Overview

overview

10

Static

static

ed8a1d7a00...fd.exe

windows7-x64

10

ed8a1d7a00...fd.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    129s
  • max time network
    73s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    30-11-2022 15:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ed8a1d7a009815e9d7d1e4eb4064bb842bf22fccd57f47feee4dd1cc9798c9fd.exe

  • Size

    476KB

  • MD5

    79aa2b8dacf7b786c5d1c84ad5bd7b83

  • SHA1

    cbabb849547a604f3d97f4881f7e735c683084bd

  • SHA256

    ed8a1d7a009815e9d7d1e4eb4064bb842bf22fccd57f47feee4dd1cc9798c9fd

  • SHA512

    c5817c47cc0acca676ce06a63a3519f21c3c91f5753da7700745b6cd96a8115b7bd8ea34689b3a8f7125c1fdce1ad91e22f534fb6347e700389daa901291ae5e

  • SSDEEP

    3072:wkkIMPKsWiHtHnTi0LwolBYce3pDsQKtSWY3HGyfJEeA7IpgMNK02ewbudNWU/U:fD3sWiY0koA9sBSWcdf6eidYt

Score
10/10
netwirebotnetpersistenceratstealer

Malware Config

Extracted

Family

netwire

C2

extensions14718.sytes.net:3324

Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • lock_executable

    false

  • mutex

    pjtcCJSh

  • offline_keylogger

    false

  • password

    Password

  • registry_autorun

    false

  • use_mutex

    true

Signatures

  • NetWire RAT payload 4 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ed8a1d7a009815e9d7d1e4eb4064bb842bf22fccd57f47feee4dd1cc9798c9fd.exe
    "C:\Users\Admin\AppData\Local\Temp\ed8a1d7a009815e9d7d1e4eb4064bb842bf22fccd57f47feee4dd1cc9798c9fd.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1340
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\subfolder\firefoxpro.vbs"
      2⤵
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1496
      • C:\Users\Admin\AppData\Local\Temp\subfolder\firefoxpro.exe
        "C:\Users\Admin\AppData\Local\Temp\subfolder\firefoxpro.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1752
        • C:\Users\Admin\AppData\Local\Temp\subfolder\firefoxpro.exe
          "C:\Users\Admin\AppData\Local\Temp\subfolder\firefoxpro.exe"
          4⤵
          • Executes dropped EXE
          PID:1992

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\subfolder\firefoxpro.exe
    Filesize

    476KB

    MD5

    6167b7295d9bad6d37176e96382b9e86

    SHA1

    a77e85e3885a51ce43a3844ce9811282d288a7b2

    SHA256

    4598724a5016b215d2fa970976783e866b925cb49aad2f018b75f8e652e57d3a

    SHA512

    2df31d3bd4e9a3433c22254f60c43c1c86f705608676a8ec219a930a7cdba82fc1d0db5853997d39af30cea49ed785718415f921c60e4dc6c95c926b656afc76

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\subfolder\firefoxpro.exe
    Filesize

    476KB

    MD5

    6167b7295d9bad6d37176e96382b9e86

    SHA1

    a77e85e3885a51ce43a3844ce9811282d288a7b2

    SHA256

    4598724a5016b215d2fa970976783e866b925cb49aad2f018b75f8e652e57d3a

    SHA512

    2df31d3bd4e9a3433c22254f60c43c1c86f705608676a8ec219a930a7cdba82fc1d0db5853997d39af30cea49ed785718415f921c60e4dc6c95c926b656afc76

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\subfolder\firefoxpro.exe
    Filesize

    476KB

    MD5

    6167b7295d9bad6d37176e96382b9e86

    SHA1

    a77e85e3885a51ce43a3844ce9811282d288a7b2

    SHA256

    4598724a5016b215d2fa970976783e866b925cb49aad2f018b75f8e652e57d3a

    SHA512

    2df31d3bd4e9a3433c22254f60c43c1c86f705608676a8ec219a930a7cdba82fc1d0db5853997d39af30cea49ed785718415f921c60e4dc6c95c926b656afc76

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\subfolder\firefoxpro.vbs
    Filesize

    1024B

    MD5

    5633ea06d76d044e23ff5ed058b09cac

    SHA1

    a5f8798527ceb451ac6db8fa16649359d34ab896

    SHA256

    41e8e3ab92c8a25c6c3442cb6dc4eeaffa243573b81c0cf742312465ed20ce9f

    SHA512

    ddb54c48df72c7c80cb2f14c5b59a9de26dcfe3acef468e706eccd59e20962977d4c3957a456d07fdaea182fffdccd5f34feb5dc64a3e7cf02f2549df6835595

    Download Submit
  • \Users\Admin\AppData\Local\Temp\subfolder\firefoxpro.exe
    Filesize

    476KB

    MD5

    6167b7295d9bad6d37176e96382b9e86

    SHA1

    a77e85e3885a51ce43a3844ce9811282d288a7b2

    SHA256

    4598724a5016b215d2fa970976783e866b925cb49aad2f018b75f8e652e57d3a

    SHA512

    2df31d3bd4e9a3433c22254f60c43c1c86f705608676a8ec219a930a7cdba82fc1d0db5853997d39af30cea49ed785718415f921c60e4dc6c95c926b656afc76

    Download Submit
  • \Users\Admin\AppData\Local\Temp\subfolder\firefoxpro.exe
    Filesize

    476KB

    MD5

    6167b7295d9bad6d37176e96382b9e86

    SHA1

    a77e85e3885a51ce43a3844ce9811282d288a7b2

    SHA256

    4598724a5016b215d2fa970976783e866b925cb49aad2f018b75f8e652e57d3a

    SHA512

    2df31d3bd4e9a3433c22254f60c43c1c86f705608676a8ec219a930a7cdba82fc1d0db5853997d39af30cea49ed785718415f921c60e4dc6c95c926b656afc76

    Download Submit
  • \Users\Admin\AppData\Local\Temp\subfolder\firefoxpro.exe
    Filesize

    476KB

    MD5

    6167b7295d9bad6d37176e96382b9e86

    SHA1

    a77e85e3885a51ce43a3844ce9811282d288a7b2

    SHA256

    4598724a5016b215d2fa970976783e866b925cb49aad2f018b75f8e652e57d3a

    SHA512

    2df31d3bd4e9a3433c22254f60c43c1c86f705608676a8ec219a930a7cdba82fc1d0db5853997d39af30cea49ed785718415f921c60e4dc6c95c926b656afc76

    Download Submit
  • memory/1340-56-0x0000000076411000-0x0000000076413000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1340-57-0x0000000000250000-0x0000000000257000-memory.dmp
    Filesize

    28KB

    Download
  • memory/1496-58-0x0000000000000000-mapping.dmp
    Download
  • memory/1752-64-0x0000000000000000-mapping.dmp
    Download
  • memory/1992-70-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize

    128KB

    Download
  • memory/1992-71-0x000000000040231A-mapping.dmp
    Download
  • memory/1992-75-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize

    128KB

    Download
  • memory/1992-76-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize

    128KB

    Download