Overview

overview

10

Static

static

8

Shell-9969...20.exe

windows7_x64

10

Shell-9969...20.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    153s
  • max time network
    179s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    20-05-2022 14:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Shell-996933_29-07-2020.exe

  • Size

    467KB

  • MD5

    5102ee8e4128267915b1c288b82ce6b5

  • SHA1

    63344aefdf0b14a864c24abbb0884d769b3595ac

  • SHA256

    54e95ef949e6f817b50144b1f8ae37a609d5ab3bc07567699a642a339566d555

  • SHA512

    fa09a941c1e64b44fbee495e946b4527a3228bfd7bbc5cc74e961b3eeb4b706b993fbef2d79f169d2f60a3c0a2739a2a080f68c1b230347c5c30cab74ea4abff

Score
10/10
netwirebotnetratstealer

Malware Config

Signatures

  • NetWire RAT payload 1 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Shell-996933_29-07-2020.exe
    "C:\Users\Admin\AppData\Local\Temp\Shell-996933_29-07-2020.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:760
    • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Order.pdf"
      2⤵
      • Suspicious use of SetWindowsHookEx
      PID:984
    • C:\Users\Admin\AppData\Local\Temp\Shell-996933_29-07-2020.exe
      "C:\Users\Admin\AppData\Local\Temp\Shell-996933_29-07-2020.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1064
    • C:\Users\Admin\AppData\Local\Temp\Shell-996933_29-07-2020.exe
      "C:\Users\Admin\AppData\Local\Temp\Shell-996933_29-07-2020.exe" 2 1064 7103037
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1720

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Order.pdf
    Filesize

    38KB

    MD5

    64c51e428b3aae202fe3b1f250783e38

    SHA1

    9c37ca4019a5ed8b6368a2c8a9319cac7541d86d

    SHA256

    0f92458dfe74bca8a5fb6e5db0d52d0227e9126a846f311a6b3b7ba16d8021d4

    SHA512

    dab4a6fe5331d757311737dffa73ebca4a91c6fa53b50e50c1d39f839039ab46b8e5fd029259394292c30ec85a88726de31fb2fa99d87e9a7350e9f82f4985dd

    Download Submit
  • memory/760-54-0x0000000076851000-0x0000000076853000-memory.dmp
    Filesize

    8KB

    Download
  • memory/760-55-0x00000000003D0000-0x00000000003E3000-memory.dmp
    Filesize

    76KB

    Download
  • memory/984-56-0x0000000000000000-mapping.dmp
    Download
  • memory/1064-58-0x0000000000600087-mapping.dmp
    Download
  • memory/1064-63-0x00000000003C0000-0x00000000003F3000-memory.dmp
    Filesize

    204KB

    Download
  • memory/1720-59-0x0000000000000000-mapping.dmp
    Download