Overview

overview

10

Static

static

R003823878.exe

windows7_x64

10

R003823878.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    145s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    11-07-2022 07:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    R003823878.exe

  • Size

    1.0MB

  • MD5

    a7f457fd81ebd6f2421b746009ed4ecc

  • SHA1

    bd4770a2a85889f3a4a64c959664374d1e54bc20

  • SHA256

    1b42a4d2223224b52932bc3a9ad029615b656ff77d27127a89ea040f3b2cf0e4

  • SHA512

    ec09d3eafe442d746de989d8165fbff489ab2ce856f771f7ec84dcfde8c628b8a63de10008165c90c8e5d47084dd2659dadaa300a5784e7bd2b4220d68eafd0c

Score
10/10
netwirebotnetratstealer

Malware Config

Extracted

Family

netwire

C2

xman2.duckdns.org:4433

Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • lock_executable

    false

  • offline_keylogger

    false

  • password

    Password

  • registry_autorun

    false

  • use_mutex

    false

Signatures

  • NetWire RAT payload 7 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\R003823878.exe
    "C:\Users\Admin\AppData\Local\Temp\R003823878.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:556
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\jDcdSUrvgqF.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1600
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jDcdSUrvgqF" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEB88.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1572
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      2⤵
        PID:852
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        2⤵
          PID:828

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\tmpEB88.tmp
        Filesize

        1KB

        MD5

        72e4dec7dc400e193cbb4d24c8d54cf1

        SHA1

        a4177b2262cf1e77da1176ef4bce53b1eb66143c

        SHA256

        ebb8f217dc66b35090e5368e2666bc58ab767c7f51e2a4b96aee638f76e51808

        SHA512

        003ba259ff8b16f97f98e345a047efa5e4d8e953d4501dfc20078cd72b7ac6a2c7a58eada926929f3aa717a22348d83b8e5cde683011ebdaf4896a7c028f1002

        Download Submit

      • memory/556-55-0x00000000755C1000-0x00000000755C3000-memory.dmp

        Filesize

        8KB

        Download

      • memory/556-56-0x00000000003F0000-0x0000000000410000-memory.dmp

        Filesize

        128KB

        Download

      • memory/556-57-0x0000000000430000-0x000000000043E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/556-58-0x0000000005F10000-0x0000000005FA2000-memory.dmp

        Filesize

        584KB

        Download

      • memory/556-54-0x0000000001060000-0x000000000116C000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/556-63-0x0000000001000000-0x000000000104A000-memory.dmp

        Filesize

        296KB

        Download

      • memory/828-74-0x0000000000400000-0x0000000000450000-memory.dmp

        Filesize

        320KB

        Download

      • memory/828-72-0x0000000000400000-0x0000000000450000-memory.dmp

        Filesize

        320KB

        Download

      • memory/828-64-0x0000000000400000-0x0000000000450000-memory.dmp

        Filesize

        320KB

        Download

      • memory/828-65-0x0000000000400000-0x0000000000450000-memory.dmp

        Filesize

        320KB

        Download

      • memory/828-67-0x0000000000400000-0x0000000000450000-memory.dmp

        Filesize

        320KB

        Download

      • memory/828-69-0x0000000000400000-0x0000000000450000-memory.dmp

        Filesize

        320KB

        Download

      • memory/828-71-0x0000000000400000-0x0000000000450000-memory.dmp

        Filesize

        320KB

        Download

      • memory/828-81-0x0000000000400000-0x0000000000450000-memory.dmp

        Filesize

        320KB

        Download

      • memory/828-78-0x0000000000400000-0x0000000000450000-memory.dmp

        Filesize

        320KB

        Download

      • memory/828-75-0x000000000041AE7B-mapping.dmp

        Download

      • memory/1572-60-0x0000000000000000-mapping.dmp

        Download

      • memory/1600-59-0x0000000000000000-mapping.dmp

        Download

      • memory/1600-79-0x000000006E8D0000-0x000000006EE7B000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/1600-80-0x000000006E8D0000-0x000000006EE7B000-memory.dmp

        Filesize

        5.7MB

        Download