Overview

overview

10

Static

static

1

40c913b683...62.exe

windows7_x64

10

40c913b683...62.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    162s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    08-07-2022 14:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    40c913b6837bb03dd168536710d88a05faa6a6956b1c210758a0979a6782bf62.exe

  • Size

    175KB

  • MD5

    1d92475e5f11ddf8256835c4bfb196a3

  • SHA1

    c40bc3e3fd25bf6b872b0e7953c9f5d833b522de

  • SHA256

    40c913b6837bb03dd168536710d88a05faa6a6956b1c210758a0979a6782bf62

  • SHA512

    170fac19f61ade42c378811c6f11e91f62319c0b7ad77a9f1138db867bbd21ad48c54d1b3689b8e1d77be483e1a0b39bfe90dc6935e662c5f87aa823b8fc58d6

Score
10/10
netwirebotnetpersistenceratstealer

Malware Config

Extracted

Family

netwire

C2

37.233.101.73:8888

213.152.162.104:8747

213.152.162.170:8747

213.152.162.109:8747

213.152.162.89:8747

109.232.227.138:8747

109.232.227.133:8747

213.152.161.211:8747

213.152.162.94:8747

213.152.161.35:8747

213.152.180.5:8747
Attributes
  • activex_autorun

    true

  • activex_key

    {H15R52OJ-8CJI-H436-22TJ-P25072J3Q326}

  • copy_executable

    true

  • delete_original

    true

  • host_id

    IP

  • install_path

    %AppData%\Install\Host.exe

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    true

  • mutex

    bmhJQHdn

  • offline_keylogger

    true

  • password

    DAWAJkurwoKASEniePIERDOL

  • registry_autorun

    true

  • startup_name

    NetWire

  • use_mutex

    true

Signatures

  • NetWire RAT payload 3 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Executes dropped EXE 2 IoCs
  • Modifies Installed Components in the registry 2 TTPs 2 IoCs
    persistence
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • NSIS installer 6 IoCs
    installer
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\40c913b6837bb03dd168536710d88a05faa6a6956b1c210758a0979a6782bf62.exe
    "C:\Users\Admin\AppData\Local\Temp\40c913b6837bb03dd168536710d88a05faa6a6956b1c210758a0979a6782bf62.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:3572
    • C:\Users\Admin\AppData\Local\Temp\40c913b6837bb03dd168536710d88a05faa6a6956b1c210758a0979a6782bf62.exe
      "C:\Users\Admin\AppData\Local\Temp\40c913b6837bb03dd168536710d88a05faa6a6956b1c210758a0979a6782bf62.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3780
      • C:\Users\Admin\AppData\Roaming\Install\Host.exe
        -m "C:\Users\Admin\AppData\Local\Temp\40c913b6837bb03dd168536710d88a05faa6a6956b1c210758a0979a6782bf62.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:3772
        • C:\Users\Admin\AppData\Roaming\Install\Host.exe
          -m "C:\Users\Admin\AppData\Local\Temp\40c913b6837bb03dd168536710d88a05faa6a6956b1c210758a0979a6782bf62.exe"
          4⤵
          • Executes dropped EXE
          • Modifies Installed Components in the registry
          • Adds Run key to start application
          PID:3292

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\nIqpNzmw
    Filesize

    106KB

    MD5

    8f96258abd217b7d018f28f3f23742aa

    SHA1

    d80e6b314de6d0a781ce6771cf3b37abf8220332

    SHA256

    c9c2c007f6d6e7472c857d8942ccb4d9c678a08781fad6b52f1570a5556ab596

    SHA512

    a27fb703bc31b8ee519579e67b9a86e0717b5a975ac7237c8cdd063f9412cec0687bfd3664e876bf62e2798aaef302e395c626dceed1e06c702820529ce6d808

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsh73ED.tmp\System.dll
    Filesize

    11KB

    MD5

    3f176d1ee13b0d7d6bd92e1c7a0b9bae

    SHA1

    fe582246792774c2c9dd15639ffa0aca90d6fd0b

    SHA256

    fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e

    SHA512

    0a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nss9BB9.tmp\System.dll
    Filesize

    11KB

    MD5

    3f176d1ee13b0d7d6bd92e1c7a0b9bae

    SHA1

    fe582246792774c2c9dd15639ffa0aca90d6fd0b

    SHA256

    fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e

    SHA512

    0a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Install\Host.exe
    Filesize

    175KB

    MD5

    1d92475e5f11ddf8256835c4bfb196a3

    SHA1

    c40bc3e3fd25bf6b872b0e7953c9f5d833b522de

    SHA256

    40c913b6837bb03dd168536710d88a05faa6a6956b1c210758a0979a6782bf62

    SHA512

    170fac19f61ade42c378811c6f11e91f62319c0b7ad77a9f1138db867bbd21ad48c54d1b3689b8e1d77be483e1a0b39bfe90dc6935e662c5f87aa823b8fc58d6

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Install\Host.exe
    Filesize

    175KB

    MD5

    1d92475e5f11ddf8256835c4bfb196a3

    SHA1

    c40bc3e3fd25bf6b872b0e7953c9f5d833b522de

    SHA256

    40c913b6837bb03dd168536710d88a05faa6a6956b1c210758a0979a6782bf62

    SHA512

    170fac19f61ade42c378811c6f11e91f62319c0b7ad77a9f1138db867bbd21ad48c54d1b3689b8e1d77be483e1a0b39bfe90dc6935e662c5f87aa823b8fc58d6

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Install\Host.exe
    Filesize

    175KB

    MD5

    1d92475e5f11ddf8256835c4bfb196a3

    SHA1

    c40bc3e3fd25bf6b872b0e7953c9f5d833b522de

    SHA256

    40c913b6837bb03dd168536710d88a05faa6a6956b1c210758a0979a6782bf62

    SHA512

    170fac19f61ade42c378811c6f11e91f62319c0b7ad77a9f1138db867bbd21ad48c54d1b3689b8e1d77be483e1a0b39bfe90dc6935e662c5f87aa823b8fc58d6

    Download Submit

  • memory/3292-138-0x0000000000000000-mapping.dmp

    Download

  • memory/3292-140-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

    Download

  • memory/3292-141-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

    Download

  • memory/3772-132-0x0000000000000000-mapping.dmp

    Download

  • memory/3780-131-0x0000000000000000-mapping.dmp

    Download

  • memory/3780-134-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

    Download