Overview

overview

10

Static

static

b638c13884...c1.exe

windows7-x64

10

b638c13884...c1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    176s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-11-2022 10:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b638c1388498bf3e0e078ae3961dbc878d36c9f1298992d38603941dfb018fc1.exe

  • Size

    462KB

  • MD5

    b8f12deba5ed8696877ca4dd96fe16b8

  • SHA1

    23a996e70f7154d9ca4fc3d708ee024493acc4a1

  • SHA256

    b638c1388498bf3e0e078ae3961dbc878d36c9f1298992d38603941dfb018fc1

  • SHA512

    84dc9c09b9cc03f6cccfcd2965fec88fdcad4926bb91be71c21566986cfc140bdc698dfda8ff7960aef4518563336f2dad962e5e29d25fd7223d2950081f7b26

  • SSDEEP

    12288:4BFq3hrSEGkejhVatW+bbSzQSNtvzsjfY942d:463hrSEGkejhWW+bbMX/sjfw42d

Score
10/10
netwirebotnetpersistenceratstealer

Malware Config

Signatures

  • NetWire RAT payload 3 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Executes dropped EXE 2 IoCs
  • Modifies Installed Components in the registry 2 TTPs 2 IoCs
    persistence
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 13 IoCs
  • Suspicious use of SendNotifyMessage 12 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b638c1388498bf3e0e078ae3961dbc878d36c9f1298992d38603941dfb018fc1.exe
    "C:\Users\Admin\AppData\Local\Temp\b638c1388498bf3e0e078ae3961dbc878d36c9f1298992d38603941dfb018fc1.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4184
    • C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\voicemail.mp3"
      2⤵
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:116
    • C:\Users\Admin\AppData\Local\Temp\b638c1388498bf3e0e078ae3961dbc878d36c9f1298992d38603941dfb018fc1.exe
      "C:\Users\Admin\AppData\Local\Temp\b638c1388498bf3e0e078ae3961dbc878d36c9f1298992d38603941dfb018fc1.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:2356
      • C:\Users\Admin\AppData\Roaming\Intel\intelcp.exe
        "C:\Users\Admin\AppData\Roaming\Intel\intelcp.exe"
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Suspicious use of SetThreadContext
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:524
        • C:\Program Files\VideoLAN\VLC\vlc.exe
          "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\voicemail.mp3"
          4⤵
            PID:4052
          • C:\Users\Admin\AppData\Roaming\Intel\intelcp.exe
            "C:\Users\Admin\AppData\Roaming\Intel\intelcp.exe"
            4⤵
            • Executes dropped EXE
            • Modifies Installed Components in the registry
            • Adds Run key to start application
            PID:2316
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x3cc 0x4c0
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4432

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    2
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    2
    T1112

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\voicemail.mp3
      Filesize

      327KB

      MD5

      0b9fc618adcd45ab7da9927b660047a8

      SHA1

      c794f0acfc8aa3a5cc66cfcdbebdacf404c0574c

      SHA256

      5098cf2e58b8b1bcb786de56490d0e4598323edb5fafb08fce2ce4b2f3b26618

      SHA512

      b9ec70e4620e00b380c5dc3d8069bd7e698c9452f4bcdc471d2a90070855f8762d994588d2a1938dd2df51d6109fb5577247a357f48a97a396ef9127df2512c7

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Intel\intelcp.exe
      Filesize

      462KB

      MD5

      b8f12deba5ed8696877ca4dd96fe16b8

      SHA1

      23a996e70f7154d9ca4fc3d708ee024493acc4a1

      SHA256

      b638c1388498bf3e0e078ae3961dbc878d36c9f1298992d38603941dfb018fc1

      SHA512

      84dc9c09b9cc03f6cccfcd2965fec88fdcad4926bb91be71c21566986cfc140bdc698dfda8ff7960aef4518563336f2dad962e5e29d25fd7223d2950081f7b26

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Intel\intelcp.exe
      Filesize

      462KB

      MD5

      b8f12deba5ed8696877ca4dd96fe16b8

      SHA1

      23a996e70f7154d9ca4fc3d708ee024493acc4a1

      SHA256

      b638c1388498bf3e0e078ae3961dbc878d36c9f1298992d38603941dfb018fc1

      SHA512

      84dc9c09b9cc03f6cccfcd2965fec88fdcad4926bb91be71c21566986cfc140bdc698dfda8ff7960aef4518563336f2dad962e5e29d25fd7223d2950081f7b26

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Intel\intelcp.exe
      Filesize

      462KB

      MD5

      b8f12deba5ed8696877ca4dd96fe16b8

      SHA1

      23a996e70f7154d9ca4fc3d708ee024493acc4a1

      SHA256

      b638c1388498bf3e0e078ae3961dbc878d36c9f1298992d38603941dfb018fc1

      SHA512

      84dc9c09b9cc03f6cccfcd2965fec88fdcad4926bb91be71c21566986cfc140bdc698dfda8ff7960aef4518563336f2dad962e5e29d25fd7223d2950081f7b26

      Download Submit
    • memory/116-135-0x0000000000000000-mapping.dmp
      Download
    • memory/524-141-0x0000000000000000-mapping.dmp
      Download
    • memory/2316-148-0x0000000000000000-mapping.dmp
      Download
    • memory/2316-153-0x0000000000400000-0x0000000000417000-memory.dmp
      Filesize

      92KB

      Download
    • memory/2356-140-0x0000000000400000-0x0000000000417000-memory.dmp
      Filesize

      92KB

      Download
    • memory/2356-139-0x0000000000400000-0x0000000000417000-memory.dmp
      Filesize

      92KB

      Download
    • memory/2356-137-0x0000000000400000-0x0000000000417000-memory.dmp
      Filesize

      92KB

      Download
    • memory/2356-136-0x0000000000000000-mapping.dmp
      Download
    • memory/4052-147-0x0000000000000000-mapping.dmp
      Download
    • memory/4184-134-0x00000000023E0000-0x00000000023E6000-memory.dmp
      Filesize

      24KB

      Download