Overview

overview

10

Static

static

SecuriteIn...39.exe

windows7-x64

10

SecuriteIn...39.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    167s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    19-09-2022 17:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.Win32.RATX-gen.6439.exe

  • Size

    953KB

  • MD5

    705e29680f4f0f0310b4680e05f053d0

  • SHA1

    15ab85f450c8fd3e7d25a7889dc658fdfcee9ede

  • SHA256

    444eb9da59786055bffa5f9d294fc26edc82a7b31975383efb7f2b9764402cf5

  • SHA512

    1290bd274a3b4d426edd46d5597f05d8e056cbae92c5eda29616264cdf28fc6387f282e4188dff740e1aeed86974ffdb22ca70dab0e9e2c7a49ff218d932779e

  • SSDEEP

    12288:KFnvWXswpJFQLW3pTLPRVS6IsoDJdrDpvdoxZYg1+kWA/hP1SBh71B:+Wx73ZdmnbAagsA/h9s

Score
10/10
netwirebotnetratstealer

Malware Config

Extracted

Family

netwire

C2

podzeye2.duckdns.org:4411

Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • lock_executable

    false

  • offline_keylogger

    false

  • password

    Password

  • registry_autorun

    false

  • use_mutex

    false

Signatures

  • NetWire RAT payload 7 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.6439.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.6439.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:912
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\LoLOUy.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2036
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LoLOUy" /XML "C:\Users\Admin\AppData\Local\Temp\tmp259B.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:956
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      2⤵
        PID:468

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scripting

    1
    T1064

    Scheduled Task

    1
    T1053

    Persistence

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Scripting

    1
    T1064

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp259B.tmp
      Filesize

      1KB

      MD5

      35f49252e09dec80798bc548eb073eaa

      SHA1

      88c00b84ddcdc3df3b040f3594ca2eaf89427fc8

      SHA256

      1e8f39a5d7e6290adaae14f662b0937cba73567b187504337bee0c13db8afbea

      SHA512

      73fdd2059a6f658a4de40ec9a478c8269caa1c2028aff620c59fa183df682f36d6902719da097eee0a947d4134e13ee6556091f463d2b2a6d2f1c5d75f7d1791

      Download Submit
    • memory/468-75-0x000000000041AE7B-mapping.dmp
      Download
    • memory/468-67-0x0000000000400000-0x0000000000450000-memory.dmp
      Filesize

      320KB

      Download
    • memory/468-74-0x0000000000400000-0x0000000000450000-memory.dmp
      Filesize

      320KB

      Download
    • memory/468-72-0x0000000000400000-0x0000000000450000-memory.dmp
      Filesize

      320KB

      Download
    • memory/468-64-0x0000000000400000-0x0000000000450000-memory.dmp
      Filesize

      320KB

      Download
    • memory/468-71-0x0000000000400000-0x0000000000450000-memory.dmp
      Filesize

      320KB

      Download
    • memory/468-69-0x0000000000400000-0x0000000000450000-memory.dmp
      Filesize

      320KB

      Download
    • memory/468-78-0x0000000000400000-0x0000000000450000-memory.dmp
      Filesize

      320KB

      Download
    • memory/468-81-0x0000000000400000-0x0000000000450000-memory.dmp
      Filesize

      320KB

      Download
    • memory/468-65-0x0000000000400000-0x0000000000450000-memory.dmp
      Filesize

      320KB

      Download
    • memory/912-63-0x0000000008050000-0x000000000809A000-memory.dmp
      Filesize

      296KB

      Download
    • memory/912-55-0x0000000075661000-0x0000000075663000-memory.dmp
      Filesize

      8KB

      Download
    • memory/912-56-0x00000000005C0000-0x00000000005D6000-memory.dmp
      Filesize

      88KB

      Download
    • memory/912-58-0x0000000007CC0000-0x0000000007D64000-memory.dmp
      Filesize

      656KB

      Download
    • memory/912-54-0x0000000000270000-0x0000000000364000-memory.dmp
      Filesize

      976KB

      Download
    • memory/912-57-0x0000000001F00000-0x0000000001F0C000-memory.dmp
      Filesize

      48KB

      Download
    • memory/956-60-0x0000000000000000-mapping.dmp
      Download
    • memory/2036-79-0x000000006F2D0000-0x000000006F87B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2036-80-0x000000006F2D0000-0x000000006F87B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2036-59-0x0000000000000000-mapping.dmp
      Download