max time kernel
    158s
  • max time network
    171s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    17-02-2022 07:19

General

  • Target

    09dcbd4090a6ae4c8d19ec1e357a017722c33a38abf3b610982a11e742c37da8.exe

  • Size

    786KB

  • MD5

    1cdf8fa8ddae20c8c6a302e67f1f4acb

  • SHA1

    b0dc15105131707ce20039df436463549fb4b913

  • SHA256

    09dcbd4090a6ae4c8d19ec1e357a017722c33a38abf3b610982a11e742c37da8

  • SHA512

    27e160208c212d7cbbe3293233c7bd6301eb0d6a54191560017af3a2ae90d286f369cd4180d7959de4071effc621f84996e4ae4f7ec02dfc45851755d4411a75

Malware Config

Extracted

Family

netwire

C2

cctv-home.ddns.me:3360

cctv-home.serveftp.com:3360

Attributes
  • activex_autorun

    true

  • activex_key

    {R5Q8L480-V2I5-AA1A-5GR0-RGV5X2101O0D}

  • copy_executable

    true

  • delete_original

    false

  • host_id

    Money

  • install_path

    %AppData%\Microcoft\operas.exe

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • mutex

    YwkrXNoi

  • offline_keylogger

    true

  • password

    dick

  • registry_autorun

    true

  • startup_name

    BrowsersPriv

  • use_mutex

    true

Signatures

  • Detect Neshta Payload 2 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Neshta

    Neshta is a file infector: it prepends its own body to .exe files it finds, so that running an infected program first executes the infector, which then writes the original executable to a %TEMP%\3582-490\ directory and launches it from there. That is the Host.exe -> 3582-490\Host.exe step in the process tree below. It also rewrites the exefile shell\open\command association so that every .exe launched afterwards passes through the infector first.

  • NetWire RAT payload 6 IoCs
  • Netwire

    NetWire is a RAT whose main functionality is credential theft and keylogging, with remote-control capabilities as well. The extracted config above shows an offline keylogger writing to %AppData%\Logs\, the payload copied to %AppData%\Microcoft\operas.exe, and two persistence mechanisms: a Run key value named BrowsersPriv and an Active Setup Installed Components entry under the activex_key CLSID.

  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Modifies Installed Components in the registry 2 TTPs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and session cookies.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Commonly seen in ransomware, but also in ordinary system activity; the report does not tie this hit to a specific process.

  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\09dcbd4090a6ae4c8d19ec1e357a017722c33a38abf3b610982a11e742c37da8.exe
    "C:\Users\Admin\AppData\Local\Temp\09dcbd4090a6ae4c8d19ec1e357a017722c33a38abf3b610982a11e742c37da8.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1984
    • C:\Users\Admin\AppData\Local\Temp\Host.exe
      "C:\Users\Admin\AppData\Local\Temp\Host.exe"
      2⤵
      • Modifies system executable filetype association
      • Executes dropped EXE
      • Checks computer location settings
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2992
      • C:\Users\Admin\AppData\Local\Temp\3582-490\Host.exe
        "C:\Users\Admin\AppData\Local\Temp\3582-490\Host.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:3936
        • C:\Users\Admin\AppData\Roaming\Microcoft\operas.exe
          "C:\Users\Admin\AppData\Roaming\Microcoft\operas.exe"
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          PID:2612
    • C:\Users\Admin\AppData\Local\Temp\Paypal Valid Email Checker By X-SLAYER.exe
      "C:\Users\Admin\AppData\Local\Temp\Paypal Valid Email Checker By X-SLAYER.exe"
      2⤵
      • Executes dropped EXE
      PID:2292
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 2292 -s 1012
        3⤵
        • Program crash
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious behavior: EnumeratesProcesses
        PID:3628
  • C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -pss -s 408 -p 2292 -ip 2292
    1⤵
    • Suspicious use of NtCreateProcessExOtherParentProcess
    • Suspicious use of WriteProcessMemory
    PID:3692
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:3108
  • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
    C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:3904
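The extracted config and the process tree above give enough to write host and log detections for this sample. The following Python is an added example, not part of the sandbox report or of any vendor tooling: it turns the report's indicators (file hashes, C2 hosts and port, the Run key name, the Active Setup CLSID, the install path, and the Neshta unwrap pattern of X.exe spawning %TEMP%\3582-490\X.exe) into rules and runs them over a small set of constructed Sysmon-style events. The event schema (`kind`, `image`, `parent_image`, `sha256`, `key`, `query`, `dest_host`, `dest_port`) is an assumption chosen to resemble Sysmon event IDs 1, 13, 22 and 3; the mapping of NetWire's activex_autorun to an Active Setup "Installed Components" entry is standard NetWire behaviour and is what the report's "Modifies Installed Components in the registry" signature reflects.

```python
"""Detection rules for the NetWire + Neshta indicators in this report, run over
constructed Sysmon-style events. Added example, not part of the sandbox report;
SAMPLE_EVENTS is made up to mirror the process tree and config above."""
import ntpath
import re
from collections import defaultdict

# File hashes from the General and Downloads sections.
SHA256_IOCS = {
    "09dcbd4090a6ae4c8d19ec1e357a017722c33a38abf3b610982a11e742c37da8": "submitted dropper",
    "b60892bf1bf647c35ca36de5e5bb00960846c07dec8700364ac01a3428c9ba53": "Neshta-infected Host.exe",
    "249c848e47deb86e8c2d4150d6bfa04dd0b0457105d92d41af330b9433f12b0b": "NetWire payload (3582-490\\Host.exe, operas.exe)",
    "2b03dc71ff9e56c92868b3145268ca7fbccd4e845a61ed413725f62dbd61605b": "decoy 'Paypal Valid Email Checker'",
}
# Values from the extracted NetWire config.
C2_HOSTS = {"cctv-home.ddns.me", "cctv-home.serveftp.com"}
C2_PORT = 3360
RUN_VALUE = "BrowsersPriv"  # startup_name, registry_autorun=true
ACTIVE_SETUP_CLSID = "{R5Q8L480-V2I5-AA1A-5GR0-RGV5X2101O0D}"  # activex_key, activex_autorun=true
INSTALL_PATH_RE = re.compile(r"\\AppData\\Roaming\\Microcoft\\operas\.exe$", re.I)
# Neshta writes the disinfected original under %TEMP%\3582-490\ and runs it from there.
NESHTA_TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\3582-490\\", re.I)


def match_event(ev):
    """Return [(rule, detail), ...] for one event; [] when nothing matches."""
    hits = []
    kind = ev["kind"]
    if kind == "process_create":
        img, parent = ev["image"], ev.get("parent_image", "")
        label = SHA256_IOCS.get(ev.get("sha256", "").lower())
        if label:
            hits.append(("known-hash", label))
        # Neshta unwrap: X.exe spawns %TEMP%\3582-490\X.exe with the same base name.
        if NESHTA_TEMP_RE.search(img) and ntpath.basename(img).lower() == ntpath.basename(parent).lower():
            hits.append(("neshta-unwrap", img))
        if INSTALL_PATH_RE.search(img):
            hits.append(("netwire-install-path", img))
    elif kind == "registry_set":
        key = ev["key"].lower()
        if key.endswith("\\currentversion\\run\\" + RUN_VALUE.lower()):
            hits.append(("run-key", ev["key"]))
        # NetWire's "ActiveX autorun" is an Active Setup Installed Components entry.
        if "\\active setup\\installed components\\" in key and ACTIVE_SETUP_CLSID.lower() in key:
            hits.append(("active-setup", ev["key"]))
    elif kind == "dns_query":
        if ev["query"].rstrip(".").lower() in C2_HOSTS:
            hits.append(("c2-dns", ev["query"]))
    elif kind == "network_connect":
        if ev.get("dest_port") == C2_PORT and ev.get("dest_host", "").lower() in C2_HOSTS:
            hits.append(("c2-connect", f"{ev['dest_host']}:{ev['dest_port']}"))
    return hits


def scan(events):
    """Group hits by rule name across a stream of events."""
    findings = defaultdict(list)
    for ev in events:
        for rule, detail in match_event(ev):
            findings[rule].append(detail)
    return dict(findings)


# Constructed events modelled on the report's process tree; SID and the decoy
# notepad.exe launch are made up.
_DROPPER = r"C:\Users\Admin\AppData\Local\Temp\09dcbd4090a6ae4c8d19ec1e357a017722c33a38abf3b610982a11e742c37da8.exe"
_OPERAS = r"C:\Users\Admin\AppData\Roaming\Microcoft\operas.exe"
SAMPLE_EVENTS = [
    {"kind": "process_create", "image": r"C:\Users\Admin\AppData\Local\Temp\Host.exe",
     "parent_image": _DROPPER,
     "sha256": "b60892bf1bf647c35ca36de5e5bb00960846c07dec8700364ac01a3428c9ba53"},
    {"kind": "process_create", "image": r"C:\Users\Admin\AppData\Local\Temp\3582-490\Host.exe",
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\Host.exe",
     "sha256": "249c848e47deb86e8c2d4150d6bfa04dd0b0457105d92d41af330b9433f12b0b"},
    {"kind": "process_create", "image": _OPERAS,
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\3582-490\Host.exe",
     "sha256": "249c848e47deb86e8c2d4150d6bfa04dd0b0457105d92d41af330b9433f12b0b"},
    {"kind": "registry_set",
     "key": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BrowsersPriv",
     "value": _OPERAS},
    {"kind": "registry_set",
     "key": r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{R5Q8L480-V2I5-AA1A-5GR0-RGV5X2101O0D}\StubPath",
     "value": _OPERAS},
    {"kind": "dns_query", "query": "cctv-home.ddns.me"},
    {"kind": "network_connect", "dest_host": "cctv-home.ddns.me", "dest_port": 3360},
    {"kind": "process_create", "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe", "sha256": "00" * 32},  # benign control
]

if __name__ == "__main__":
    for rule, details in scan(SAMPLE_EVENTS).items():
        print(f"{rule:22s} {details}")
```

The Neshta rule keys on the parent/child base-name match rather than on the hash, so it also fires on infected files this report never saw; the hash rule is exact and only catches this campaign's binaries. On a live host the same indicators translate directly into checks of the Run key, the Active Setup key, the %AppData%\Microcoft\ directory and the %TEMP%\3582-490\ directory.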

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\3582-490\Host.exe
    MD5

    ed876a1434032b34a76c5b4bf0bf5e14

    SHA1

    1e6fd20060088cde898a56721f267ff8ef48ea78

    SHA256

    249c848e47deb86e8c2d4150d6bfa04dd0b0457105d92d41af330b9433f12b0b

    SHA512

    3e9d6e8cda567e84db47fc0f494d0e7570c6865ecd2fd405bdfc96f728602bd06040634febec7b86ea6d6d998fd4bafc78c368d38e71575a18a9a96735c30f55

  • C:\Users\Admin\AppData\Local\Temp\Host.exe
    MD5

    03efa228bd04a6beb79975668969d863

    SHA1

    f039736ed906aaf6e040ac4b7ee8528e660fd83a

    SHA256

    b60892bf1bf647c35ca36de5e5bb00960846c07dec8700364ac01a3428c9ba53

    SHA512

    3e4998d3c9c4981cd1915da8e40f30ef3d53cd7b63257a6122b4159a9fa1bbadebd3b2ba013278c1c352d1864d595d61b339e7c8102a25957b105220395a3f64

  • C:\Users\Admin\AppData\Local\Temp\Paypal Valid Email Checker By X-SLAYER.exe
    MD5

    027c04d092196816f3a02a0ce2941541

    SHA1

    136b3568c00734d85d77e43d9e553f8fb68ec7b7

    SHA256

    2b03dc71ff9e56c92868b3145268ca7fbccd4e845a61ed413725f62dbd61605b

    SHA512

    43d5021189c9b020eddb2e0b2c406b08f2ed82bb86e0971d9d4dd5b156b2ab95a6f70a67ba63085e2b48f6cfacbd5598576e9d5c6a7c4a30a1636ad3f3bd4b02

  • C:\Users\Admin\AppData\Roaming\Microcoft\operas.exe
    MD5

    ed876a1434032b34a76c5b4bf0bf5e14

    SHA1

    1e6fd20060088cde898a56721f267ff8ef48ea78

    SHA256

    249c848e47deb86e8c2d4150d6bfa04dd0b0457105d92d41af330b9433f12b0b

    SHA512

    3e9d6e8cda567e84db47fc0f494d0e7570c6865ecd2fd405bdfc96f728602bd06040634febec7b86ea6d6d998fd4bafc78c368d38e71575a18a9a96735c30f55

  • memory/2292-134-0x0000000000110000-0x0000000000250000-memory.dmp
    Filesize

    1.2MB

  • memory/2292-139-0x00007FFA9E0B3000-0x00007FFA9E0B5000-memory.dmp
    Filesize

    8KB

  • memory/2292-140-0x000000001B1B0000-0x000000001B1B2000-memory.dmp
    Filesize

    8KB

  • memory/3108-141-0x000002D441020000-0x000002D441030000-memory.dmp
    Filesize

    64KB

  • memory/3108-142-0x000002D441080000-0x000002D441090000-memory.dmp
    Filesize

    64KB

  • memory/3108-143-0x000002D443750000-0x000002D443754000-memory.dmp
    Filesize

    16KB