Overview

overview

10

Static

static

41afcc620b...bb.exe

windows7_x64

10

41afcc620b...bb.exe

windows10-2004_x64

10

Resubmissions

11-07-2022 14:55

220711-sar47sabcq 10

08-07-2022 11:16

220708-nc4tkacaar 10

Analysis

  • max time kernel
    42s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    08-07-2022 11:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    41afcc620b9a87add5322f3f17d563bb.exe

  • Size

    75KB

  • MD5

    41afcc620b9a87add5322f3f17d563bb

  • SHA1

    308238e449d97520e21cfb601feb15193bf89a68

  • SHA256

    7418fd3ec75f43bed921ecf2df4ba922fbd86c2e1e158bf309bbee13d4374125

  • SHA512

    1dde37ed40097e22543f95f29db4fe7b5f7c0c68f11e738491f36a2121a6fa54578d4dadb3988f84f42b903559326684b374704d46a2c4fc7d6e12f87a397754

Score
10/10
netwirebotnetratstealer

Malware Config

Extracted

Family

netwire

C2

194.5.98.176:3363

194.5.98.176:3365
Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • offline_keylogger

    true

  • password

    power2022

  • registry_autorun

    false

  • use_mutex

    false

Signatures

  • NetWire RAT payload 8 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\41afcc620b9a87add5322f3f17d563bb.exe
    "C:\Users\Admin\AppData\Local\Temp\41afcc620b9a87add5322f3f17d563bb.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:968
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1324
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      2⤵
        PID:976
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        2⤵
          PID:1728

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/968-54-0x0000000000FE0000-0x0000000000FF8000-memory.dmp

        Filesize

        96KB

        Download

      • memory/968-55-0x0000000075B61000-0x0000000075B63000-memory.dmp

        Filesize

        8KB

        Download

      • memory/968-56-0x00000000051C0000-0x000000000523C000-memory.dmp

        Filesize

        496KB

        Download

      • memory/968-57-0x0000000000990000-0x00000000009D0000-memory.dmp

        Filesize

        256KB

        Download

      • memory/968-58-0x0000000000BB0000-0x0000000000BFC000-memory.dmp

        Filesize

        304KB

        Download

      • memory/1324-59-0x0000000000000000-mapping.dmp

        Download

      • memory/1324-61-0x000000006FD30000-0x00000000702DB000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/1324-62-0x000000006FD30000-0x00000000702DB000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/1324-63-0x000000006FD30000-0x00000000702DB000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/1728-64-0x0000000000400000-0x0000000000433000-memory.dmp

        Filesize

        204KB

        Download

      • memory/1728-65-0x0000000000400000-0x0000000000433000-memory.dmp

        Filesize

        204KB

        Download

      • memory/1728-67-0x0000000000400000-0x0000000000433000-memory.dmp

        Filesize

        204KB

        Download

      • memory/1728-69-0x0000000000400000-0x0000000000433000-memory.dmp

        Filesize

        204KB

        Download

      • memory/1728-70-0x0000000000400000-0x0000000000433000-memory.dmp

        Filesize

        204KB

        Download

      • memory/1728-71-0x0000000000400000-0x0000000000433000-memory.dmp

        Filesize

        204KB

        Download

      • memory/1728-73-0x0000000000400000-0x0000000000433000-memory.dmp

        Filesize

        204KB

        Download

      • memory/1728-74-0x0000000000400000-0x0000000000433000-memory.dmp

        Filesize

        204KB

        Download

      • memory/1728-75-0x000000000040242D-mapping.dmp

        Download

      • memory/1728-78-0x0000000000400000-0x0000000000433000-memory.dmp

        Filesize

        204KB

        Download

      • memory/1728-79-0x0000000000400000-0x0000000000433000-memory.dmp

        Filesize

        204KB

        Download