Overview

overview

10

Static

static

xox.exe

windows7-x64

10

xox.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    94s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220721-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-08-2022 04:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    xox.exe

  • Size

    1.3MB

  • MD5

    5c9ad0440fefa31403bd944a1a10a3b8

  • SHA1

    2707299e9ec7fb2173f6afb2e23a4d74865cf5a3

  • SHA256

    2b1245c4547eee5a4545431f1969ab4dd5ba8ac4d0d2dd758d3c77a250e6ddb8

  • SHA512

    9b5b620be47d31f652d0100d891808f9b6baff7177c17604be6b0eb9cc731737e610ff47f83ffe8b9f50da48107087be06e74b75347f8d460b35a83d366c1078

Score
10/10
netwirebotnetpersistenceratstealer

Malware Config

Extracted

Family

netwire

C2

banqueislamik.ddrive.online:3360

Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    SALUT

  • lock_executable

    false

  • offline_keylogger

    false

  • password

    Password

  • registry_autorun

    false

  • use_mutex

    false

Signatures

  • NetWire RAT payload 5 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\xox.exe
    "C:\Users\Admin\AppData\Local\Temp\xox.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:60
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\othnl.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\othnl.exe zwkrwa.hep
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4016
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c schtasks /create /sc minute /mo 5 /tn xeezzrd /tr "C:\Users\Admin\xeezzrd\othnl.exe C:\Users\Admin\xeezzrd\zwkrwa.hep"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3068
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /sc minute /mo 5 /tn xeezzrd /tr "C:\Users\Admin\xeezzrd\othnl.exe C:\Users\Admin\xeezzrd\zwkrwa.hep"
          4⤵
          • Creates scheduled task(s)
          PID:4144
      • C:\Users\Admin\othnl.exe
        0
        3⤵
        • Executes dropped EXE
        PID:452

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lyzbolct.osn
    Filesize

    273KB

    MD5

    b87b1eebcce45db72f46c45d7627c854

    SHA1

    dc8e7030defc35a9d1ad6cfb5a354ecd372506a2

    SHA256

    cd591bbfcb167fa8a7c960812967f90440a350458fe4422c6257cc0558f34953

    SHA512

    fa514a1e7f56689cfdbda78a0c3ea9e73668121e94ab8057fe9a0dc77a4ddd0b8b2aa833109c5f41c182c625392e073a9c4d4a13fdfb8b57aeae9e5733cb3467

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\othnl.exe
    Filesize

    918KB

    MD5

    ad5e6eb33f8b6b48fab6d9ab3e1212c1

    SHA1

    712f5e781df0e1cf0a52cc1312f097c290770909

    SHA256

    dd998d69304649d295691a188f8d0b04b4c2ca5dc7fb03494867bd7738200daa

    SHA512

    11822e5ec5b765109db5c132e8c7dd172f883bb7ae57f78be3861099aef24b0625dc943f2d20b4eff2615e5b98f2836322c8ccac526ee6448c04cfc28328c538

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\othnl.exe
    Filesize

    918KB

    MD5

    ad5e6eb33f8b6b48fab6d9ab3e1212c1

    SHA1

    712f5e781df0e1cf0a52cc1312f097c290770909

    SHA256

    dd998d69304649d295691a188f8d0b04b4c2ca5dc7fb03494867bd7738200daa

    SHA512

    11822e5ec5b765109db5c132e8c7dd172f883bb7ae57f78be3861099aef24b0625dc943f2d20b4eff2615e5b98f2836322c8ccac526ee6448c04cfc28328c538

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zwkrwa.hep
    Filesize

    113.7MB

    MD5

    7c0a58bf2315abf9612d58fbfaaeb0eb

    SHA1

    3e8d2de112be00950fd776bba6883449804f5b39

    SHA256

    be8f159ef84167d6a542d7201cf09340b8dd222fec36e5430dc148062a96fb47

    SHA512

    24866cd04234e6cd83d6b3125ec68ec0f2c2f601ac566379a5c820a97e3d503cc7ffeac220921b8aa8c6d0e53530c96d9b3cd38c90d02b433b691d81ec9c3a91

    Download Submit
  • C:\Users\Admin\othnl.exe
    Filesize

    44KB

    MD5

    9d352bc46709f0cb5ec974633a0c3c94

    SHA1

    1969771b2f022f9a86d77ac4d4d239becdf08d07

    SHA256

    2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

    SHA512

    13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

    Download Submit
  • memory/452-139-0x000000000051AE7B-mapping.dmp
    Download
  • memory/452-138-0x0000000000500000-0x0000000001500000-memory.dmp
    Filesize

    16.0MB

    Download
  • memory/452-141-0x0000000000500000-0x0000000001500000-memory.dmp
    Filesize

    16.0MB

    Download
  • memory/452-142-0x0000000000500000-0x0000000001500000-memory.dmp
    Filesize

    16.0MB

    Download
  • memory/452-143-0x0000000000500000-0x0000000001500000-memory.dmp
    Filesize

    16.0MB

    Download
  • memory/3068-135-0x0000000000000000-mapping.dmp
    Download
  • memory/4016-136-0x0000000001193000-0x0000000001198000-memory.dmp
    Filesize

    20KB

    Download
  • memory/4016-130-0x0000000000000000-mapping.dmp
    Download
  • memory/4144-137-0x0000000000000000-mapping.dmp
    Download