Overview

overview

10

Static

static

bbd8bfb429...51.exe

windows7-x64

10

bbd8bfb429...51.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    152s
  • max time network
    158s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    28-11-2022 13:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bbd8bfb4294a7764093ab934ecabe1f7147cfc539238c6426779786b6acd0651.exe

  • Size

    447KB

  • MD5

    754411f368178a09f54d05158e7e17a3

  • SHA1

    b781c408c69827af768eeca418f564e14eaf5eaf

  • SHA256

    bbd8bfb4294a7764093ab934ecabe1f7147cfc539238c6426779786b6acd0651

  • SHA512

    5d2083dbfc24efa11608ba443a8f2468685a11bda1502fed1c2774e737d64813f26723d8c8d16904cfe616746ad167b34c5c50936faf516934b6bcab113f8c7a

  • SSDEEP

    6144:Wjjf/HVuwmguK4Fsz+XqfwXmP/R8evOYVw:WX1uJeu6fYg8evOYVw

Score
10/10
netwirebotnetratstealer

Malware Config

Signatures

  • NetWire RAT payload 5 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 37 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bbd8bfb4294a7764093ab934ecabe1f7147cfc539238c6426779786b6acd0651.exe
    "C:\Users\Admin\AppData\Local\Temp\bbd8bfb4294a7764093ab934ecabe1f7147cfc539238c6426779786b6acd0651.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1452
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      2⤵
      • Drops file in Windows directory
      PID:2004
    • C:\Users\Admin\AppData\Roaming\Microsoft\BrokerInfrastructure.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\BrokerInfrastructure.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1100
      • C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\\AudioEndpointBuilder
        3⤵
        • Executes dropped EXE
        PID:944

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1
T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1
T1064

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
    Filesize

    447KB

    MD5

    754411f368178a09f54d05158e7e17a3

    SHA1

    b781c408c69827af768eeca418f564e14eaf5eaf

    SHA256

    bbd8bfb4294a7764093ab934ecabe1f7147cfc539238c6426779786b6acd0651

    SHA512

    5d2083dbfc24efa11608ba443a8f2468685a11bda1502fed1c2774e737d64813f26723d8c8d16904cfe616746ad167b34c5c50936faf516934b6bcab113f8c7a

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
    Filesize

    447KB

    MD5

    754411f368178a09f54d05158e7e17a3

    SHA1

    b781c408c69827af768eeca418f564e14eaf5eaf

    SHA256

    bbd8bfb4294a7764093ab934ecabe1f7147cfc539238c6426779786b6acd0651

    SHA512

    5d2083dbfc24efa11608ba443a8f2468685a11bda1502fed1c2774e737d64813f26723d8c8d16904cfe616746ad167b34c5c50936faf516934b6bcab113f8c7a

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\BrokerInfrastructure.exe
    Filesize

    12KB

    MD5

    c2054cedfcb281d110cc4c7d4745cac8

    SHA1

    62c4ceee116166d960d76de5feba706b5812b7af

    SHA256

    20b179fd6a6faffbb65bf310e6138fc2706a6dee3618830bbce7d2d549e32b5f

    SHA512

    65993d5cd049cb753b65f61bef2ba06d91c6faefcec0e105c47208b090b60c5db40206df47387ca087b98f482dba3b8aba81d491722ea925429d902d52a22fbc

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\BrokerInfrastructure.exe
    Filesize

    12KB

    MD5

    c2054cedfcb281d110cc4c7d4745cac8

    SHA1

    62c4ceee116166d960d76de5feba706b5812b7af

    SHA256

    20b179fd6a6faffbb65bf310e6138fc2706a6dee3618830bbce7d2d549e32b5f

    SHA512

    65993d5cd049cb753b65f61bef2ba06d91c6faefcec0e105c47208b090b60c5db40206df47387ca087b98f482dba3b8aba81d491722ea925429d902d52a22fbc

    Download Submit
  • \Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
    Filesize

    447KB

    MD5

    754411f368178a09f54d05158e7e17a3

    SHA1

    b781c408c69827af768eeca418f564e14eaf5eaf

    SHA256

    bbd8bfb4294a7764093ab934ecabe1f7147cfc539238c6426779786b6acd0651

    SHA512

    5d2083dbfc24efa11608ba443a8f2468685a11bda1502fed1c2774e737d64813f26723d8c8d16904cfe616746ad167b34c5c50936faf516934b6bcab113f8c7a

    Download Submit
  • \Users\Admin\AppData\Roaming\Microsoft\BrokerInfrastructure.exe
    Filesize

    12KB

    MD5

    c2054cedfcb281d110cc4c7d4745cac8

    SHA1

    62c4ceee116166d960d76de5feba706b5812b7af

    SHA256

    20b179fd6a6faffbb65bf310e6138fc2706a6dee3618830bbce7d2d549e32b5f

    SHA512

    65993d5cd049cb753b65f61bef2ba06d91c6faefcec0e105c47208b090b60c5db40206df47387ca087b98f482dba3b8aba81d491722ea925429d902d52a22fbc

    Download Submit
  • memory/944-81-0x0000000074550000-0x0000000074AFB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/944-78-0x0000000000000000-mapping.dmp
    Download
  • memory/1100-82-0x0000000074550000-0x0000000074AFB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1100-75-0x0000000074550000-0x0000000074AFB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1100-71-0x0000000000000000-mapping.dmp
    Download
  • memory/1452-54-0x0000000075041000-0x0000000075043000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1452-56-0x0000000074550000-0x0000000074AFB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1452-55-0x0000000074550000-0x0000000074AFB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2004-60-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/2004-69-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/2004-68-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/2004-64-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/2004-65-0x0000000000402196-mapping.dmp
    Download
  • memory/2004-62-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/2004-58-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/2004-57-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

    Download