Overview

overview

10

Static

static

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    183s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-10-2022 04:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    af18d799c7288fc034106f041f1595591719fb64adebebc3f78b634229a7f83d.exe

  • Size

    793KB

  • MD5

    3f2a653458d88060d8e2dcfde4a2b396

  • SHA1

    8b514d159d3aad5ed0eb8b0b5ee7db53e183738e

  • SHA256

    af18d799c7288fc034106f041f1595591719fb64adebebc3f78b634229a7f83d

  • SHA512

    a4be00914fe7719d7983997e211fe1869eea4a09e31fb40989bb87c325053d76908d70173154713e8fe617739c4559759f1521333646b5d9e1a53c64cb0656a1

  • SSDEEP

    12288:RejUauu2iNaLrA7Ed3Oml1OktIQvRCUKPnN5CdTenWlCqjJ5nS4TU41WjZfX6SyG:Mjzuu1QSEd3OmTO8IQvRZKPNa0WrjrS

Score
10/10
netwirebotnetratstealer

Malware Config

Extracted

Family

netwire

C2

37.0.14.206:3384

Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • install_path

    %AppData%\Install\Host.exe

  • lock_executable

    false

  • offline_keylogger

    false

  • password

    Password234

  • registry_autorun

    false

  • use_mutex

    false

Signatures

  • NetWire RAT payload 5 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\af18d799c7288fc034106f041f1595591719fb64adebebc3f78b634229a7f83d.exe
    "C:\Users\Admin\AppData\Local\Temp\af18d799c7288fc034106f041f1595591719fb64adebebc3f78b634229a7f83d.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4904
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DpaItRCg" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6F01.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2756
    • C:\Users\Admin\AppData\Local\Temp\af18d799c7288fc034106f041f1595591719fb64adebebc3f78b634229a7f83d.exe
      "{path}"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:3552
      • C:\Users\Admin\AppData\Roaming\Install\Host.exe
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        3⤵
        • Executes dropped EXE
        PID:1940

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp6F01.tmp
    Filesize

    1KB

    MD5

    6a6bfbcd5a3edf4c9b6ee5176de88025

    SHA1

    6b498daeeefdc9988977fd32cd9fda1b714117f6

    SHA256

    4bcd0ee26f24f38ce6eea1cdf753208af1d8bd271dc936dbb3a5ea138308dad9

    SHA512

    03b53e846ae2ecbf5204994365e03e804f3aa50016c1917257c82ba0d18b7cb9e2c61f161f05c086b50ffb5e35cc5c67d920f5d5dc044c706b442f5c76d6fd50

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Install\Host.exe
    Filesize

    793KB

    MD5

    3f2a653458d88060d8e2dcfde4a2b396

    SHA1

    8b514d159d3aad5ed0eb8b0b5ee7db53e183738e

    SHA256

    af18d799c7288fc034106f041f1595591719fb64adebebc3f78b634229a7f83d

    SHA512

    a4be00914fe7719d7983997e211fe1869eea4a09e31fb40989bb87c325053d76908d70173154713e8fe617739c4559759f1521333646b5d9e1a53c64cb0656a1

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Install\Host.exe
    Filesize

    793KB

    MD5

    3f2a653458d88060d8e2dcfde4a2b396

    SHA1

    8b514d159d3aad5ed0eb8b0b5ee7db53e183738e

    SHA256

    af18d799c7288fc034106f041f1595591719fb64adebebc3f78b634229a7f83d

    SHA512

    a4be00914fe7719d7983997e211fe1869eea4a09e31fb40989bb87c325053d76908d70173154713e8fe617739c4559759f1521333646b5d9e1a53c64cb0656a1

    Download Submit
  • memory/1940-144-0x0000000000000000-mapping.dmp
    Download
  • memory/2756-137-0x0000000000000000-mapping.dmp
    Download
  • memory/3552-140-0x0000000000400000-0x000000000044F000-memory.dmp
    Filesize

    316KB

    Download
  • memory/3552-139-0x0000000000000000-mapping.dmp
    Download
  • memory/3552-141-0x0000000000400000-0x000000000044F000-memory.dmp
    Filesize

    316KB

    Download
  • memory/3552-142-0x0000000000400000-0x000000000044F000-memory.dmp
    Filesize

    316KB

    Download
  • memory/3552-143-0x0000000000400000-0x000000000044F000-memory.dmp
    Filesize

    316KB

    Download
  • memory/3552-147-0x0000000000400000-0x000000000044F000-memory.dmp
    Filesize

    316KB

    Download
  • memory/4904-136-0x0000000007E40000-0x0000000007E4A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/4904-132-0x0000000000EF0000-0x0000000000FBC000-memory.dmp
    Filesize

    816KB

    Download
  • memory/4904-135-0x0000000007F00000-0x0000000007F9C000-memory.dmp
    Filesize

    624KB

    Download
  • memory/4904-134-0x0000000007E60000-0x0000000007EF2000-memory.dmp
    Filesize

    584KB

    Download
  • memory/4904-133-0x0000000008330000-0x00000000088D4000-memory.dmp
    Filesize

    5.6MB

    Download