Overview

overview

10

Static

static

22120205463499.exe

windows7-x64

10

22120205463499.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    06-12-2022 07:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    22120205463499.exe

  • Size

    1.2MB

  • MD5

    a001224289ecb113049b5582e9f57548

  • SHA1

    b9b76a11d2c9a4a1dab03b182aa755b48a9a906c

  • SHA256

    66612afe35db1f65371ffe8063c667ef486376d0939fd563422707714b6d6a96

  • SHA512

    818215f11f3bb1fb62dbfed36b2ae889df9057b1cad4a467c7a4807a6ca9c3bf5319d516da17563a98635537ffc1987fcfa300b16a1ce9a92b4e0b54de2bc43b

  • SSDEEP

    24576:CAOcZaPWlu0MnHO8rsLAeLDhPg6LgyVklRqRDmHxRAiYGWwKfU:ILJDrcAehPJ5VklqSrzhlF

Score
10/10
netwirebotnetpersistenceratstealer

Malware Config

Extracted

Family

netwire

C2

podzeye2.duckdns.org:4433

Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • lock_executable

    false

  • offline_keylogger

    false

  • password

    Password

  • registry_autorun

    false

  • use_mutex

    false

Signatures

  • NetWire RAT payload 4 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\22120205463499.exe
    "C:\Users\Admin\AppData\Local\Temp\22120205463499.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:960
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\temp\5_58\rboktbei.dat.vbe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:556
      • C:\Users\Admin\AppData\Local\Temp\5_58\lkvdecp.exe
        "C:\Users\Admin\AppData\Local\Temp\5_58\lkvdecp.exe" qusdmqd.dll
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:592
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          4⤵
            PID:1548

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\5_58\kxmdrgpe.xfn
      Filesize

      545KB

      MD5

      e19c9004a1d9565e5fd148f998c605ca

      SHA1

      27c29f5b4c28d794d09fc16e3c9b07cedf10caa7

      SHA256

      3847173d3286a0668b8662747e38eb656ccf8cbe4bc0946a2967d515f1cabcf8

      SHA512

      337fab9936bf2fd369151a68479f0efe4bef3db87c2cf2017ea917ec3a486ba85466be9b0571b1ca7fff5e829159a332074ae96ee4574fda2a06bc96e31eba03

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\5_58\lkvdecp.exe
      Filesize

      931KB

      MD5

      5feda44ac105db2d782680e78c8390f2

      SHA1

      904af0b078fbe8abb3a301267c02c37eccc85717

      SHA256

      e4299c4b0df873a4bbf97826ca26cb68ea53394e3a911ec27ae8c4a3a2b758df

      SHA512

      47aebfa40a20621d20804dbeba662b9d9c7e7e082299db1e28839f264f98082d9f30adc13aeeb3b49dc0a33861577d3ea95aa3bafdaae748362b235fa686debc

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\5_58\lkvdecp.exe
      Filesize

      931KB

      MD5

      5feda44ac105db2d782680e78c8390f2

      SHA1

      904af0b078fbe8abb3a301267c02c37eccc85717

      SHA256

      e4299c4b0df873a4bbf97826ca26cb68ea53394e3a911ec27ae8c4a3a2b758df

      SHA512

      47aebfa40a20621d20804dbeba662b9d9c7e7e082299db1e28839f264f98082d9f30adc13aeeb3b49dc0a33861577d3ea95aa3bafdaae748362b235fa686debc

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\5_58\qusdmqd.dll
      Filesize

      95.8MB

      MD5

      8460cda9993a5a79ae25842a09a2fe35

      SHA1

      c2e5f5d9ebc0829d74ade1267c78915eda20ed82

      SHA256

      c7ce343096182c58e072645c8ae19deb85699ca3cdb3d3f687738df98a3d398a

      SHA512

      806606db880b6abf45d0fb0ddb90d74852398bbb0e9c400fe9a33eda00d993130edadde00e6146e9b092b6847719e5249cbc7d75939046b5b9cd6ca3ae146034

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\5_58\sgevsc.jpg
      Filesize

      62KB

      MD5

      82d5cd884e5d96c31cb2541a168cc027

      SHA1

      a917e4830084510edd7129f720d6bf7b91c2fa79

      SHA256

      80c6e66a22a42ae5fea975299a92c682a7c1008efcb49c713457cc8e5901a3f8

      SHA512

      e26df3e9862a8e373ff28ad32342f8d7e8139a8d9e009951f42f0e89832a3417cabb051c0d83518ee93fb4608b92d6ca10a639328c4822d18613914cdbb4e141

      Download Submit
    • C:\Users\Admin\AppData\Local\temp\5_58\rboktbei.dat.vbe
      Filesize

      55KB

      MD5

      5c183d5ff5dfdca83728013dd38cf47b

      SHA1

      c9a556554ffa603f58477fefcc556e3ecfc18a65

      SHA256

      9be2a3c20e2b03deecf608ae7db40f2e783d1ee944f7e43233a84cbd20986f95

      SHA512

      99fb112917f48a1194ab5f479263db48e1106ef2c32de4ea753043d165b3ed3362dc8aa8e4f91a3be5c67532bfb63646b8a0d81a4706e9961a99ef3e607aaff1

      Download Submit
    • \Users\Admin\AppData\Local\Temp\5_58\lkvdecp.exe
      Filesize

      931KB

      MD5

      5feda44ac105db2d782680e78c8390f2

      SHA1

      904af0b078fbe8abb3a301267c02c37eccc85717

      SHA256

      e4299c4b0df873a4bbf97826ca26cb68ea53394e3a911ec27ae8c4a3a2b758df

      SHA512

      47aebfa40a20621d20804dbeba662b9d9c7e7e082299db1e28839f264f98082d9f30adc13aeeb3b49dc0a33861577d3ea95aa3bafdaae748362b235fa686debc

      Download Submit
    • \Users\Admin\AppData\Local\Temp\5_58\lkvdecp.exe
      Filesize

      931KB

      MD5

      5feda44ac105db2d782680e78c8390f2

      SHA1

      904af0b078fbe8abb3a301267c02c37eccc85717

      SHA256

      e4299c4b0df873a4bbf97826ca26cb68ea53394e3a911ec27ae8c4a3a2b758df

      SHA512

      47aebfa40a20621d20804dbeba662b9d9c7e7e082299db1e28839f264f98082d9f30adc13aeeb3b49dc0a33861577d3ea95aa3bafdaae748362b235fa686debc

      Download Submit
    • memory/556-55-0x0000000000000000-mapping.dmp
      Download
    • memory/592-61-0x0000000000000000-mapping.dmp
      Download
    • memory/960-54-0x00000000757A1000-0x00000000757A3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1548-67-0x0000000000310000-0x00000000008FA000-memory.dmp
      Filesize

      5.9MB

      Download
    • memory/1548-69-0x0000000000310000-0x00000000008FA000-memory.dmp
      Filesize

      5.9MB

      Download
    • memory/1548-70-0x000000000032AE7B-mapping.dmp
      Download
    • memory/1548-73-0x0000000000310000-0x00000000008FA000-memory.dmp
      Filesize

      5.9MB

      Download
    • memory/1548-74-0x0000000000310000-0x00000000008FA000-memory.dmp
      Filesize

      5.9MB

      Download