Overview

overview

10

Static

static

bf6a763be3...39.exe

windows7-x64

10

bf6a763be3...39.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    160s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-10-2022 22:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bf6a763be37b940d0ab0ca6d8d5cbba15366861f36acf4e98e4249f92f445e39.exe

  • Size

    194KB

  • MD5

    668d157ae4a5f12573f9711d5c545c20

  • SHA1

    ad7ff5f2fdb495a21c13656bb6ab8269b37b580e

  • SHA256

    bf6a763be37b940d0ab0ca6d8d5cbba15366861f36acf4e98e4249f92f445e39

  • SHA512

    245cd610ec06f30662b7be887f86b4b75f9c2947240837b7699df1a58301f4d2c6a1c2dbfea30a5df629f48a2eb11445bf0a638e4ad8a603069a8949a7f9735b

  • SSDEEP

    3072:JjQONxHpxhA2H/hegAuhIR/M5eWsJzayw8zcXyNYCQk2eDwXJQ6p:ScHm2Y0hPeWKzayFzvCCvzSJQ

Score
10/10
netwirebotnetpersistenceratstealer

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • NetWire RAT payload 3 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bf6a763be37b940d0ab0ca6d8d5cbba15366861f36acf4e98e4249f92f445e39.exe
    "C:\Users\Admin\AppData\Local\Temp\bf6a763be37b940d0ab0ca6d8d5cbba15366861f36acf4e98e4249f92f445e39.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4572
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      2⤵
      • Drops file in Windows directory
      PID:4456
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d explorer.exe,"C:\Users\Admin\AppData\Local\Temp\csc.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3024
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d explorer.exe,"C:\Users\Admin\AppData\Local\Temp\csc.exe"
        3⤵
        • Modifies WinLogon for persistence
        PID:788

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1
T1004

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/788-140-0x0000000000000000-mapping.dmp
    Download
  • memory/3024-139-0x0000000000000000-mapping.dmp
    Download
  • memory/4456-134-0x0000000000000000-mapping.dmp
    Download
  • memory/4456-135-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/4456-137-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/4456-138-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/4572-132-0x0000000075440000-0x00000000759F1000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/4572-133-0x0000000075440000-0x00000000759F1000-memory.dmp
    Filesize

    5.7MB

    Download