Overview

overview

10

Static

static

fd2d9b3b23...79.exe

windows7-x64

10

fd2d9b3b23...79.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-11-2022 13:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fd2d9b3b2366b8b23e0f5f6f562f972aceaa9c3f2b6e7a523e2b072a03422e79.exe

  • Size

    562KB

  • MD5

    3f37a617c0ac47ca476dfc3ce9a214fd

  • SHA1

    830a64c95ba3d812de2021dc1e931b76326d9b2b

  • SHA256

    fd2d9b3b2366b8b23e0f5f6f562f972aceaa9c3f2b6e7a523e2b072a03422e79

  • SHA512

    6898844b8fc4c28e78e490e827e7b361ab089018a77134c992d9dbbced0f9cd1da3bcf2140aa0593937a104acf01efcbb0b2613a7b2621d93f9f2a7e2983e0d0

  • SSDEEP

    12288:aEBDwqBGbanzcvPvcj+h/QEUo6den53XydJCoR:LwOGtcihQEURdOFo

Score
10/10
netwirebotnetpersistenceratstealer

Malware Config

Extracted

Family

netwire

C2

185.84.181.94:4376

Attributes
  • activex_autorun

    true

  • activex_key

    {FX1MI827-36FJ-SX70-S6O1-DTD67404Y543}

  • copy_executable

    true

  • delete_original

    true

  • host_id

    Panelsan

  • install_path

    %AppData%\Install\Mswords.exe

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    true

  • mutex

    EiFjmhwr

  • offline_keylogger

    true

  • password

    <(/82?TM{V

  • registry_autorun

    true

  • startup_name

    Mswords

  • use_mutex

    true

Signatures

  • NetWire RAT payload 1 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Executes dropped EXE 2 IoCs
  • Modifies Installed Components in the registry 2 TTPs 2 IoCs
    persistence
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fd2d9b3b2366b8b23e0f5f6f562f972aceaa9c3f2b6e7a523e2b072a03422e79.exe
    "C:\Users\Admin\AppData\Local\Temp\fd2d9b3b2366b8b23e0f5f6f562f972aceaa9c3f2b6e7a523e2b072a03422e79.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3972
    • C:\Users\Admin\AppData\Local\Temp\fd2d9b3b2366b8b23e0f5f6f562f972aceaa9c3f2b6e7a523e2b072a03422e79.exe
      C:\Users\Admin\AppData\Local\Temp\fd2d9b3b2366b8b23e0f5f6f562f972aceaa9c3f2b6e7a523e2b072a03422e79.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1352
      • C:\Users\Admin\AppData\Roaming\Install\Mswords.exe
        -m "C:\Users\Admin\AppData\Local\Temp\fd2d9b3b2366b8b23e0f5f6f562f972aceaa9c3f2b6e7a523e2b072a03422e79.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4188
        • C:\Users\Admin\AppData\Roaming\Install\Mswords.exe
          m "C:\Users\Admin\AppData\Local\Temp\fd2d9b3b2366b8b23e0f5f6f562f972aceaa9c3f2b6e7a523e2b072a03422e79.exe"
          4⤵
          • Executes dropped EXE
          • Modifies Installed Components in the registry
          • Adds Run key to start application
          PID:4308

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Install\Mswords.exe
    Filesize

    562KB

    MD5

    3f37a617c0ac47ca476dfc3ce9a214fd

    SHA1

    830a64c95ba3d812de2021dc1e931b76326d9b2b

    SHA256

    fd2d9b3b2366b8b23e0f5f6f562f972aceaa9c3f2b6e7a523e2b072a03422e79

    SHA512

    6898844b8fc4c28e78e490e827e7b361ab089018a77134c992d9dbbced0f9cd1da3bcf2140aa0593937a104acf01efcbb0b2613a7b2621d93f9f2a7e2983e0d0

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Install\Mswords.exe
    Filesize

    562KB

    MD5

    3f37a617c0ac47ca476dfc3ce9a214fd

    SHA1

    830a64c95ba3d812de2021dc1e931b76326d9b2b

    SHA256

    fd2d9b3b2366b8b23e0f5f6f562f972aceaa9c3f2b6e7a523e2b072a03422e79

    SHA512

    6898844b8fc4c28e78e490e827e7b361ab089018a77134c992d9dbbced0f9cd1da3bcf2140aa0593937a104acf01efcbb0b2613a7b2621d93f9f2a7e2983e0d0

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Install\Mswords.exe
    Filesize

    562KB

    MD5

    3f37a617c0ac47ca476dfc3ce9a214fd

    SHA1

    830a64c95ba3d812de2021dc1e931b76326d9b2b

    SHA256

    fd2d9b3b2366b8b23e0f5f6f562f972aceaa9c3f2b6e7a523e2b072a03422e79

    SHA512

    6898844b8fc4c28e78e490e827e7b361ab089018a77134c992d9dbbced0f9cd1da3bcf2140aa0593937a104acf01efcbb0b2613a7b2621d93f9f2a7e2983e0d0

    Download Submit
  • memory/1352-138-0x0000000000400000-0x000000000042C000-memory.dmp
    Filesize

    176KB

    Download
  • memory/1352-142-0x0000000077130000-0x00000000772D3000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/1352-135-0x0000000000000000-mapping.dmp
    Download
  • memory/1352-148-0x0000000077130000-0x00000000772D3000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/3972-136-0x0000000077130000-0x00000000772D3000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/3972-134-0x00000000022B0000-0x00000000022B6000-memory.dmp
    Filesize

    24KB

    Download
  • memory/4188-145-0x0000000000000000-mapping.dmp
    Download
  • memory/4188-153-0x0000000077130000-0x00000000772D3000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4308-151-0x0000000000000000-mapping.dmp
    Download
  • memory/4308-161-0x0000000077130000-0x00000000772D3000-memory.dmp
    Filesize

    1.6MB

    Download