Overview

overview

10

Static

static

Invoice #08 1232.exe

windows7-x64

3

Invoice #08 1232.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    129s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220414-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-07-2022 14:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Invoice #08 1232.exe

  • Size

    1.0MB

  • MD5

    1ff3931b973f49044b0721f73ac067f1

  • SHA1

    97bfeed429c997b3a254fae324e68cfed9cd8d22

  • SHA256

    24093405b5488debd355b39f704bfc4beddc4c60ebec6d56e0c7b25e29a7758a

  • SHA512

    9f9896ba6834d8b3c563df160105864c5e2c7b23958bf7d1395628b8e95edc68606920b66e68e6bf47c2f399ed55419b37a3a3aefc792ba6d8aba2dbc72207a4

Score
10/10
netwirebotnetratstealer

Malware Config

Signatures

  • NetWire RAT payload 3 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Invoice #08 1232.exe
    "C:\Users\Admin\AppData\Local\Temp\Invoice #08 1232.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3856
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Invoice #08 1232.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4800
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\CVwLzxmhtirbHE.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3736
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CVwLzxmhtirbHE" /XML "C:\Users\Admin\AppData\Local\Temp\tmp955A.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:4852
    • C:\Users\Admin\AppData\Local\Temp\Invoice #08 1232.exe
      "C:\Users\Admin\AppData\Local\Temp\Invoice #08 1232.exe"
      2⤵
        PID:3844

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      968cb9309758126772781b83adb8a28f

      SHA1

      8da30e71accf186b2ba11da1797cf67f8f78b47c

      SHA256

      92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

      SHA512

      4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      18KB

      MD5

      7e63c89796fef5a3b0552724ed02fd46

      SHA1

      a64efce5abaea63293df273f04905ddadc3c89a0

      SHA256

      54b329996120ccd6a7b8204cd413c560054a0ff7ccedf4f3a8130163b8de899c

      SHA512

      adb8070a7439ed73beefd0e1bfdec42527eb152a6385ecac4a2ef7e3d37ae138300ed36957b31d960fd5691a4e8e4f3001a0140a3867965e74408869e7249e22

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp955A.tmp
      Filesize

      1KB

      MD5

      ae89360b15ca98095c5c0a0324b18d47

      SHA1

      7f49cf5221ee0e65b457c3e4b6ba87f00c783bf5

      SHA256

      be3d03f67abbfac9bf9fe6ab41af444d6c6defe36cf1cf1b319b54916bd47a50

      SHA512

      eaf2f3e00990fc5fd1cb338f301531df0b0aba156efac36b584b4d7bbaefdde7367e482f2fc119514a60c0e424cd25fde91c93cb7a341de30e1cdea4736261d6

      Download Submit

    • memory/3736-150-0x0000000006FB0000-0x0000000006FE2000-memory.dmp

      Filesize

      200KB

      Download

    • memory/3736-149-0x0000000005E00000-0x0000000005E1E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/3736-154-0x0000000007740000-0x0000000007DBA000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/3736-142-0x0000000004E40000-0x0000000004E62000-memory.dmp

      Filesize

      136KB

      Download

    • memory/3736-137-0x0000000000000000-mapping.dmp

      Download

    • memory/3736-152-0x00000000716F0000-0x000000007173C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/3736-160-0x0000000007420000-0x0000000007428000-memory.dmp

      Filesize

      32KB

      Download

    • memory/3736-157-0x0000000007380000-0x0000000007416000-memory.dmp

      Filesize

      600KB

      Download

    • memory/3736-156-0x0000000007170000-0x000000000717A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/3736-143-0x00000000056A0000-0x0000000005706000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3844-145-0x0000000000400000-0x0000000000444000-memory.dmp

      Filesize

      272KB

      Download

    • memory/3844-144-0x0000000000000000-mapping.dmp

      Download

    • memory/3844-147-0x0000000000400000-0x0000000000444000-memory.dmp

      Filesize

      272KB

      Download

    • memory/3844-148-0x0000000000400000-0x0000000000444000-memory.dmp

      Filesize

      272KB

      Download

    • memory/3856-135-0x000000000A8B0000-0x000000000A916000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3856-134-0x000000000A590000-0x000000000A62C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/3856-133-0x0000000005600000-0x000000000560A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/3856-132-0x0000000005680000-0x0000000005712000-memory.dmp

      Filesize

      584KB

      Download

    • memory/3856-131-0x0000000005B90000-0x0000000006134000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/3856-130-0x0000000000B40000-0x0000000000C48000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4800-155-0x0000000007180000-0x000000000719A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4800-153-0x0000000006670000-0x000000000668E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/4800-151-0x00000000716F0000-0x000000007173C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4800-140-0x0000000005140000-0x0000000005768000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/4800-158-0x00000000075C0000-0x00000000075CE000-memory.dmp

      Filesize

      56KB

      Download

    • memory/4800-159-0x00000000076D0000-0x00000000076EA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4800-138-0x0000000004AD0000-0x0000000004B06000-memory.dmp

      Filesize

      216KB

      Download

    • memory/4800-136-0x0000000000000000-mapping.dmp

      Download

    • memory/4852-139-0x0000000000000000-mapping.dmp

      Download