Overview

overview

10

Static

static

5

16f098e9ce...9d.exe

windows7-x64

10

16f098e9ce...9d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-08-2022 23:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    16f098e9ce7d2c6c0575af51f9dc139d.exe

  • Size

    904KB

  • MD5

    16f098e9ce7d2c6c0575af51f9dc139d

  • SHA1

    19982bb99284f8ba1d0dfb70356a36b798cf7210

  • SHA256

    288719cc7ce53a7dc829be4a5d261e0c9229aca9097b72bea018fa7c9aa84000

  • SHA512

    44535ec96b64d047055018661679e12632113fd3238b3492b6dcc730e1a78b4028deca62d529370e0e3b089984080d4477047bda4ac6a762da14573dcdf8125f

  • SSDEEP

    12288:7aWzgMg7v3qnCiuErQohh0F4JCJ8lnyOcSyck41PNvDWpWTis+0Vz7w:OaHMv6CyrjtnyOcS5k8DWpSnw

Score
10/10
netwirebotnetpersistenceratstealer

Malware Config

Extracted

Family

netwire

C2

musaad1995-60255.portmap.host:60255

Attributes
  • activex_autorun

    false

  • activex_key

    {0Q55O7T5-7PG8-1407-8Y6O-8DDRN68HAD86}

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • install_path

    %AppData%\Local\Microsoft\OneDrive\OneDrive.exe

  • keylogger_dir

    OneDrive.lnk

  • lock_executable

    false

  • mutex

    vMnKWPIY

  • offline_keylogger

    false

  • password

    999000

  • registry_autorun

    false

  • use_mutex

    false

Signatures

  • NetWire RAT payload 8 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Executes dropped EXE 2 IoCs
  • Modifies Installed Components in the registry 2 TTPs 2 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 8 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\16f098e9ce7d2c6c0575af51f9dc139d.exe
    "C:\Users\Admin\AppData\Local\Temp\16f098e9ce7d2c6c0575af51f9dc139d.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1248
    • C:\Users\Admin\AppData\Local\Temp\16f098e9ce7d2c6c0575af51f9dc139d.exe
      "C:\Users\Admin\AppData\Local\Temp\16f098e9ce7d2c6c0575af51f9dc139d.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:3540
      • C:\Users\Admin\AppData\Roaming\Local\Microsoft\OneDrive\OneDrive.exe
        "C:\Users\Admin\AppData\Roaming\Local\Microsoft\OneDrive\OneDrive.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4368
        • C:\Users\Admin\AppData\Roaming\Local\Microsoft\OneDrive\OneDrive.exe
          "C:\Users\Admin\AppData\Roaming\Local\Microsoft\OneDrive\OneDrive.exe"
          4⤵
          • Executes dropped EXE
          • Modifies Installed Components in the registry
          • Drops startup file
          • Adds Run key to start application
          PID:4028

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Local\Microsoft\OneDrive\OneDrive.exe
    Filesize

    904KB

    MD5

    16f098e9ce7d2c6c0575af51f9dc139d

    SHA1

    19982bb99284f8ba1d0dfb70356a36b798cf7210

    SHA256

    288719cc7ce53a7dc829be4a5d261e0c9229aca9097b72bea018fa7c9aa84000

    SHA512

    44535ec96b64d047055018661679e12632113fd3238b3492b6dcc730e1a78b4028deca62d529370e0e3b089984080d4477047bda4ac6a762da14573dcdf8125f

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Local\Microsoft\OneDrive\OneDrive.exe
    Filesize

    904KB

    MD5

    16f098e9ce7d2c6c0575af51f9dc139d

    SHA1

    19982bb99284f8ba1d0dfb70356a36b798cf7210

    SHA256

    288719cc7ce53a7dc829be4a5d261e0c9229aca9097b72bea018fa7c9aa84000

    SHA512

    44535ec96b64d047055018661679e12632113fd3238b3492b6dcc730e1a78b4028deca62d529370e0e3b089984080d4477047bda4ac6a762da14573dcdf8125f

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Local\Microsoft\OneDrive\OneDrive.exe
    Filesize

    904KB

    MD5

    16f098e9ce7d2c6c0575af51f9dc139d

    SHA1

    19982bb99284f8ba1d0dfb70356a36b798cf7210

    SHA256

    288719cc7ce53a7dc829be4a5d261e0c9229aca9097b72bea018fa7c9aa84000

    SHA512

    44535ec96b64d047055018661679e12632113fd3238b3492b6dcc730e1a78b4028deca62d529370e0e3b089984080d4477047bda4ac6a762da14573dcdf8125f

    Download Submit
  • memory/1248-137-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize

    712KB

    Download
  • memory/1248-132-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize

    712KB

    Download
  • memory/3540-138-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize

    712KB

    Download
  • memory/3540-133-0x0000000000000000-mapping.dmp
    Download
  • memory/3540-136-0x00000000000C0000-0x0000000000110000-memory.dmp
    Filesize

    320KB

    Download
  • memory/3540-135-0x00000000000C0000-0x0000000000110000-memory.dmp
    Filesize

    320KB

    Download
  • memory/3540-134-0x00000000000C0000-0x0000000000110000-memory.dmp
    Filesize

    320KB

    Download
  • memory/3540-142-0x00000000000C0000-0x0000000000110000-memory.dmp
    Filesize

    320KB

    Download
  • memory/4028-148-0x00000000000C0000-0x0000000000110000-memory.dmp
    Filesize

    320KB

    Download
  • memory/4028-143-0x0000000000000000-mapping.dmp
    Download
  • memory/4028-147-0x00000000000C0000-0x0000000000110000-memory.dmp
    Filesize

    320KB

    Download
  • memory/4028-150-0x00000000000C0000-0x0000000000110000-memory.dmp
    Filesize

    320KB

    Download
  • memory/4028-151-0x00000000000C0000-0x0000000000110000-memory.dmp
    Filesize

    320KB

    Download
  • memory/4368-144-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize

    712KB

    Download
  • memory/4368-139-0x0000000000000000-mapping.dmp
    Download
  • memory/4368-149-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize

    712KB

    Download