Overview

overview

10

Static

static

Ymtzodupze...gv.exe

windows10-1703-x64

10

Analysis

  • max time kernel
    282s
  • max time network
    293s
  • platform
    windows10-1703_x64
  • resource
    win10-20220718-en
  • resource tags

    arch:x64arch:x86image:win10-20220718-enlocale:en-usos:windows10-1703-x64system
  • submitted
    21-07-2022 23:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Ymtzodupzewdafnfcfctgjmwryfuszwvgv.exe

  • Size

    734KB

  • MD5

    db08ce3bbbb90d2099294727f9fed0ca

  • SHA1

    e320c45ce977499f895177389066f779a297d221

  • SHA256

    340df05912b606b10196adf2ccd3bf9f34a24066ea30f4369596e9fcace90f02

  • SHA512

    225d9dc6cbe33124c86c3a4d208f4e8099a9f6f58a437ffce59829ca3098b87a343b6718f12185cb0d611efa89dbfd0d0e4d86bb7a7cdf4e0aa1e33b939662c5

Score
10/10
modiloadernetwirebotnetpersistenceratstealertrojan

Malware Config

Extracted

Family

netwire

C2

213.152.162.181:5133

184.75.221.171:5133

199.249.230.27:5133

185.103.96.143:5133

185.104.184.43:5133
Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-Eee0a2

  • lock_executable

    true

  • mutex

    SeDCqQtm

  • offline_keylogger

    false

  • password

    Password

  • registry_autorun

    false

  • use_mutex

    true

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • NetWire RAT payload 2 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Ymtzodupzewdafnfcfctgjmwryfuszwvgv.exe
    "C:\Users\Admin\AppData\Local\Temp\Ymtzodupzewdafnfcfctgjmwryfuszwvgv.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:512
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\Ymtzodt.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:920
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /K C:\Users\Public\Libraries\YmtzodO.bat
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4036
        • C:\Windows\SysWOW64\net.exe
          net session
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:304
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 session
            5⤵
              PID:3228
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:580

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Public\Libraries\Cdex.bat
      Filesize

      155B

      MD5

      213c60adf1c9ef88dc3c9b2d579959d2

      SHA1

      e4d2ad7b22b1a8b5b1f7a702b303c7364b0ee021

      SHA256

      37c59c8398279916cfce45f8c5e3431058248f5e3bef4d9f5c0f44a7d564f82e

      SHA512

      fe897d9caa306b0e761b2fd61bb5dc32a53bfaad1ce767c6860af4e3ad59c8f3257228a6e1072dab0f990cb51c59c648084ba419ac6bc5c0a99bdffa569217b7

      Download Submit

    • C:\Users\Public\Libraries\YmtzodO.bat
      Filesize

      1KB

      MD5

      df48c09f243ebcc8a165f77a1c2bf889

      SHA1

      455f7db0adcc2a58d006f1630fb0bd55cd868c07

      SHA256

      4ef9821678da07138c19405387f3fb95e409fbd461c7b8d847c05075facd63ca

      SHA512

      735838c7cca953697ded48adfcd037b7f198072a8962f5940ce12e1bb1c7dd8c1f257a829276f5f5456f776f5bd13342222dd6e0dfc8f18a23f464f2c8d8f1cc

      Download Submit

    • C:\Users\Public\Libraries\Ymtzodt.bat
      Filesize

      55B

      MD5

      19ff9c247ac0e94f87d1b098b822c207

      SHA1

      0b07670c0e0addae5b10969aef529be0b9968792

      SHA256

      a36d899a60de308c3f96e10471cff8177e497d41def874111561fed7ed49ce05

      SHA512

      bff7439cce92515f62bafe2cdb9634c71b82b2b7f22a38881fce07412261b84cc4e6c4775047158fbbd3a5bbc198e0b0c2ee57967100caba17475114b7a22cae

      Download Submit

    • memory/304-481-0x0000000000000000-mapping.dmp

      Download

    • memory/512-140-0x0000000077C40000-0x0000000077DCE000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/512-149-0x0000000077C40000-0x0000000077DCE000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/512-123-0x0000000077C40000-0x0000000077DCE000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/512-124-0x0000000077C40000-0x0000000077DCE000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/512-125-0x0000000077C40000-0x0000000077DCE000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/512-126-0x0000000077C40000-0x0000000077DCE000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/512-127-0x0000000077C40000-0x0000000077DCE000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/512-128-0x0000000077C40000-0x0000000077DCE000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/512-129-0x0000000077C40000-0x0000000077DCE000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/512-130-0x0000000077C40000-0x0000000077DCE000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/512-131-0x0000000077C40000-0x0000000077DCE000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/512-132-0x0000000077C40000-0x0000000077DCE000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/512-133-0x0000000077C40000-0x0000000077DCE000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/512-134-0x0000000077C40000-0x0000000077DCE000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/512-135-0x0000000077C40000-0x0000000077DCE000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/512-136-0x0000000077C40000-0x0000000077DCE000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/512-137-0x0000000077C40000-0x0000000077DCE000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/512-138-0x0000000077C40000-0x0000000077DCE000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/512-117-0x0000000077C40000-0x0000000077DCE000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/512-139-0x0000000077C40000-0x0000000077DCE000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/512-141-0x0000000077C40000-0x0000000077DCE000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/512-142-0x0000000077C40000-0x0000000077DCE000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/512-143-0x0000000077C40000-0x0000000077DCE000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/512-144-0x0000000077C40000-0x0000000077DCE000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/512-145-0x0000000077C40000-0x0000000077DCE000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/512-146-0x0000000077C40000-0x0000000077DCE000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/512-147-0x0000000077C40000-0x0000000077DCE000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/512-165-0x0000000077C40000-0x0000000077DCE000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/512-164-0x0000000077C40000-0x0000000077DCE000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/512-150-0x0000000077C40000-0x0000000077DCE000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/512-163-0x0000000077C40000-0x0000000077DCE000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/512-153-0x0000000077C40000-0x0000000077DCE000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/512-152-0x0000000077C40000-0x0000000077DCE000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/512-154-0x0000000077C40000-0x0000000077DCE000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/512-155-0x0000000077C40000-0x0000000077DCE000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/512-156-0x0000000077C40000-0x0000000077DCE000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/512-157-0x0000000077C40000-0x0000000077DCE000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/512-158-0x0000000077C40000-0x0000000077DCE000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/512-159-0x0000000077C40000-0x0000000077DCE000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/512-160-0x0000000077C40000-0x0000000077DCE000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/512-161-0x0000000077C40000-0x0000000077DCE000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/512-162-0x0000000077C40000-0x0000000077DCE000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/512-151-0x0000000077C40000-0x0000000077DCE000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/512-122-0x0000000077C40000-0x0000000077DCE000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/512-148-0x0000000077C40000-0x0000000077DCE000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/512-166-0x0000000077C40000-0x0000000077DCE000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/512-168-0x0000000077C40000-0x0000000077DCE000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/512-167-0x0000000077C40000-0x0000000077DCE000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/512-169-0x0000000077C40000-0x0000000077DCE000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/512-171-0x0000000077C40000-0x0000000077DCE000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/512-170-0x0000000077C40000-0x0000000077DCE000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/512-173-0x0000000077C40000-0x0000000077DCE000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/512-172-0x0000000077C40000-0x0000000077DCE000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/512-174-0x0000000077C40000-0x0000000077DCE000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/512-175-0x0000000077C40000-0x0000000077DCE000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/512-176-0x0000000077C40000-0x0000000077DCE000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/512-178-0x0000000077C40000-0x0000000077DCE000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/512-177-0x0000000077C40000-0x0000000077DCE000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/512-179-0x0000000077C40000-0x0000000077DCE000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/512-180-0x0000000077C40000-0x0000000077DCE000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/512-892-0x0000000005750000-0x0000000005783000-memory.dmp

      Filesize

      204KB

      Download

    • memory/512-121-0x0000000077C40000-0x0000000077DCE000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/512-891-0x0000000005710000-0x0000000005745000-memory.dmp

      Filesize

      212KB

      Download

    • memory/512-120-0x0000000077C40000-0x0000000077DCE000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/512-119-0x0000000077C40000-0x0000000077DCE000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/512-118-0x0000000077C40000-0x0000000077DCE000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/580-853-0x00000000099F0000-0x00000000099F8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/580-612-0x0000000008030000-0x0000000008380000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/580-610-0x0000000007690000-0x00000000076F6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/580-597-0x00000000078B0000-0x0000000007ED8000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/580-605-0x00000000074F0000-0x0000000007512000-memory.dmp

      Filesize

      136KB

      Download

    • memory/580-611-0x0000000007FC0000-0x0000000008026000-memory.dmp

      Filesize

      408KB

      Download

    • memory/580-617-0x00000000088C0000-0x000000000890B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/580-616-0x0000000007880000-0x000000000789C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/580-593-0x0000000005010000-0x0000000005046000-memory.dmp

      Filesize

      216KB

      Download

    • memory/580-521-0x0000000000000000-mapping.dmp

      Download

    • memory/580-632-0x0000000009750000-0x0000000009783000-memory.dmp

      Filesize

      204KB

      Download

    • memory/580-620-0x0000000008630000-0x00000000086A6000-memory.dmp

      Filesize

      472KB

      Download

    • memory/580-633-0x0000000009730000-0x000000000974E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/580-641-0x0000000009890000-0x0000000009935000-memory.dmp

      Filesize

      660KB

      Download

    • memory/580-645-0x0000000009A60000-0x0000000009AF4000-memory.dmp

      Filesize

      592KB

      Download

    • memory/580-848-0x0000000009A00000-0x0000000009A1A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/920-453-0x0000000000000000-mapping.dmp

      Download

    • memory/3228-501-0x0000000000000000-mapping.dmp

      Download

    • memory/4036-467-0x0000000000000000-mapping.dmp

      Download