Overview

overview

10

Static

static

SecuriteIn...34.exe

windows7-x64

3

SecuriteIn...34.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-08-2022 09:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.W32.AIDetectNet.01.15534.exe

  • Size

    713KB

  • MD5

    aebb05f6834535c412ba7ccea11c5eec

  • SHA1

    306b3aca470ccb23f88c18999da1d4b53346a79d

  • SHA256

    279f8bd4621f977e47756985c0cbf14e03c7f15c5200e83f03517a73649aa893

  • SHA512

    91b24bf1647211c507c0c69c5b4058cf5785cc58327e7cb1789ef772eeb832cdfed70b9f43d957597be04795cb995b77a07528176564f5800bc3cde245c0ca12

  • SSDEEP

    12288:EAGfi8JQfIT/0e5hz9bUVXhu8gqmU5qZ4Fb4eRO/zqA8RrBncXnPy:ofi8SfIT/0shbM4J4qMtRaeA8tB8Py

Score
10/10
netwirebotnetratstealer

Malware Config

Extracted

Family

netwire

C2

212.193.30.230:3363

Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • offline_keylogger

    true

  • password

    Password@2

  • registry_autorun

    false

  • use_mutex

    false

Signatures

  • NetWire RAT payload 3 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.15534.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.15534.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3248
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\XIhCRld.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4208
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XIhCRld" /XML "C:\Users\Admin\AppData\Local\Temp\tmp21AC.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:3848
    • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.15534.exe
      "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.15534.exe"
      2⤵
        PID:876
      • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.15534.exe
        "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.15534.exe"
        2⤵
          PID:3644

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\tmp21AC.tmp
        Filesize

        1KB

        MD5

        f3275756ae5a53a6c05a8946bc67405a

        SHA1

        9520adb68a82688b0fab82615734f3197f3c76e2

        SHA256

        8fafa1f37e733387eaa2e4cb37167300fa4e0aa4cbdd27cb72d156e740c81668

        SHA512

        fcffef2a6c86de1815536f4ee13454caf476cb5e28c8452a1ad8c5b081310135fe013729aa5b13a3ca482f3dca2f04e088425b34cc469b6765773959fa67ac0a

        Download Submit

      • memory/876-142-0x0000000000000000-mapping.dmp

        Download

      • memory/3248-133-0x0000000005D00000-0x00000000062A4000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/3248-134-0x0000000005640000-0x00000000056D2000-memory.dmp

        Filesize

        584KB

        Download

      • memory/3248-135-0x00000000056F0000-0x00000000056FA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/3248-136-0x0000000007850000-0x00000000078EC000-memory.dmp

        Filesize

        624KB

        Download

      • memory/3248-132-0x0000000000C00000-0x0000000000CB8000-memory.dmp

        Filesize

        736KB

        Download

      • memory/3644-144-0x0000000000400000-0x0000000000433000-memory.dmp

        Filesize

        204KB

        Download

      • memory/3644-150-0x0000000000400000-0x0000000000433000-memory.dmp

        Filesize

        204KB

        Download

      • memory/3644-146-0x0000000000400000-0x0000000000433000-memory.dmp

        Filesize

        204KB

        Download

      • memory/3644-143-0x0000000000000000-mapping.dmp

        Download

      • memory/3848-138-0x0000000000000000-mapping.dmp

        Download

      • memory/4208-147-0x0000000004EC0000-0x0000000004EE2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/4208-154-0x0000000006530000-0x000000000654E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/4208-139-0x0000000002680000-0x00000000026B6000-memory.dmp

        Filesize

        216KB

        Download

      • memory/4208-148-0x0000000004F60000-0x0000000004FC6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/4208-149-0x00000000056B0000-0x0000000005716000-memory.dmp

        Filesize

        408KB

        Download

      • memory/4208-137-0x0000000000000000-mapping.dmp

        Download

      • memory/4208-151-0x0000000005FA0000-0x0000000005FBE000-memory.dmp

        Filesize

        120KB

        Download

      • memory/4208-152-0x0000000006550000-0x0000000006582000-memory.dmp

        Filesize

        200KB

        Download

      • memory/4208-153-0x0000000071120000-0x000000007116C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/4208-141-0x0000000005080000-0x00000000056A8000-memory.dmp

        Filesize

        6.2MB

        Download

      • memory/4208-155-0x0000000007960000-0x0000000007FDA000-memory.dmp

        Filesize

        6.5MB

        Download

      • memory/4208-156-0x0000000007310000-0x000000000732A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/4208-157-0x0000000007380000-0x000000000738A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/4208-158-0x00000000075A0000-0x0000000007636000-memory.dmp

        Filesize

        600KB

        Download

      • memory/4208-159-0x0000000007550000-0x000000000755E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/4208-160-0x0000000007660000-0x000000000767A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/4208-161-0x0000000007640000-0x0000000007648000-memory.dmp

        Filesize

        32KB

        Download