Overview

overview

10

Static

static

1

34104d412d...d5.exe

windows7-x64

10

34104d412d...d5.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    80s
  • max time network
    82s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    03-04-2023 01:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    34104d412d856c9ee60e6db6cce0fbb03c766988ab6e733a867eeac26cd9bad5.exe

  • Size

    453KB

  • MD5

    a7c46dcd7583f9b2fdca60638393fe3d

  • SHA1

    9d095498c250a1c8b8c1b9b7064d7be934b0ac1a

  • SHA256

    34104d412d856c9ee60e6db6cce0fbb03c766988ab6e733a867eeac26cd9bad5

  • SHA512

    7e588fd29d927c232efcf1ab7334e0ee663c6b67bbd819823cb093d9787ceb5fbadd56a11145107bafe120889d4c1acc425e7ca2cf42fa1b5cb01437e25cda47

  • SSDEEP

    12288:yhKODnJnFSRyDy/J9JLtpx+/tADdzw/aFo:yoOHSSaPJh+/tADdI

Score
10/10
netwirebotnetpersistenceratstealer

Malware Config

Extracted

Family

netwire

C2

haija.mine.nu:1338

Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    Marketplace

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • offline_keylogger

    true

  • password

    qays1122

  • registry_autorun

    false

  • use_mutex

    false

Signatures

  • NetWire RAT payload 10 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Core1 .NET packer 2 IoCs

    Detects packer/loader used by .NET malware.

  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Modifies registry class 31 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\34104d412d856c9ee60e6db6cce0fbb03c766988ab6e733a867eeac26cd9bad5.exe
    "C:\Users\Admin\AppData\Local\Temp\34104d412d856c9ee60e6db6cce0fbb03c766988ab6e733a867eeac26cd9bad5.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1556
    • C:\Windows\SysWow64\svchost.exe
      "C:\\Windows\\SysWow64\\svchost.exe"
      2⤵
        PID:612
      • C:\Windows\SysWow64\svchost.exe
        "C:\\Windows\\SysWow64\\svchost.exe"
        2⤵
        • Loads dropped DLL
        • Drops file in Program Files directory
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:1756

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • \Users\Admin\AppData\Local\Temp\dup2patcher.dll
      Filesize

      234KB

      MD5

      6f8b0021a206e48a50986333b87a5245

      SHA1

      b650435b6e1a0cc59e2c232f83a9796770f85f96

      SHA256

      326ca48a87c1e82e1fcaf95acd5b8c09d92f712591ba88928f48e093c485c40a

      SHA512

      b7f066786f20934148d718689fbcdf830a0a04ebf46092c48b6ec06ef5a989518cb23659a7ecbcef5b689a58546f2ac688a861887611cd3ee62b8ade62b4cc27

      Download Submit
    • memory/612-66-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
      Filesize

      4KB

      Download
    • memory/612-86-0x0000000000400000-0x0000000000433000-memory.dmp
      Filesize

      204KB

      Download
    • memory/612-85-0x0000000000400000-0x0000000000433000-memory.dmp
      Filesize

      204KB

      Download
    • memory/612-58-0x0000000000400000-0x0000000000433000-memory.dmp
      Filesize

      204KB

      Download
    • memory/612-59-0x0000000000400000-0x0000000000433000-memory.dmp
      Filesize

      204KB

      Download
    • memory/612-67-0x0000000000400000-0x0000000000433000-memory.dmp
      Filesize

      204KB

      Download
    • memory/612-60-0x0000000000400000-0x0000000000433000-memory.dmp
      Filesize

      204KB

      Download
    • memory/612-62-0x0000000000400000-0x0000000000433000-memory.dmp
      Filesize

      204KB

      Download
    • memory/612-63-0x0000000000400000-0x0000000000433000-memory.dmp
      Filesize

      204KB

      Download
    • memory/612-64-0x0000000000400000-0x0000000000433000-memory.dmp
      Filesize

      204KB

      Download
    • memory/612-65-0x0000000000400000-0x0000000000433000-memory.dmp
      Filesize

      204KB

      Download
    • memory/1556-69-0x0000000000970000-0x00000000009B1000-memory.dmp
      Filesize

      260KB

      Download
    • memory/1556-57-0x0000000000960000-0x0000000000993000-memory.dmp
      Filesize

      204KB

      Download
    • memory/1556-54-0x000000013FB50000-0x000000013FBC6000-memory.dmp
      Filesize

      472KB

      Download
    • memory/1556-55-0x00000000020E0000-0x0000000002152000-memory.dmp
      Filesize

      456KB

      Download
    • memory/1556-56-0x0000000000840000-0x0000000000848000-memory.dmp
      Filesize

      32KB

      Download
    • memory/1556-61-0x000000001BC10000-0x000000001BC90000-memory.dmp
      Filesize

      512KB

      Download
    • memory/1756-72-0x0000000000400000-0x0000000000441000-memory.dmp
      Filesize

      260KB

      Download
    • memory/1756-75-0x0000000000400000-0x0000000000441000-memory.dmp
      Filesize

      260KB

      Download
    • memory/1756-74-0x0000000000400000-0x0000000000441000-memory.dmp
      Filesize

      260KB

      Download
    • memory/1756-77-0x0000000000400000-0x0000000000441000-memory.dmp
      Filesize

      260KB

      Download
    • memory/1756-79-0x0000000000400000-0x0000000000441000-memory.dmp
      Filesize

      260KB

      Download
    • memory/1756-73-0x0000000000400000-0x0000000000441000-memory.dmp
      Filesize

      260KB

      Download
    • memory/1756-71-0x0000000000400000-0x0000000000441000-memory.dmp
      Filesize

      260KB

      Download
    • memory/1756-70-0x0000000000400000-0x0000000000441000-memory.dmp
      Filesize

      260KB

      Download
    • memory/1756-87-0x0000000000400000-0x0000000000441000-memory.dmp
      Filesize

      260KB

      Download
    • memory/1756-88-0x00000000749F0000-0x0000000074A43000-memory.dmp
      Filesize

      332KB

      Download
    • memory/1756-89-0x0000000003620000-0x0000000003622000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1756-90-0x0000000003560000-0x0000000003561000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1756-91-0x0000000003560000-0x0000000003561000-memory.dmp
      Filesize

      4KB

      Download