Overview

overview

10

Static

static

detail-inf...on.exe

windows7_x64

10

detail-inf...on.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    137s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    21-05-2022 00:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    detail-information.exe

  • Size

    494KB

  • MD5

    07591af2349f8ebc5789fcb0b60c7c91

  • SHA1

    828bcdd3d1e32d2ed0b0660fc92f41a562d4d466

  • SHA256

    b50a0ea3d467e25e9c1917668e10f70e67434e468fcecbb1d3a927a3f105dbfa

  • SHA512

    8bc1068c0d85f62176fe8e23ec23ecbcfaa1296d379c26ff5fe7ee274c5ef7d12b7a1fec44941eca9841af17c61c5c1b3ad50739fb5d5baadd72bf2feef48ad3

Score
10/10
netwirebotnetratstealer

Malware Config

Signatures

  • NetWire RAT payload 2 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Drops startup file 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\detail-information.exe
    "C:\Users\Admin\AppData\Local\Temp\detail-information.exe"
    1⤵
    • Drops startup file
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1016
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      2⤵
        PID:2012
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\detail-information.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1036
        • C:\Windows\SysWOW64\choice.exe
          choice /C Y /N /D Y /T 3
          3⤵
            PID:964
        • C:\Users\Admin\AppData\Local\Temp\detail-information.exe
          "C:\Users\Admin\AppData\Local\Temp\detail-information.exe"
          2⤵
          • Drops startup file
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1688
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            3⤵
              PID:1176
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\detail-information.exe"
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:1032
              • C:\Windows\SysWOW64\choice.exe
                choice /C Y /N /D Y /T 3
                4⤵
                  PID:1392

          Network

          MITRE ATT&CK Matrix ATT&CK v6

          Initial Access

          Execution

          Persistence

          Privilege Escalation

          Defense Evasion

          Credential Access

          Discovery

          System Information Discovery

          1
          T1082

          Lateral Movement

          Collection

          Exfiltration

          Command and Control

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • memory/964-61-0x0000000000000000-mapping.dmp
            Download
          • memory/1016-57-0x0000000075F61000-0x0000000075F63000-memory.dmp
            Filesize

            8KB

            Download
          • memory/1016-56-0x0000000000440000-0x0000000000443000-memory.dmp
            Filesize

            12KB

            Download
          • memory/1016-54-0x0000000000220000-0x00000000002A2000-memory.dmp
            Filesize

            520KB

            Download
          • memory/1016-55-0x0000000004250000-0x0000000004286000-memory.dmp
            Filesize

            216KB

            Download
          • memory/1016-62-0x00000000008C0000-0x00000000008C3000-memory.dmp
            Filesize

            12KB

            Download
          • memory/1032-68-0x0000000000000000-mapping.dmp
            Download
          • memory/1036-60-0x0000000000000000-mapping.dmp
            Download
          • memory/1176-66-0x000000000040242D-mapping.dmp
            Download
          • memory/1176-70-0x0000000000400000-0x0000000000433000-memory.dmp
            Filesize

            204KB

            Download
          • memory/1392-69-0x0000000000000000-mapping.dmp
            Download
          • memory/1688-64-0x0000000000000000-mapping.dmp
            Download
          • memory/2012-58-0x000000000040242D-mapping.dmp
            Download
          • memory/2012-63-0x0000000000400000-0x0000000000433000-memory.dmp
            Filesize

            204KB

            Download