Overview

overview

10

Static

static

SecuriteIn...68.exe

windows7-x64

10

SecuriteIn...68.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-01-2023 08:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.Win32.RATX-gen.8711.15068.exe

  • Size

    715KB

  • MD5

    14a8ed4f4d833c20f775d254eb751f2d

  • SHA1

    5c3282c4b919fb7d5a84a8026233fe358de5a022

  • SHA256

    b3cd1a80df7ae1654da07a03006781c83240814dd6d99db27f1733ed8267661c

  • SHA512

    5210cffe7b9b7fb2fa884a71ee599c9305df08270ffc766afa8a409fff9eab5597bd1c677312e8afb0c27caf0966e416e653b5d20b738aadece91e292de14f18

  • SSDEEP

    12288:9zJs9gjEzcfWT+9FOcfx1HsAYaZAtpuxHJNp7lbheaiA/yQRq9CLQrx99s2z:U35Mx3Ya8ApbPeoyN9CWTs2

Score
10/10
netwirebotnetratstealer

Malware Config

Extracted

Family

netwire

C2

212.193.30.230:7324

Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • install_path

    %AppData%\Install\Host.exe

  • lock_executable

    false

  • offline_keylogger

    false

  • password

    Password123

  • registry_autorun

    false

  • use_mutex

    false

Signatures

  • NetWire RAT payload 4 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.8711.15068.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.8711.15068.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1644
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\abmJUJB.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:488
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\abmJUJB" /XML "C:\Users\Admin\AppData\Local\Temp\tmp30D.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:5076
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1616
      • C:\Users\Admin\AppData\Roaming\Install\Host.exe
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        3⤵
        • Executes dropped EXE
        PID:2696

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp30D.tmp
    Filesize

    1KB

    MD5

    d7627f656edadd37d192f0fa5951c7d6

    SHA1

    69a3b804708ce3ef46b36231ac500be60d099700

    SHA256

    6c3667f21ce26b6a35b683c3e131281e98c65411a2eddbb5d3cafe53567ec8aa

    SHA512

    6e17f82c736a2390f083932ed74909fe103b7f4faedfb0cd1e41a058685e50415b94950a54d205f561e00f7b298c2bfa188a7073b4019170dd1d9b7727a7c096

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Install\Host.exe
    Filesize

    44KB

    MD5

    9d352bc46709f0cb5ec974633a0c3c94

    SHA1

    1969771b2f022f9a86d77ac4d4d239becdf08d07

    SHA256

    2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

    SHA512

    13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Install\Host.exe
    Filesize

    44KB

    MD5

    9d352bc46709f0cb5ec974633a0c3c94

    SHA1

    1969771b2f022f9a86d77ac4d4d239becdf08d07

    SHA256

    2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

    SHA512

    13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

    Download Submit
  • memory/488-148-0x0000000005FF0000-0x0000000006056000-memory.dmp
    Filesize

    408KB

    Download
  • memory/488-157-0x00000000759E0000-0x0000000075A2C000-memory.dmp
    Filesize

    304KB

    Download
  • memory/488-164-0x0000000007B00000-0x0000000007B1A000-memory.dmp
    Filesize

    104KB

    Download
  • memory/488-163-0x00000000079F0000-0x00000000079FE000-memory.dmp
    Filesize

    56KB

    Download
  • memory/488-139-0x0000000002BC0000-0x0000000002BF6000-memory.dmp
    Filesize

    216KB

    Download
  • memory/488-162-0x0000000007A40000-0x0000000007AD6000-memory.dmp
    Filesize

    600KB

    Download
  • memory/488-141-0x0000000005850000-0x0000000005E78000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/488-161-0x0000000007830000-0x000000000783A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/488-160-0x00000000077C0000-0x00000000077DA000-memory.dmp
    Filesize

    104KB

    Download
  • memory/488-159-0x0000000007E00000-0x000000000847A000-memory.dmp
    Filesize

    6.5MB

    Download
  • memory/488-146-0x0000000005510000-0x0000000005532000-memory.dmp
    Filesize

    136KB

    Download
  • memory/488-158-0x0000000006A50000-0x0000000006A6E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/488-147-0x00000000057B0000-0x0000000005816000-memory.dmp
    Filesize

    408KB

    Download
  • memory/488-156-0x0000000006A70000-0x0000000006AA2000-memory.dmp
    Filesize

    200KB

    Download
  • memory/488-137-0x0000000000000000-mapping.dmp
    Download
  • memory/488-165-0x0000000007AE0000-0x0000000007AE8000-memory.dmp
    Filesize

    32KB

    Download
  • memory/488-155-0x00000000064A0000-0x00000000064BE000-memory.dmp
    Filesize

    120KB

    Download
  • memory/1616-142-0x0000000000000000-mapping.dmp
    Download
  • memory/1616-143-0x0000000000400000-0x000000000044F000-memory.dmp
    Filesize

    316KB

    Download
  • memory/1616-151-0x0000000000400000-0x000000000044F000-memory.dmp
    Filesize

    316KB

    Download
  • memory/1616-145-0x0000000000400000-0x000000000044F000-memory.dmp
    Filesize

    316KB

    Download
  • memory/1616-144-0x0000000000400000-0x000000000044F000-memory.dmp
    Filesize

    316KB

    Download
  • memory/1644-133-0x00000000055B0000-0x0000000005B54000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/1644-132-0x00000000005D0000-0x0000000000688000-memory.dmp
    Filesize

    736KB

    Download
  • memory/1644-135-0x0000000005050000-0x000000000505A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/1644-136-0x0000000008D00000-0x0000000008D9C000-memory.dmp
    Filesize

    624KB

    Download
  • memory/1644-134-0x00000000050A0000-0x0000000005132000-memory.dmp
    Filesize

    584KB

    Download
  • memory/2696-153-0x0000000000670000-0x000000000067E000-memory.dmp
    Filesize

    56KB

    Download
  • memory/2696-149-0x0000000000000000-mapping.dmp
    Download
  • memory/2696-154-0x0000000004E60000-0x0000000004E9C000-memory.dmp
    Filesize

    240KB

    Download
  • memory/5076-138-0x0000000000000000-mapping.dmp
    Download