Behavioral Report

max time kernel151s
max time network137s
platformwindows7_x64
resourcewin7-20220414-en
submitted21-05-2022 00:49

Report
Files
Registry
Network
Processes
Mutex
Misc

Target

detail-information.exe

Filesize

494KB

Completed

21-05-2022 01:09

Task

behavioral1

Score

10^/10

MD5

07591af2349f8ebc5789fcb0b60c7c91

SHA1

828bcdd3d1e32d2ed0b0660fc92f41a562d4d466

SHA256

b50a0ea3d467e25e9c1917668e10f70e67434e468fcecbb1d3a927a3f105dbfa

SHA512

8bc1068c0d85f62176fe8e23ec23ecbcfaa1296d379c26ff5fe7ee274c5ef7d12b7a1fec44941eca9841af17c61c5c1b3ad50739fb5d5baadd72bf2feef48ad3

netwire botnet rat stealer

Discovery

NetWire RAT payload

Reported IOCs

resource	yara_rule
behavioral1/memory/2012-63-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/1176-70-0x0000000000400000-0x0000000000433000-memory.dmp	netwire

Netwire

Description

Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

Tags

botnet stealer netwire

Drops startup file

detail-information.exedetail-information.exe

Reported IOCs

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe	detail-information.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe	detail-information.exe

Suspicious use of SetThreadContext

detail-information.exedetail-information.exe

Reported IOCs

description	pid	process	target process
PID 1016 set thread context of 2012	1016	detail-information.exe	RegAsm.exe
PID 1688 set thread context of 1176	1688	detail-information.exe	RegAsm.exe

Enumerates physical storage devices

Description

Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

TTPs

System Information Discovery

Suspicious behavior: EnumeratesProcesses

detail-information.exedetail-information.exe

Reported IOCs

pid	process
1016	detail-information.exe
1016	detail-information.exe
1016	detail-information.exe
1016	detail-information.exe
1016	detail-information.exe
1016	detail-information.exe
1016	detail-information.exe
1016	detail-information.exe
1016	detail-information.exe
1016	detail-information.exe
1016	detail-information.exe
1688	detail-information.exe
1688	detail-information.exe
1016	detail-information.exe
1016	detail-information.exe
1688	detail-information.exe
1688	detail-information.exe
1016	detail-information.exe
1016	detail-information.exe
1688	detail-information.exe
1688	detail-information.exe
1016	detail-information.exe
1016	detail-information.exe
1688	detail-information.exe
1688	detail-information.exe
1016	detail-information.exe
1016	detail-information.exe
1688	detail-information.exe
1688	detail-information.exe
1016	detail-information.exe
1016	detail-information.exe
1688	detail-information.exe
1688	detail-information.exe
1016	detail-information.exe
1016	detail-information.exe
1688	detail-information.exe
1688	detail-information.exe
1016	detail-information.exe
1016	detail-information.exe
1688	detail-information.exe
1688	detail-information.exe
1016	detail-information.exe
1016	detail-information.exe
1688	detail-information.exe
1688	detail-information.exe
1016	detail-information.exe
1016	detail-information.exe
1688	detail-information.exe
1688	detail-information.exe
1016	detail-information.exe
1016	detail-information.exe
1688	detail-information.exe
1688	detail-information.exe
1016	detail-information.exe
1016	detail-information.exe
1688	detail-information.exe
1688	detail-information.exe
1016	detail-information.exe
1016	detail-information.exe
1688	detail-information.exe
1688	detail-information.exe
1016	detail-information.exe
1016	detail-information.exe
1688	detail-information.exe

Suspicious behavior: MapViewOfSection
detail-information.exedetail-information.exe

Reported IOCs

pid process

1016 detail-information.exe
1688 detail-information.exe
Suspicious use of AdjustPrivilegeToken
detail-information.exedetail-information.exe

Reported IOCs

description pid process

Token: SeDebugPrivilege 1016 detail-information.exe
Token: SeDebugPrivilege 1688 detail-information.exe

description	pid	process
Token: SeDebugPrivilege	1016	detail-information.exe
Token: SeDebugPrivilege	1688	detail-information.exe

Suspicious use of WriteProcessMemory

detail-information.execmd.exedetail-information.execmd.exe

Reported IOCs

description	pid	process	target process
PID 1016 wrote to memory of 2012	1016	detail-information.exe	RegAsm.exe
PID 1016 wrote to memory of 2012	1016	detail-information.exe	RegAsm.exe
PID 1016 wrote to memory of 2012	1016	detail-information.exe	RegAsm.exe
PID 1016 wrote to memory of 2012	1016	detail-information.exe	RegAsm.exe
PID 1016 wrote to memory of 2012	1016	detail-information.exe	RegAsm.exe
PID 1016 wrote to memory of 2012	1016	detail-information.exe	RegAsm.exe
PID 1016 wrote to memory of 2012	1016	detail-information.exe	RegAsm.exe
PID 1016 wrote to memory of 2012	1016	detail-information.exe	RegAsm.exe
PID 1016 wrote to memory of 1036	1016	detail-information.exe	cmd.exe
PID 1016 wrote to memory of 1036	1016	detail-information.exe	cmd.exe
PID 1016 wrote to memory of 1036	1016	detail-information.exe	cmd.exe
PID 1016 wrote to memory of 1036	1016	detail-information.exe	cmd.exe
PID 1036 wrote to memory of 964	1036	cmd.exe	choice.exe
PID 1036 wrote to memory of 964	1036	cmd.exe	choice.exe
PID 1036 wrote to memory of 964	1036	cmd.exe	choice.exe
PID 1036 wrote to memory of 964	1036	cmd.exe	choice.exe
PID 1016 wrote to memory of 1688	1016	detail-information.exe	detail-information.exe
PID 1016 wrote to memory of 1688	1016	detail-information.exe	detail-information.exe
PID 1016 wrote to memory of 1688	1016	detail-information.exe	detail-information.exe
PID 1016 wrote to memory of 1688	1016	detail-information.exe	detail-information.exe
PID 1688 wrote to memory of 1176	1688	detail-information.exe	RegAsm.exe
PID 1688 wrote to memory of 1176	1688	detail-information.exe	RegAsm.exe
PID 1688 wrote to memory of 1176	1688	detail-information.exe	RegAsm.exe
PID 1688 wrote to memory of 1176	1688	detail-information.exe	RegAsm.exe
PID 1688 wrote to memory of 1176	1688	detail-information.exe	RegAsm.exe
PID 1688 wrote to memory of 1176	1688	detail-information.exe	RegAsm.exe
PID 1688 wrote to memory of 1176	1688	detail-information.exe	RegAsm.exe
PID 1688 wrote to memory of 1176	1688	detail-information.exe	RegAsm.exe
PID 1688 wrote to memory of 1032	1688	detail-information.exe	cmd.exe
PID 1688 wrote to memory of 1032	1688	detail-information.exe	cmd.exe
PID 1688 wrote to memory of 1032	1688	detail-information.exe	cmd.exe
PID 1688 wrote to memory of 1032	1688	detail-information.exe	cmd.exe
PID 1032 wrote to memory of 1392	1032	cmd.exe	choice.exe
PID 1032 wrote to memory of 1392	1032	cmd.exe	choice.exe
PID 1032 wrote to memory of 1392	1032	cmd.exe	choice.exe
PID 1032 wrote to memory of 1392	1032	cmd.exe	choice.exe

C:\Users\Admin\AppData\Local\Temp\detail-information.exe

"C:\Users\Admin\AppData\Local\Temp\detail-information.exe"

Drops startup file
Suspicious use of SetThreadContext
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory

PID:1016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

PID:2012

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\detail-information.exe"

Suspicious use of WriteProcessMemory

PID:1036

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

PID:964

C:\Users\Admin\AppData\Local\Temp\detail-information.exe

"C:\Users\Admin\AppData\Local\Temp\detail-information.exe"

Drops startup file
Suspicious use of SetThreadContext
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory

PID:1688

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

PID:1176

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\detail-information.exe"

Suspicious use of WriteProcessMemory

PID:1032

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

PID:1392

Collection

Command and Control

Credential Access

Defense Evasion

Discovery

System Information Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

00:00 00:00

memory/964-61-0x0000000000000000-mapping.dmp

Download
memory/1016-55-0x0000000004250000-0x0000000004286000-memory.dmp

Download
memory/1016-56-0x0000000000440000-0x0000000000443000-memory.dmp

Download
memory/1016-57-0x0000000075F61000-0x0000000075F63000-memory.dmp

Download
memory/1016-62-0x00000000008C0000-0x00000000008C3000-memory.dmp

Download
memory/1016-54-0x0000000000220000-0x00000000002A2000-memory.dmp

Download
memory/1032-68-0x0000000000000000-mapping.dmp

Download
memory/1036-60-0x0000000000000000-mapping.dmp

Download
memory/1176-70-0x0000000000400000-0x0000000000433000-memory.dmp

Download
memory/1176-66-0x000000000040242D-mapping.dmp

Download
memory/1392-69-0x0000000000000000-mapping.dmp

Download
memory/1688-64-0x0000000000000000-mapping.dmp

Download
memory/2012-58-0x000000000040242D-mapping.dmp

Download
memory/2012-63-0x0000000000400000-0x0000000000433000-memory.dmp

Download

Filter: none

Tags

Reported IOCs

Description

Tags

Reported IOCs

Reported IOCs

Description

TTPs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Title