Overview

overview

10

Static

static

lAKdWjhOYMA6YfG.exe

windows7_x64

10

lAKdWjhOYMA6YfG.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    94s
  • max time network
    182s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    20-05-2022 22:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    lAKdWjhOYMA6YfG.exe

  • Size

    419KB

  • MD5

    fd175da54494e88a5777471577927264

  • SHA1

    60398520b817355b5644f4b3dfbb147638122dd2

  • SHA256

    73b0fb36b1b8763ebb06328273016c4c4c65b20d2abc3b5bb0566a6f13aa086d

  • SHA512

    ceb0f4aa2a962f5e5da4a7d5f1f50ebfb59918eb1ecaded728ae0266f1ae03e37a44f3e9dc06d1ebd5c46fc4bd1098191d5598090b3769a64ec8e369019ae7c3

Score
10/10
netwirebotnetevasionpersistenceratstealer

Malware Config

Extracted

Family

netwire

C2

sepp.myq-see.com:2001

Attributes
  • activex_autorun

    true

  • activex_key

    {50L4QLIK-5N0E-1U7P-5W65-RDN0R6N72FF0}

  • copy_executable

    true

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • install_path

    %AppData%\Install\Host.exe

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • mutex

    XdWObmml

  • offline_keylogger

    true

  • password

    Password

  • registry_autorun

    false

  • startup_name

  • use_mutex

    true

Signatures

  • NetWire RAT payload 5 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Looks for VirtualBox Guest Additions in registry 2 TTPs
    evasion
  • Executes dropped EXE 2 IoCs
  • Looks for VMWare Tools registry key 2 TTPs
    evasion
  • Modifies Installed Components in the registry 2 TTPs
    persistence
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Maps connected drives based on registry 3 TTPs 4 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\lAKdWjhOYMA6YfG.exe
    "C:\Users\Admin\AppData\Local\Temp\lAKdWjhOYMA6YfG.exe"
    1⤵
    • Checks BIOS information in registry
    • Checks computer location settings
    • Maps connected drives based on registry
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1200
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fukEDc" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC1BA.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:400
    • C:\Users\Admin\AppData\Local\Temp\lAKdWjhOYMA6YfG.exe
      "{path}"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:5004
      • C:\Users\Admin\AppData\Roaming\Install\Host.exe
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        3⤵
        • Executes dropped EXE
        • Checks BIOS information in registry
        • Checks computer location settings
        • Maps connected drives based on registry
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:5060
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fukEDc" /XML "C:\Users\Admin\AppData\Local\Temp\tmp66A4.tmp"
          4⤵
          • Creates scheduled task(s)
          PID:3352
        • C:\Users\Admin\AppData\Roaming\Install\Host.exe
          "{path}"
          4⤵
          • Executes dropped EXE
          PID:4080

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Virtualization/Sandbox Evasion

2
T1497

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

5
T1012

Virtualization/Sandbox Evasion

2
T1497

System Information Discovery

4
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp66A4.tmp
    Filesize

    1KB

    MD5

    4bc2ca93971cf6ba5a6c7a8166478088

    SHA1

    5b14c5b82f8cd3e83691a36ebc204339e65b3083

    SHA256

    e9b99913c283f9b18ed786754f9e79f4a006719241f55030391e419ccd4d44b4

    SHA512

    ed220e4d3d90e9b7ad4f13715dfae903f5fa1acb91246e4a15f1647e09e6127f4935bbf5dfbbc48b7ade4a6aa7a670af288a55fb47630f76561560da51d14e3d

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmpC1BA.tmp
    Filesize

    1KB

    MD5

    4bc2ca93971cf6ba5a6c7a8166478088

    SHA1

    5b14c5b82f8cd3e83691a36ebc204339e65b3083

    SHA256

    e9b99913c283f9b18ed786754f9e79f4a006719241f55030391e419ccd4d44b4

    SHA512

    ed220e4d3d90e9b7ad4f13715dfae903f5fa1acb91246e4a15f1647e09e6127f4935bbf5dfbbc48b7ade4a6aa7a670af288a55fb47630f76561560da51d14e3d

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Install\Host.exe
    Filesize

    419KB

    MD5

    fd175da54494e88a5777471577927264

    SHA1

    60398520b817355b5644f4b3dfbb147638122dd2

    SHA256

    73b0fb36b1b8763ebb06328273016c4c4c65b20d2abc3b5bb0566a6f13aa086d

    SHA512

    ceb0f4aa2a962f5e5da4a7d5f1f50ebfb59918eb1ecaded728ae0266f1ae03e37a44f3e9dc06d1ebd5c46fc4bd1098191d5598090b3769a64ec8e369019ae7c3

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Install\Host.exe
    Filesize

    419KB

    MD5

    fd175da54494e88a5777471577927264

    SHA1

    60398520b817355b5644f4b3dfbb147638122dd2

    SHA256

    73b0fb36b1b8763ebb06328273016c4c4c65b20d2abc3b5bb0566a6f13aa086d

    SHA512

    ceb0f4aa2a962f5e5da4a7d5f1f50ebfb59918eb1ecaded728ae0266f1ae03e37a44f3e9dc06d1ebd5c46fc4bd1098191d5598090b3769a64ec8e369019ae7c3

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Install\Host.exe
    Filesize

    419KB

    MD5

    fd175da54494e88a5777471577927264

    SHA1

    60398520b817355b5644f4b3dfbb147638122dd2

    SHA256

    73b0fb36b1b8763ebb06328273016c4c4c65b20d2abc3b5bb0566a6f13aa086d

    SHA512

    ceb0f4aa2a962f5e5da4a7d5f1f50ebfb59918eb1ecaded728ae0266f1ae03e37a44f3e9dc06d1ebd5c46fc4bd1098191d5598090b3769a64ec8e369019ae7c3

    Download Submit
  • memory/400-135-0x0000000000000000-mapping.dmp
    Download
  • memory/1200-132-0x00000000059E0000-0x0000000005A72000-memory.dmp
    Filesize

    584KB

    Download
  • memory/1200-130-0x0000000000FE0000-0x000000000104E000-memory.dmp
    Filesize

    440KB

    Download
  • memory/1200-131-0x00000000060D0000-0x0000000006674000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/1200-134-0x0000000006CA0000-0x0000000006D06000-memory.dmp
    Filesize

    408KB

    Download
  • memory/1200-133-0x0000000006800000-0x000000000689C000-memory.dmp
    Filesize

    624KB

    Download
  • memory/3352-145-0x0000000000000000-mapping.dmp
    Download
  • memory/4080-152-0x0000000000400000-0x0000000000433000-memory.dmp
    Filesize

    204KB

    Download
  • memory/4080-151-0x0000000000400000-0x0000000000433000-memory.dmp
    Filesize

    204KB

    Download
  • memory/4080-147-0x0000000000000000-mapping.dmp
    Download
  • memory/5004-140-0x0000000000400000-0x0000000000433000-memory.dmp
    Filesize

    204KB

    Download
  • memory/5004-141-0x0000000000400000-0x0000000000433000-memory.dmp
    Filesize

    204KB

    Download
  • memory/5004-138-0x0000000000400000-0x0000000000433000-memory.dmp
    Filesize

    204KB

    Download
  • memory/5004-137-0x0000000000000000-mapping.dmp
    Download
  • memory/5060-142-0x0000000000000000-mapping.dmp
    Download