Overview

overview

10

Static

static

IM202208.exe

windows7-x64

10

IM202208.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    81s
  • max time network
    96s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    19-08-2022 09:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    IM202208.exe

  • Size

    727KB

  • MD5

    c1ca174fbfc7936f8d9d0aad755f29cf

  • SHA1

    16ad7f314c9c2742886523ac256fbb4a5f4bfdb0

  • SHA256

    d08f75542680080f9d3393fc3bb0ced3c30335db5030c1f38a8d7a7aadb15794

  • SHA512

    e2ff294837639043c1b24cfee2eae281284ac9a563ad5e8d31a8ce7538f60447cb747508021b98326a78923e99159109fc908c390a8f3d570d7d91b6d24fa280

Score
10/10
netwirebotnetratstealer

Malware Config

Extracted

Family

netwire

C2

212.193.30.230:3363

Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • offline_keylogger

    true

  • password

    Password@2

  • registry_autorun

    false

  • use_mutex

    false

Signatures

  • NetWire RAT payload 9 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\IM202208.exe
    "C:\Users\Admin\AppData\Local\Temp\IM202208.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1940
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\uunNVGIyv.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1732
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uunNVGIyv" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEC14.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1340
    • C:\Users\Admin\AppData\Local\Temp\IM202208.exe
      "C:\Users\Admin\AppData\Local\Temp\IM202208.exe"
      2⤵
        PID:1644

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmpEC14.tmp
      Filesize

      1KB

      MD5

      fcafaf35949c969f2732b46e0cd6d978

      SHA1

      32123216b7129643785fa2ec3d98dc54941d5e28

      SHA256

      a3185d6531670281fbfdc003d963f80ecbf11832a711b11d410a7e252e84b53c

      SHA512

      a3b71eb1497ea339c0ffd4bfaee9d734eb7f6ff63b9df2ca2dbe382ba751eaee2e445cfdb7183fee45a00bcf37547e62dd3c01733f8bb6a36727be1b74273f64

      Download Submit

    • memory/1340-60-0x0000000000000000-mapping.dmp

      Download

    • memory/1644-73-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/1644-69-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/1644-75-0x000000000040242D-mapping.dmp

      Download

    • memory/1644-71-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/1644-70-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/1644-79-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/1644-78-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/1644-64-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/1644-65-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/1644-67-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/1644-74-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/1732-80-0x000000006EFE0000-0x000000006F58B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1732-59-0x0000000000000000-mapping.dmp

      Download

    • memory/1732-81-0x000000006EFE0000-0x000000006F58B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1940-55-0x0000000075C61000-0x0000000075C63000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1940-54-0x00000000012C0000-0x000000000137C000-memory.dmp

      Filesize

      752KB

      Download

    • memory/1940-63-0x0000000005E30000-0x0000000005E7E000-memory.dmp

      Filesize

      312KB

      Download

    • memory/1940-57-0x0000000000270000-0x000000000027C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/1940-56-0x00000000002D0000-0x00000000002EA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/1940-58-0x000000000A430000-0x000000000A4C2000-memory.dmp

      Filesize

      584KB

      Download