Overview

overview

10

Static

static

SecuriteIn...68.exe

windows7-x64

10

SecuriteIn...68.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    44s
  • max time network
    33s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    05-01-2023 08:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.Win32.RATX-gen.8711.15068.exe

  • Size

    715KB

  • MD5

    14a8ed4f4d833c20f775d254eb751f2d

  • SHA1

    5c3282c4b919fb7d5a84a8026233fe358de5a022

  • SHA256

    b3cd1a80df7ae1654da07a03006781c83240814dd6d99db27f1733ed8267661c

  • SHA512

    5210cffe7b9b7fb2fa884a71ee599c9305df08270ffc766afa8a409fff9eab5597bd1c677312e8afb0c27caf0966e416e653b5d20b738aadece91e292de14f18

  • SSDEEP

    12288:9zJs9gjEzcfWT+9FOcfx1HsAYaZAtpuxHJNp7lbheaiA/yQRq9CLQrx99s2z:U35Mx3Ya8ApbPeoyN9CWTs2

Score
10/10
netwirebotnetratstealer

Malware Config

Extracted

Family

netwire

C2

212.193.30.230:7324

Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • install_path

    %AppData%\Install\Host.exe

  • lock_executable

    false

  • offline_keylogger

    false

  • password

    Password123

  • registry_autorun

    false

  • use_mutex

    false

Signatures

  • NetWire RAT payload 7 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.8711.15068.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.8711.15068.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1696
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\abmJUJB.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:784
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\abmJUJB" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9F2D.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1324
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1124
      • C:\Users\Admin\AppData\Roaming\Install\Host.exe
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        3⤵
        • Executes dropped EXE
        PID:1760

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp9F2D.tmp
    Filesize

    1KB

    MD5

    0111c411f50b2510fa894573b827af23

    SHA1

    31f43a58f16a7061af367def476a675e75a2c815

    SHA256

    70396855e8ff46dc348ee1e3f4d102211db6ac376596f02d9b4616be0388376b

    SHA512

    85abffd1c9b53b9323fd31719f51ad4c95bd3d4f0d421a43ab20d19f913db2f67807fe8861bc317524e035e318a7c3282bafa9219940cc8a33e2ded0094f2775

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Install\Host.exe
    Filesize

    44KB

    MD5

    0e06054beb13192588e745ee63a84173

    SHA1

    30b7d4d1277bafd04a83779fd566a1f834a8d113

    SHA256

    c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

    SHA512

    251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Install\Host.exe
    Filesize

    44KB

    MD5

    0e06054beb13192588e745ee63a84173

    SHA1

    30b7d4d1277bafd04a83779fd566a1f834a8d113

    SHA256

    c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

    SHA512

    251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

    Download Submit
  • \Users\Admin\AppData\Roaming\Install\Host.exe
    Filesize

    44KB

    MD5

    0e06054beb13192588e745ee63a84173

    SHA1

    30b7d4d1277bafd04a83779fd566a1f834a8d113

    SHA256

    c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

    SHA512

    251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

    Download Submit
  • memory/784-87-0x000000006EA30000-0x000000006EFDB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/784-86-0x000000006EA30000-0x000000006EFDB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/784-59-0x0000000000000000-mapping.dmp
    Download
  • memory/1124-69-0x0000000000400000-0x000000000044F000-memory.dmp
    Filesize

    316KB

    Download
  • memory/1124-64-0x0000000000400000-0x000000000044F000-memory.dmp
    Filesize

    316KB

    Download
  • memory/1124-65-0x0000000000400000-0x000000000044F000-memory.dmp
    Filesize

    316KB

    Download
  • memory/1124-67-0x0000000000400000-0x000000000044F000-memory.dmp
    Filesize

    316KB

    Download
  • memory/1124-82-0x0000000000400000-0x000000000044F000-memory.dmp
    Filesize

    316KB

    Download
  • memory/1124-71-0x0000000000400000-0x000000000044F000-memory.dmp
    Filesize

    316KB

    Download
  • memory/1124-72-0x0000000000400000-0x000000000044F000-memory.dmp
    Filesize

    316KB

    Download
  • memory/1124-74-0x0000000000400000-0x000000000044F000-memory.dmp
    Filesize

    316KB

    Download
  • memory/1124-75-0x000000000041AD7B-mapping.dmp
    Download
  • memory/1124-78-0x0000000000400000-0x000000000044F000-memory.dmp
    Filesize

    316KB

    Download
  • memory/1324-60-0x0000000000000000-mapping.dmp
    Download
  • memory/1696-54-0x0000000000090000-0x0000000000148000-memory.dmp
    Filesize

    736KB

    Download
  • memory/1696-58-0x0000000007ED0000-0x0000000007F54000-memory.dmp
    Filesize

    528KB

    Download
  • memory/1696-63-0x0000000005DB0000-0x0000000005DFC000-memory.dmp
    Filesize

    304KB

    Download
  • memory/1696-57-0x00000000004D0000-0x00000000004DA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/1696-56-0x00000000003A0000-0x00000000003B6000-memory.dmp
    Filesize

    88KB

    Download
  • memory/1696-55-0x00000000757C1000-0x00000000757C3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1760-80-0x0000000000000000-mapping.dmp
    Download
  • memory/1760-84-0x0000000000DC0000-0x0000000000DCE000-memory.dmp
    Filesize

    56KB

    Download
  • memory/1760-85-0x0000000000380000-0x00000000003A0000-memory.dmp
    Filesize

    128KB

    Download