Analysis

  • max time kernel
    150s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    24-09-2022 02:05

General

  • Target

    invoice_7833.exe

  • Size

    1.2MB

  • MD5

    2bb20b6123c38e8980b9f92e9a16f957

  • SHA1

    3097deacf4adcdb35d8cb9d726cdf9f62efeaca6

  • SHA256

    c43c2232e4c6cf97b7bd145ab5a72c8d5c408c77b7a56725160c192a6f6434a3

  • SHA512

    f402382f7d5802130c6db3ada51678304b4d51558dacbfcd4237012153b2e66f88d525f6c23383a7792a2d70daab5cd8117c8347c85d34eabbd37d222b3879d4

  • SSDEEP

    24576:5AOcZgAgB9ZkeKEptML955rCmtMyGpLAWDXxo8FVCaWXZWcVX:zTAgBgApyLseZG/VokCp79

Malware Config

Extracted

Family

netwire

C2

212.193.30.230:3345

Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • offline_keylogger

    true

  • password

    Password@9

  • registry_autorun

    false

  • use_mutex

    false

Signatures

  • NetWire RAT payload 4 IoCs
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\invoice_7833.exe
    "C:\Users\Admin\AppData\Local\Temp\invoice_7833.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1404
    • C:\Users\Admin\AppData\Local\Temp\8_410\btlawc.pif
      "C:\Users\Admin\AppData\Local\Temp\8_410\btlawc.pif" rvkjvxgjb.ado
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1656
      • C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
        "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
        3⤵
        • Executes dropped EXE
        PID:1500

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\8_410\btlawc.pif

    Filesize

    906KB

    MD5

    f28aa08788132e64db4b8918ee2430b1

    SHA1

    ef32b1023a89dc36d7c5e98e22845fe87c5efef2

    SHA256

    f99b9fc041c177f0bee2c82d09f451ef0833696111b1b37cbfff8c975232ece2

    SHA512

    689cf6118061aa9e7d4b78118db99338aa767433df511610d471a989825a84a53119310248ed3870b10e48e77b47c429ef5a276dbc9c4ec53a7588e16093b50f

  • C:\Users\Admin\AppData\Local\Temp\8_410\iehqknoxj.log

    Filesize

    59KB

    MD5

    2700e5dc7d99daa1226ecc071fc14848

    SHA1

    df0e9b8fcacf21a8d28a9121f83b0a83224b1a69

    SHA256

    813ba7f9ced0f45900fffbf4cf07c9d4c3f532ec3b444078af1ce3a237365f91

    SHA512

    48961951cbf5eba1c947053ef5edc15b83601eb5a066530a262831276924b4c9e6fc45fcda4e861a7216a2bd601ee53ae262cbce8f4bda36028521aef613e636

  • C:\Users\Admin\AppData\Local\Temp\8_410\mnrvwnoo.kdv

    Filesize

    321KB

    MD5

    7c7103f63a985d7d365c8b5ffb976033

    SHA1

    9187fd85513b81a9ef14829d825667e7f2ce40b1

    SHA256

    42d4d72925bc5153ffa039c5fc070a8ee434d80f57b59624d299901463e91886

    SHA512

    acb7a771550bf41b005ac69c3d572cb6600da2be93fc08db02c019eb8fa1a70ffc26096931e256ea9c94e6627469c6380cc9fcd8a3ef8bc655b209063654f94f

  • C:\Users\Admin\AppData\Local\Temp\8_410\rvkjvxgjb.ado

    Filesize

    178.1MB

    MD5

    aab187cdf62195e8be56bdbbefce3d87

    SHA1

    a7d5d2d7ee9039d962aa30910deb456ab9441933

    SHA256

    47247cec5c19d4299ddc1d84f427ea86871e2ae36775d15679380ca5e71b5f4e

    SHA512

    a58d23b9884c781f386269aa2beda5281412253797dc36b75ee9506f831ba2f89ec74e62b0d40c20eb3942b18efd047fa3f0a9a75514b287b174c3b21f687558

  • C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

    Filesize

    44KB

    MD5

    0e06054beb13192588e745ee63a84173

    SHA1

    30b7d4d1277bafd04a83779fd566a1f834a8d113

    SHA256

    c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

    SHA512

    251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

  • \Users\Admin\AppData\Local\Temp\8_410\btlawc.pif

    Filesize

    906KB

    MD5

    f28aa08788132e64db4b8918ee2430b1

    SHA1

    ef32b1023a89dc36d7c5e98e22845fe87c5efef2

    SHA256

    f99b9fc041c177f0bee2c82d09f451ef0833696111b1b37cbfff8c975232ece2

    SHA512

    689cf6118061aa9e7d4b78118db99338aa767433df511610d471a989825a84a53119310248ed3870b10e48e77b47c429ef5a276dbc9c4ec53a7588e16093b50f

  • \Users\Admin\AppData\Local\Temp\8_410\btlawc.pif

    Filesize

    906KB

    MD5

    f28aa08788132e64db4b8918ee2430b1

    SHA1

    ef32b1023a89dc36d7c5e98e22845fe87c5efef2

    SHA256

    f99b9fc041c177f0bee2c82d09f451ef0833696111b1b37cbfff8c975232ece2

    SHA512

    689cf6118061aa9e7d4b78118db99338aa767433df511610d471a989825a84a53119310248ed3870b10e48e77b47c429ef5a276dbc9c4ec53a7588e16093b50f

  • \Users\Admin\AppData\Local\Temp\8_410\btlawc.pif

    Filesize

    906KB

    MD5

    f28aa08788132e64db4b8918ee2430b1

    SHA1

    ef32b1023a89dc36d7c5e98e22845fe87c5efef2

    SHA256

    f99b9fc041c177f0bee2c82d09f451ef0833696111b1b37cbfff8c975232ece2

    SHA512

    689cf6118061aa9e7d4b78118db99338aa767433df511610d471a989825a84a53119310248ed3870b10e48e77b47c429ef5a276dbc9c4ec53a7588e16093b50f

  • \Users\Admin\AppData\Local\Temp\8_410\btlawc.pif

    Filesize

    906KB

    MD5

    f28aa08788132e64db4b8918ee2430b1

    SHA1

    ef32b1023a89dc36d7c5e98e22845fe87c5efef2

    SHA256

    f99b9fc041c177f0bee2c82d09f451ef0833696111b1b37cbfff8c975232ece2

    SHA512

    689cf6118061aa9e7d4b78118db99338aa767433df511610d471a989825a84a53119310248ed3870b10e48e77b47c429ef5a276dbc9c4ec53a7588e16093b50f

  • \Users\Admin\AppData\Local\Temp\RegSvcs.exe

    Filesize

    44KB

    MD5

    0e06054beb13192588e745ee63a84173

    SHA1

    30b7d4d1277bafd04a83779fd566a1f834a8d113

    SHA256

    c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

    SHA512

    251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

  • memory/1404-54-0x0000000074F01000-0x0000000074F03000-memory.dmp

    Filesize

    8KB

  • memory/1500-66-0x0000000000290000-0x000000000086C000-memory.dmp

    Filesize

    5.9MB

  • memory/1500-68-0x0000000000290000-0x000000000086C000-memory.dmp

    Filesize

    5.9MB

  • memory/1500-69-0x000000000029242D-mapping.dmp

  • memory/1500-73-0x0000000000290000-0x000000000086C000-memory.dmp

    Filesize

    5.9MB

  • memory/1500-74-0x0000000000290000-0x000000000086C000-memory.dmp

    Filesize

    5.9MB

  • memory/1656-59-0x0000000000000000-mapping.dmp