Analysis

  • max time kernel
    146s
  • max time network
    48s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    12-10-2022 04:30

General

  • Target

    3f2a653458d88060d8e2dcfde4a2b396.exe

  • Size

    793KB

  • MD5

    3f2a653458d88060d8e2dcfde4a2b396

  • SHA1

    8b514d159d3aad5ed0eb8b0b5ee7db53e183738e

  • SHA256

    af18d799c7288fc034106f041f1595591719fb64adebebc3f78b634229a7f83d

  • SHA512

    a4be00914fe7719d7983997e211fe1869eea4a09e31fb40989bb87c325053d76908d70173154713e8fe617739c4559759f1521333646b5d9e1a53c64cb0656a1

  • SSDEEP

    12288:RejUauu2iNaLrA7Ed3Oml1OktIQvRCUKPnN5CdTenWlCqjJ5nS4TU41WjZfX6SyG:Mjzuu1QSEd3OmTO8IQvRZKPNa0WrjrS

Malware Config

Extracted

Family

netwire

C2

37.0.14.206:3384

Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • install_path

    %AppData%\Install\Host.exe

  • lock_executable

    false

  • offline_keylogger

    false

  • password

    Password234

  • registry_autorun

    false

  • use_mutex

    false

Signatures

  • NetWire RAT payload 7 IoCs
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3f2a653458d88060d8e2dcfde4a2b396.exe
    "C:\Users\Admin\AppData\Local\Temp\3f2a653458d88060d8e2dcfde4a2b396.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1264
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DpaItRCg" /XML "C:\Users\Admin\AppData\Local\Temp\tmp731E.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1672
    • C:\Users\Admin\AppData\Local\Temp\3f2a653458d88060d8e2dcfde4a2b396.exe
      "{path}"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1756
      • C:\Users\Admin\AppData\Roaming\Install\Host.exe
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        3⤵
        • Executes dropped EXE
        PID:452

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp731E.tmp

    Filesize

    1KB

    MD5

    9e3e4a8c3b2e0b97e3d4fe3e309cfc81

    SHA1

    f45d813383a9a4a65bcd416c02b5f529a7e065f2

    SHA256

    05102414e35ab2a37a21a62113069ecf02ce577a1851c65821f2dcf8dbc1fd2b

    SHA512

    0c8f7c05b18ccf718578b62d7234ded0b3947a71c1e15e03b26f697fba1a23c78715ea1d672f3981db514296a08af5f2a8f7232e71712558385d7acc99d5af09

  • C:\Users\Admin\AppData\Roaming\Install\Host.exe

    Filesize

    793KB

    MD5

    3f2a653458d88060d8e2dcfde4a2b396

    SHA1

    8b514d159d3aad5ed0eb8b0b5ee7db53e183738e

    SHA256

    af18d799c7288fc034106f041f1595591719fb64adebebc3f78b634229a7f83d

    SHA512

    a4be00914fe7719d7983997e211fe1869eea4a09e31fb40989bb87c325053d76908d70173154713e8fe617739c4559759f1521333646b5d9e1a53c64cb0656a1

  • C:\Users\Admin\AppData\Roaming\Install\Host.exe

    Filesize

    793KB

    MD5

    3f2a653458d88060d8e2dcfde4a2b396

    SHA1

    8b514d159d3aad5ed0eb8b0b5ee7db53e183738e

    SHA256

    af18d799c7288fc034106f041f1595591719fb64adebebc3f78b634229a7f83d

    SHA512

    a4be00914fe7719d7983997e211fe1869eea4a09e31fb40989bb87c325053d76908d70173154713e8fe617739c4559759f1521333646b5d9e1a53c64cb0656a1

  • \Users\Admin\AppData\Roaming\Install\Host.exe

    Filesize

    793KB

    MD5

    3f2a653458d88060d8e2dcfde4a2b396

    SHA1

    8b514d159d3aad5ed0eb8b0b5ee7db53e183738e

    SHA256

    af18d799c7288fc034106f041f1595591719fb64adebebc3f78b634229a7f83d

    SHA512

    a4be00914fe7719d7983997e211fe1869eea4a09e31fb40989bb87c325053d76908d70173154713e8fe617739c4559759f1521333646b5d9e1a53c64cb0656a1

  • memory/452-81-0x00000000010A0000-0x000000000116C000-memory.dmp

    Filesize

    816KB

  • memory/1264-55-0x0000000075601000-0x0000000075603000-memory.dmp

    Filesize

    8KB

  • memory/1264-56-0x0000000000480000-0x00000000004A0000-memory.dmp

    Filesize

    128KB

  • memory/1264-57-0x0000000004F30000-0x0000000004FC8000-memory.dmp

    Filesize

    608KB

  • memory/1264-58-0x0000000000E50000-0x0000000000E9A000-memory.dmp

    Filesize

    296KB

  • memory/1264-54-0x0000000001050000-0x000000000111C000-memory.dmp

    Filesize

    816KB

  • memory/1756-68-0x0000000000400000-0x000000000044F000-memory.dmp

    Filesize

    316KB

  • memory/1756-71-0x0000000000400000-0x000000000044F000-memory.dmp

    Filesize

    316KB

  • memory/1756-75-0x0000000000400000-0x000000000044F000-memory.dmp

    Filesize

    316KB

  • memory/1756-66-0x0000000000400000-0x000000000044F000-memory.dmp

    Filesize

    316KB

  • memory/1756-69-0x0000000000400000-0x000000000044F000-memory.dmp

    Filesize

    316KB

  • memory/1756-79-0x0000000000400000-0x000000000044F000-memory.dmp

    Filesize

    316KB

  • memory/1756-64-0x0000000000400000-0x000000000044F000-memory.dmp

    Filesize

    316KB

  • memory/1756-62-0x0000000000400000-0x000000000044F000-memory.dmp

    Filesize

    316KB

  • memory/1756-61-0x0000000000400000-0x000000000044F000-memory.dmp

    Filesize

    316KB