Overview

overview

10

Static

static

3

Cobaltbghd...xe.exe

windows7-x64

10

Cobaltbghd...xe.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20230712-en
  • resource tags

    arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
  • submitted
    02/08/2023, 18:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Cobaltbghdbghich14_browsingExe.exe

  • Size

    1.3MB

  • MD5

    55e3025122ba322bb9c5fc881ad05a92

  • SHA1

    88734ae99e0b76b5f63669d582f9138c0a7098ca

  • SHA256

    e933ec0f52cbc60b92134d48b08661b1af25c7d93ff5041fc704559b45bd85b8

  • SHA512

    20209b1fdc5008a3f8d2fb488802f8702f300a017fd6e37f88d72fd17db92a7d18c5bca34d9acbafabfedf7b1769a5cbcf11f2c48806c03cb1345126590a6759

  • SSDEEP

    24576:UeP/5CxBM9dOxLFDApSPKk48ULCW5Wq8USQKo+co4Jc1BR:B/5CxBM9iLFssPH482f5kPco4Jc

Score
10/10
netwirebotnetpersistenceratstealer

Malware Config

Extracted

Family

netwire

C2

banqueislamik.ddrive.online:3360

Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    SALUT

  • lock_executable

    false

  • offline_keylogger

    false

  • password

    Password

  • registry_autorun

    false

  • use_mutex

    false

Signatures

  • NetWire RAT payload 3 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Cobaltbghdbghich14_browsingExe.exe
    "C:\Users\Admin\AppData\Local\Temp\Cobaltbghdbghich14_browsingExe.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2220
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pawmmueu.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pawmmueu.exe lwbe.kcv
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2196
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c schtasks /create /sc minute /mo 5 /tn kciu /tr "C:\Users\Admin\kciu\pawmmueu.exe C:\Users\Admin\kciu\lwbe.kcv"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2208
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /sc minute /mo 5 /tn kciu /tr "C:\Users\Admin\kciu\pawmmueu.exe C:\Users\Admin\kciu\lwbe.kcv"
          4⤵
          • Creates scheduled task(s)
          PID:2328
      • C:\Users\Admin\pawmmueu.exe
        0
        3⤵
        • Executes dropped EXE
        PID:2536

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bkaf.uwj
    Filesize

    273KB

    MD5

    d8afc98db18400695af8bf2d76fe2a10

    SHA1

    d20843b5c6996e198d1c57fe123f46587d36e767

    SHA256

    c3b885c12ed1cfa6ab2308754fc6b145ac93b170e16d954d83180f9dceda82fb

    SHA512

    582df46b3c0fb1e08f3fccfa42c3f37fc4efb0501937c398dbc20e820c0e568ff6f490cf87282cd50197dcbc8eaa642d23e847f277d7663680251631e3ac4230

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lwbe.kcv
    Filesize

    113.6MB

    MD5

    f951e72df74c97a5f14efcd4973a5846

    SHA1

    da473bea7467bdc4f003144c606b5a2eab3e9fc3

    SHA256

    5b71626d99a74b1d8721cef74475a58a394eb9d9b8e46b4f3c4dd21faaaa333b

    SHA512

    abdfff664b61fd3018d3043b680ce2a4bced5d55679e6e377acfe6d89cd6ab7ca15b44a41e9ef71086cd61899c9b4c61aaf923eabd570f696ff37d13e04dd138

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pawmmueu.exe
    Filesize

    918KB

    MD5

    ad5e6eb33f8b6b48fab6d9ab3e1212c1

    SHA1

    712f5e781df0e1cf0a52cc1312f097c290770909

    SHA256

    dd998d69304649d295691a188f8d0b04b4c2ca5dc7fb03494867bd7738200daa

    SHA512

    11822e5ec5b765109db5c132e8c7dd172f883bb7ae57f78be3861099aef24b0625dc943f2d20b4eff2615e5b98f2836322c8ccac526ee6448c04cfc28328c538

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pawmmueu.exe
    Filesize

    918KB

    MD5

    ad5e6eb33f8b6b48fab6d9ab3e1212c1

    SHA1

    712f5e781df0e1cf0a52cc1312f097c290770909

    SHA256

    dd998d69304649d295691a188f8d0b04b4c2ca5dc7fb03494867bd7738200daa

    SHA512

    11822e5ec5b765109db5c132e8c7dd172f883bb7ae57f78be3861099aef24b0625dc943f2d20b4eff2615e5b98f2836322c8ccac526ee6448c04cfc28328c538

    Download Submit

  • C:\Users\Admin\pawmmueu.exe
    Filesize

    44KB

    MD5

    0e06054beb13192588e745ee63a84173

    SHA1

    30b7d4d1277bafd04a83779fd566a1f834a8d113

    SHA256

    c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

    SHA512

    251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IXP000.TMP\pawmmueu.exe
    Filesize

    918KB

    MD5

    ad5e6eb33f8b6b48fab6d9ab3e1212c1

    SHA1

    712f5e781df0e1cf0a52cc1312f097c290770909

    SHA256

    dd998d69304649d295691a188f8d0b04b4c2ca5dc7fb03494867bd7738200daa

    SHA512

    11822e5ec5b765109db5c132e8c7dd172f883bb7ae57f78be3861099aef24b0625dc943f2d20b4eff2615e5b98f2836322c8ccac526ee6448c04cfc28328c538

    Download Submit

  • \Users\Admin\pawmmueu.exe
    Filesize

    44KB

    MD5

    0e06054beb13192588e745ee63a84173

    SHA1

    30b7d4d1277bafd04a83779fd566a1f834a8d113

    SHA256

    c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

    SHA512

    251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

    Download Submit

  • memory/2196-69-0x0000000000A30000-0x0000000000E30000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/2536-73-0x0000000000F50000-0x0000000001F50000-memory.dmp

    Filesize

    16.0MB

    Download

  • memory/2536-74-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2536-75-0x0000000000F50000-0x0000000001F50000-memory.dmp

    Filesize

    16.0MB

    Download

  • memory/2536-78-0x0000000000F50000-0x0000000001F50000-memory.dmp

    Filesize

    16.0MB

    Download

  • memory/2536-79-0x0000000000F50000-0x0000000001F50000-memory.dmp

    Filesize

    16.0MB

    Download