Overview

overview

10

Static

static

285074cbfb...a1.exe

windows7-x64

10

285074cbfb...a1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-01-2023 18:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    285074cbfbb186cb746a1e03a3b3ca95cb3611987c0aab3433978268fb590aa1.exe

  • Size

    544KB

  • MD5

    82cf92967ff37089ac670b63f2dd45e6

  • SHA1

    37cdf11edd5bf245d7d0ab61939c920270ec8cbe

  • SHA256

    285074cbfbb186cb746a1e03a3b3ca95cb3611987c0aab3433978268fb590aa1

  • SHA512

    4658d213a8e4688d156b32f393092d1474679544488b11f72c439e0feb1ff18ebcbbf7c83d49f6e0e947670aab244e4481b28b3c8dbfd382452bfbb1591e2323

  • SSDEEP

    12288:zWkjHZV+Lfb1CnBOeMLpjOxpA+Ua2Hj+:qGlBHMZLY

Score
10/10
netwirebotnetpersistenceratstealer

Malware Config

Extracted

Family

netwire

C2

212.7.208.123:8765

Attributes
  • activex_autorun

    true

  • activex_key

    {L501JP3X-C6PC-RH36-475X-RS2C2OQHHGS0}

  • copy_executable

    true

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • install_path

    %AppData%\Install\Host.exe

  • lock_executable

    false

  • offline_keylogger

    false

  • password

    Password

  • registry_autorun

    true

  • startup_name

    windows

  • use_mutex

    false

Signatures

  • NetWire RAT payload 2 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Executes dropped EXE 2 IoCs
  • Modifies Installed Components in the registry 2 TTPs 2 IoCs
    persistence
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\285074cbfbb186cb746a1e03a3b3ca95cb3611987c0aab3433978268fb590aa1.exe
    "C:\Users\Admin\AppData\Local\Temp\285074cbfbb186cb746a1e03a3b3ca95cb3611987c0aab3433978268fb590aa1.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:5064
    • C:\Users\Admin\AppData\Local\Temp\285074cbfbb186cb746a1e03a3b3ca95cb3611987c0aab3433978268fb590aa1.exe
      "C:\Users\Admin\AppData\Local\Temp\285074cbfbb186cb746a1e03a3b3ca95cb3611987c0aab3433978268fb590aa1.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1676
      • C:\Users\Admin\AppData\Roaming\Install\Host.exe
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1588
        • C:\Users\Admin\AppData\Roaming\Install\Host.exe
          "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
          4⤵
          • Executes dropped EXE
          • Modifies Installed Components in the registry
          • Adds Run key to start application
          PID:3652

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Install\Host.exe
    Filesize

    544KB

    MD5

    82cf92967ff37089ac670b63f2dd45e6

    SHA1

    37cdf11edd5bf245d7d0ab61939c920270ec8cbe

    SHA256

    285074cbfbb186cb746a1e03a3b3ca95cb3611987c0aab3433978268fb590aa1

    SHA512

    4658d213a8e4688d156b32f393092d1474679544488b11f72c439e0feb1ff18ebcbbf7c83d49f6e0e947670aab244e4481b28b3c8dbfd382452bfbb1591e2323

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Install\Host.exe
    Filesize

    544KB

    MD5

    82cf92967ff37089ac670b63f2dd45e6

    SHA1

    37cdf11edd5bf245d7d0ab61939c920270ec8cbe

    SHA256

    285074cbfbb186cb746a1e03a3b3ca95cb3611987c0aab3433978268fb590aa1

    SHA512

    4658d213a8e4688d156b32f393092d1474679544488b11f72c439e0feb1ff18ebcbbf7c83d49f6e0e947670aab244e4481b28b3c8dbfd382452bfbb1591e2323

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Install\Host.exe
    Filesize

    544KB

    MD5

    82cf92967ff37089ac670b63f2dd45e6

    SHA1

    37cdf11edd5bf245d7d0ab61939c920270ec8cbe

    SHA256

    285074cbfbb186cb746a1e03a3b3ca95cb3611987c0aab3433978268fb590aa1

    SHA512

    4658d213a8e4688d156b32f393092d1474679544488b11f72c439e0feb1ff18ebcbbf7c83d49f6e0e947670aab244e4481b28b3c8dbfd382452bfbb1591e2323

    Download Submit
  • memory/1588-148-0x0000000000000000-mapping.dmp
    Download
  • memory/1588-158-0x0000000000760000-0x0000000000768000-memory.dmp
    Filesize

    32KB

    Download
  • memory/1588-160-0x0000000077BD0000-0x0000000077D73000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/1588-159-0x00007FFC65B90000-0x00007FFC65D85000-memory.dmp
    Filesize

    2.0MB

    Download
  • memory/1676-151-0x00000000004D0000-0x00000000004D8000-memory.dmp
    Filesize

    32KB

    Download
  • memory/1676-144-0x00007FFC65B90000-0x00007FFC65D85000-memory.dmp
    Filesize

    2.0MB

    Download
  • memory/1676-139-0x0000000000400000-0x000000000048A000-memory.dmp
    Filesize

    552KB

    Download
  • memory/1676-140-0x0000000000400000-0x000000000042C000-memory.dmp
    Filesize

    176KB

    Download
  • memory/1676-147-0x0000000077BD0000-0x0000000077D73000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/1676-135-0x0000000000000000-mapping.dmp
    Download
  • memory/1676-153-0x00007FFC65B90000-0x00007FFC65D85000-memory.dmp
    Filesize

    2.0MB

    Download
  • memory/1676-154-0x0000000077BD0000-0x0000000077D73000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/3652-156-0x0000000000000000-mapping.dmp
    Download
  • memory/3652-168-0x00007FFC65B90000-0x00007FFC65D85000-memory.dmp
    Filesize

    2.0MB

    Download
  • memory/3652-169-0x0000000077BD0000-0x0000000077D73000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/5064-138-0x0000000077BD0000-0x0000000077D73000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/5064-136-0x0000000002A50000-0x0000000002A58000-memory.dmp
    Filesize

    32KB

    Download
  • memory/5064-134-0x0000000002A50000-0x0000000002A58000-memory.dmp
    Filesize

    32KB

    Download
  • memory/5064-137-0x00007FFC65B90000-0x00007FFC65D85000-memory.dmp
    Filesize

    2.0MB

    Download