Overview

overview

10

Static

static

1

3777a3e8d9...73.exe

windows7_x64

10

3777a3e8d9...73.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    25-06-2022 23:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3777a3e8d9718ad94254a20ae962f68a513da63668d8621c2b93a4a582ca9573.exe

  • Size

    149KB

  • MD5

    9128ba0138be09b05ea45364e482d01d

  • SHA1

    94b47559d6367e2f02f0002810f4cb9cee339fa1

  • SHA256

    3777a3e8d9718ad94254a20ae962f68a513da63668d8621c2b93a4a582ca9573

  • SHA512

    d677b5db63a188978ebd31ca5a839eedc60f6033cc13839b4df9a067afd85cbf652f1e1d9b66dcb2e699edd5b60b179c9462f74f5b389b80d5381c78a3f56db9

Score
10/10
netwirebotnetpersistenceratstealer

Malware Config

Signatures

  • NetWire RAT payload 8 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Executes dropped EXE 2 IoCs
  • Modifies Installed Components in the registry 2 TTPs 2 IoCs
    persistence
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • NSIS installer 8 IoCs
    installer
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3777a3e8d9718ad94254a20ae962f68a513da63668d8621c2b93a4a582ca9573.exe
    "C:\Users\Admin\AppData\Local\Temp\3777a3e8d9718ad94254a20ae962f68a513da63668d8621c2b93a4a582ca9573.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1980
    • C:\Users\Admin\AppData\Local\Temp\3777a3e8d9718ad94254a20ae962f68a513da63668d8621c2b93a4a582ca9573.exe
      C:\Users\Admin\AppData\Local\Temp\3777a3e8d9718ad94254a20ae962f68a513da63668d8621c2b93a4a582ca9573.exe
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1536
      • C:\Users\Admin\AppData\Roaming\Install\Notepad.exe
        "C:\Users\Admin\AppData\Roaming\Install\Notepad.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1268
        • C:\Users\Admin\AppData\Roaming\Install\Notepad.exe
          C:\Users\Admin\AppData\Roaming\Install\Notepad.exe
          4⤵
          • Executes dropped EXE
          • Modifies Installed Components in the registry
          • Adds Run key to start application
          PID:1920

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\HauberkPunctilio
    Filesize

    1KB

    MD5

    7faf3470e1e405dcf83f35aac7611210

    SHA1

    b53016b654d9c8077da583852eccff50051a62cb

    SHA256

    90f6f3d8343f87281343aef85eafa0548c3b4390d78d1b00ea2e661e96a537cb

    SHA512

    52e3865fc2bce349536c13b9ff891d6037e768080867b016122e31cc5ab1fc8a97983b10ab0690852c170ae1e86ddf5e4d7b47cdca639d53101f802a230571f4

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tapestries.dll
    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tweakChkDsk_zh-tw.p5p
    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Install\Notepad.exe
    Filesize

    149KB

    MD5

    9128ba0138be09b05ea45364e482d01d

    SHA1

    94b47559d6367e2f02f0002810f4cb9cee339fa1

    SHA256

    3777a3e8d9718ad94254a20ae962f68a513da63668d8621c2b93a4a582ca9573

    SHA512

    d677b5db63a188978ebd31ca5a839eedc60f6033cc13839b4df9a067afd85cbf652f1e1d9b66dcb2e699edd5b60b179c9462f74f5b389b80d5381c78a3f56db9

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Install\Notepad.exe
    Filesize

    149KB

    MD5

    9128ba0138be09b05ea45364e482d01d

    SHA1

    94b47559d6367e2f02f0002810f4cb9cee339fa1

    SHA256

    3777a3e8d9718ad94254a20ae962f68a513da63668d8621c2b93a4a582ca9573

    SHA512

    d677b5db63a188978ebd31ca5a839eedc60f6033cc13839b4df9a067afd85cbf652f1e1d9b66dcb2e699edd5b60b179c9462f74f5b389b80d5381c78a3f56db9

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Install\Notepad.exe
    Filesize

    149KB

    MD5

    9128ba0138be09b05ea45364e482d01d

    SHA1

    94b47559d6367e2f02f0002810f4cb9cee339fa1

    SHA256

    3777a3e8d9718ad94254a20ae962f68a513da63668d8621c2b93a4a582ca9573

    SHA512

    d677b5db63a188978ebd31ca5a839eedc60f6033cc13839b4df9a067afd85cbf652f1e1d9b66dcb2e699edd5b60b179c9462f74f5b389b80d5381c78a3f56db9

    Download Submit
  • \Users\Admin\AppData\Local\Temp\nsiCE.tmp\System.dll
    Filesize

    11KB

    MD5

    883eff06ac96966270731e4e22817e11

    SHA1

    523c87c98236cbc04430e87ec19b977595092ac8

    SHA256

    44e5dfd551b38e886214bd6b9c8ee913c4c4d1f085a6575d97c3e892b925da82

    SHA512

    60333253342476911c84bbc1d9bf8a29f811207787fdd6107dce8d2b6e031669303f28133ffc811971ed7792087fe90fb1faabc0af4e91c298ba51e28109a390

    Download Submit
  • \Users\Admin\AppData\Local\Temp\nsj2CAF.tmp\System.dll
    Filesize

    11KB

    MD5

    883eff06ac96966270731e4e22817e11

    SHA1

    523c87c98236cbc04430e87ec19b977595092ac8

    SHA256

    44e5dfd551b38e886214bd6b9c8ee913c4c4d1f085a6575d97c3e892b925da82

    SHA512

    60333253342476911c84bbc1d9bf8a29f811207787fdd6107dce8d2b6e031669303f28133ffc811971ed7792087fe90fb1faabc0af4e91c298ba51e28109a390

    Download Submit
  • \Users\Admin\AppData\Local\Temp\tapestries.dll
    Filesize

    79KB

    MD5

    de483549656bf835dc68066cf8ec272d

    SHA1

    4d85bae725f0fa326985a2e2b978561a8e7761e8

    SHA256

    5ff1e02cdb416efe370170341c6fe22d0044c4e7066a06cd62a698735597f85c

    SHA512

    c42fb330a2a916e5a345cdaa4afddd83c6213a69bad6d6ed76aaa4fa5c4be0e8241ba356275aed9a848c11dae272f681486e22b1e5a0fba70e2a3f59c66fd538

    Download Submit
  • \Users\Admin\AppData\Local\Temp\tapestries.dll
    Filesize

    79KB

    MD5

    de483549656bf835dc68066cf8ec272d

    SHA1

    4d85bae725f0fa326985a2e2b978561a8e7761e8

    SHA256

    5ff1e02cdb416efe370170341c6fe22d0044c4e7066a06cd62a698735597f85c

    SHA512

    c42fb330a2a916e5a345cdaa4afddd83c6213a69bad6d6ed76aaa4fa5c4be0e8241ba356275aed9a848c11dae272f681486e22b1e5a0fba70e2a3f59c66fd538

    Download Submit
  • \Users\Admin\AppData\Roaming\Install\Notepad.exe
    Filesize

    149KB

    MD5

    9128ba0138be09b05ea45364e482d01d

    SHA1

    94b47559d6367e2f02f0002810f4cb9cee339fa1

    SHA256

    3777a3e8d9718ad94254a20ae962f68a513da63668d8621c2b93a4a582ca9573

    SHA512

    d677b5db63a188978ebd31ca5a839eedc60f6033cc13839b4df9a067afd85cbf652f1e1d9b66dcb2e699edd5b60b179c9462f74f5b389b80d5381c78a3f56db9

    Download Submit
  • memory/1268-71-0x0000000000000000-mapping.dmp
    Download
  • memory/1536-61-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/1536-72-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/1536-69-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/1536-66-0x00000000004021DA-mapping.dmp
    Download
  • memory/1536-65-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/1536-63-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/1536-59-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/1536-58-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/1920-90-0x00000000004021DA-mapping.dmp
    Download
  • memory/1920-95-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/1920-96-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/1980-54-0x00000000768D1000-0x00000000768D3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1980-57-0x00000000003B0000-0x00000000003CC000-memory.dmp
    Filesize

    112KB

    Download