Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    21-05-2022 12:03

General

  • Target

    15-08-2020 - SOFT COPY_PAYMENT SLIP.exe

  • Size

    234KB

  • MD5

    e792eb4a972110714df6761ef60284c6

  • SHA1

    91bb096d730ca536a0f18534acdec271bdd0eefa

  • SHA256

    b6f5a289ab47b790c1bc57a5a3b35871fc968da66ebb3fdd7669de18c2ba3dd5

  • SHA512

    40ebe7bd5b18845710cfb3116888d16da8a9fd6c1d53a39000103feac45c1dfeaa4efa05104072313973d5fb87b62b06ea3c697513b4303c45124d020b22eead

Malware Config

Extracted

Family

netwire

C2

iphanyi.duckdns.org:3360

Attributes
  • activex_autorun

    false

  • activex_key

  • copy_executable

    false

  • delete_original

    false

  • host_id

    SMS_Group

  • install_path

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • mutex

  • offline_keylogger

    true

  • password

    caster123

  • registry_autorun

    false

  • startup_name

  • use_mutex

    false

Signatures

  • NetWire RAT payload 11 IoCs
  • Netwire

    Netwire is a RAT whose main functionality is focused on password stealing and keylogging, but it also includes remote control capabilities.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Delays execution with timeout.exe 1 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\15-08-2020 - SOFT COPY_PAYMENT SLIP.exe
    "C:\Users\Admin\AppData\Local\Temp\15-08-2020 - SOFT COPY_PAYMENT SLIP.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1564
    • C:\Users\Admin\AppData\Local\Temp\tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
      2⤵
      • Executes dropped EXE
      PID:956
    • C:\Users\Admin\AppData\Local\Temp\svhost.exe
      "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
      2⤵
      • Executes dropped EXE
      PID:816
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\word.exe.lnk" /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1992
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\word.exe.lnk" /f
        3⤵
        PID:1876
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\word.exe:Zone.Identifier
        2⤵
        • NTFS ADS
        PID:1180
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c C:\Users\Admin\AppData\Local\Temp\FolderN\word.exe.bat
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1508
        • C:\Windows\SysWOW64\timeout.exe
          timeout /t 300
          3⤵
          • Delays execution with timeout.exe
          PID:1504

Network

MITRE ATT&CK Matrix ATT&CK v6

Discovery

System Information Discovery

1
T1082

Downloads

    • C:\Users\Admin\AppData\Local\Temp\FolderN\word.exe.bat
      Filesize

      192B

      MD5

      c3d5aa05aa173009bf0eb7dfd0379f59

      SHA1

      0c91da5a0b5338603bd8d48a7722f5055b076b4f

      SHA256

      0156e2fc804a0b7a370953ed2e044b539b03b84c0fe478d85b4a908c1dd289ec

      SHA512

      8e2d751990bfab7b033e0b3077e744a7cc37d357d374bb6ab1b93e26ff377c13a251df33f5927d3afe8bf7e9d65f8903a2987da3904edefee7f8f6bbcb0b0046

    • C:\Users\Admin\AppData\Local\Temp\svhost.exe
      Filesize

      255KB

      MD5

      9af17c8393f0970ee5136bd3ffa27001

      SHA1

      4b285b72c1a11285a25f31f2597e090da6bbc049

      SHA256

      71d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019

      SHA512

      b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3

    • C:\Users\Admin\AppData\Local\Temp\tmp.exe
      Filesize

      160KB

      MD5

      692dcec5b869cd8c2a4752baf58300a7

      SHA1

      3b99f3ee911d244b0d177953b19ef520f64728c2

      SHA256

      d9d83f0730977389fcae495d498364494f6b5948e1d8f184f7578f378215386d

      SHA512

      9e3b69902cc51f95b0ee694148d6bac0f7b4b318b06a94c187080294102b85af831898ec99ed3a8f200a219a5cd4d4c6debc5b313148bdc754fbabc94783b0a5

    • \Users\Admin\AppData\Local\Temp\svhost.exe
      Filesize

      255KB

      MD5

      9af17c8393f0970ee5136bd3ffa27001

      SHA1

      4b285b72c1a11285a25f31f2597e090da6bbc049

      SHA256

      71d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019

      SHA512

      b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3

    • \Users\Admin\AppData\Local\Temp\tmp.exe
      Filesize

      160KB

      MD5

      692dcec5b869cd8c2a4752baf58300a7

      SHA1

      3b99f3ee911d244b0d177953b19ef520f64728c2

      SHA256

      d9d83f0730977389fcae495d498364494f6b5948e1d8f184f7578f378215386d

      SHA512

      9e3b69902cc51f95b0ee694148d6bac0f7b4b318b06a94c187080294102b85af831898ec99ed3a8f200a219a5cd4d4c6debc5b313148bdc754fbabc94783b0a5

    • memory/816-71-0x0000000000400000-0x0000000000433000-memory.dmp
      Filesize

      204KB

    • memory/816-73-0x000000000040242D-mapping.dmp
    • memory/816-67-0x0000000000400000-0x0000000000433000-memory.dmp
      Filesize

      204KB

    • memory/816-69-0x0000000000400000-0x0000000000433000-memory.dmp
      Filesize

      204KB

    • memory/816-68-0x0000000000400000-0x0000000000433000-memory.dmp
      Filesize

      204KB

    • memory/816-65-0x0000000000400000-0x0000000000433000-memory.dmp
      Filesize

      204KB

    • memory/816-84-0x0000000000400000-0x0000000000433000-memory.dmp
      Filesize

      204KB

    • memory/816-63-0x0000000000400000-0x0000000000433000-memory.dmp
      Filesize

      204KB

    • memory/816-77-0x0000000000400000-0x0000000000433000-memory.dmp
      Filesize

      204KB

    • memory/816-62-0x0000000000400000-0x0000000000433000-memory.dmp
      Filesize

      204KB

    • memory/816-72-0x0000000000400000-0x0000000000433000-memory.dmp
      Filesize

      204KB

    • memory/956-58-0x0000000000000000-mapping.dmp
    • memory/1180-80-0x0000000000000000-mapping.dmp
    • memory/1504-83-0x0000000000000000-mapping.dmp
    • memory/1508-81-0x0000000000000000-mapping.dmp
    • memory/1564-55-0x0000000075CD1000-0x0000000075CD3000-memory.dmp
      Filesize

      8KB

    • memory/1564-54-0x0000000000070000-0x00000000000B0000-memory.dmp
      Filesize

      256KB

    • memory/1876-79-0x0000000000000000-mapping.dmp
    • memory/1992-78-0x0000000000000000-mapping.dmp