Overview

overview

10

Static

static

P0 200522-5PRD024.exe

windows7_x64

10

P0 200522-5PRD024.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    93s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    20-05-2022 09:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    P0 200522-5PRD024.exe

  • Size

    834KB

  • MD5

    8968318de8888badcd0dd9b320bb3ee6

  • SHA1

    a6dc14ab8ed7cbbc9cc60316dc6f804850fcc82b

  • SHA256

    ab50301ca528c2cee1ed6d8ea39ceed66548cc2f8418d6487573c418dbf1a824

  • SHA512

    ac6ebb7c7e185b6b9c2c66cc85404f6fca734a4a4e6ab45df84f7185a4792f61964fbdf103131b0047031e65cc192da8539d9ba2fd5077ab675e0b4371a6e458

Score
10/10
netwirebotnetratstealer

Malware Config

Extracted

Family

netwire

C2

nowancenorly.ddns.net:6969

Attributes
  • activex_autorun

    false

  • activex_key

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • install_path

  • keylogger_dir

  • lock_executable

    false

  • mutex

    pYeAqduB

  • offline_keylogger

    false

  • password

    Password

  • registry_autorun

    false

  • startup_name

    ��9C��ο$75�O�h

  • use_mutex

    false

Signatures

  • NetWire RAT payload 3 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\P0 200522-5PRD024.exe
    "C:\Users\Admin\AppData\Local\Temp\P0 200522-5PRD024.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4024
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\P0 200522-5PRD024.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4008
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\TEKkmyaWugmdb.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3792
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TEKkmyaWugmdb" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDFF0.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:3904
    • C:\Users\Admin\AppData\Local\Temp\P0 200522-5PRD024.exe
      "C:\Users\Admin\AppData\Local\Temp\P0 200522-5PRD024.exe"
      2⤵
        PID:3952
      • C:\Users\Admin\AppData\Local\Temp\P0 200522-5PRD024.exe
        "C:\Users\Admin\AppData\Local\Temp\P0 200522-5PRD024.exe"
        2⤵
          PID:2500

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Scheduled Task

      1
      T1053

      Persistence

      Scheduled Task

      1
      T1053

      Privilege Escalation

      Scheduled Task

      1
      T1053

      Defense Evasion

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      2
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
        Filesize

        2KB

        MD5

        3d086a433708053f9bf9523e1d87a4e8

        SHA1

        b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

        SHA256

        6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

        SHA512

        931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\tmpDFF0.tmp
        Filesize

        1KB

        MD5

        5c59ea41e5827865e8a42968615d615c

        SHA1

        6b59ae22d79f6cbff7da8f0047a4c85fcfb9c46b

        SHA256

        616a75c4f67a7ac5774688288a5b13c49757f1002a3727c375001a19c0fd0df6

        SHA512

        1500a3b39fd52c48450d9af39c7dfef6538ca149de4fc6de45dd9a643c4a17bc29464829853112eef369adaf51b016b26afdd4d9d7cce3d3c7eb5e73ce136db3

        Download Submit
      • memory/2500-149-0x0000000000400000-0x0000000000444000-memory.dmp
        Filesize

        272KB

        Download
      • memory/2500-148-0x0000000000400000-0x0000000000444000-memory.dmp
        Filesize

        272KB

        Download
      • memory/2500-145-0x0000000000400000-0x0000000000444000-memory.dmp
        Filesize

        272KB

        Download
      • memory/2500-143-0x0000000000000000-mapping.dmp
        Download
      • memory/3792-147-0x0000000005460000-0x00000000054C6000-memory.dmp
        Filesize

        408KB

        Download
      • memory/3792-156-0x0000000006E20000-0x0000000006E3A000-memory.dmp
        Filesize

        104KB

        Download
      • memory/3792-138-0x0000000000000000-mapping.dmp
        Download
      • memory/3792-161-0x0000000007150000-0x0000000007158000-memory.dmp
        Filesize

        32KB

        Download
      • memory/3792-140-0x0000000004D20000-0x0000000005348000-memory.dmp
        Filesize

        6.2MB

        Download
      • memory/3792-160-0x0000000007170000-0x000000000718A000-memory.dmp
        Filesize

        104KB

        Download
      • memory/3792-159-0x0000000007060000-0x000000000706E000-memory.dmp
        Filesize

        56KB

        Download
      • memory/3792-157-0x0000000006E90000-0x0000000006E9A000-memory.dmp
        Filesize

        40KB

        Download
      • memory/3792-153-0x00000000713A0000-0x00000000713EC000-memory.dmp
        Filesize

        304KB

        Download
      • memory/3792-144-0x00000000053C0000-0x00000000053E2000-memory.dmp
        Filesize

        136KB

        Download
      • memory/3792-151-0x00000000060D0000-0x0000000006102000-memory.dmp
        Filesize

        200KB

        Download
      • memory/3792-150-0x0000000005B10000-0x0000000005B2E000-memory.dmp
        Filesize

        120KB

        Download
      • memory/3904-139-0x0000000000000000-mapping.dmp
        Download
      • memory/3952-142-0x0000000000000000-mapping.dmp
        Download
      • memory/4008-155-0x0000000007F00000-0x000000000857A000-memory.dmp
        Filesize

        6.5MB

        Download
      • memory/4008-152-0x00000000713A0000-0x00000000713EC000-memory.dmp
        Filesize

        304KB

        Download
      • memory/4008-154-0x0000000006B60000-0x0000000006B7E000-memory.dmp
        Filesize

        120KB

        Download
      • memory/4008-137-0x0000000004FF0000-0x0000000005026000-memory.dmp
        Filesize

        216KB

        Download
      • memory/4008-158-0x0000000007B40000-0x0000000007BD6000-memory.dmp
        Filesize

        600KB

        Download
      • memory/4008-136-0x0000000000000000-mapping.dmp
        Download
      • memory/4024-134-0x0000000008250000-0x00000000082EC000-memory.dmp
        Filesize

        624KB

        Download
      • memory/4024-132-0x0000000007EE0000-0x0000000007F72000-memory.dmp
        Filesize

        584KB

        Download
      • memory/4024-135-0x000000000AB20000-0x000000000AB86000-memory.dmp
        Filesize

        408KB

        Download
      • memory/4024-130-0x0000000000FB0000-0x0000000001086000-memory.dmp
        Filesize

        856KB

        Download
      • memory/4024-133-0x0000000007F80000-0x0000000007F8A000-memory.dmp
        Filesize

        40KB

        Download
      • memory/4024-131-0x00000000083A0000-0x0000000008944000-memory.dmp
        Filesize

        5.6MB

        Download