Analysis

  • max time kernel: 151s
  • max time network: 154s
  • platform: windows10-2004_x64
  • resource: win10v2004-20220414-en
  • submitted: 21-05-2022 12:03

General

  • Target: 15-08-2020 - SOFT COPY_PAYMENT SLIP.exe
  • Size: 234KB
  • MD5: e792eb4a972110714df6761ef60284c6
  • SHA1: 91bb096d730ca536a0f18534acdec271bdd0eefa
  • SHA256: b6f5a289ab47b790c1bc57a5a3b35871fc968da66ebb3fdd7669de18c2ba3dd5
  • SHA512: 40ebe7bd5b18845710cfb3116888d16da8a9fd6c1d53a39000103feac45c1dfeaa4efa05104072313973d5fb87b62b06ea3c697513b4303c45124d020b22eead

Malware Config

Extracted

  • Family: netwire
  • C2: iphanyi.duckdns.org:3360

Attributes

  • activex_autorun: false
  • activex_key:
  • copy_executable: false
  • delete_original: false
  • host_id: SMS_Group
  • install_path:
  • keylogger_dir: %AppData%\Logs\
  • lock_executable: false
  • mutex:
  • offline_keylogger: true
  • password: caster123
  • registry_autorun: false
  • startup_name:
  • use_mutex: false

Signatures

  • NetWire RAT payload 5 IoCs
  • Netwire

    Netwire is a RAT whose main functionality is password stealing and keylogging, but it also includes remote control capabilities.

  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Delays execution with timeout.exe 1 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\15-08-2020 - SOFT COPY_PAYMENT SLIP.exe
    "C:\Users\Admin\AppData\Local\Temp\15-08-2020 - SOFT COPY_PAYMENT SLIP.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:444
    • C:\Users\Admin\AppData\Local\Temp\tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
      2⤵
      • Executes dropped EXE
      PID:3332
    • C:\Users\Admin\AppData\Local\Temp\svhost.exe
      "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
      2⤵
      • Executes dropped EXE
      PID:1312
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\word.exe.lnk" /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5080
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\word.exe.lnk" /f
        3⤵
        PID:388
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\word.exe:Zone.Identifier
      2⤵
      • NTFS ADS
      PID:4328
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\FolderN\word.exe.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4304
      • C:\Windows\SysWOW64\timeout.exe
        timeout /t 300
        3⤵
        • Delays execution with timeout.exe
        PID:1092

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Discovery
    • Query Registry (T1012): 1
    • System Information Discovery (T1082): 2


Downloads

  • C:\Users\Admin\AppData\Local\Temp\FolderN\word.exe.bat
    Filesize: 192B
    MD5: c3d5aa05aa173009bf0eb7dfd0379f59
    SHA1: 0c91da5a0b5338603bd8d48a7722f5055b076b4f
    SHA256: 0156e2fc804a0b7a370953ed2e044b539b03b84c0fe478d85b4a908c1dd289ec
    SHA512: 8e2d751990bfab7b033e0b3077e744a7cc37d357d374bb6ab1b93e26ff377c13a251df33f5927d3afe8bf7e9d65f8903a2987da3904edefee7f8f6bbcb0b0046

  • C:\Users\Admin\AppData\Local\Temp\svhost.exe
    Filesize: 256KB
    MD5: 8fdf47e0ff70c40ed3a17014aeea4232
    SHA1: e6256a0159688f0560b015da4d967f41cbf8c9bd
    SHA256: ed9884bac608c06b7057037cc91d90e4ae5f74dd2dbce2af476699c6d4492d82
    SHA512: bd69d092ed4f9c5e1f24eaf5ec79fb316469d53849dc798fae0fcba5e90869b77ee924c23cc6f692198ff25827ab60ad47bb46cadd6e0aadde7731cbafb013be

  • C:\Users\Admin\AppData\Local\Temp\tmp.exe
    Filesize: 160KB
    MD5: 692dcec5b869cd8c2a4752baf58300a7
    SHA1: 3b99f3ee911d244b0d177953b19ef520f64728c2
    SHA256: d9d83f0730977389fcae495d498364494f6b5948e1d8f184f7578f378215386d
    SHA512: 9e3b69902cc51f95b0ee694148d6bac0f7b4b318b06a94c187080294102b85af831898ec99ed3a8f200a219a5cd4d4c6debc5b313148bdc754fbabc94783b0a5


  • memory/388-142-0x0000000000000000-mapping.dmp
  • memory/444-131-0x0000000005800000-0x000000000589C000-memory.dmp (Filesize: 624KB)
  • memory/444-135-0x0000000006B00000-0x00000000070A4000-memory.dmp (Filesize: 5.6MB)
  • memory/444-130-0x0000000000ED0000-0x0000000000F10000-memory.dmp (Filesize: 256KB)
  • memory/1092-147-0x0000000000000000-mapping.dmp
  • memory/1312-137-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
  • memory/1312-140-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
  • memory/1312-145-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
  • memory/1312-136-0x0000000000000000-mapping.dmp
  • memory/3332-132-0x0000000000000000-mapping.dmp
  • memory/4304-144-0x0000000000000000-mapping.dmp
  • memory/4328-143-0x0000000000000000-mapping.dmp
  • memory/5080-141-0x0000000000000000-mapping.dmp