Overview

overview

10

Static

static

1

3777a3e8d9...73.exe

windows7_x64

10

3777a3e8d9...73.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    163s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    25-06-2022 23:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3777a3e8d9718ad94254a20ae962f68a513da63668d8621c2b93a4a582ca9573.exe

  • Size

    149KB

  • MD5

    9128ba0138be09b05ea45364e482d01d

  • SHA1

    94b47559d6367e2f02f0002810f4cb9cee339fa1

  • SHA256

    3777a3e8d9718ad94254a20ae962f68a513da63668d8621c2b93a4a582ca9573

  • SHA512

    d677b5db63a188978ebd31ca5a839eedc60f6033cc13839b4df9a067afd85cbf652f1e1d9b66dcb2e699edd5b60b179c9462f74f5b389b80d5381c78a3f56db9

Score
10/10
netwirebotnetpersistenceratstealer

Malware Config

Signatures

  • NetWire RAT payload 4 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Executes dropped EXE 2 IoCs
  • Modifies Installed Components in the registry 2 TTPs 2 IoCs
    persistence
  • Loads dropped DLL 6 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • NSIS installer 6 IoCs
    installer
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3777a3e8d9718ad94254a20ae962f68a513da63668d8621c2b93a4a582ca9573.exe
    "C:\Users\Admin\AppData\Local\Temp\3777a3e8d9718ad94254a20ae962f68a513da63668d8621c2b93a4a582ca9573.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1392
    • C:\Users\Admin\AppData\Local\Temp\3777a3e8d9718ad94254a20ae962f68a513da63668d8621c2b93a4a582ca9573.exe
      C:\Users\Admin\AppData\Local\Temp\3777a3e8d9718ad94254a20ae962f68a513da63668d8621c2b93a4a582ca9573.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1020
      • C:\Users\Admin\AppData\Roaming\Install\Notepad.exe
        "C:\Users\Admin\AppData\Roaming\Install\Notepad.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4616
        • C:\Users\Admin\AppData\Roaming\Install\Notepad.exe
          C:\Users\Admin\AppData\Roaming\Install\Notepad.exe
          4⤵
          • Executes dropped EXE
          • Modifies Installed Components in the registry
          • Adds Run key to start application
          PID:892

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\HauberkPunctilio
    Filesize

    1KB

    MD5

    7faf3470e1e405dcf83f35aac7611210

    SHA1

    b53016b654d9c8077da583852eccff50051a62cb

    SHA256

    90f6f3d8343f87281343aef85eafa0548c3b4390d78d1b00ea2e661e96a537cb

    SHA512

    52e3865fc2bce349536c13b9ff891d6037e768080867b016122e31cc5ab1fc8a97983b10ab0690852c170ae1e86ddf5e4d7b47cdca639d53101f802a230571f4

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\nsg7C08.tmp\System.dll
    Filesize

    11KB

    MD5

    883eff06ac96966270731e4e22817e11

    SHA1

    523c87c98236cbc04430e87ec19b977595092ac8

    SHA256

    44e5dfd551b38e886214bd6b9c8ee913c4c4d1f085a6575d97c3e892b925da82

    SHA512

    60333253342476911c84bbc1d9bf8a29f811207787fdd6107dce8d2b6e031669303f28133ffc811971ed7792087fe90fb1faabc0af4e91c298ba51e28109a390

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\nsp470D.tmp\System.dll
    Filesize

    11KB

    MD5

    883eff06ac96966270731e4e22817e11

    SHA1

    523c87c98236cbc04430e87ec19b977595092ac8

    SHA256

    44e5dfd551b38e886214bd6b9c8ee913c4c4d1f085a6575d97c3e892b925da82

    SHA512

    60333253342476911c84bbc1d9bf8a29f811207787fdd6107dce8d2b6e031669303f28133ffc811971ed7792087fe90fb1faabc0af4e91c298ba51e28109a390

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tapestries.dll
    Filesize

    79KB

    MD5

    de483549656bf835dc68066cf8ec272d

    SHA1

    4d85bae725f0fa326985a2e2b978561a8e7761e8

    SHA256

    5ff1e02cdb416efe370170341c6fe22d0044c4e7066a06cd62a698735597f85c

    SHA512

    c42fb330a2a916e5a345cdaa4afddd83c6213a69bad6d6ed76aaa4fa5c4be0e8241ba356275aed9a848c11dae272f681486e22b1e5a0fba70e2a3f59c66fd538

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tapestries.dll
    Filesize

    79KB

    MD5

    de483549656bf835dc68066cf8ec272d

    SHA1

    4d85bae725f0fa326985a2e2b978561a8e7761e8

    SHA256

    5ff1e02cdb416efe370170341c6fe22d0044c4e7066a06cd62a698735597f85c

    SHA512

    c42fb330a2a916e5a345cdaa4afddd83c6213a69bad6d6ed76aaa4fa5c4be0e8241ba356275aed9a848c11dae272f681486e22b1e5a0fba70e2a3f59c66fd538

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tapestries.dll
    Filesize

    79KB

    MD5

    de483549656bf835dc68066cf8ec272d

    SHA1

    4d85bae725f0fa326985a2e2b978561a8e7761e8

    SHA256

    5ff1e02cdb416efe370170341c6fe22d0044c4e7066a06cd62a698735597f85c

    SHA512

    c42fb330a2a916e5a345cdaa4afddd83c6213a69bad6d6ed76aaa4fa5c4be0e8241ba356275aed9a848c11dae272f681486e22b1e5a0fba70e2a3f59c66fd538

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tapestries.dll
    Filesize

    79KB

    MD5

    de483549656bf835dc68066cf8ec272d

    SHA1

    4d85bae725f0fa326985a2e2b978561a8e7761e8

    SHA256

    5ff1e02cdb416efe370170341c6fe22d0044c4e7066a06cd62a698735597f85c

    SHA512

    c42fb330a2a916e5a345cdaa4afddd83c6213a69bad6d6ed76aaa4fa5c4be0e8241ba356275aed9a848c11dae272f681486e22b1e5a0fba70e2a3f59c66fd538

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tapestries.dll
    Filesize

    79KB

    MD5

    de483549656bf835dc68066cf8ec272d

    SHA1

    4d85bae725f0fa326985a2e2b978561a8e7761e8

    SHA256

    5ff1e02cdb416efe370170341c6fe22d0044c4e7066a06cd62a698735597f85c

    SHA512

    c42fb330a2a916e5a345cdaa4afddd83c6213a69bad6d6ed76aaa4fa5c4be0e8241ba356275aed9a848c11dae272f681486e22b1e5a0fba70e2a3f59c66fd538

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tweakChkDsk_zh-tw.p5p
    Filesize

    84KB

    MD5

    c71c109ad65b043d3c39fbec8dfca5cb

    SHA1

    04b79de74f78dbfe5b6309da7871758ecadf2c8e

    SHA256

    e59c7467b81886e047680ad33fe15940febd5e95a57b575754aad0881934d578

    SHA512

    d2710bb608522006e6b06dfe7f64560a3d6abf5c8132a953a0099908f6321cb2e8de764038ff626c9e34e9d8773ee5b7c7bddebb2e4c720b7ade8a5c6e23d2da

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Install\Notepad.exe
    Filesize

    149KB

    MD5

    9128ba0138be09b05ea45364e482d01d

    SHA1

    94b47559d6367e2f02f0002810f4cb9cee339fa1

    SHA256

    3777a3e8d9718ad94254a20ae962f68a513da63668d8621c2b93a4a582ca9573

    SHA512

    d677b5db63a188978ebd31ca5a839eedc60f6033cc13839b4df9a067afd85cbf652f1e1d9b66dcb2e699edd5b60b179c9462f74f5b389b80d5381c78a3f56db9

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Install\Notepad.exe
    Filesize

    149KB

    MD5

    9128ba0138be09b05ea45364e482d01d

    SHA1

    94b47559d6367e2f02f0002810f4cb9cee339fa1

    SHA256

    3777a3e8d9718ad94254a20ae962f68a513da63668d8621c2b93a4a582ca9573

    SHA512

    d677b5db63a188978ebd31ca5a839eedc60f6033cc13839b4df9a067afd85cbf652f1e1d9b66dcb2e699edd5b60b179c9462f74f5b389b80d5381c78a3f56db9

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Install\Notepad.exe
    Filesize

    149KB

    MD5

    9128ba0138be09b05ea45364e482d01d

    SHA1

    94b47559d6367e2f02f0002810f4cb9cee339fa1

    SHA256

    3777a3e8d9718ad94254a20ae962f68a513da63668d8621c2b93a4a582ca9573

    SHA512

    d677b5db63a188978ebd31ca5a839eedc60f6033cc13839b4df9a067afd85cbf652f1e1d9b66dcb2e699edd5b60b179c9462f74f5b389b80d5381c78a3f56db9

    Download Submit
  • memory/892-150-0x0000000000000000-mapping.dmp
    Download
  • memory/892-155-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/1020-141-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/1020-138-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/1020-136-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/1020-135-0x0000000000000000-mapping.dmp
    Download
  • memory/1392-134-0x00000000022B0000-0x00000000022CC000-memory.dmp
    Filesize

    112KB

    Download
  • memory/4616-149-0x0000000002ED0000-0x0000000002EEC000-memory.dmp
    Filesize

    112KB

    Download
  • memory/4616-139-0x0000000000000000-mapping.dmp
    Download