Overview

overview

10

Static

static

INV384878348938.exe

windows7-x64

10

INV384878348938.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    137s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    12/10/2022, 14:48

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    INV384878348938.exe

  • Size

    1017KB

  • MD5

    dc5955217a168760ffeddb431d90ab01

  • SHA1

    ae82750bc7a1c1df086464a65998388e72e5af68

  • SHA256

    7081a319ab13e92853c07ab0d9d947178e4d615ad77e640109184acdb325b223

  • SHA512

    e8d591c304af4a00eb81dbe970b7dafea60342358ac11f4a6ab70471c226ae1e0904353aa894404645e1528985bd2a13062bf089296c7ceab90ca8b45c073703

  • SSDEEP

    12288:ALp/8q4UYJIrqMnyNaPHlwsdC9MsbpE7+RdWj/WZsnNK1cWb/v0paqVPxuo6J9S:cYoqAyNaPHlhdYMsbyaRcMsA1cWj9S

Score
10/10
netwirebotnetratstealer

Malware Config

Extracted

Family

netwire

C2

podzeye2.duckdns.org:4433

Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • lock_executable

    false

  • offline_keylogger

    false

  • password

    Password

  • registry_autorun

    false

  • use_mutex

    false

Signatures

  • NetWire RAT payload 7 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\INV384878348938.exe
    "C:\Users\Admin\AppData\Local\Temp\INV384878348938.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1380
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\KFLUADQenQDO.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1116
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KFLUADQenQDO" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF1BF.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1136
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      2⤵
        PID:620
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        2⤵
          PID:2032
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
          2⤵
            PID:1328
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
            2⤵
              PID:1852
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
              2⤵
                PID:112

            Network

                  MITRE ATT&CK Enterprise v6

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Local\Temp\tmpF1BF.tmp
                    Filesize

                    1KB

                    MD5

                    cea4f7e6f4d319b4e6616a03cf77ae8f

                    SHA1

                    49108b96ce1c5ab35aa2fe1c939eb37b24f99d6c

                    SHA256

                    86c225fef3be8f1c8c362563d6f74032920b88cd65924775253a03bfbc7c8200

                    SHA512

                    03af8dd688a100dfa15b0c76c35ddb4e3cc7abe1c69401c2d00943790038f5f76b79a935c56dcb93ce16c00802032b75a018d534ea81564a73d8cc382f0e79bd

                    Download Submit

                  • memory/112-72-0x0000000000400000-0x0000000000450000-memory.dmp

                    Filesize

                    320KB

                    Download

                  • memory/112-80-0x0000000000400000-0x0000000000450000-memory.dmp

                    Filesize

                    320KB

                    Download

                  • memory/112-64-0x0000000000400000-0x0000000000450000-memory.dmp

                    Filesize

                    320KB

                    Download

                  • memory/112-78-0x0000000000400000-0x0000000000450000-memory.dmp

                    Filesize

                    320KB

                    Download

                  • memory/112-65-0x0000000000400000-0x0000000000450000-memory.dmp

                    Filesize

                    320KB

                    Download

                  • memory/112-74-0x0000000000400000-0x0000000000450000-memory.dmp

                    Filesize

                    320KB

                    Download

                  • memory/112-71-0x0000000000400000-0x0000000000450000-memory.dmp

                    Filesize

                    320KB

                    Download

                  • memory/112-69-0x0000000000400000-0x0000000000450000-memory.dmp

                    Filesize

                    320KB

                    Download

                  • memory/112-67-0x0000000000400000-0x0000000000450000-memory.dmp

                    Filesize

                    320KB

                    Download

                  • memory/1116-81-0x000000006D1F0000-0x000000006D79B000-memory.dmp

                    Filesize

                    5.7MB

                    Download

                  • memory/1116-79-0x000000006D1F0000-0x000000006D79B000-memory.dmp

                    Filesize

                    5.7MB

                    Download

                  • memory/1380-54-0x00000000003A0000-0x00000000004A4000-memory.dmp

                    Filesize

                    1.0MB

                    Download

                  • memory/1380-56-0x00000000004E0000-0x00000000004FA000-memory.dmp

                    Filesize

                    104KB

                    Download

                  • memory/1380-63-0x0000000004EC0000-0x0000000004F0A000-memory.dmp

                    Filesize

                    296KB

                    Download

                  • memory/1380-55-0x00000000757A1000-0x00000000757A3000-memory.dmp

                    Filesize

                    8KB

                    Download

                  • memory/1380-58-0x0000000004C70000-0x0000000004D14000-memory.dmp

                    Filesize

                    656KB

                    Download

                  • memory/1380-57-0x00000000002C0000-0x00000000002CC000-memory.dmp

                    Filesize

                    48KB

                    Download