Overview

overview

10

Static

static

8119fc6da4...20.exe

windows7-x64

10

8119fc6da4...20.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    163s
  • max time network
    218s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-11-2022 19:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8119fc6da4305f331fc904adfca9e221d26bd607a53e35dbeede7e379b051f20.exe

  • Size

    620KB

  • MD5

    126a93893a231d0d04d51c062ffacb24

  • SHA1

    2dc7626161923496e1161321564649de8a505462

  • SHA256

    8119fc6da4305f331fc904adfca9e221d26bd607a53e35dbeede7e379b051f20

  • SHA512

    7ead5d82543478d48820429fa78a6b47c4b96f9a081d6599bc7f47208acc73dee20b97345f971b7298642fb4104d90eb8a660cbdc8f592449410cba459d46715

  • SSDEEP

    6144:jIgLd7M38csN+OepKstohqNuPSzjRfXfqSicv2oJ04YIEr7rwdaJ:JNMJzpWhYvRfXiSicbJ0d7rco

Score
10/10
netwirebotnetpersistenceratstealer

Malware Config

Extracted

Family

netwire

C2

Wealthybond.ddns.me:39560

Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • mutex

    uElWAoFe

  • offline_keylogger

    true

  • password

    sucess

  • registry_autorun

    false

  • use_mutex

    true

Signatures

  • NetWire RAT payload 1 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of FindShellTrayWindow 8 IoCs
  • Suspicious use of SendNotifyMessage 8 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8119fc6da4305f331fc904adfca9e221d26bd607a53e35dbeede7e379b051f20.exe
    "C:\Users\Admin\AppData\Local\Temp\8119fc6da4305f331fc904adfca9e221d26bd607a53e35dbeede7e379b051f20.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3860
    • C:\Users\Admin\AppData\Local\Temp\8119fc6da4305f331fc904adfca9e221d26bd607a53e35dbeede7e379b051f20.exe
      "C:\Users\Admin\AppData\Local\Temp\8119fc6da4305f331fc904adfca9e221d26bd607a53e35dbeede7e379b051f20.exe"
      2⤵
      • Checks computer location settings
      • Drops file in Windows directory
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1540
      • C:\Users\Admin\AppData\Local\Temp\Elektroteknikkerne3.exe
        "C:\Users\Admin\AppData\Local\Temp\Elektroteknikkerne3.exe"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in Windows directory
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2304
        • C:\Users\Admin\AppData\Local\Temp\Elektroteknikkerne3.exe
          "C:\Users\Admin\AppData\Local\Temp\Elektroteknikkerne3.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of SetWindowsHookEx
          PID:1712

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Elektroteknikkerne3.exe
    Filesize

    620KB

    MD5

    c8b740d5083715048f6ec93a3fdc627c

    SHA1

    754919550bdd0d8c911e2a8f064a474d0cdeb457

    SHA256

    7cc46b7baca763d9a1ec051befb75e5d2e6e30aeffd76613d149e6ccb6f9e42b

    SHA512

    9ca26f1f9f716320792804152eda11c17f85f55fbb02fea7f074415d72c87795dbb34ecc3944042f1597c5c64b3da4c19f30c123d24d9ddee01c772f5d2d366e

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Elektroteknikkerne3.exe
    Filesize

    620KB

    MD5

    c8b740d5083715048f6ec93a3fdc627c

    SHA1

    754919550bdd0d8c911e2a8f064a474d0cdeb457

    SHA256

    7cc46b7baca763d9a1ec051befb75e5d2e6e30aeffd76613d149e6ccb6f9e42b

    SHA512

    9ca26f1f9f716320792804152eda11c17f85f55fbb02fea7f074415d72c87795dbb34ecc3944042f1597c5c64b3da4c19f30c123d24d9ddee01c772f5d2d366e

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Elektroteknikkerne3.exe
    Filesize

    620KB

    MD5

    c8b740d5083715048f6ec93a3fdc627c

    SHA1

    754919550bdd0d8c911e2a8f064a474d0cdeb457

    SHA256

    7cc46b7baca763d9a1ec051befb75e5d2e6e30aeffd76613d149e6ccb6f9e42b

    SHA512

    9ca26f1f9f716320792804152eda11c17f85f55fbb02fea7f074415d72c87795dbb34ecc3944042f1597c5c64b3da4c19f30c123d24d9ddee01c772f5d2d366e

    Download Submit
  • C:\Windows\win.ini
    Filesize

    123B

    MD5

    6bf517432f65eb7f0d18d574bf14124c

    SHA1

    5b9f37c1dd1318ebbec3bd2f07c109eb9d22c727

    SHA256

    6e2b70dfccabf3cc651545676a3a566c9cfae03f15f772886646abce1da35b46

    SHA512

    7b0cb8c20034585ec8bf4b45eda5eda5993a56e24931a7426dc5a9f081ec1f82545f3e26a48a4df885c8691fc6e8026d0808aebe3cc3358ba85ddca08ac4cb06

    Download Submit
  • C:\Windows\win.ini
    Filesize

    123B

    MD5

    6bf517432f65eb7f0d18d574bf14124c

    SHA1

    5b9f37c1dd1318ebbec3bd2f07c109eb9d22c727

    SHA256

    6e2b70dfccabf3cc651545676a3a566c9cfae03f15f772886646abce1da35b46

    SHA512

    7b0cb8c20034585ec8bf4b45eda5eda5993a56e24931a7426dc5a9f081ec1f82545f3e26a48a4df885c8691fc6e8026d0808aebe3cc3358ba85ddca08ac4cb06

    Download Submit
  • C:\Windows\win.ini
    Filesize

    123B

    MD5

    6bf517432f65eb7f0d18d574bf14124c

    SHA1

    5b9f37c1dd1318ebbec3bd2f07c109eb9d22c727

    SHA256

    6e2b70dfccabf3cc651545676a3a566c9cfae03f15f772886646abce1da35b46

    SHA512

    7b0cb8c20034585ec8bf4b45eda5eda5993a56e24931a7426dc5a9f081ec1f82545f3e26a48a4df885c8691fc6e8026d0808aebe3cc3358ba85ddca08ac4cb06

    Download Submit
  • memory/1540-142-0x0000000003760000-0x0000000003860000-memory.dmp
    Filesize

    1024KB

    Download
  • memory/1540-144-0x0000000077600000-0x00000000777A3000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/1540-145-0x0000000003760000-0x0000000003860000-memory.dmp
    Filesize

    1024KB

    Download
  • memory/1540-149-0x0000000077600000-0x00000000777A3000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/1540-135-0x0000000000000000-mapping.dmp
    Download
  • memory/1540-143-0x00007FF86E970000-0x00007FF86EB65000-memory.dmp
    Filesize

    2.0MB

    Download
  • memory/1712-162-0x0000000003A20000-0x0000000003B20000-memory.dmp
    Filesize

    1024KB

    Download
  • memory/1712-166-0x0000000003A20000-0x0000000003B20000-memory.dmp
    Filesize

    1024KB

    Download
  • memory/1712-165-0x0000000000400000-0x000000000049D000-memory.dmp
    Filesize

    628KB

    Download
  • memory/1712-164-0x0000000077601000-0x0000000077721000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1712-163-0x00007FF86E970000-0x00007FF86EB65000-memory.dmp
    Filesize

    2.0MB

    Download
  • memory/1712-153-0x0000000000000000-mapping.dmp
    Download
  • memory/2304-157-0x0000000002FF0000-0x00000000030F0000-memory.dmp
    Filesize

    1024KB

    Download
  • memory/2304-159-0x0000000077600000-0x00000000777A3000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2304-161-0x0000000077600000-0x00000000777A3000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2304-158-0x00007FF86E970000-0x00007FF86EB65000-memory.dmp
    Filesize

    2.0MB

    Download
  • memory/2304-146-0x0000000000000000-mapping.dmp
    Download
  • memory/3860-136-0x00007FF86E970000-0x00007FF86EB65000-memory.dmp
    Filesize

    2.0MB

    Download
  • memory/3860-137-0x0000000077600000-0x00000000777A3000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/3860-140-0x00000000039E0000-0x0000000003AE0000-memory.dmp
    Filesize

    1024KB

    Download
  • memory/3860-134-0x00000000039E0000-0x0000000003AE0000-memory.dmp
    Filesize

    1024KB

    Download