Overview

overview

10

Static

static

59b5570fd7...b6.exe

windows7-x64

59b5570fd7...b6.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220414-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-07-2022 09:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    59b5570fd782ef0503a49fd7470200b6.exe

  • Size

    75KB

  • MD5

    59b5570fd782ef0503a49fd7470200b6

  • SHA1

    1738e6b2ecb79b85e950a9734469404002cbb195

  • SHA256

    f621b17f07a862cf0dd4c87aaef881dc2a39e36f73900025169aa34c99d0a650

  • SHA512

    2fd88fce69174fd1f84866ebc99e1f31e2ef8e4af4606871953d4eafa56b029f2bd039bab14c6b847368ecddab148b08bf4c28f6e820e18f14784c40a8a42135

Score
10/10
netwirebotnetratstealer

Malware Config

Extracted

Family

netwire

C2

194.5.98.188:3364

194.5.98.188:3366
Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • offline_keylogger

    true

  • password

    j5m52xuc

  • registry_autorun

    false

  • use_mutex

    false

Signatures

  • NetWire RAT payload 3 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\59b5570fd782ef0503a49fd7470200b6.exe
    "C:\Users\Admin\AppData\Local\Temp\59b5570fd782ef0503a49fd7470200b6.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3288
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3296
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      2⤵
        PID:4948

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/3288-130-0x00000000000A0000-0x00000000000B8000-memory.dmp

      Filesize

      96KB

      Download

    • memory/3296-131-0x0000000000000000-mapping.dmp

      Download

    • memory/3296-132-0x0000000004C10000-0x0000000004C46000-memory.dmp

      Filesize

      216KB

      Download

    • memory/3296-133-0x0000000005310000-0x0000000005938000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/3296-134-0x0000000005A30000-0x0000000005A52000-memory.dmp

      Filesize

      136KB

      Download

    • memory/3296-135-0x0000000005AD0000-0x0000000005B36000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3296-136-0x0000000005BB0000-0x0000000005C16000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3296-137-0x00000000061D0000-0x00000000061EE000-memory.dmp

      Filesize

      120KB

      Download

    • memory/3296-138-0x0000000007810000-0x0000000007E8A000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/3296-139-0x00000000066A0000-0x00000000066BA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4948-140-0x0000000000000000-mapping.dmp

      Download

    • memory/4948-141-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/4948-143-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/4948-144-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download