Behavioral Report

Analysis

max time kernel
150s
max time network
125s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
24-09-2022 02:05

Sharing

Copy URL

Twitter E-mail

Report Files Registry Network Processes Mutex Misc

General

Target

invoice_7833.exe
Size

1MB
MD5

2bb20b6123c38e8980b9f92e9a16f957
SHA1

3097deacf4adcdb35d8cb9d726cdf9f62efeaca6
SHA256

c43c2232e4c6cf97b7bd145ab5a72c8d5c408c77b7a56725160c192a6f6434a3
SHA512

f402382f7d5802130c6db3ada51678304b4d51558dacbfcd4237012153b2e66f88d525f6c23383a7792a2d70daab5cd8117c8347c85d34eabbd37d222b3879d4
SSDEEP

24576:5AOcZgAgB9ZkeKEptML955rCmtMyGpLAWDXxo8FVCaWXZWcVX:zTAgBgApyLseZG/VokCp79

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family	netwire
C2	212.193.30.230:3345 212.193.30.230:3345
Attributes	activex_autorun false copy_executable false delete_original false host_id HostId-%Rand% keylogger_dir %AppData%\Logs\ lock_executable false offline_keylogger true password Password@9 registry_autorun false use_mutex false

Signatures

NetWire RAT payload ⋅ 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1500-68-0x0000000000290000-0x000000000086C000-memory.dmp	netwire
behavioral1/memory/1500-69-0x000000000029242D-mapping.dmp	netwire
behavioral1/memory/1500-73-0x0000000000290000-0x000000000086C000-memory.dmp	netwire
behavioral1/memory/1500-74-0x0000000000290000-0x000000000086C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE ⋅ 2 IoCs

Processes:

btlawc.pifRegSvcs.exe

pid process

1656 btlawc.pif
1500 RegSvcs.exe
Loads dropped DLL ⋅ 5 IoCs

Processes:

invoice_7833.exebtlawc.pif

pid process

1404 invoice_7833.exe
1404 invoice_7833.exe
1404 invoice_7833.exe
1404 invoice_7833.exe
1656 btlawc.pif

pid	process
1404	invoice_7833.exe
1404	invoice_7833.exe
1404	invoice_7833.exe
1404	invoice_7833.exe
1656	btlawc.pif

Adds Run key to start application ⋅ 2 TTPs 2 IoCs

persistence

TTPs:

Registry Run Keys / Startup Folder Modify Registry

Processes:

btlawc.pif

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	btlawc.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8_410\\btlawc.pif C:\\Users\\Admin\\AppData\\Local\\Temp\\8_410\\RVKJVX~1.ADO"	btlawc.pif

Suspicious use of SetThreadContext ⋅ 1 IoCs

Processes:

btlawc.pif

description pid process target process

PID 1656 set thread context of 1500 1656 btlawc.pif RegSvcs.exe
Enumerates physical storage devices ⋅ 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

TTPs:

System Information Discovery

description	pid	process	target process
PID 1656 set thread context of 1500	1656	btlawc.pif	RegSvcs.exe

Suspicious behavior: EnumeratesProcesses ⋅ 64 IoCs

Processes:

btlawc.pif

pid	process
1656	btlawc.pif
1656	btlawc.pif
1656	btlawc.pif
1656	btlawc.pif
1656	btlawc.pif
1656	btlawc.pif
1656	btlawc.pif
1656	btlawc.pif
1656	btlawc.pif
1656	btlawc.pif
1656	btlawc.pif
1656	btlawc.pif
1656	btlawc.pif
1656	btlawc.pif
1656	btlawc.pif
1656	btlawc.pif
1656	btlawc.pif
1656	btlawc.pif
1656	btlawc.pif
1656	btlawc.pif
1656	btlawc.pif
1656	btlawc.pif
1656	btlawc.pif
1656	btlawc.pif
1656	btlawc.pif
1656	btlawc.pif
1656	btlawc.pif
1656	btlawc.pif
1656	btlawc.pif
1656	btlawc.pif
1656	btlawc.pif
1656	btlawc.pif
1656	btlawc.pif
1656	btlawc.pif
1656	btlawc.pif
1656	btlawc.pif
1656	btlawc.pif
1656	btlawc.pif
1656	btlawc.pif
1656	btlawc.pif
1656	btlawc.pif
1656	btlawc.pif
1656	btlawc.pif
1656	btlawc.pif
1656	btlawc.pif
1656	btlawc.pif
1656	btlawc.pif
1656	btlawc.pif
1656	btlawc.pif
1656	btlawc.pif
1656	btlawc.pif
1656	btlawc.pif
1656	btlawc.pif
1656	btlawc.pif
1656	btlawc.pif
1656	btlawc.pif
1656	btlawc.pif
1656	btlawc.pif
1656	btlawc.pif
1656	btlawc.pif
1656	btlawc.pif
1656	btlawc.pif
1656	btlawc.pif
1656	btlawc.pif

Suspicious use of WriteProcessMemory ⋅ 16 IoCs

Processes:

invoice_7833.exebtlawc.pif

description	pid	process	target process
PID 1404 wrote to memory of 1656	1404	invoice_7833.exe	btlawc.pif
PID 1404 wrote to memory of 1656	1404	invoice_7833.exe	btlawc.pif
PID 1404 wrote to memory of 1656	1404	invoice_7833.exe	btlawc.pif
PID 1404 wrote to memory of 1656	1404	invoice_7833.exe	btlawc.pif
PID 1404 wrote to memory of 1656	1404	invoice_7833.exe	btlawc.pif
PID 1404 wrote to memory of 1656	1404	invoice_7833.exe	btlawc.pif
PID 1404 wrote to memory of 1656	1404	invoice_7833.exe	btlawc.pif
PID 1656 wrote to memory of 1500	1656	btlawc.pif	RegSvcs.exe
PID 1656 wrote to memory of 1500	1656	btlawc.pif	RegSvcs.exe
PID 1656 wrote to memory of 1500	1656	btlawc.pif	RegSvcs.exe
PID 1656 wrote to memory of 1500	1656	btlawc.pif	RegSvcs.exe
PID 1656 wrote to memory of 1500	1656	btlawc.pif	RegSvcs.exe
PID 1656 wrote to memory of 1500	1656	btlawc.pif	RegSvcs.exe
PID 1656 wrote to memory of 1500	1656	btlawc.pif	RegSvcs.exe
PID 1656 wrote to memory of 1500	1656	btlawc.pif	RegSvcs.exe
PID 1656 wrote to memory of 1500	1656	btlawc.pif	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\invoice_7833.exe

"C:\Users\Admin\AppData\Local\Temp\invoice_7833.exe"

Loads dropped DLL
Suspicious use of WriteProcessMemory

PID:1404

C:\Users\Admin\AppData\Local\Temp\8_410\btlawc.pif

"C:\Users\Admin\AppData\Local\Temp\8_410\btlawc.pif" rvkjvxgjb.ado

Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Suspicious use of SetThreadContext
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory

PID:1656

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"

Executes dropped EXE

PID:1500

Network

MITRE ATT&CK Matrix

Collection

Command and Control

Credential Access

Defense Evasion

Modify Registry

Discovery

System Information Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Replay Monitor

00:00 00:00

Downloads

C:\Users\Admin\AppData\Local\Temp\8_410\btlawc.pif
MD5
f28aa08788132e64db4b8918ee2430b1

SHA1
ef32b1023a89dc36d7c5e98e22845fe87c5efef2

SHA256
f99b9fc041c177f0bee2c82d09f451ef0833696111b1b37cbfff8c975232ece2

SHA512
689cf6118061aa9e7d4b78118db99338aa767433df511610d471a989825a84a53119310248ed3870b10e48e77b47c429ef5a276dbc9c4ec53a7588e16093b50f

Download Submit
C:\Users\Admin\AppData\Local\Temp\8_410\iehqknoxj.log
MD5
2700e5dc7d99daa1226ecc071fc14848

SHA1
df0e9b8fcacf21a8d28a9121f83b0a83224b1a69

SHA256
813ba7f9ced0f45900fffbf4cf07c9d4c3f532ec3b444078af1ce3a237365f91

SHA512
48961951cbf5eba1c947053ef5edc15b83601eb5a066530a262831276924b4c9e6fc45fcda4e861a7216a2bd601ee53ae262cbce8f4bda36028521aef613e636

Download Submit
C:\Users\Admin\AppData\Local\Temp\8_410\mnrvwnoo.kdv
MD5
7c7103f63a985d7d365c8b5ffb976033

SHA1
9187fd85513b81a9ef14829d825667e7f2ce40b1

SHA256
42d4d72925bc5153ffa039c5fc070a8ee434d80f57b59624d299901463e91886

SHA512
acb7a771550bf41b005ac69c3d572cb6600da2be93fc08db02c019eb8fa1a70ffc26096931e256ea9c94e6627469c6380cc9fcd8a3ef8bc655b209063654f94f

Download Submit
C:\Users\Admin\AppData\Local\Temp\8_410\rvkjvxgjb.ado
MD5
aab187cdf62195e8be56bdbbefce3d87

SHA1
a7d5d2d7ee9039d962aa30910deb456ab9441933

SHA256
47247cec5c19d4299ddc1d84f427ea86871e2ae36775d15679380ca5e71b5f4e

SHA512
a58d23b9884c781f386269aa2beda5281412253797dc36b75ee9506f831ba2f89ec74e62b0d40c20eb3942b18efd047fa3f0a9a75514b287b174c3b21f687558

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
\Users\Admin\AppData\Local\Temp\8_410\btlawc.pif
MD5
f28aa08788132e64db4b8918ee2430b1

SHA1
ef32b1023a89dc36d7c5e98e22845fe87c5efef2

SHA256
f99b9fc041c177f0bee2c82d09f451ef0833696111b1b37cbfff8c975232ece2

SHA512
689cf6118061aa9e7d4b78118db99338aa767433df511610d471a989825a84a53119310248ed3870b10e48e77b47c429ef5a276dbc9c4ec53a7588e16093b50f

Download Submit
\Users\Admin\AppData\Local\Temp\8_410\btlawc.pif
MD5
f28aa08788132e64db4b8918ee2430b1

SHA1
ef32b1023a89dc36d7c5e98e22845fe87c5efef2

SHA256
f99b9fc041c177f0bee2c82d09f451ef0833696111b1b37cbfff8c975232ece2

SHA512
689cf6118061aa9e7d4b78118db99338aa767433df511610d471a989825a84a53119310248ed3870b10e48e77b47c429ef5a276dbc9c4ec53a7588e16093b50f

Download Submit
\Users\Admin\AppData\Local\Temp\8_410\btlawc.pif
MD5
f28aa08788132e64db4b8918ee2430b1

SHA1
ef32b1023a89dc36d7c5e98e22845fe87c5efef2

SHA256
f99b9fc041c177f0bee2c82d09f451ef0833696111b1b37cbfff8c975232ece2

SHA512
689cf6118061aa9e7d4b78118db99338aa767433df511610d471a989825a84a53119310248ed3870b10e48e77b47c429ef5a276dbc9c4ec53a7588e16093b50f

Download Submit
\Users\Admin\AppData\Local\Temp\8_410\btlawc.pif
MD5
f28aa08788132e64db4b8918ee2430b1

SHA1
ef32b1023a89dc36d7c5e98e22845fe87c5efef2

SHA256
f99b9fc041c177f0bee2c82d09f451ef0833696111b1b37cbfff8c975232ece2

SHA512
689cf6118061aa9e7d4b78118db99338aa767433df511610d471a989825a84a53119310248ed3870b10e48e77b47c429ef5a276dbc9c4ec53a7588e16093b50f

Download Submit
\Users\Admin\AppData\Local\Temp\RegSvcs.exe
MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
memory/1404-54-0x0000000074F01000-0x0000000074F03000-memory.dmp

Download
memory/1500-66-0x0000000000290000-0x000000000086C000-memory.dmp

Download
memory/1500-68-0x0000000000290000-0x000000000086C000-memory.dmp

Download
memory/1500-69-0x000000000029242D-mapping.dmp

Download
memory/1500-73-0x0000000000290000-0x000000000086C000-memory.dmp

Download
memory/1500-74-0x0000000000290000-0x000000000086C000-memory.dmp

Download
memory/1656-59-0x0000000000000000-mapping.dmp

Download