Overview

overview

10

Static

static

344ef31452...a6.exe

windows7-x64

10

344ef31452...a6.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    83s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    01-11-2022 06:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    344ef31452df3e0c965b58f6db0c11a6.exe

  • Size

    750KB

  • MD5

    344ef31452df3e0c965b58f6db0c11a6

  • SHA1

    74b3cd8bcaaaba8b587766c52577a2b7403c4055

  • SHA256

    bc0a8e730ebbe66a98f6aa755671661158a982983898e45d306f79ec608250fe

  • SHA512

    0750eb8b33d39b575e4be582484f98d846b2c47812fbc45ef12d2683ed3e3864284c4d3bc56ea2db0eea509b9628d81a8e442a8fa64caa708c9203fac7bce5e5

  • SSDEEP

    12288:c5QEPzaWzvEz2tPQlShdMW3LXMdy9pLnEyL:ctcYgMdTnEyL

Score
10/10
netwirebotnetratstealer

Malware Config

Extracted

Family

netwire

C2

212.193.30.230:3363

212.193.30.230:3362
Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • offline_keylogger

    true

  • password

    Cantbeme@1

  • registry_autorun

    false

  • use_mutex

    false

Signatures

  • NetWire RAT payload 9 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\344ef31452df3e0c965b58f6db0c11a6.exe
    "C:\Users\Admin\AppData\Local\Temp\344ef31452df3e0c965b58f6db0c11a6.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:604
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ttRnxTIb.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1544
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ttRnxTIb" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3229.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1416
    • C:\Users\Admin\AppData\Local\Temp\344ef31452df3e0c965b58f6db0c11a6.exe
      "C:\Users\Admin\AppData\Local\Temp\344ef31452df3e0c965b58f6db0c11a6.exe"
      2⤵
        PID:1440

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp3229.tmp
      Filesize

      1KB

      MD5

      a82af5c0ae59aaf2f9d20a0e488546a5

      SHA1

      a6ae07df35366ebeb7ac1ec516fc6631c70478a7

      SHA256

      2f60188fbd4fc1f71a7286dcd1230d8e900dca1c988bd3826b5954447959fd3b

      SHA512

      f9bb37f4bd884bf36a4a9c2066450147824d10be9f356f483d63f8add80788ed92803255a83fbe5077ee2138e428b76a9363ced63052c37bdd050a613dd97761

      Download Submit
    • memory/604-63-0x0000000004A90000-0x0000000004AC0000-memory.dmp
      Filesize

      192KB

      Download
    • memory/604-55-0x0000000075F81000-0x0000000075F83000-memory.dmp
      Filesize

      8KB

      Download
    • memory/604-56-0x0000000000970000-0x0000000000986000-memory.dmp
      Filesize

      88KB

      Download
    • memory/604-57-0x0000000000920000-0x000000000092C000-memory.dmp
      Filesize

      48KB

      Download
    • memory/604-58-0x0000000005B50000-0x0000000005BBA000-memory.dmp
      Filesize

      424KB

      Download
    • memory/604-54-0x0000000000E30000-0x0000000000EF2000-memory.dmp
      Filesize

      776KB

      Download
    • memory/1416-61-0x0000000000000000-mapping.dmp
      Download
    • memory/1440-73-0x0000000000400000-0x0000000000433000-memory.dmp
      Filesize

      204KB

      Download
    • memory/1440-78-0x0000000000400000-0x0000000000433000-memory.dmp
      Filesize

      204KB

      Download
    • memory/1440-65-0x0000000000400000-0x0000000000433000-memory.dmp
      Filesize

      204KB

      Download
    • memory/1440-67-0x0000000000400000-0x0000000000433000-memory.dmp
      Filesize

      204KB

      Download
    • memory/1440-69-0x0000000000400000-0x0000000000433000-memory.dmp
      Filesize

      204KB

      Download
    • memory/1440-70-0x0000000000400000-0x0000000000433000-memory.dmp
      Filesize

      204KB

      Download
    • memory/1440-71-0x0000000000400000-0x0000000000433000-memory.dmp
      Filesize

      204KB

      Download
    • memory/1440-82-0x0000000000400000-0x0000000000433000-memory.dmp
      Filesize

      204KB

      Download
    • memory/1440-74-0x0000000000400000-0x0000000000433000-memory.dmp
      Filesize

      204KB

      Download
    • memory/1440-75-0x000000000040242D-mapping.dmp
      Download
    • memory/1440-64-0x0000000000400000-0x0000000000433000-memory.dmp
      Filesize

      204KB

      Download
    • memory/1440-79-0x0000000000400000-0x0000000000433000-memory.dmp
      Filesize

      204KB

      Download
    • memory/1544-80-0x000000006F090000-0x000000006F63B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1544-81-0x000000006F090000-0x000000006F63B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1544-59-0x0000000000000000-mapping.dmp
      Download