Overview

overview

10

Static

static

PO-9768708...df.exe

windows7_x64

10

PO-9768708...df.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    64s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    04-05-2022 05:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PO-9768708-Hyundai-09221-6138 pdf.exe

  • Size

    702KB

  • MD5

    5df0240aa06b38e1a88fde9c6c5c306e

  • SHA1

    2a3d233fed9ea294b049061fe85e471cabc83f97

  • SHA256

    869fa23919d381e4af0d8c04881d65ad842cb96020da5c1e16f65c48190d3eef

  • SHA512

    cfff543c68effd0051e6f29be985e6527f317ea5813bc695de4b0a97bda68ca29f6d05c3a9b6efb9bf98596aef403d25373c3bcf58d10f84678b276d52b6d8a0

Score
10/10
netwirebotnetratstealer

Malware Config

Signatures

  • NetWire RAT payload 7 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PO-9768708-Hyundai-09221-6138 pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\PO-9768708-Hyundai-09221-6138 pdf.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1092
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\KPwtapzko.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1108
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KPwtapzko" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCF9F.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2024
    • C:\Users\Admin\AppData\Local\Temp\PO-9768708-Hyundai-09221-6138 pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\PO-9768708-Hyundai-09221-6138 pdf.exe"
      2⤵
        PID:1252

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmpCF9F.tmp
      Filesize

      1KB

      MD5

      319a273b68894a8032e131c72438fd84

      SHA1

      3ce9745d2ac9a95283924088df85e7002137aeeb

      SHA256

      03acc711d098ebfe378410e02ae0a7057283814a546536ca30bbf2c2a1cd476c

      SHA512

      a191be432baf59f5d1192b59a76bb0ac5d85172603a39b45575c535dddec3b79d5b6b8099267b8183a0d99ce41bca060398169619a35cf27864eabfaadb158bf

      Download Submit
    • memory/1092-54-0x00000000000B0000-0x0000000000164000-memory.dmp
      Filesize

      720KB

      Download
    • memory/1092-55-0x00000000752A1000-0x00000000752A3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1092-56-0x0000000001F40000-0x0000000001F58000-memory.dmp
      Filesize

      96KB

      Download
    • memory/1092-57-0x0000000007DA0000-0x0000000007E2E000-memory.dmp
      Filesize

      568KB

      Download
    • memory/1092-62-0x0000000004DC0000-0x0000000004E0A000-memory.dmp
      Filesize

      296KB

      Download
    • memory/1108-58-0x0000000000000000-mapping.dmp
      Download
    • memory/1108-78-0x000000006E600000-0x000000006EBAB000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1252-63-0x0000000000400000-0x0000000000450000-memory.dmp
      Filesize

      320KB

      Download
    • memory/1252-64-0x0000000000400000-0x0000000000450000-memory.dmp
      Filesize

      320KB

      Download
    • memory/1252-66-0x0000000000400000-0x0000000000450000-memory.dmp
      Filesize

      320KB

      Download
    • memory/1252-68-0x0000000000400000-0x0000000000450000-memory.dmp
      Filesize

      320KB

      Download
    • memory/1252-70-0x0000000000400000-0x0000000000450000-memory.dmp
      Filesize

      320KB

      Download
    • memory/1252-71-0x0000000000400000-0x0000000000450000-memory.dmp
      Filesize

      320KB

      Download
    • memory/1252-74-0x000000000041AE7B-mapping.dmp
      Download
    • memory/1252-73-0x0000000000400000-0x0000000000450000-memory.dmp
      Filesize

      320KB

      Download
    • memory/1252-77-0x0000000000400000-0x0000000000450000-memory.dmp
      Filesize

      320KB

      Download
    • memory/1252-79-0x0000000000400000-0x0000000000450000-memory.dmp
      Filesize

      320KB

      Download
    • memory/2024-59-0x0000000000000000-mapping.dmp
      Download