Overview

overview

10

Static

static

10

r.exe

windows7-x64

10

r.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    01-04-2023 05:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    r.exe

  • Size

    160KB

  • MD5

    fb8441287cef7a3c0a67a24830a648f3

  • SHA1

    6fef02a3793b481a2603da3d5051698ea752f4ab

  • SHA256

    10a9942365cfd73d8c11b5b8e46763a53c642e5ddd9577a21c2388e7bc99d910

  • SHA512

    660a630c200f34808deba9484d416a8292176f18516a33d9af7c0ec3e5764f41c9a77d8fbf42dd123b8cdbe71e7537a2f63ccc675b2271c85b7a4164c0b4ad0e

  • SSDEEP

    3072:jOzPcXa+ND32eioGHlz8rnAE0HCXh0edLv1YMjMqqDvFf:jOTcK+NrRioGHlz8rz0i/1zQqqDvFf

Score
10/10
netwirebotnetpersistenceratstealer

Malware Config

Extracted

Family

netwire

C2

wire.universitynetservice1979.info:8888

167.179.102.70:8888

62.234.24.30:8888
Attributes
  • activex_autorun

    false

  • copy_executable

    true

  • delete_original

    true

  • host_id

    HostId-%Rand%

  • install_path

    %AppData%\Install\svchost.exe

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • mutex

    olflQfiP

  • offline_keylogger

    true

  • password

    win

  • registry_autorun

    true

  • startup_name

    netloading

  • use_mutex

    true

Signatures

  • NetWire RAT payload 12 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\r.exe
    "C:\Users\Admin\AppData\Local\Temp\r.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1192
    • C:\Users\Admin\AppData\Roaming\Install\svchost.exe
      "C:\Users\Admin\AppData\Roaming\Install\svchost.exe" -m "C:\Users\Admin\AppData\Local\Temp\r.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      PID:1076

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Install\svchost.exe
    Filesize

    160KB

    MD5

    fb8441287cef7a3c0a67a24830a648f3

    SHA1

    6fef02a3793b481a2603da3d5051698ea752f4ab

    SHA256

    10a9942365cfd73d8c11b5b8e46763a53c642e5ddd9577a21c2388e7bc99d910

    SHA512

    660a630c200f34808deba9484d416a8292176f18516a33d9af7c0ec3e5764f41c9a77d8fbf42dd123b8cdbe71e7537a2f63ccc675b2271c85b7a4164c0b4ad0e

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Install\svchost.exe
    Filesize

    160KB

    MD5

    fb8441287cef7a3c0a67a24830a648f3

    SHA1

    6fef02a3793b481a2603da3d5051698ea752f4ab

    SHA256

    10a9942365cfd73d8c11b5b8e46763a53c642e5ddd9577a21c2388e7bc99d910

    SHA512

    660a630c200f34808deba9484d416a8292176f18516a33d9af7c0ec3e5764f41c9a77d8fbf42dd123b8cdbe71e7537a2f63ccc675b2271c85b7a4164c0b4ad0e

    Download Submit
  • \Users\Admin\AppData\Roaming\Install\svchost.exe
    Filesize

    160KB

    MD5

    fb8441287cef7a3c0a67a24830a648f3

    SHA1

    6fef02a3793b481a2603da3d5051698ea752f4ab

    SHA256

    10a9942365cfd73d8c11b5b8e46763a53c642e5ddd9577a21c2388e7bc99d910

    SHA512

    660a630c200f34808deba9484d416a8292176f18516a33d9af7c0ec3e5764f41c9a77d8fbf42dd123b8cdbe71e7537a2f63ccc675b2271c85b7a4164c0b4ad0e

    Download Submit
  • \Users\Admin\AppData\Roaming\Install\svchost.exe
    Filesize

    160KB

    MD5

    fb8441287cef7a3c0a67a24830a648f3

    SHA1

    6fef02a3793b481a2603da3d5051698ea752f4ab

    SHA256

    10a9942365cfd73d8c11b5b8e46763a53c642e5ddd9577a21c2388e7bc99d910

    SHA512

    660a630c200f34808deba9484d416a8292176f18516a33d9af7c0ec3e5764f41c9a77d8fbf42dd123b8cdbe71e7537a2f63ccc675b2271c85b7a4164c0b4ad0e

    Download Submit
  • memory/1076-64-0x0000000000400000-0x0000000000433000-memory.dmp
    Filesize

    204KB

    Download
  • memory/1076-66-0x0000000000400000-0x0000000000433000-memory.dmp
    Filesize

    204KB

    Download
  • memory/1076-73-0x0000000000400000-0x0000000000433000-memory.dmp
    Filesize

    204KB

    Download
  • memory/1076-74-0x0000000000400000-0x0000000000433000-memory.dmp
    Filesize

    204KB

    Download
  • memory/1076-75-0x0000000000400000-0x0000000000433000-memory.dmp
    Filesize

    204KB

    Download
  • memory/1076-76-0x0000000000400000-0x0000000000433000-memory.dmp
    Filesize

    204KB

    Download
  • memory/1076-77-0x0000000000400000-0x0000000000433000-memory.dmp
    Filesize

    204KB

    Download
  • memory/1192-62-0x0000000000400000-0x0000000000433000-memory.dmp
    Filesize

    204KB

    Download