Overview

overview

10

Static

static

sstw5VHmkS2cGiF.exe

windows7_x64

10

sstw5VHmkS2cGiF.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    132s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    29-06-2022 06:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    sstw5VHmkS2cGiF.exe

  • Size

    973KB

  • MD5

    89e0f3ba3b0356030882a5d993c44a96

  • SHA1

    5aa37d9479803a1fa692974323849d1eaad34328

  • SHA256

    4a762e8f8af34dcfcd469d9e9bfb43c977cd878d939527053a46dd580e654c80

  • SHA512

    aced63ee766f6c64c795653a889fa11c70f4c227c77c6cd432825837465b7ddb056856f87ea93c79e511f8c65d7dabda7bf47ad881265c556edde9cd22408e0b

Score
10/10
netwirebotnetratstealer

Malware Config

Extracted

Family

netwire

C2

20220627.duckdns.org:4736

Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • lock_executable

    false

  • mutex

    KmOVkegF

  • offline_keylogger

    false

  • password

    Password

  • registry_autorun

    false

  • use_mutex

    false

Signatures

  • NetWire RAT payload 5 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\sstw5VHmkS2cGiF.exe
    "C:\Users\Admin\AppData\Local\Temp\sstw5VHmkS2cGiF.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1636
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\sstw5VHmkS2cGiF.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2760
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\KTNWVfSfr.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2388
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KTNWVfSfr" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD7F6.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1236
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      2⤵
        PID:3484
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        2⤵
          PID:1220

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
        Filesize

        2KB

        MD5

        968cb9309758126772781b83adb8a28f

        SHA1

        8da30e71accf186b2ba11da1797cf67f8f78b47c

        SHA256

        92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

        SHA512

        4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        18KB

        MD5

        24a6b5e6dac186de9d337db990c36dd4

        SHA1

        4f7032570484d5a2938a8c7a56a3368bbb06c7ec

        SHA256

        8dc0a9e9856ab1631d36e23fa3ad7f3b4d169b2765cd0f4915c3555aec5aa5ec

        SHA512

        c2efff8b54ecd152d859ee559602c7c80825742d540bbb4b8f893b41388c2a011a6613342c51bd57d15c236a2c29b42b990b8f440e176d5469171fb4cef99d08

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\tmpD7F6.tmp
        Filesize

        1KB

        MD5

        13f4a9bb0eed3ad9a4d7765097b92a35

        SHA1

        15662cbb3b8925173eb1fc09f149020aa3ed81c7

        SHA256

        50ff2d2813643bec21b56ae4bfc848bda5212d9eb618f982aa7d49f02b50f4e4

        SHA512

        321e5b3786353a8946c920ed6b7ffa3f40606b4d4d929aa8212d9b336f2294109924682d64174268c0e468b63f230d88cc4e690ee2b751a54e3c954295b24872

        Download Submit

      • memory/1220-144-0x0000000000000000-mapping.dmp

        Download

      • memory/1220-146-0x0000000000400000-0x0000000000450000-memory.dmp

        Filesize

        320KB

        Download

      • memory/1220-147-0x0000000000400000-0x0000000000450000-memory.dmp

        Filesize

        320KB

        Download

      • memory/1220-163-0x0000000000400000-0x0000000000450000-memory.dmp

        Filesize

        320KB

        Download

      • memory/1220-145-0x0000000000400000-0x0000000000450000-memory.dmp

        Filesize

        320KB

        Download

      • memory/1220-149-0x0000000000400000-0x0000000000450000-memory.dmp

        Filesize

        320KB

        Download

      • memory/1236-136-0x0000000000000000-mapping.dmp

        Download

      • memory/1636-133-0x00000000073D0000-0x000000000746C000-memory.dmp

        Filesize

        624KB

        Download

      • memory/1636-130-0x00000000000C0000-0x00000000001BA000-memory.dmp

        Filesize

        1000KB

        Download

      • memory/1636-132-0x0000000004D40000-0x0000000004DD2000-memory.dmp

        Filesize

        584KB

        Download

      • memory/1636-131-0x0000000005250000-0x00000000057F4000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/2388-141-0x00000000059F0000-0x0000000005A56000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2388-150-0x0000000007170000-0x00000000071A2000-memory.dmp

        Filesize

        200KB

        Download

      • memory/2388-135-0x0000000000000000-mapping.dmp

        Download

      • memory/2388-140-0x00000000050C0000-0x00000000050E2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2388-160-0x00000000077C0000-0x00000000077C8000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2388-138-0x0000000005350000-0x0000000005978000-memory.dmp

        Filesize

        6.2MB

        Download

      • memory/2388-152-0x00000000723C0000-0x000000007240C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/2388-159-0x00000000077E0000-0x00000000077FA000-memory.dmp

        Filesize

        104KB

        Download

      • memory/2388-157-0x0000000007720000-0x00000000077B6000-memory.dmp

        Filesize

        600KB

        Download

      • memory/2388-156-0x0000000007510000-0x000000000751A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/2388-154-0x0000000007AE0000-0x000000000815A000-memory.dmp

        Filesize

        6.5MB

        Download

      • memory/2760-155-0x00000000073B0000-0x00000000073CA000-memory.dmp

        Filesize

        104KB

        Download

      • memory/2760-153-0x00000000065F0000-0x000000000660E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/2760-158-0x00000000075E0000-0x00000000075EE000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2760-151-0x00000000723C0000-0x000000007240C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/2760-148-0x00000000060B0000-0x00000000060CE000-memory.dmp

        Filesize

        120KB

        Download

      • memory/2760-137-0x00000000027B0000-0x00000000027E6000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2760-142-0x0000000005A80000-0x0000000005AE6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2760-134-0x0000000000000000-mapping.dmp

        Download

      • memory/3484-143-0x0000000000000000-mapping.dmp

        Download