Analysis

  • max time kernel
    150s
  • max time network
    175s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220721-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25-07-2022 03:03

General

  • Target

    cc4fc81c6827c57ebc0ddf6a197e2e6277839e3b0f7c2d94a88dd5c91d586e72.exe

  • Size

    521KB

  • MD5

    c784ee0059d15987a9a306e322e0d062

  • SHA1

    cf78fdd65e08005131e4ef42912fc8e07d685fa0

  • SHA256

    cc4fc81c6827c57ebc0ddf6a197e2e6277839e3b0f7c2d94a88dd5c91d586e72

  • SHA512

    6a85028af5becb599a130c3947a2f17d24672b35a676d7397efd9072df7cfe33fe4a3ccb8544e6f671524add7697100546bec351c357017f69f2ee74019b1463

Malware Config

Extracted

Family

netwire

C2

185.171.25.3:1406

Attributes
  • activex_autorun

    true

  • activex_key

    {IXXTPY86-B7O0-U8M5-0OD1-4Y2C8828J3G0}

  • copy_executable

    true

  • delete_original

    false

  • host_id

    bubu

  • install_path

    %AppData%\Install\Host.exe

  • lock_executable

    false

  • mutex

    tvNRDcbc

  • offline_keylogger

    false

  • password

    Password

  • registry_autorun

    true

  • startup_name

    NetWire

  • use_mutex

    true
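Added example (not part of this report and not sandbox code): Python that turns the extracted configuration above into concrete host-hunt indicators and checks a constructed host snapshot against them. The registry locations are assumptions, labelled in the code: the Run value is expected under HKCU because the RAT runs in the submitting user's context, and activex_key is treated as an Active Setup "Installed Components" subkey under HKCU, which is what the "Modifies Installed Components in the registry" signature below corresponds to. The snapshot data is constructed from the paths in this report's process tree (note that SettingHost.exe and Host.exe in the Downloads section share the same SHA256, consistent with copy_executable being true); the benign entries and the 192.0.2.10 address are padding.

```python
import re

# Configuration values as extracted by the sandbox for this sample (copied from the report).
NETWIRE_CONFIG = {
    "c2": "185.171.25.3:1406",
    "activex_autorun": True,
    "activex_key": "{IXXTPY86-B7O0-U8M5-0OD1-4Y2C8828J3G0}",
    "copy_executable": True,
    "install_path": r"%AppData%\Install\Host.exe",
    "mutex": "tvNRDcbc",
    "registry_autorun": True,
    "startup_name": "NetWire",
    "use_mutex": True,
}

# Assumed registry locations: the RAT persists in the invoking user's hive, so both the
# Run value and the Active Setup component are looked for under HKCU.
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
ACTIVE_SETUP_KEY = r"HKCU\Software\Microsoft\Active Setup\Installed Components"

# A genuine Active Setup component name is a hex GUID; NetWire's activex_key is random
# text in GUID layout, so a non-hex "GUID" under that key is itself a hunt signal.
HEX_GUID = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")


def expand_windows_env(path, env):
    """Expand %VAR% tokens from an explicit mapping so the code runs on any OS."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).lower(), m.group(0)), path)


def hunt_artifacts(cfg, appdata=r"C:\Users\Admin\AppData\Roaming"):
    """Derive the on-host indicators implied by an extracted NetWire config."""
    host, port = cfg["c2"].rsplit(":", 1)
    art = {
        "c2": (host, int(port)),
        "install_path": expand_windows_env(cfg["install_path"], {"appdata": appdata}),
        "mutex": cfg["mutex"] if cfg.get("use_mutex") else None,
        "run_value": None,
        "active_setup_subkey": None,
        "activex_key_is_hex_guid": bool(HEX_GUID.match(cfg["activex_key"])),
    }
    if cfg.get("registry_autorun"):
        art["run_value"] = RUN_KEY + "\\" + cfg["startup_name"]
    if cfg.get("activex_autorun"):
        art["active_setup_subkey"] = ACTIVE_SETUP_KEY + "\\" + cfg["activex_key"]
    return art


def match_snapshot(art, snap):
    """Return (kind, indicator) pairs from the artifact set that are present in a host snapshot."""
    hits = []
    files = {f.lower() for f in snap.get("files", [])}
    if art["install_path"].lower() in files:
        hits.append(("file", art["install_path"]))
    reg = {k.lower() for k in snap.get("registry", [])}
    for key in ("run_value", "active_setup_subkey"):
        if art[key] and art[key].lower() in reg:
            hits.append(("registry", art[key]))
    if art["mutex"] and art["mutex"] in snap.get("mutexes", []):
        hits.append(("mutex", art["mutex"]))
    if art["c2"] in snap.get("connections", []):
        hits.append(("network", "%s:%d" % art["c2"]))
    return hits


# Constructed snapshot: file paths come from the report's process tree, the Run value and
# mutex from the config; the benign entries are padding (192.0.2.10 is a TEST-NET address).
SAMPLE_SNAPSHOT = {
    "files": [
        r"C:\Users\Admin\AppData\Roaming\Install\Host.exe",
        r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\SettingHost.exe",
    ],
    "registry": [RUN_KEY + r"\NetWire", RUN_KEY + r"\ExampleBenignApp"],
    "mutexes": ["tvNRDcbc", "Local\\ExampleBenignMutex"],
    "connections": [("185.171.25.3", 1406), ("192.0.2.10", 443)],
}

if __name__ == "__main__":
    art = hunt_artifacts(NETWIRE_CONFIG)
    for k, v in art.items():
        print("%-25s %s" % (k, v))
    for kind, indicator in match_snapshot(art, SAMPLE_SNAPSHOT):
        print("HIT", kind, indicator)
```

The Active Setup subkey is reported as an indicator even though the constructed snapshot does not contain it; on a live host, collect HKCU and HKLM Installed Components and check the StubPath values of any subkey whose name fails the hex-GUID test.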

Signatures

  • NetWire RAT payload 4 IoCs
  • Netwire

    Netwire is a RAT whose main functionality is password stealing and keylogging, but it also includes remote control capabilities.

  • Executes dropped EXE 4 IoCs
  • Modifies Installed Components in the registry 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox's generic description of this signature calls it likely ransomware behaviour, but no file-encryption activity is reported for this sample; for a NetWire payload, drive enumeration is consistent with the remote control capabilities described above.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cc4fc81c6827c57ebc0ddf6a197e2e6277839e3b0f7c2d94a88dd5c91d586e72.exe
    "C:\Users\Admin\AppData\Local\Temp\cc4fc81c6827c57ebc0ddf6a197e2e6277839e3b0f7c2d94a88dd5c91d586e72.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:864
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\fud.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2556
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\server.sfx.exe
        server.sfx.exe -pzghemkatge -dC:\Users\Admin\AppData\Local\Temp
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:1488
        • C:\Users\Admin\AppData\Local\Temp\RarSFX1\server.exe
          "C:\Users\Admin\AppData\Local\Temp\RarSFX1\server.exe"
          4⤵
          • Executes dropped EXE
          • Checks computer location settings
          • Accesses Microsoft Outlook profiles
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          • outlook_office_path
          • outlook_win_path
          PID:4312
          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\SettingHost.exe
            "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\SettingHost.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:5112
            • C:\Users\Admin\AppData\Roaming\Install\Host.exe
              "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
              6⤵
              • Executes dropped EXE
              • Modifies Installed Components in the registry
              • Adds Run key to start application
              PID:4752
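Added example (not from the report): Python detection logic run over constructed process-creation events that reproduce the tree above, the way a Sysmon event 1 feed would present them. It flags the stages a practitioner would want to alert on independently of the final payload: cmd.exe launching a .bat from a WinRAR self-extractor directory (the RarSFX<n> naming is WinRAR's temporary extraction folder), a nested SFX run with WinRAR's -p<password> and -d<directory> switches, execution from the user's Templates folder, and execution from the %AppData%\Install directory named in the config. The event records, the rule names and the helper functions are this example's own; PIDs, images and command lines are copied from the tree.

```python
import re
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid image cmdline")

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
ROAMING = r"C:\Users\Admin\AppData\Roaming"
SAMPLE = TEMP + r"\cc4fc81c6827c57ebc0ddf6a197e2e6277839e3b0f7c2d94a88dd5c91d586e72.exe"

# Constructed process-creation events (Sysmon event 1 style) reproducing the report's tree.
EVENTS = [
    Proc(864, 0, SAMPLE, '"%s"' % SAMPLE),
    Proc(2556, 864, r"C:\Windows\SysWOW64\cmd.exe",
         r'C:\Windows\system32\cmd.exe /c ""' + TEMP + r'\RarSFX0\fud.bat" "'),
    Proc(1488, 2556, TEMP + r"\RarSFX0\server.sfx.exe",
         "server.sfx.exe -pzghemkatge -d" + TEMP),
    Proc(4312, 1488, TEMP + r"\RarSFX1\server.exe", '"%s\\RarSFX1\\server.exe"' % TEMP),
    Proc(5112, 4312, ROAMING + r"\Microsoft\Windows\Templates\SettingHost.exe",
         '"%s\\Microsoft\\Windows\\Templates\\SettingHost.exe"' % ROAMING),
    Proc(4752, 5112, ROAMING + r"\Install\Host.exe", '"%s\\Install\\Host.exe"' % ROAMING),
]

# WinRAR SFX extraction directory and the SFX module's -p<password> -d<destination> switches.
RARSFX_DIR = re.compile(r"\\RarSFX\d+\\", re.IGNORECASE)
SFX_SWITCHES = re.compile(r"(^|\s)-p\S+.*\s-d\S+", re.IGNORECASE)


def sfx_batch_launch(p):
    """cmd.exe running a batch file out of a WinRAR SFX extraction directory."""
    return (p.image.lower().endswith("\\cmd.exe") and ".bat" in p.cmdline.lower()
            and bool(RARSFX_DIR.search(p.cmdline)))


def nested_sfx_with_password(p):
    """A second SFX, itself extracted by an SFX, unpacked with an embedded password."""
    return bool(RARSFX_DIR.search(p.image)) and bool(SFX_SWITCHES.search(p.cmdline))


def execution_from_templates(p):
    """Executable launched from the user's Templates folder, an unusual program location."""
    return "\\appdata\\roaming\\microsoft\\windows\\templates\\" in p.image.lower()


def execution_from_install_dir(p):
    """Executable launched from %AppData%\\Install, the install_path in the extracted config."""
    return "\\appdata\\roaming\\install\\" in p.image.lower()


RULES = {f.__name__: f for f in (sfx_batch_launch, nested_sfx_with_password,
                                  execution_from_templates, execution_from_install_dir)}


def evaluate(events):
    """Map each PID to the names of the rules it triggers (PIDs with no hits are omitted)."""
    out = {}
    for p in events:
        fired = [name for name, rule in RULES.items() if rule(p)]
        if fired:
            out[p.pid] = fired
    return out


def ancestry(events, pid):
    """Image paths from the root of the tree down to the given PID; empty if PID is unknown."""
    by_pid = {p.pid: p for p in events}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid].image)
        pid = by_pid[pid].ppid
    return chain[::-1]


if __name__ == "__main__":
    for pid, fired in evaluate(EVENTS).items():
        print(pid, ", ".join(fired))
    print(" -> ".join(ancestry(EVENTS, 4752)))
```

Each rule stands on its own, but the ancestry helper is what turns four low-severity hits into one incident: a six-deep chain from a Temp-resident executable down to the configured install path, with every intermediate stage being a freshly dropped binary.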

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\fud.bat

    Filesize

    40B

    MD5

    4afa6ae5a7b42cff69ba53484c95ed0f

    SHA1

    d375d066ae2381ec1aa7b22ac9d2f8e6c2e87ad0

    SHA256

    b0f956553e01f3a57b67a2396ed0deff49ce76dd8ea591768f44599a20646b35

    SHA512

    c74f724d3495feb4ab894f4a4c40a045e2773c87cbd62065c3c3b2811367b2e5786b317937f5c27b4da6ec8dcfe0230042340d398e481442ebbc94b4d89d1da1

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\server.sfx.exe

    Filesize

    394KB

    MD5

    f1f42a41681126733ac97b8713464cb4

    SHA1

    a4506c5445023e7874e587864bb38ec39c953f1b

    SHA256

    7365b9d3fd21780499118249c0de5358ac9157df9e928302a9ebecf7a5cd33bc

    SHA512

    9147efd6e563a0b7e9b311c47cccaabbd4b09d84d11dc46437e0513ec8ea761fe670088757412072493fa77dbc06810d504348b1def1b53e68edeae57fd6a081

  • C:\Users\Admin\AppData\Local\Temp\RarSFX1\server.exe

    Filesize

    378KB

    MD5

    3d6fbc940e83a38bdb52038a0fbdc288

    SHA1

    3f8f70c79c61034931420197a8de68699c583aa8

    SHA256

    01585ff657279eb96b6964f666a9f9e1140058bb331affcee152c69e7290dbf6

    SHA512

    70bf16d15d035342299c5da149389ca189813cbb303fd97934827ff18aa5cc79c4d6b84ce034f4938ff85c63e00c6ceae83abf12f0ffbd2b56714556ab38dd98

  • C:\Users\Admin\AppData\Roaming\Install\Host.exe

    Filesize

    131KB

    MD5

    9228d1005ce4d3a0cbb648bfeaa22a23

    SHA1

    5f21c987a3087096374be1bd767348dd06b5c419

    SHA256

    ad3e326dc8d9ff012d8d18c6da56aa2531105187e2c8d4dfef393bcaf2c72a7d

    SHA512

    56e1720c66a2a48ae976237da00dd6bdf346e24e8b1fda7939d3ce5247928d23429f5e9bf15031f347b1554f4a23dd5146d5866948deb843eaef525da9057475

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\SettingHost.exe

    Filesize

    131KB

    MD5

    9228d1005ce4d3a0cbb648bfeaa22a23

    SHA1

    5f21c987a3087096374be1bd767348dd06b5c419

    SHA256

    ad3e326dc8d9ff012d8d18c6da56aa2531105187e2c8d4dfef393bcaf2c72a7d

    SHA512

    56e1720c66a2a48ae976237da00dd6bdf346e24e8b1fda7939d3ce5247928d23429f5e9bf15031f347b1554f4a23dd5146d5866948deb843eaef525da9057475

  • memory/1488-132-0x0000000000000000-mapping.dmp

  • memory/2556-130-0x0000000000000000-mapping.dmp

  • memory/4312-139-0x00000000732B0000-0x0000000073861000-memory.dmp

    Filesize

    5.7MB

  • memory/4312-138-0x00000000732B0000-0x0000000073861000-memory.dmp

    Filesize

    5.7MB

  • memory/4312-135-0x0000000000000000-mapping.dmp

  • memory/4752-143-0x0000000000000000-mapping.dmp

  • memory/5112-140-0x0000000000000000-mapping.dmp