Analysis

  • max time kernel
    149s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220721-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    31-07-2022 04:48

General

  • Target

    647f075a30a3b628fa2b988223dde0f69bb0149b33fced9a78806de23ab7937c.exe

  • Size

    1.2MB

  • MD5

    1bea501f52f6075bb7ca051ad4454e8c

  • SHA1

    73f2f06dfa4a91bda577df01ac6b55189126f9ed

  • SHA256

    647f075a30a3b628fa2b988223dde0f69bb0149b33fced9a78806de23ab7937c

  • SHA512

    130ad7fd52c0f72fbb4bc13387bcc2d36d4dede4f2000bf2bba4d5a1f97f4e0ff71b18541179264be5e0502a2584444766c1e564fb90ba2623ed4875c9e78dde

Malware Config

Extracted

Family

netwire

C2

info1.nowddns.com:5552

Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    Sms v2.0

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • mutex

    wBXPRhxS

  • offline_keylogger

    true

  • password

    caster

  • registry_autorun

    false

  • use_mutex

    true

Signatures

  • NetWire RAT payload 4 IoCs
  • Netwire

    Netwire is a RAT whose main functionality is focused on password stealing and keylogging, and it also includes remote control capabilities.

  • Disables Task Manager via registry modification
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\647f075a30a3b628fa2b988223dde0f69bb0149b33fced9a78806de23ab7937c.exe
    "C:\Users\Admin\AppData\Local\Temp\647f075a30a3b628fa2b988223dde0f69bb0149b33fced9a78806de23ab7937c.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4280
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\14712696\pgq.vbs"
      2⤵
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4708
      • C:\Users\Admin\AppData\Local\Temp\14712696\svs.exe
        "C:\Users\Admin\AppData\Local\Temp\14712696\svs.exe" dxv=fcp
        3⤵
        • Executes dropped EXE
        • Drops startup file
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3656
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
          4⤵
          PID:1216

    Network

    MITRE ATT&CK Enterprise v6

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\14712696\dxv=fcp

      Filesize

      231.6MB

      MD5

      a0b360650307f2420a717b5223750b35

      SHA1

      234d738a69eeb2be318cf0d3cf783f49f886baf3

      SHA256

      9e0d70431e0fa822181aee13e1151a448fe44e0b428cb26e30c42f179795252b

      SHA512

      0fc11dd30f87ba84fe3b35726db801b10e1a695372efedda5e765fdafc6e8eab911d409a7e9db838dcb6b377a4d6994e1e0d8c43029c79912fdaa3754466351f

    • C:\Users\Admin\AppData\Local\Temp\14712696\pgq.vbs

      Filesize

      15KB

      MD5

      951531e0d8e5c2334809b69a14cb8982

      SHA1

      cccc13d65996eb191b53de2ac83f13b9e74544f3

      SHA256

      d43f2e9c8875597cd359ae6ea8e9ef070df705781bc94ba9030193ebd63e37b9

      SHA512

      b3fe88f41a6e71a1b79bf26d13651b20324dc98a1dca59cdaad5afd4937876d11000d8b44b909efe67ce60830c402a3de8c856093662addd63d88f87644ba97e

    • C:\Users\Admin\AppData\Local\Temp\14712696\srp.pdf

      Filesize

      333KB

      MD5

      117b51a098b81a23f0e91b0ef98661a2

      SHA1

      36c10109497186038fa0412d14934b67a05fc871

      SHA256

      a03a929be89bbb86680468e5a2f4854edc445868d7bf48b0d5c2367507c8e2c3

      SHA512

      f7f30695d542a5cd70ddd50b99ca99fc85a25e6d4ca675d9dc8b4f4a67b0454047c22f372cd0875c01b79b651fc1c847909111a1ac8cfe80fcbb73068f2f3e3d

    • C:\Users\Admin\AppData\Local\Temp\14712696\svs.exe

      Filesize

      732KB

      MD5

      71d8f6d5dc35517275bc38ebcc815f9f

      SHA1

      cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

      SHA256

      fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

      SHA512

      4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

    • memory/1216-137-0x0000000000F80000-0x00000000016AC000-memory.dmp

      Filesize

      7.2MB

    • memory/1216-138-0x0000000000F82BCB-mapping.dmp

    • memory/1216-140-0x0000000000F80000-0x00000000016AC000-memory.dmp

      Filesize

      7.2MB

    • memory/1216-141-0x0000000000F80000-0x00000000016AC000-memory.dmp

      Filesize

      7.2MB

    • memory/3656-133-0x0000000000000000-mapping.dmp

    • memory/4708-130-0x0000000000000000-mapping.dmp