Analysis

  • max time kernel
    152s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27-11-2022 05:43

General

  • Target

    448ad90bea1254e5759445568842b73ea15c18385abcfd53a85fcdf4afa90596.exe

  • Size

    973KB

  • MD5

    02e2a53027968cb04ed45cbc0c77ba27

  • SHA1

    bf08129c289b00c9e84722071eb191de9e44071e

  • SHA256

    448ad90bea1254e5759445568842b73ea15c18385abcfd53a85fcdf4afa90596

  • SHA512

    a3eb3287285fa353e334b0105327250300a2219c727153fc703e6ac5d41ea3e087ed4432aff5694661aa08ce29d0b208f9091c435ea12fc3698e27bf10229cbd

  • SSDEEP

    12288:lK2mhAMJ/cPlopNHvo8h7UZYE82Y5UKUL4n4y3Xp3SbSlDCnj:k2O/GlopNHv/7g6zwm4m53Sb2Dwj

Malware Config

Signatures

  • NetWire RAT payload 3 IoCs
  • Netwire

    Netwire is a RAT whose main functionality is focused on password stealing and keylogging, but it also includes remote control capabilities.

  • Executes dropped EXE 1 IoCs
  • Modifies Installed Components in the registry 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 8 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\448ad90bea1254e5759445568842b73ea15c18385abcfd53a85fcdf4afa90596.exe
    "C:\Users\Admin\AppData\Local\Temp\448ad90bea1254e5759445568842b73ea15c18385abcfd53a85fcdf4afa90596.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:432
    • C:\Users\Admin\oh9z1vv32772i\jqupjn.exe
      "C:\Users\Admin\oh9z1vv32772i\jqupjn.exe" kqlfqsuvnoil
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1172
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        3⤵
        • Modifies Installed Components in the registry
        • Adds Run key to start application
        • Drops file in Windows directory
        PID:3640

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    Registry Run Keys / Startup Folder (T1060): 2
  • Defense Evasion
    Modify Registry (T1112): 2
  • Discovery
    Query Registry (T1012): 1
    System Information Discovery (T1082): 3

Downloads

  • C:\Users\Admin\OH9Z1V~1\kawe.UYJ
    Filesize

    81KB

    MD5

    15c6d858c874152a8866644826b4e620

    SHA1

    d71924a5f93df862656b3fe2a4275caf212f0b7f

    SHA256

    538c983ae8af5ef1b7fe1b5dc50c8a3321bc310a058f05944c322ec3b0e2f417

    SHA512

    419584f15f886c9406160e4177af7973a96e402fef30abc7a461f392573f3f680def906d00cfa0003ebe0ea4b87af509dc55ffd67e85fa1abac459874f8bd9bb

  • C:\Users\Admin\OH9Z1V~1\zvsbyzhb.LPW
    Filesize

    146B

    MD5

    fdf32a0a0b1f67838cfc15520531f23d

    SHA1

    5f9488b8546a4c82f602749698d6d91391a84720

    SHA256

    0d82cbe8347654a8186e803270279c96948a0fe281563aa7f897d58b68b33e9d

    SHA512

    f398dfe9b09ae29f23db87327a6c5f1fbac4c02efd15c9f88d913bb7c4613f59bfbc8154dddf0e58ecd9222a0e9f851f6f550194b81a4969e9e4c455974c88cd

  • C:\Users\Admin\oh9z1vv32772i\jqupjn.exe
    Filesize

    732KB

    MD5

    71d8f6d5dc35517275bc38ebcc815f9f

    SHA1

    cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

    SHA256

    fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

    SHA512

    4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

  • C:\Users\Admin\oh9z1vv32772i\kqlfqsuvnoil
    Filesize

    646.7MB

    MD5

    9086db7a54ae22dc3afd391a226f3c82

    SHA1

    58708c77cd5f5efd33495d00fd83d3d8507210ad

    SHA256

    b483de9afeef46550d238fb854e1b747bf69bdf7f1a48d098d3662d1f5906162

    SHA512

    d4304853e6efdb33a08f8e1dff962c17445bed08e971fc030fd798fa90af010cfba22e80b35471e11b96a2424ef8fa909d8937e00c61c856fe7e9c497153dd08

  • memory/1172-132-0x0000000000000000-mapping.dmp
  • memory/3640-138-0x0000000000000000-mapping.dmp
  • memory/3640-139-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

  • memory/3640-141-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

  • memory/3640-142-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB