Overview

overview

10

Static

static

Product_Or...08.exe

windows7-x64

10

Product_Or...08.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    9s
  • max time network
    9s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-10-2022 11:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Product_Order_Quotation_X1208.exe

  • Size

    322KB

  • MD5

    709714b4261957287537f7f78e6dbdfb

  • SHA1

    82f2efbbf0c86913932567caf70ae6f66665bec9

  • SHA256

    72c3b0ef24972aa0269b5084d27257fa83229ddca82ae020de2194e9ed7cbb0f

  • SHA512

    e969eba70b15e3b346931a5f812f38c20be028b30cc2512d1410d2cbdabd0664d3e9d3a56b6cd83f4e0b88ac66cb5326802d2c0a831deb138ee64b8586141601

  • SSDEEP

    6144:my1lpFvAAkTIo9OVP8YW5hQ9wDdRrz7sn1q0eop5MvuMpGxByK/tdA8F8Tz:mAn2oZ8J5ySDdx+sySvfi0GTA8F8Tz

Score
10/10
netwirebotnetpersistenceratstealerupx

Malware Config

Extracted

Family

netwire

C2

franrnar.com.tw:1009

Attributes
  • activex_autorun

    false

  • copy_executable

    true

  • delete_original

    true

  • host_id

    HostId-%Rand%

  • install_path

    %AppData%\Microsoft\windows\explorer.exe

  • keylogger_dir

    %AppData%\Microsoft\windows\Logs\

  • lock_executable

    true

  • mutex

    LqICFQGC

  • offline_keylogger

    true

  • password

    GetTheFuckOFf

  • registry_autorun

    true

  • startup_name

    iexplorer

  • use_mutex

    true

Signatures

  • NetWire RAT payload 4 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Executes dropped EXE 2 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Product_Order_Quotation_X1208.exe
    "C:\Users\Admin\AppData\Local\Temp\Product_Order_Quotation_X1208.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5044
    • C:\Users\Admin\AppData\Local\Temp\Product_Order_Quotation_X1208.exe
      "C:\Users\Admin\AppData\Local\Temp\Product_Order_Quotation_X1208.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4224
      • C:\Users\Admin\AppData\Roaming\Microsoft\windows\explorer.exe
        -m "C:\Users\Admin\AppData\Local\Temp\Product_Order_Quotation_X1208.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1952
        • C:\Users\Admin\AppData\Roaming\Microsoft\windows\explorer.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\windows\explorer.exe" C:\Users\Admin\AppData\Local\Temp\Product_Order_Quotation_X1208.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          PID:1608

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
    Filesize

    322KB

    MD5

    709714b4261957287537f7f78e6dbdfb

    SHA1

    82f2efbbf0c86913932567caf70ae6f66665bec9

    SHA256

    72c3b0ef24972aa0269b5084d27257fa83229ddca82ae020de2194e9ed7cbb0f

    SHA512

    e969eba70b15e3b346931a5f812f38c20be028b30cc2512d1410d2cbdabd0664d3e9d3a56b6cd83f4e0b88ac66cb5326802d2c0a831deb138ee64b8586141601

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
    Filesize

    322KB

    MD5

    709714b4261957287537f7f78e6dbdfb

    SHA1

    82f2efbbf0c86913932567caf70ae6f66665bec9

    SHA256

    72c3b0ef24972aa0269b5084d27257fa83229ddca82ae020de2194e9ed7cbb0f

    SHA512

    e969eba70b15e3b346931a5f812f38c20be028b30cc2512d1410d2cbdabd0664d3e9d3a56b6cd83f4e0b88ac66cb5326802d2c0a831deb138ee64b8586141601

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\windows\explorer.exe
    Filesize

    322KB

    MD5

    709714b4261957287537f7f78e6dbdfb

    SHA1

    82f2efbbf0c86913932567caf70ae6f66665bec9

    SHA256

    72c3b0ef24972aa0269b5084d27257fa83229ddca82ae020de2194e9ed7cbb0f

    SHA512

    e969eba70b15e3b346931a5f812f38c20be028b30cc2512d1410d2cbdabd0664d3e9d3a56b6cd83f4e0b88ac66cb5326802d2c0a831deb138ee64b8586141601

    Download Submit
  • memory/1608-151-0x0000000000400000-0x0000000000423000-memory.dmp
    Filesize

    140KB

    Download
  • memory/1608-150-0x0000000000400000-0x0000000000423000-memory.dmp
    Filesize

    140KB

    Download
  • memory/1608-148-0x0000000000400000-0x0000000000423000-memory.dmp
    Filesize

    140KB

    Download
  • memory/1608-144-0x0000000000000000-mapping.dmp
    Download
  • memory/1952-143-0x0000000075140000-0x00000000756F1000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1952-138-0x0000000000000000-mapping.dmp
    Download
  • memory/1952-149-0x0000000075140000-0x00000000756F1000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/4224-137-0x0000000000400000-0x0000000000423000-memory.dmp
    Filesize

    140KB

    Download
  • memory/4224-142-0x0000000000400000-0x0000000000423000-memory.dmp
    Filesize

    140KB

    Download
  • memory/4224-136-0x0000000000400000-0x0000000000423000-memory.dmp
    Filesize

    140KB

    Download
  • memory/4224-134-0x0000000000400000-0x0000000000423000-memory.dmp
    Filesize

    140KB

    Download
  • memory/4224-133-0x0000000000000000-mapping.dmp
    Download
  • memory/5044-140-0x0000000075140000-0x00000000756F1000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/5044-132-0x0000000075140000-0x00000000756F1000-memory.dmp
    Filesize

    5.7MB

    Download