Overview

overview

10

Static

static

Invoice #08 1232.exe

windows7-x64

10

Invoice #08 1232.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • resource tags

    arch:x64arch:x86image:win7-20220414-enlocale:en-usos:windows7-x64system
  • submitted
    16-07-2022 14:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Invoice #08 1232.exe

  • Size

    1.0MB

  • MD5

    1ff3931b973f49044b0721f73ac067f1

  • SHA1

    97bfeed429c997b3a254fae324e68cfed9cd8d22

  • SHA256

    24093405b5488debd355b39f704bfc4beddc4c60ebec6d56e0c7b25e29a7758a

  • SHA512

    9f9896ba6834d8b3c563df160105864c5e2c7b23958bf7d1395628b8e95edc68606920b66e68e6bf47c2f399ed55419b37a3a3aefc792ba6d8aba2dbc72207a4

Score
10/10
netwirebotnetratstealer

Malware Config

Signatures

  • NetWire RAT payload 8 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Invoice #08 1232.exe
    "C:\Users\Admin\AppData\Local\Temp\Invoice #08 1232.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1092
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Invoice #08 1232.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1440
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\CVwLzxmhtirbHE.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1188
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CVwLzxmhtirbHE" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAFE0.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1988
    • C:\Users\Admin\AppData\Local\Temp\Invoice #08 1232.exe
      "C:\Users\Admin\AppData\Local\Temp\Invoice #08 1232.exe"
      2⤵
        PID:1852

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmpAFE0.tmp
      Filesize

      1KB

      MD5

      3180abc4de000ef01542bf1149c2d59c

      SHA1

      d533f488b76ca58a1eecf52415e0478ac2b1956f

      SHA256

      268a52dd0845c0455d95f82a1f75908912d953f6183fcc73b9ae6a5dbcb4df9a

      SHA512

      5ff21cda765f76d485cf3667ff6ccab83d557779d22e3f8f44a36a29547aac02f7dfcdd49f6adba1790dca74abceb769508befcc6188f50b3599ef2dbe5e4149

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
      Filesize

      7KB

      MD5

      fa14a0e501dca6998efba9f450da21ed

      SHA1

      8dc146022cdabd8b726a6b0a3241d9f84b4653c1

      SHA256

      174225fd6d6b27170fd4cf51d7924afe1e979eaa180eb5428843d1d7455584ec

      SHA512

      2953ea948e6f6f9b6b1d84f36dc257796e3f9f461295f461c70169a920b0cec41e56e2311681b60587324a5a6908dd07f9b387c302fbaa31fc49624e0ae1e878

      Download Submit

    • memory/1092-57-0x0000000000500000-0x0000000000514000-memory.dmp

      Filesize

      80KB

      Download

    • memory/1092-58-0x0000000000520000-0x000000000052E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/1092-59-0x0000000005C80000-0x0000000005D06000-memory.dmp

      Filesize

      536KB

      Download

    • memory/1092-56-0x00000000004E0000-0x00000000004F4000-memory.dmp

      Filesize

      80KB

      Download

    • memory/1092-55-0x00000000752A1000-0x00000000752A3000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1092-67-0x0000000005DD0000-0x0000000005E10000-memory.dmp

      Filesize

      256KB

      Download

    • memory/1092-54-0x0000000000C80000-0x0000000000D88000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/1188-72-0x000000006F040000-0x000000006F5EB000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1188-62-0x0000000000000000-mapping.dmp

      Download

    • memory/1188-75-0x000000006F040000-0x000000006F5EB000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1440-60-0x0000000000000000-mapping.dmp

      Download

    • memory/1440-69-0x000000006F040000-0x000000006F5EB000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1440-74-0x000000006F040000-0x000000006F5EB000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1852-70-0x0000000000400000-0x0000000000444000-memory.dmp

      Filesize

      272KB

      Download

    • memory/1852-73-0x0000000000400000-0x0000000000444000-memory.dmp

      Filesize

      272KB

      Download

    • memory/1852-68-0x0000000000400000-0x0000000000444000-memory.dmp

      Filesize

      272KB

      Download

    • memory/1852-76-0x0000000000400000-0x0000000000444000-memory.dmp

      Filesize

      272KB

      Download

    • memory/1852-78-0x0000000000400000-0x0000000000444000-memory.dmp

      Filesize

      272KB

      Download

    • memory/1852-79-0x0000000000400000-0x0000000000444000-memory.dmp

      Filesize

      272KB

      Download

    • memory/1852-81-0x0000000000400000-0x0000000000444000-memory.dmp

      Filesize

      272KB

      Download

    • memory/1852-82-0x0000000000400000-0x0000000000444000-memory.dmp

      Filesize

      272KB

      Download

    • memory/1852-84-0x00000000004014C0-mapping.dmp

      Download

    • memory/1852-83-0x0000000000400000-0x0000000000444000-memory.dmp

      Filesize

      272KB

      Download

    • memory/1852-87-0x0000000000400000-0x0000000000444000-memory.dmp

      Filesize

      272KB

      Download

    • memory/1852-88-0x0000000000400000-0x0000000000444000-memory.dmp

      Filesize

      272KB

      Download

    • memory/1988-63-0x0000000000000000-mapping.dmp

      Download