Overview

overview

10

Static

static

7056199cb9...58.exe

windows7-x64

10

7056199cb9...58.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    136s
  • max time network
    160s
  • platform
    windows7_x64
  • resource
    win7-20220718-en
  • resource tags

    arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
  • submitted
    31-07-2022 04:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7056199cb966a7dfff3cf82ee196d197616a32f9b877b98dabd0001cfd595058.exe

  • Size

    696KB

  • MD5

    c28a5732c77812eddfc367dc058ac025

  • SHA1

    3d1302756ebea2c6a372d2f9368b638a83d4c9ef

  • SHA256

    7056199cb966a7dfff3cf82ee196d197616a32f9b877b98dabd0001cfd595058

  • SHA512

    85823f4d2877cb6ec9320b87236f371012c0929eb0734b7367d0af4a1cf7b5f6a1570b33e34104b7162c5ba4e88a58d42a731ab2fdaae587169abc4a8559a3a2

Score
10/10
netwirebotnetpersistenceratstealer

Malware Config

Signatures

  • NetWire RAT payload 6 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7056199cb966a7dfff3cf82ee196d197616a32f9b877b98dabd0001cfd595058.exe
    "C:\Users\Admin\AppData\Local\Temp\7056199cb966a7dfff3cf82ee196d197616a32f9b877b98dabd0001cfd595058.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1392
    • C:\Users\Admin\AppData\Local\Temp\7056199cb966a7dfff3cf82ee196d197616a32f9b877b98dabd0001cfd595058.exe
      "C:\Users\Admin\AppData\Local\Temp\7056199cb966a7dfff3cf82ee196d197616a32f9b877b98dabd0001cfd595058.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of WriteProcessMemory
      PID:1816
      • C:\Users\Admin\AppData\Roaming\Install\Host.exe
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1524
        • C:\Users\Admin\AppData\Roaming\Install\Host.exe
          "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          PID:1592

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Install\Host.exe
    Filesize

    696KB

    MD5

    c28a5732c77812eddfc367dc058ac025

    SHA1

    3d1302756ebea2c6a372d2f9368b638a83d4c9ef

    SHA256

    7056199cb966a7dfff3cf82ee196d197616a32f9b877b98dabd0001cfd595058

    SHA512

    85823f4d2877cb6ec9320b87236f371012c0929eb0734b7367d0af4a1cf7b5f6a1570b33e34104b7162c5ba4e88a58d42a731ab2fdaae587169abc4a8559a3a2

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Install\Host.exe
    Filesize

    696KB

    MD5

    c28a5732c77812eddfc367dc058ac025

    SHA1

    3d1302756ebea2c6a372d2f9368b638a83d4c9ef

    SHA256

    7056199cb966a7dfff3cf82ee196d197616a32f9b877b98dabd0001cfd595058

    SHA512

    85823f4d2877cb6ec9320b87236f371012c0929eb0734b7367d0af4a1cf7b5f6a1570b33e34104b7162c5ba4e88a58d42a731ab2fdaae587169abc4a8559a3a2

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Install\Host.exe
    Filesize

    696KB

    MD5

    c28a5732c77812eddfc367dc058ac025

    SHA1

    3d1302756ebea2c6a372d2f9368b638a83d4c9ef

    SHA256

    7056199cb966a7dfff3cf82ee196d197616a32f9b877b98dabd0001cfd595058

    SHA512

    85823f4d2877cb6ec9320b87236f371012c0929eb0734b7367d0af4a1cf7b5f6a1570b33e34104b7162c5ba4e88a58d42a731ab2fdaae587169abc4a8559a3a2

    Download Submit

  • \Users\Admin\AppData\Roaming\Install\Host.exe
    Filesize

    696KB

    MD5

    c28a5732c77812eddfc367dc058ac025

    SHA1

    3d1302756ebea2c6a372d2f9368b638a83d4c9ef

    SHA256

    7056199cb966a7dfff3cf82ee196d197616a32f9b877b98dabd0001cfd595058

    SHA512

    85823f4d2877cb6ec9320b87236f371012c0929eb0734b7367d0af4a1cf7b5f6a1570b33e34104b7162c5ba4e88a58d42a731ab2fdaae587169abc4a8559a3a2

    Download Submit

  • \Users\Admin\AppData\Roaming\Install\Host.exe
    Filesize

    696KB

    MD5

    c28a5732c77812eddfc367dc058ac025

    SHA1

    3d1302756ebea2c6a372d2f9368b638a83d4c9ef

    SHA256

    7056199cb966a7dfff3cf82ee196d197616a32f9b877b98dabd0001cfd595058

    SHA512

    85823f4d2877cb6ec9320b87236f371012c0929eb0734b7367d0af4a1cf7b5f6a1570b33e34104b7162c5ba4e88a58d42a731ab2fdaae587169abc4a8559a3a2

    Download Submit

  • memory/1392-66-0x0000000077220000-0x00000000773A0000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/1392-58-0x0000000077040000-0x00000000771E9000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/1392-56-0x00000000003C0000-0x00000000003CD000-memory.dmp

    Filesize

    52KB

    Download

  • memory/1392-57-0x0000000075B61000-0x0000000075B63000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1392-59-0x0000000077220000-0x00000000773A0000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/1392-62-0x00000000003C0000-0x00000000003CD000-memory.dmp

    Filesize

    52KB

    Download

  • memory/1524-86-0x0000000077040000-0x00000000771E9000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/1524-89-0x0000000077220000-0x00000000773A0000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/1524-92-0x0000000077220000-0x00000000773A0000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/1524-91-0x0000000000310000-0x000000000031D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/1524-77-0x0000000000000000-mapping.dmp

    Download

  • memory/1592-88-0x00000000004138C4-mapping.dmp

    Download

  • memory/1592-95-0x0000000000400000-0x00000000004AE000-memory.dmp

    Filesize

    696KB

    Download

  • memory/1592-96-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1592-102-0x0000000077040000-0x00000000771E9000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/1592-103-0x0000000000400000-0x00000000004AE000-memory.dmp

    Filesize

    696KB

    Download

  • memory/1816-83-0x0000000000400000-0x00000000004AE000-memory.dmp

    Filesize

    696KB

    Download

  • memory/1816-68-0x0000000000400000-0x00000000004AE000-memory.dmp

    Filesize

    696KB

    Download

  • memory/1816-69-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1816-82-0x0000000077220000-0x00000000773A0000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/1816-65-0x0000000077040000-0x00000000771E9000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/1816-67-0x0000000000220000-0x000000000022D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/1816-80-0x0000000000220000-0x000000000022D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/1816-61-0x00000000004138C4-mapping.dmp

    Download