Overview

overview

10

Static

static

7d27252ef8...50.exe

windows7-x64

10

7d27252ef8...50.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    163s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-11-2022 14:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7d27252ef87acae8a2b583d920e52d8210ee69c4f9591ed20de1cfd55bf01650.exe

  • Size

    257KB

  • MD5

    d699e0316ff32d7b7d551ad6abface4c

  • SHA1

    789f7e7ada8f769ac4709a74cf16c2a086f595e9

  • SHA256

    7d27252ef87acae8a2b583d920e52d8210ee69c4f9591ed20de1cfd55bf01650

  • SHA512

    e8d35c8acd950fcc3d81eb5a3b1047723d68b5de8906d825787ab87add3796abe700271fb666190732538e740b345c60a3a5fce8d0f79ac210abdcd536fc9fd1

  • SSDEEP

    6144:5V6vBUSGrwSKVICKku8IF0j0KngiDyP5/x3:5VvSGrwSKqbF8IF08iuP/3

Score
10/10
netwirebotnetratstealer

Malware Config

Extracted

Family

netwire

C2

extensions14718.sytes.net:3324

extensions14718sec.sytes.net:3324
Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • mutex

    YbcwLUQv

  • offline_keylogger

    true

  • password

    Password

  • registry_autorun

    false

  • use_mutex

    true

Signatures

  • NetWire RAT payload 3 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Drops startup file 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7d27252ef87acae8a2b583d920e52d8210ee69c4f9591ed20de1cfd55bf01650.exe
    "C:\Users\Admin\AppData\Local\Temp\7d27252ef87acae8a2b583d920e52d8210ee69c4f9591ed20de1cfd55bf01650.exe"
    1⤵
    • Drops startup file
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5100
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ojpti4pc\ojpti4pc.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2004
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES71B5.tmp" "c:\Users\Admin\AppData\Local\Temp\ojpti4pc\CSC87C1B814D11428EB394E71CEC29EF4C.TMP"
        3⤵
          PID:3636
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
        2⤵
          PID:3492

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Scripting

      1
      T1064

      Persistence

      Privilege Escalation

      Defense Evasion

      Scripting

      1
      T1064

      Credential Access

      Discovery

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\RES71B5.tmp
        Filesize

        1KB

        MD5

        99f78925da1a1bee113c6abef99b0840

        SHA1

        3cde211b7425c28a8283cae7706f41d6856ab385

        SHA256

        1306b24bbc1d0616e60f5d10a4c813f919762b476858e0c423e0a66632df6df7

        SHA512

        fed02bdef7c95a22ac39b04f491ff7b8420c6de29177d911c300f5ba85deb5ac463c1400d263763551bcbec3c892f274a542c14b9cacce0b780b69706274a027

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\ojpti4pc\ojpti4pc.dll
        Filesize

        17KB

        MD5

        868fcb1a06aed0549486c5e31e3959d5

        SHA1

        86ebd77c9fbe3dbc96d530f31c96efc20c13f949

        SHA256

        1be8d4f874b44845647ab60150bedac56207b672154dfa993ec36d72fd0ab4a3

        SHA512

        d9110826a8155e2bb7a16638184dc934ca6be68fd95ed7fcfa60588b61f54eb97a3ef1d1e7d57d4906e90a9baf2d86c4922f8195a2429606a89b3ff21a858161

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\ojpti4pc\ojpti4pc.pdb
        Filesize

        53KB

        MD5

        20b0e6137e986d7784804ad67e2ef32f

        SHA1

        c94a10558116c2602ae092b690190397bd012d00

        SHA256

        41a72971328dd39e72659d5c5f76ece9edc505b36193ea38ed3552aa0d8c7851

        SHA512

        3391eafa338cdfea01d9662f8fcd80ba06bec8aa2c23a081595f807636e4ca4a6c01ff3cd83dec5c940fac9eb8da5ea62f9cd5efe1305f9afa68fc5a34d91506

        Download Submit
      • \??\c:\Users\Admin\AppData\Local\Temp\ojpti4pc\CSC87C1B814D11428EB394E71CEC29EF4C.TMP
        Filesize

        1KB

        MD5

        5259ae16529cf3514011ba814bd6c57a

        SHA1

        3156dba812d91f6af644fb212a2922aaf2ac441d

        SHA256

        2bb0de440315157f10555f33ea1fbe933ced806b9679af0fa8da311a7ac04f51

        SHA512

        8a541625950763579d95c13343b07fac898f6ba4d8c639cccc628b8277bcae0b4e78a1f602db26c6a925bdc626b5dd1ccb60dc158d2066dce7cdcf3f1d827813

        Download Submit
      • \??\c:\Users\Admin\AppData\Local\Temp\ojpti4pc\ojpti4pc.0.cs
        Filesize

        37KB

        MD5

        9fafd44315a524486b84e23bedaec8bf

        SHA1

        0d2820c6a0d71d57200dccafa2c6fb421269f2ec

        SHA256

        549faa466584fa74103c11227ef0b811cf96bda2d27b5c1c53fc2f053e96db74

        SHA512

        e5f2023c15f49f7758d11972e4edf00731956cf69b0b52df6a1bed00dbe756ce87b1a76af9c7dacd3abdae374da8452d6c9790f5e1ebee4ceee9c74e23778280

        Download Submit
      • \??\c:\Users\Admin\AppData\Local\Temp\ojpti4pc\ojpti4pc.cmdline
        Filesize

        312B

        MD5

        02b6bc2f3403df03c346c6e2eea04040

        SHA1

        babe8c8f226d4e3f80460e5d09c9879aff29dd6f

        SHA256

        653ba3479a3fb3c0ea3cbaf4e3a456271e4fc866a8e46aece491b2dd70760a4a

        SHA512

        df2fd76bcb6ff38713ff7227fa5a1f0e15fac16582cbb5287aa771a349794628fbd2955fe2297274ea78cf043ebfbb7c031295fae674f7cb5ae321fe1731a17b

        Download Submit
      • memory/2004-133-0x0000000000000000-mapping.dmp
        Download
      • memory/3492-143-0x0000000000000000-mapping.dmp
        Download
      • memory/3492-144-0x0000000000400000-0x000000000042C000-memory.dmp
        Filesize

        176KB

        Download
      • memory/3492-146-0x0000000000400000-0x000000000042C000-memory.dmp
        Filesize

        176KB

        Download
      • memory/3492-147-0x0000000000400000-0x000000000042C000-memory.dmp
        Filesize

        176KB

        Download
      • memory/3636-136-0x0000000000000000-mapping.dmp
        Download
      • memory/5100-132-0x0000000000320000-0x0000000000366000-memory.dmp
        Filesize

        280KB

        Download
      • memory/5100-141-0x0000000004F90000-0x0000000005022000-memory.dmp
        Filesize

        584KB

        Download
      • memory/5100-142-0x0000000005690000-0x000000000572C000-memory.dmp
        Filesize

        624KB

        Download