Analysis

  • max time kernel
    151s
  • max time network
    130s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    22-09-2022 10:39

General

  • Target

    c3da75b39650dd66fa445a7a120b6383.exe

  • Size

    1.2MB

  • MD5

    c3da75b39650dd66fa445a7a120b6383

  • SHA1

    22e7e85a8ba70a9d5e4c1cfb74365418ef5f45fe

  • SHA256

    67f5ddf21cf15cefce056ddbe7bbcb3a3a7cd3551c0c1aec77360de58d820786

  • SHA512

    a6e6cf1b95a314bc3bf81cee1aadc3657df3d40dba3518480cbe1e121cda6dc3a8a50cc3e3f5d13188a788783db612c1b1d51d3652c92de865a2ed8ca555bac4

  • SSDEEP

    24576:MAOcZXgZd9/IhSnxay31+k97w84cKSVlioyvt1qztey4Zodu:a3YSMA1+YUcKsscey4Zh

Malware Config

Signatures

  • NetWire RAT payload 5 IoCs
  • Netwire

    Netwire is a RAT whose main functionality is focused on password stealing and keylogging, but it also includes remote control capabilities.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c3da75b39650dd66fa445a7a120b6383.exe
    "C:\Users\Admin\AppData\Local\Temp\c3da75b39650dd66fa445a7a120b6383.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2044
    • C:\Users\Admin\4_71\gbaxx.pif
      "C:\Users\Admin\4_71\gbaxx.pif" aqxxu.gci
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:956
      • C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
        "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
        3⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • outlook_office_path
        • outlook_win_path
        PID:1640

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence: Registry Run Keys / Startup Folder (T1060), 1 signature
  • Defense Evasion: Modify Registry (T1112), 1 signature
  • Credential Access: Credentials in Files (T1081), 1 signature
  • Discovery: System Information Discovery (T1082), 1 signature
  • Collection: Data from Local System (T1005), 1 signature
  • Collection: Email Collection (T1114), 1 signature

Downloads

  • C:\Users\Admin\4_71\aqxxu.gci
    Filesize

    226.8MB

    MD5

    370cc30e19b9eb90227bc3ff8686280a

    SHA1

    b44e78a9f062f2cb4a0f67201276b7bcf81bcb54

    SHA256

    2865f37fdfb83c7481753c4a27d95d26104b385a87d8dd06f849a63f9964ac0f

    SHA512

    53387dd4d717ec4335d6ee41c1df089584acdf743f8aeb57efec2499777ffc85f6de51cb25bbb2635079394f461c2a13638f7af06858814bdf8744b9172bcd9c

  • C:\Users\Admin\4_71\gbaxx.pif
    Filesize

    1.3MB

    MD5

    92b9ea22338dcd34bc1d8bef60a635a4

    SHA1

    b7da7f7f1533e073463ba02f986e5c17e15d39c3

    SHA256

    21dd8e3960c9e3f987a40d30fdb7ebbe9139dfa9b5e5700e36cbd209f36269d0

    SHA512

    ff8922aab4ef89f6c67921274a35c558f88e419e43312252a744123e25981f2f297c6bc00ac57d462f66cf99ce24cc642a2fbf84861c0875d30486271fb712f5

  • C:\Users\Admin\4_71\qsxmcps.oui
    Filesize

    255KB

    MD5

    a06e1db61565c81aee8af18c64a65b8a

    SHA1

    775d179131afe20d03361bd355d6a4ae9de07d40

    SHA256

    a43b300e39bc4a56b73a4f20910888e2da961534508eb51ff65917b3b16e6b27

    SHA512

    930f7872c5f48dab379b9dcc890c09527a58e1d3c5ad3884584dbcd5416641732a6882ab931319fef0b79e0eedd883931182fb97c32f7b3001059bc98a9f2182

  • C:\Users\Admin\4_71\vjxctlj.icm
    Filesize

    59KB

    MD5

    15d718c9cd8d542707d1678c7e07977c

    SHA1

    b75383d90e81780b7273cbf9897ae5e49c08c2ad

    SHA256

    0479c71d29a13c33f1d41443fe86cad1eaaaa479ae2babc56ca89540e5db5470

    SHA512

    96c163a2c3faa1904de26bd3196aa5f45e79d06cd81607812c617c121e44d017da6f8f95b7e13b6da7a76adb88490cf8db38095e486b7def1001770ec2f096af

  • C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
    Filesize

    44KB

    MD5

    0e06054beb13192588e745ee63a84173

    SHA1

    30b7d4d1277bafd04a83779fd566a1f834a8d113

    SHA256

    c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

    SHA512

    251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

  • \Users\Admin\4_71\gbaxx.pif
    Filesize

    1.3MB

    MD5

    92b9ea22338dcd34bc1d8bef60a635a4

    SHA1

    b7da7f7f1533e073463ba02f986e5c17e15d39c3

    SHA256

    21dd8e3960c9e3f987a40d30fdb7ebbe9139dfa9b5e5700e36cbd209f36269d0

    SHA512

    ff8922aab4ef89f6c67921274a35c558f88e419e43312252a744123e25981f2f297c6bc00ac57d462f66cf99ce24cc642a2fbf84861c0875d30486271fb712f5

  • \Users\Admin\AppData\Local\Temp\RegSvcs.exe
    Filesize

    44KB

    MD5

    0e06054beb13192588e745ee63a84173

    SHA1

    30b7d4d1277bafd04a83779fd566a1f834a8d113

    SHA256

    c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

    SHA512

    251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

  • memory/956-59-0x0000000000000000-mapping.dmp
  • memory/1640-66-0x0000000000410000-0x00000000008D0000-memory.dmp
    Filesize

    4.8MB

  • memory/1640-69-0x00000000004126D0-mapping.dmp
  • memory/1640-68-0x0000000000410000-0x00000000008D0000-memory.dmp
    Filesize

    4.8MB

  • memory/1640-73-0x0000000000410000-0x00000000008D0000-memory.dmp
    Filesize

    4.8MB

  • memory/1640-74-0x0000000000410000-0x00000000008D0000-memory.dmp
    Filesize

    4.8MB

  • memory/1640-75-0x0000000000410000-0x00000000008D0000-memory.dmp
    Filesize

    4.8MB

  • memory/2044-54-0x0000000075F81000-0x0000000075F83000-memory.dmp
    Filesize

    8KB