Overview

overview

10

Static

static

lAKdWjhOYMA6YfG.exe

windows7_x64

10

lAKdWjhOYMA6YfG.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    97s
  • max time network
    104s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    20-05-2022 22:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    lAKdWjhOYMA6YfG.exe

  • Size

    419KB

  • MD5

    fd175da54494e88a5777471577927264

  • SHA1

    60398520b817355b5644f4b3dfbb147638122dd2

  • SHA256

    73b0fb36b1b8763ebb06328273016c4c4c65b20d2abc3b5bb0566a6f13aa086d

  • SHA512

    ceb0f4aa2a962f5e5da4a7d5f1f50ebfb59918eb1ecaded728ae0266f1ae03e37a44f3e9dc06d1ebd5c46fc4bd1098191d5598090b3769a64ec8e369019ae7c3

Score
10/10
netwirebotnetevasionpersistenceratstealer

Malware Config

Extracted

Family

netwire

C2

sepp.myq-see.com:2001

Attributes
  • activex_autorun

    true

  • activex_key

    {50L4QLIK-5N0E-1U7P-5W65-RDN0R6N72FF0}

  • copy_executable

    true

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • install_path

    %AppData%\Install\Host.exe

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • mutex

    XdWObmml

  • offline_keylogger

    true

  • password

    Password

  • registry_autorun

    false

  • startup_name

  • use_mutex

    true

Signatures

  • NetWire RAT payload 11 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Looks for VirtualBox Guest Additions in registry 2 TTPs
    evasion
  • Executes dropped EXE 2 IoCs
  • Looks for VMWare Tools registry key 2 TTPs
    evasion
  • Modifies Installed Components in the registry 2 TTPs
    persistence
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Loads dropped DLL 1 IoCs
  • Maps connected drives based on registry 3 TTPs 4 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\lAKdWjhOYMA6YfG.exe
    "C:\Users\Admin\AppData\Local\Temp\lAKdWjhOYMA6YfG.exe"
    1⤵
    • Checks BIOS information in registry
    • Maps connected drives based on registry
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1704
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fukEDc" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF4AC.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1176
    • C:\Users\Admin\AppData\Local\Temp\lAKdWjhOYMA6YfG.exe
      "{path}"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1624
      • C:\Users\Admin\AppData\Roaming\Install\Host.exe
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        3⤵
        • Executes dropped EXE
        • Checks BIOS information in registry
        • Maps connected drives based on registry
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1356
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fukEDc" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9906.tmp"
          4⤵
          • Creates scheduled task(s)
          PID:1876
        • C:\Users\Admin\AppData\Roaming\Install\Host.exe
          "{path}"
          4⤵
          • Executes dropped EXE
          PID:380

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Virtualization/Sandbox Evasion

2
T1497

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

4
T1012

Virtualization/Sandbox Evasion

2
T1497

System Information Discovery

3
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp9906.tmp
    Filesize

    1KB

    MD5

    783c1c8c02a6345330e5dcdf0ef1ee82

    SHA1

    4a4677dacb81ffac42ee69df9543af772dc44463

    SHA256

    42bfd5f48fe26260c3b757b67d1cf08d491da0f8f05ec7b6bff33e2d04182682

    SHA512

    9db748339d80ccb6390c86169f076c4f1fc046df0a74101253aa5342a8e57a958372d9594e4c1871696ac44c0173c3169f47ab14174b479b23ab40d80e8f2cd0

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmpF4AC.tmp
    Filesize

    1KB

    MD5

    783c1c8c02a6345330e5dcdf0ef1ee82

    SHA1

    4a4677dacb81ffac42ee69df9543af772dc44463

    SHA256

    42bfd5f48fe26260c3b757b67d1cf08d491da0f8f05ec7b6bff33e2d04182682

    SHA512

    9db748339d80ccb6390c86169f076c4f1fc046df0a74101253aa5342a8e57a958372d9594e4c1871696ac44c0173c3169f47ab14174b479b23ab40d80e8f2cd0

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Install\Host.exe
    Filesize

    419KB

    MD5

    fd175da54494e88a5777471577927264

    SHA1

    60398520b817355b5644f4b3dfbb147638122dd2

    SHA256

    73b0fb36b1b8763ebb06328273016c4c4c65b20d2abc3b5bb0566a6f13aa086d

    SHA512

    ceb0f4aa2a962f5e5da4a7d5f1f50ebfb59918eb1ecaded728ae0266f1ae03e37a44f3e9dc06d1ebd5c46fc4bd1098191d5598090b3769a64ec8e369019ae7c3

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Install\Host.exe
    Filesize

    419KB

    MD5

    fd175da54494e88a5777471577927264

    SHA1

    60398520b817355b5644f4b3dfbb147638122dd2

    SHA256

    73b0fb36b1b8763ebb06328273016c4c4c65b20d2abc3b5bb0566a6f13aa086d

    SHA512

    ceb0f4aa2a962f5e5da4a7d5f1f50ebfb59918eb1ecaded728ae0266f1ae03e37a44f3e9dc06d1ebd5c46fc4bd1098191d5598090b3769a64ec8e369019ae7c3

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Install\Host.exe
    Filesize

    419KB

    MD5

    fd175da54494e88a5777471577927264

    SHA1

    60398520b817355b5644f4b3dfbb147638122dd2

    SHA256

    73b0fb36b1b8763ebb06328273016c4c4c65b20d2abc3b5bb0566a6f13aa086d

    SHA512

    ceb0f4aa2a962f5e5da4a7d5f1f50ebfb59918eb1ecaded728ae0266f1ae03e37a44f3e9dc06d1ebd5c46fc4bd1098191d5598090b3769a64ec8e369019ae7c3

    Download Submit
  • \Users\Admin\AppData\Roaming\Install\Host.exe
    Filesize

    419KB

    MD5

    fd175da54494e88a5777471577927264

    SHA1

    60398520b817355b5644f4b3dfbb147638122dd2

    SHA256

    73b0fb36b1b8763ebb06328273016c4c4c65b20d2abc3b5bb0566a6f13aa086d

    SHA512

    ceb0f4aa2a962f5e5da4a7d5f1f50ebfb59918eb1ecaded728ae0266f1ae03e37a44f3e9dc06d1ebd5c46fc4bd1098191d5598090b3769a64ec8e369019ae7c3

    Download Submit
  • memory/380-99-0x0000000000400000-0x0000000000433000-memory.dmp
    Filesize

    204KB

    Download
  • memory/380-98-0x0000000000400000-0x0000000000433000-memory.dmp
    Filesize

    204KB

    Download
  • memory/380-94-0x000000000040242D-mapping.dmp
    Download
  • memory/1176-58-0x0000000000000000-mapping.dmp
    Download
  • memory/1356-80-0x00000000000B0000-0x000000000011E000-memory.dmp
    Filesize

    440KB

    Download
  • memory/1356-76-0x0000000000000000-mapping.dmp
    Download
  • memory/1624-63-0x0000000000400000-0x0000000000433000-memory.dmp
    Filesize

    204KB

    Download
  • memory/1624-66-0x0000000000400000-0x0000000000433000-memory.dmp
    Filesize

    204KB

    Download
  • memory/1624-71-0x000000000040242D-mapping.dmp
    Download
  • memory/1624-73-0x0000000076241000-0x0000000076243000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1624-74-0x0000000000400000-0x0000000000433000-memory.dmp
    Filesize

    204KB

    Download
  • memory/1624-70-0x0000000000400000-0x0000000000433000-memory.dmp
    Filesize

    204KB

    Download
  • memory/1624-69-0x0000000000400000-0x0000000000433000-memory.dmp
    Filesize

    204KB

    Download
  • memory/1624-65-0x0000000000400000-0x0000000000433000-memory.dmp
    Filesize

    204KB

    Download
  • memory/1624-67-0x0000000000400000-0x0000000000433000-memory.dmp
    Filesize

    204KB

    Download
  • memory/1624-60-0x0000000000400000-0x0000000000433000-memory.dmp
    Filesize

    204KB

    Download
  • memory/1624-79-0x0000000000400000-0x0000000000433000-memory.dmp
    Filesize

    204KB

    Download
  • memory/1624-61-0x0000000000400000-0x0000000000433000-memory.dmp
    Filesize

    204KB

    Download
  • memory/1704-54-0x0000000000DC0000-0x0000000000E2E000-memory.dmp
    Filesize

    440KB

    Download
  • memory/1704-57-0x0000000004D40000-0x0000000004D8C000-memory.dmp
    Filesize

    304KB

    Download
  • memory/1704-56-0x0000000004B90000-0x0000000004BF0000-memory.dmp
    Filesize

    384KB

    Download
  • memory/1704-55-0x0000000000750000-0x000000000075A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/1876-81-0x0000000000000000-mapping.dmp
    Download