Analysis

  • max time kernel
    150s
  • max time network
    45s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    26-09-2022 08:50

General

  • Target

    3fbd38a88a5302483a14d8fa2510faf9.exe

  • Size

    1MB

  • MD5

    3fbd38a88a5302483a14d8fa2510faf9

  • SHA1

    776a02c79a42da5ec021aa1cbd7ac19367d6cb07

  • SHA256

    3d10c53032ea46fb31e8b921c09466bf4a93347f5809c181a0d41ac8e423a153

  • SHA512

    24b06af982e636f5faca9eca61958dc87a5ac4a272c789be842ff2c0f5e4f4cb5baf37186690d0c7c83ad65a45eef0ddc71d2f364da0c0d13e44c4335c515bb3

  • SSDEEP

    24576:UAOcZXcxP6qNenHO4jTZpFY1q8LPHYOoW6Viduv:CH9CHO4HZXYIwQOolIduv

Malware Config

Extracted

Family

netwire

C2

37.0.14.206:3384

Attributes
activex_autorun
false
copy_executable
true
delete_original
false
host_id
HostId-%Rand%
install_path
%AppData%\Install\Host.exe
keylogger_dir
%AppData%\Logs\
lock_executable
true
offline_keylogger
true
password
Password234
registry_autorun
false
use_mutex
false

Signatures

  • NetWire RAT payload ⋅ 4 IoCs
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

  • Executes dropped EXE ⋅ 2 IoCs
  • Loads dropped DLL ⋅ 6 IoCs
  • Adds Run key to start application ⋅ 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext ⋅ 1 IoCs
  • Enumerates physical storage devices ⋅ 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses ⋅ 64 IoCs
  • Suspicious use of WriteProcessMemory ⋅ 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3fbd38a88a5302483a14d8fa2510faf9.exe
    "C:\Users\Admin\AppData\Local\Temp\3fbd38a88a5302483a14d8fa2510faf9.exe"
    Loads dropped DLL
    Suspicious use of WriteProcessMemory
    PID:1960
    • C:\Users\Admin\AppData\Local\Temp\2_92\xckjkc.pif
      "C:\Users\Admin\AppData\Local\Temp\2_92\xckjkc.pif" murcqfuubq.swk
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1320
      • C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
        "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        PID:1212
        • C:\Users\Admin\AppData\Roaming\Install\Host.exe
          "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
          PID:1048

Network

MITRE ATT&CK Matrix

Collection

    Command and Control

      Credential Access

        Defense Evasion

        Execution

          Exfiltration

            Impact

              Initial Access

                Lateral Movement

                  Privilege Escalation

                    Replay Monitor

                    00:00 00:00

                    Downloads

                    • C:\Users\Admin\AppData\Local\Temp\2_92\murcqfuubq.swk
                      MD5

                      22d7f4d3b1978cb2578357748b304b1f

                      SHA1

                      ff421d4585f434ac10d8f580b30af4e3c24a5a47

                      SHA256

                      638acd438935e740a086738ea8758be983c2bd4cfeaedf761e39aec7ceabdfe1

                      SHA512

                      fab8b70160b06f2e6c102564b1a22801aa9053cdb8a4188e74b64104319e79d0bc735d0417b6c07c75e276d831fec1ceeffc7edddf005d0762eed5e525768215

                    • C:\Users\Admin\AppData\Local\Temp\2_92\mwghanevcv.cpl
                      MD5

                      b7e12759d7875eb5a0b4f8098084e180

                      SHA1

                      057eb45ee662fcfa885538ea98f179516e2992b5

                      SHA256

                      942a4068b017964d5c48244ba37f2580e231c31f68cf0809ae8d36987f4a5592

                      SHA512

                      74fae86f94f7b74b2451e78e44154844b0362e7fe5e55827004adc22dc7d4e8e90b7e410fdafc3c179cf202c23c6ce6cc8b1e6bd719b2c913a02cb7e726551fa

                    • C:\Users\Admin\AppData\Local\Temp\2_92\vaphlv.fwo
                      MD5

                      e3e028ff79d82e2d2e178a19bc0321d3

                      SHA1

                      a32c1c22a60a04b170f296de36dd4207367a705d

                      SHA256

                      4ebe8964c0606c2e56df8706682558665bd45ee63b004299e880433c266c27b8

                      SHA512

                      88617fb7d1244896fde88b49bb8bc07be65dfc02fc696a30457c771338471e2539a4b99bc557a0c72f9dde1fcc7d2013f1116edd8e98a14dc2e50126d065c217

                    • C:\Users\Admin\AppData\Local\Temp\2_92\xckjkc.pif
                      MD5

                      dae073ff3ec1441bd6dd60a1c84bca94

                      SHA1

                      ffe7f1c111bd4e52877b6fa7cf078b3c7487b95a

                      SHA256

                      3dc837914c42318fc2133b9d8455e14a86981b67898080791d1dcdc7b31b28d5

                      SHA512

                      104fd5255b5716887eb510469626c9b1613e8a66f24b32c22ff26c190243658bf1ac6699ac04b9a903f2cd192719eb84c0c34b2143ba4206bf1f0874dfd33466

                    • C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
                      MD5

                      0e06054beb13192588e745ee63a84173

                      SHA1

                      30b7d4d1277bafd04a83779fd566a1f834a8d113

                      SHA256

                      c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

                      SHA512

                      251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

                    • C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
                      MD5

                      0e06054beb13192588e745ee63a84173

                      SHA1

                      30b7d4d1277bafd04a83779fd566a1f834a8d113

                      SHA256

                      c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

                      SHA512

                      251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

                    • \Users\Admin\AppData\Local\Temp\2_92\xckjkc.pif
                      MD5

                      dae073ff3ec1441bd6dd60a1c84bca94

                      SHA1

                      ffe7f1c111bd4e52877b6fa7cf078b3c7487b95a

                      SHA256

                      3dc837914c42318fc2133b9d8455e14a86981b67898080791d1dcdc7b31b28d5

                      SHA512

                      104fd5255b5716887eb510469626c9b1613e8a66f24b32c22ff26c190243658bf1ac6699ac04b9a903f2cd192719eb84c0c34b2143ba4206bf1f0874dfd33466

                    • \Users\Admin\AppData\Local\Temp\2_92\xckjkc.pif
                      MD5

                      dae073ff3ec1441bd6dd60a1c84bca94

                      SHA1

                      ffe7f1c111bd4e52877b6fa7cf078b3c7487b95a

                      SHA256

                      3dc837914c42318fc2133b9d8455e14a86981b67898080791d1dcdc7b31b28d5

                      SHA512

                      104fd5255b5716887eb510469626c9b1613e8a66f24b32c22ff26c190243658bf1ac6699ac04b9a903f2cd192719eb84c0c34b2143ba4206bf1f0874dfd33466

                    • \Users\Admin\AppData\Local\Temp\2_92\xckjkc.pif
                      MD5

                      dae073ff3ec1441bd6dd60a1c84bca94

                      SHA1

                      ffe7f1c111bd4e52877b6fa7cf078b3c7487b95a

                      SHA256

                      3dc837914c42318fc2133b9d8455e14a86981b67898080791d1dcdc7b31b28d5

                      SHA512

                      104fd5255b5716887eb510469626c9b1613e8a66f24b32c22ff26c190243658bf1ac6699ac04b9a903f2cd192719eb84c0c34b2143ba4206bf1f0874dfd33466

                    • \Users\Admin\AppData\Local\Temp\2_92\xckjkc.pif
                      MD5

                      dae073ff3ec1441bd6dd60a1c84bca94

                      SHA1

                      ffe7f1c111bd4e52877b6fa7cf078b3c7487b95a

                      SHA256

                      3dc837914c42318fc2133b9d8455e14a86981b67898080791d1dcdc7b31b28d5

                      SHA512

                      104fd5255b5716887eb510469626c9b1613e8a66f24b32c22ff26c190243658bf1ac6699ac04b9a903f2cd192719eb84c0c34b2143ba4206bf1f0874dfd33466

                    • \Users\Admin\AppData\Local\Temp\RegSvcs.exe
                      MD5

                      0e06054beb13192588e745ee63a84173

                      SHA1

                      30b7d4d1277bafd04a83779fd566a1f834a8d113

                      SHA256

                      c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

                      SHA512

                      251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

                    • \Users\Admin\AppData\Roaming\Install\Host.exe
                      MD5

                      0e06054beb13192588e745ee63a84173

                      SHA1

                      30b7d4d1277bafd04a83779fd566a1f834a8d113

                      SHA256

                      c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

                      SHA512

                      251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

                    • memory/1048-77-0x0000000000000000-mapping.dmp
                    • memory/1212-73-0x0000000000280000-0x0000000000902000-memory.dmp
                    • memory/1212-69-0x000000000028242D-mapping.dmp
                    • memory/1212-68-0x0000000000280000-0x0000000000902000-memory.dmp
                    • memory/1212-66-0x0000000000280000-0x0000000000902000-memory.dmp
                    • memory/1212-75-0x0000000000280000-0x0000000000902000-memory.dmp
                    • memory/1320-59-0x0000000000000000-mapping.dmp
                    • memory/1960-54-0x00000000751A1000-0x00000000751A3000-memory.dmp