Overview

overview

10

Static

static

5d739779a8...ee.exe

windows7-x64

10

5d739779a8...ee.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    189s
  • max time network
    186s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    28-11-2022 18:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5d739779a8a2311068a9ad74e1883ab37a3d7efab328d89afca7adb6cec4afee.exe

  • Size

    1.0MB

  • MD5

    e882b1be3d9ef5322e321b0408d5458f

  • SHA1

    7ff64295488d3007f9b2e628077bbd7b43076042

  • SHA256

    5d739779a8a2311068a9ad74e1883ab37a3d7efab328d89afca7adb6cec4afee

  • SHA512

    03936cc91aecdd656bf707345f5cf923555acd55cc8c0ece893e362aeac6801789276157324476402acde85595638ff512795ea4cbc01e2bf66dc320c612d26e

  • SSDEEP

    12288:hK2mhAMJ/cPl9zgJTh0RY8h7UZYE82Y5UKUL4n4y3Xp3SbSlk+y7:Q2O/Gl9zvl7g6zwm4m53Sb2kv7

Score
10/10
netwirebotnetevasionpersistenceratstealertrojan

Malware Config

Signatures

  • NetWire RAT payload 5 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5d739779a8a2311068a9ad74e1883ab37a3d7efab328d89afca7adb6cec4afee.exe
    "C:\Users\Admin\AppData\Local\Temp\5d739779a8a2311068a9ad74e1883ab37a3d7efab328d89afca7adb6cec4afee.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1208
    • C:\Users\Admin\1tzqd6ljwdu8z2\owfcw.exe
      "C:\Users\Admin\1tzqd6ljwdu8z2\owfcw.exe" kfynretwaxd
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:564
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        3⤵
        • Drops file in Windows directory
        PID:292

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\1TZQD6~1\MPNVMV~1.VZN
    Filesize

    81KB

    MD5

    d2149d00ae3c5b469583fbcfc14e7aa7

    SHA1

    525b5b57ddce04777188d59e06287b826fb27992

    SHA256

    710bd2ace80b2316a5e130eb60fa0b8190e3de4b1f8877feafdf23282d952b1f

    SHA512

    8133982d258ab05bd24ff34b60c46a5e1018be4bc09669247c224c8336c823e01594fea28d76e51de02f7c4b4b4add8de6b54aac4c3b7e9ff583e07a523f0658

    Download Submit
  • C:\Users\Admin\1TZQD6~1\bxntptcw.RBS
    Filesize

    91B

    MD5

    8fbedee5fc515f81989f6b73a0eaa736

    SHA1

    1346870f5dc04deaa39e4f7ed8fc3c90297c0fba

    SHA256

    f22220786f36c7ad17b5a3a03a952148f53bbe706e438c0190f736b90363127b

    SHA512

    abf6592179ba22c08aea1c3eea00f286a747123ac54011e972d446b412be7f4aba63049dccbc96bd608def3eb5c3c043f0f7668e8e8c7bd1f8bc503b28e5d7be

    Download Submit
  • C:\Users\Admin\1tzqd6ljwdu8z2\kfynretwaxd
    Filesize

    306.2MB

    MD5

    be850d84059a32dc2c09b507a3df25a5

    SHA1

    6761137fbb4d307531f668ed11f6825cd6041329

    SHA256

    5e213f5e648fc74d3fcbde04e30d096caea1902ab9e584b18bc236888c7371c3

    SHA512

    92eeb4e0b4e5d367f15cae7d89910f7f4daa00eec69a24332bc6e95c2342c52cefcf67e3a28f5002e3dd87b48c941f40836b7a85a8f9f2cb2eae8d86b64aa3ba

    Download Submit
  • C:\Users\Admin\1tzqd6ljwdu8z2\owfcw.exe
    Filesize

    732KB

    MD5

    71d8f6d5dc35517275bc38ebcc815f9f

    SHA1

    cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

    SHA256

    fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

    SHA512

    4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

    Download Submit
  • \Users\Admin\1tzqd6ljwdu8z2\owfcw.exe
    Filesize

    732KB

    MD5

    71d8f6d5dc35517275bc38ebcc815f9f

    SHA1

    cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

    SHA256

    fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

    SHA512

    4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

    Download Submit
  • \Users\Admin\1tzqd6ljwdu8z2\owfcw.exe
    Filesize

    732KB

    MD5

    71d8f6d5dc35517275bc38ebcc815f9f

    SHA1

    cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

    SHA256

    fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

    SHA512

    4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

    Download Submit
  • \Users\Admin\1tzqd6ljwdu8z2\owfcw.exe
    Filesize

    732KB

    MD5

    71d8f6d5dc35517275bc38ebcc815f9f

    SHA1

    cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

    SHA256

    fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

    SHA512

    4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

    Download Submit
  • \Users\Admin\1tzqd6ljwdu8z2\owfcw.exe
    Filesize

    732KB

    MD5

    71d8f6d5dc35517275bc38ebcc815f9f

    SHA1

    cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

    SHA256

    fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

    SHA512

    4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

    Download Submit
  • memory/292-65-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/292-66-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/292-68-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/292-70-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/292-72-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/292-73-0x0000000000402196-mapping.dmp
    Download
  • memory/292-76-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/292-78-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/564-59-0x0000000000000000-mapping.dmp
    Download
  • memory/1208-54-0x0000000075F51000-0x0000000075F53000-memory.dmp
    Filesize

    8KB

    Download