Overview

overview

10

Static

static

Remittance...df.exe

windows7-x64

10

Remittance...df.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    98s
  • max time network
    131s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-10-2022 08:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Remittance AdviceInvoice and parking List pdf.exe

  • Size

    1.0MB

  • MD5

    ce1250f42f8fa8bc70082cf2b591c471

  • SHA1

    70a550c5d3ed62257fd1dfd9213a99444104d69b

  • SHA256

    8a339775bd331c2bac7f1e0152dbdd6d8037ef2098a6b455b1cce45107cb5e6e

  • SHA512

    187c386f97562b7fd84467ff3bc4865d84a0ba7d14f3266ca0423a9574908e5bfeda7d14d739686b7e0d90e61abafcc9943fa62c081ac59decd463a45180e4cb

  • SSDEEP

    12288:O2iNzJLbODG3PnKgGtW07tZMtQ/VP/281jPRSPCfdrXPm3u:O1fukPnvt0ZZ4Q/VP/28OPCN+3

Score
10/10
netwirebotnetratstealer

Malware Config

Extracted

Family

netwire

C2

kimlee11.duckdns.org:8839

Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • lock_executable

    false

  • offline_keylogger

    false

  • password

    Password

  • registry_autorun

    false

  • use_mutex

    false

Signatures

  • NetWire RAT payload 5 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Remittance AdviceInvoice and parking List pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\Remittance AdviceInvoice and parking List pdf.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4736
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ATtzwttIOonXlr.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2732
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ATtzwttIOonXlr" /XML "C:\Users\Admin\AppData\Local\Temp\tmp48A2.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2488
    • C:\Users\Admin\AppData\Local\Temp\Remittance AdviceInvoice and parking List pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\Remittance AdviceInvoice and parking List pdf.exe"
      2⤵
        PID:3656
      • C:\Users\Admin\AppData\Local\Temp\Remittance AdviceInvoice and parking List pdf.exe
        "C:\Users\Admin\AppData\Local\Temp\Remittance AdviceInvoice and parking List pdf.exe"
        2⤵
          PID:3248

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Scheduled Task

      1
      T1053

      Persistence

      Scheduled Task

      1
      T1053

      Privilege Escalation

      Scheduled Task

      1
      T1053

      Defense Evasion

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      2
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\tmp48A2.tmp
        Filesize

        1KB

        MD5

        2e815a80873034bfc36988eab407615c

        SHA1

        7c175459878eee803f10912314b682e45c698697

        SHA256

        46b864e15d0dc3f0fc8d59501ba672210801ae20ed5ce868afeb540efa05db65

        SHA512

        ea197ba3678261bf9e0ccb0ee6c5fbbb055d45530b743de60381f2e2f5b32adde28c6b3c441c3f0bac81d40a795973ec4418122f57c35911efa84ed60b8cb474

        Download Submit
      • memory/2488-139-0x0000000000000000-mapping.dmp
        Download
      • memory/2732-147-0x00000000057A0000-0x00000000057C2000-memory.dmp
        Filesize

        136KB

        Download
      • memory/2732-138-0x0000000000000000-mapping.dmp
        Download
      • memory/2732-148-0x0000000005840000-0x00000000058A6000-memory.dmp
        Filesize

        408KB

        Download
      • memory/2732-161-0x0000000007D90000-0x0000000007D98000-memory.dmp
        Filesize

        32KB

        Download
      • memory/2732-160-0x0000000007DB0000-0x0000000007DCA000-memory.dmp
        Filesize

        104KB

        Download
      • memory/2732-159-0x0000000007CA0000-0x0000000007CAE000-memory.dmp
        Filesize

        56KB

        Download
      • memory/2732-140-0x0000000002E80000-0x0000000002EB6000-memory.dmp
        Filesize

        216KB

        Download
      • memory/2732-158-0x0000000007CF0000-0x0000000007D86000-memory.dmp
        Filesize

        600KB

        Download
      • memory/2732-142-0x0000000005BD0000-0x00000000061F8000-memory.dmp
        Filesize

        6.2MB

        Download
      • memory/2732-157-0x0000000007AE0000-0x0000000007AEA000-memory.dmp
        Filesize

        40KB

        Download
      • memory/2732-156-0x0000000007A70000-0x0000000007A8A000-memory.dmp
        Filesize

        104KB

        Download
      • memory/2732-150-0x0000000006770000-0x000000000678E000-memory.dmp
        Filesize

        120KB

        Download
      • memory/2732-155-0x00000000080C0000-0x000000000873A000-memory.dmp
        Filesize

        6.5MB

        Download
      • memory/2732-154-0x0000000006D30000-0x0000000006D4E000-memory.dmp
        Filesize

        120KB

        Download
      • memory/2732-153-0x0000000072380000-0x00000000723CC000-memory.dmp
        Filesize

        304KB

        Download
      • memory/2732-152-0x0000000006D50000-0x0000000006D82000-memory.dmp
        Filesize

        200KB

        Download
      • memory/3248-151-0x0000000000400000-0x000000000044F000-memory.dmp
        Filesize

        316KB

        Download
      • memory/3248-162-0x0000000000400000-0x000000000044F000-memory.dmp
        Filesize

        316KB

        Download
      • memory/3248-144-0x0000000000000000-mapping.dmp
        Download
      • memory/3248-146-0x0000000000400000-0x000000000044F000-memory.dmp
        Filesize

        316KB

        Download
      • memory/3248-145-0x0000000000400000-0x000000000044F000-memory.dmp
        Filesize

        316KB

        Download
      • memory/3248-149-0x0000000000400000-0x000000000044F000-memory.dmp
        Filesize

        316KB

        Download
      • memory/3656-143-0x0000000000000000-mapping.dmp
        Download
      • memory/4736-136-0x000000000A280000-0x000000000A31C000-memory.dmp
        Filesize

        624KB

        Download
      • memory/4736-133-0x00000000058B0000-0x0000000005E54000-memory.dmp
        Filesize

        5.6MB

        Download
      • memory/4736-134-0x00000000053A0000-0x0000000005432000-memory.dmp
        Filesize

        584KB

        Download
      • memory/4736-132-0x00000000008A0000-0x00000000009A6000-memory.dmp
        Filesize

        1.0MB

        Download
      • memory/4736-137-0x000000000A6B0000-0x000000000A716000-memory.dmp
        Filesize

        408KB

        Download
      • memory/4736-135-0x0000000005340000-0x000000000534A000-memory.dmp
        Filesize

        40KB

        Download