Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-09-2022 02:05

General

  • Target

    invoice_7833.exe

  • Size

    1MB

  • MD5

    2bb20b6123c38e8980b9f92e9a16f957

  • SHA1

    3097deacf4adcdb35d8cb9d726cdf9f62efeaca6

  • SHA256

    c43c2232e4c6cf97b7bd145ab5a72c8d5c408c77b7a56725160c192a6f6434a3

  • SHA512

    f402382f7d5802130c6db3ada51678304b4d51558dacbfcd4237012153b2e66f88d525f6c23383a7792a2d70daab5cd8117c8347c85d34eabbd37d222b3879d4

  • SSDEEP

    24576:5AOcZgAgB9ZkeKEptML955rCmtMyGpLAWDXxo8FVCaWXZWcVX:zTAgBgApyLseZG/VokCp79

Malware Config

Extracted

Family

netwire

C2

212.193.30.230:3345

Attributes
activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Password@9
registry_autorun
false
use_mutex
false

Signatures

  • NetWire RAT payload ⋅ 4 IoCs
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

  • Executes dropped EXE ⋅ 2 IoCs
  • Checks computer location settings ⋅ 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application ⋅ 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext ⋅ 1 IoCs
  • Enumerates physical storage devices ⋅ 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses ⋅ 64 IoCs
  • Suspicious use of WriteProcessMemory ⋅ 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\invoice_7833.exe
    "C:\Users\Admin\AppData\Local\Temp\invoice_7833.exe"
    Checks computer location settings
    Suspicious use of WriteProcessMemory
    PID:3780
    • C:\Users\Admin\AppData\Local\Temp\8_410\btlawc.pif
      "C:\Users\Admin\AppData\Local\Temp\8_410\btlawc.pif" rvkjvxgjb.ado
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2716
      • C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
        "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
        Executes dropped EXE
        PID:1472

Network

MITRE ATT&CK Matrix

Collection

    Command and Control

      Credential Access

        Defense Evasion

        Execution

          Exfiltration

            Impact

              Initial Access

                Lateral Movement

                  Privilege Escalation

                    Replay Monitor

                    00:00 00:00

                    Downloads

                    • C:\Users\Admin\AppData\Local\Temp\8_410\btlawc.pif
                      MD5

                      f28aa08788132e64db4b8918ee2430b1

                      SHA1

                      ef32b1023a89dc36d7c5e98e22845fe87c5efef2

                      SHA256

                      f99b9fc041c177f0bee2c82d09f451ef0833696111b1b37cbfff8c975232ece2

                      SHA512

                      689cf6118061aa9e7d4b78118db99338aa767433df511610d471a989825a84a53119310248ed3870b10e48e77b47c429ef5a276dbc9c4ec53a7588e16093b50f

                    • C:\Users\Admin\AppData\Local\Temp\8_410\btlawc.pif
                      MD5

                      f28aa08788132e64db4b8918ee2430b1

                      SHA1

                      ef32b1023a89dc36d7c5e98e22845fe87c5efef2

                      SHA256

                      f99b9fc041c177f0bee2c82d09f451ef0833696111b1b37cbfff8c975232ece2

                      SHA512

                      689cf6118061aa9e7d4b78118db99338aa767433df511610d471a989825a84a53119310248ed3870b10e48e77b47c429ef5a276dbc9c4ec53a7588e16093b50f

                    • C:\Users\Admin\AppData\Local\Temp\8_410\iehqknoxj.log
                      MD5

                      2700e5dc7d99daa1226ecc071fc14848

                      SHA1

                      df0e9b8fcacf21a8d28a9121f83b0a83224b1a69

                      SHA256

                      813ba7f9ced0f45900fffbf4cf07c9d4c3f532ec3b444078af1ce3a237365f91

                      SHA512

                      48961951cbf5eba1c947053ef5edc15b83601eb5a066530a262831276924b4c9e6fc45fcda4e861a7216a2bd601ee53ae262cbce8f4bda36028521aef613e636

                    • C:\Users\Admin\AppData\Local\Temp\8_410\mnrvwnoo.kdv
                      MD5

                      7c7103f63a985d7d365c8b5ffb976033

                      SHA1

                      9187fd85513b81a9ef14829d825667e7f2ce40b1

                      SHA256

                      42d4d72925bc5153ffa039c5fc070a8ee434d80f57b59624d299901463e91886

                      SHA512

                      acb7a771550bf41b005ac69c3d572cb6600da2be93fc08db02c019eb8fa1a70ffc26096931e256ea9c94e6627469c6380cc9fcd8a3ef8bc655b209063654f94f

                    • C:\Users\Admin\AppData\Local\Temp\8_410\rvkjvxgjb.ado
                      MD5

                      aab187cdf62195e8be56bdbbefce3d87

                      SHA1

                      a7d5d2d7ee9039d962aa30910deb456ab9441933

                      SHA256

                      47247cec5c19d4299ddc1d84f427ea86871e2ae36775d15679380ca5e71b5f4e

                      SHA512

                      a58d23b9884c781f386269aa2beda5281412253797dc36b75ee9506f831ba2f89ec74e62b0d40c20eb3942b18efd047fa3f0a9a75514b287b174c3b21f687558

                    • C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
                      MD5

                      9d352bc46709f0cb5ec974633a0c3c94

                      SHA1

                      1969771b2f022f9a86d77ac4d4d239becdf08d07

                      SHA256

                      2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

                      SHA512

                      13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

                    • memory/1472-138-0x0000000001000000-0x00000000015FB000-memory.dmp
                    • memory/1472-139-0x000000000100242D-mapping.dmp
                    • memory/1472-142-0x0000000001000000-0x00000000015FB000-memory.dmp
                    • memory/1472-143-0x0000000001000000-0x00000000015FB000-memory.dmp
                    • memory/2716-132-0x0000000000000000-mapping.dmp