Overview

overview

10

Static

static

sstw5VHmkS2cGiF.exe

windows7_x64

10

sstw5VHmkS2cGiF.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    92s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    29-06-2022 06:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    sstw5VHmkS2cGiF.exe

  • Size

    973KB

  • MD5

    89e0f3ba3b0356030882a5d993c44a96

  • SHA1

    5aa37d9479803a1fa692974323849d1eaad34328

  • SHA256

    4a762e8f8af34dcfcd469d9e9bfb43c977cd878d939527053a46dd580e654c80

  • SHA512

    aced63ee766f6c64c795653a889fa11c70f4c227c77c6cd432825837465b7ddb056856f87ea93c79e511f8c65d7dabda7bf47ad881265c556edde9cd22408e0b

Score
10/10
netwirebotnetratstealer

Malware Config

Extracted

Family

netwire

C2

20220627.duckdns.org:4736

Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • lock_executable

    false

  • mutex

    KmOVkegF

  • offline_keylogger

    false

  • password

    Password

  • registry_autorun

    false

  • use_mutex

    false

Signatures

  • NetWire RAT payload 5 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\sstw5VHmkS2cGiF.exe
    "C:\Users\Admin\AppData\Local\Temp\sstw5VHmkS2cGiF.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2524
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\sstw5VHmkS2cGiF.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2236
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\KTNWVfSfr.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1316
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KTNWVfSfr" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBDB7.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:4712
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      2⤵
        PID:4816

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scripting

    1
    T1064

    Scheduled Task

    1
    T1053

    Persistence

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Scripting

    1
    T1064

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      968cb9309758126772781b83adb8a28f

      SHA1

      8da30e71accf186b2ba11da1797cf67f8f78b47c

      SHA256

      92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

      SHA512

      4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      18KB

      MD5

      2a97857af406fe4019538ea063d35264

      SHA1

      6f4147b33a5b628bddff0a639b6f9e819942c3c3

      SHA256

      b2e6462238dfd0c681ea72861e3eccd49df0c8f0589a5d86e062578fb62d50a8

      SHA512

      eb83c13c5abc65f512b9f2198f40c3bbd781ed4e5c4bc175468cbdf5b207466432e5ca24ad333a35fae25e0144f6da7f4c1aaec23299e85191adbffca289ffc4

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\tmpBDB7.tmp
      Filesize

      1KB

      MD5

      7af7a7c5ec1b53bc9704e5b374b939fe

      SHA1

      1164a870ddef5e66853f615c77a1021209a778e6

      SHA256

      c1a2ef508b331b1cda9fec3bc254e18518523996aee43eea9ff5f2d17c7e56b2

      SHA512

      2e57669e54c6a1cda621e3452e15c4bd09b5fd86d809fbb52cdfeb0a9c8f380ca9028bd2702205bbf4f9d531d3597ae6e3f187fa2809c97d70bcdedb13374d99

      Download Submit
    • memory/1316-159-0x0000000007E30000-0x0000000007E38000-memory.dmp
      Filesize

      32KB

      Download
    • memory/1316-158-0x0000000007E50000-0x0000000007E6A000-memory.dmp
      Filesize

      104KB

      Download
    • memory/1316-135-0x0000000000000000-mapping.dmp
      Download
    • memory/1316-157-0x0000000007D40000-0x0000000007D4E000-memory.dmp
      Filesize

      56KB

      Download
    • memory/1316-156-0x0000000007D90000-0x0000000007E26000-memory.dmp
      Filesize

      600KB

      Download
    • memory/1316-138-0x00000000059F0000-0x0000000006018000-memory.dmp
      Filesize

      6.2MB

      Download
    • memory/1316-149-0x0000000006DE0000-0x0000000006E12000-memory.dmp
      Filesize

      200KB

      Download
    • memory/1316-152-0x0000000006DC0000-0x0000000006DDE000-memory.dmp
      Filesize

      120KB

      Download
    • memory/1316-141-0x0000000006150000-0x00000000061B6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/1316-151-0x0000000071C10000-0x0000000071C5C000-memory.dmp
      Filesize

      304KB

      Download
    • memory/1316-143-0x00000000061C0000-0x0000000006226000-memory.dmp
      Filesize

      408KB

      Download
    • memory/2236-154-0x0000000006FC0000-0x0000000006FDA000-memory.dmp
      Filesize

      104KB

      Download
    • memory/2236-137-0x00000000023E0000-0x0000000002416000-memory.dmp
      Filesize

      216KB

      Download
    • memory/2236-134-0x0000000000000000-mapping.dmp
      Download
    • memory/2236-155-0x0000000007030000-0x000000000703A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/2236-148-0x0000000005CC0000-0x0000000005CDE000-memory.dmp
      Filesize

      120KB

      Download
    • memory/2236-153-0x0000000007610000-0x0000000007C8A000-memory.dmp
      Filesize

      6.5MB

      Download
    • memory/2236-140-0x0000000004D00000-0x0000000004D22000-memory.dmp
      Filesize

      136KB

      Download
    • memory/2236-150-0x0000000071C10000-0x0000000071C5C000-memory.dmp
      Filesize

      304KB

      Download
    • memory/2524-130-0x0000000000080000-0x000000000017A000-memory.dmp
      Filesize

      1000KB

      Download
    • memory/2524-133-0x0000000007000000-0x000000000709C000-memory.dmp
      Filesize

      624KB

      Download
    • memory/2524-132-0x0000000004CF0000-0x0000000004D82000-memory.dmp
      Filesize

      584KB

      Download
    • memory/2524-131-0x00000000051E0000-0x0000000005784000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/4712-136-0x0000000000000000-mapping.dmp
      Download
    • memory/4816-142-0x0000000000000000-mapping.dmp
      Download
    • memory/4816-144-0x0000000000400000-0x0000000000450000-memory.dmp
      Filesize

      320KB

      Download
    • memory/4816-147-0x0000000000400000-0x0000000000450000-memory.dmp
      Filesize

      320KB

      Download
    • memory/4816-145-0x0000000000400000-0x0000000000450000-memory.dmp
      Filesize

      320KB

      Download
    • memory/4816-146-0x0000000000400000-0x0000000000450000-memory.dmp
      Filesize

      320KB

      Download
    • memory/4816-162-0x0000000000400000-0x0000000000450000-memory.dmp
      Filesize

      320KB

      Download