Analysis
-
max time kernel
91s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
01-11-2022 06:46
General
-
Target
344ef31452df3e0c965b58f6db0c11a6.exe
-
Size
750KB
-
MD5
344ef31452df3e0c965b58f6db0c11a6
-
SHA1
74b3cd8bcaaaba8b587766c52577a2b7403c4055
-
SHA256
bc0a8e730ebbe66a98f6aa755671661158a982983898e45d306f79ec608250fe
-
SHA512
0750eb8b33d39b575e4be582484f98d846b2c47812fbc45ef12d2683ed3e3864284c4d3bc56ea2db0eea509b9628d81a8e442a8fa64caa708c9203fac7bce5e5
-
SSDEEP
12288:c5QEPzaWzvEz2tPQlShdMW3LXMdy9pLnEyL:ctcYgMdTnEyL
Malware Config
Extracted
netwire
212.193.30.230:3363
212.193.30.230:3362
-
activex_autorun
false
-
copy_executable
false
-
delete_original
false
-
host_id
HostId-%Rand%
-
keylogger_dir
%AppData%\Logs\
-
lock_executable
false
-
offline_keylogger
true
-
password
Cantbeme@1
-
registry_autorun
false
-
use_mutex
false
Signatures
-
NetWire RAT payload 4 IoCs
-
Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\344ef31452df3e0c965b58f6db0c11a6.exe"C:\Users\Admin\AppData\Local\Temp\344ef31452df3e0c965b58f6db0c11a6.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ttRnxTIb.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ttRnxTIb" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB6AD.tmp"2⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\AppData\Local\Temp\344ef31452df3e0c965b58f6db0c11a6.exe"C:\Users\Admin\AppData\Local\Temp\344ef31452df3e0c965b58f6db0c11a6.exe"2⤵
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD53fe80c9d7c0b88367adb3cda8936aded
SHA1313f300ee49e868accbe1cef5ee4b8926362b36b
SHA256645c5237c26596e97dd94f317f5ea2315fc0a505d543c7f7a5e18edbf02e50c4
SHA512bc475c87fa978d57574fa81821b79276bad8a171e6d0cf5219fecc173563c6b2d9b79da68fe622cd6d8a896c513c65d8ab868a2d9c4484c86f6f61297ee57f97
-
Filesize
408KB
-
Filesize
120KB
-
Filesize
32KB
-
Filesize
56KB
-
-
Filesize
600KB
-
Filesize
216KB
-
Filesize
40KB
-
Filesize
6.2MB
-
Filesize
104KB
-
Filesize
6.5MB
-
Filesize
136KB
-
Filesize
408KB
-
Filesize
104KB
-
Filesize
304KB
-
Filesize
200KB
-
Filesize
120KB
-
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
-
Filesize
204KB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
624KB
-
Filesize
776KB
-
Filesize
40KB