Analysis

  • max time kernel
    117s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
  • submitted
    11-10-2023 11:08

General

  • Target

    3a216b9390f1c46b8e49d43c63211a76e236510ef545eda83ddd8084f605f956 (1).exe

  • Size

    15.2MB

  • MD5

    38be94769e4f59d9a90e551e505c2e07

  • SHA1

    cac71ca2dd32cbe99614870ef01851e0d54bff84

  • SHA256

    3a216b9390f1c46b8e49d43c63211a76e236510ef545eda83ddd8084f605f956

  • SHA512

    47ef669a5be744235e10ba65d7deb8bdd46544cd6dc4532fa4b43fdc3b5d9b6b49febbef8906870b321281c47ca45f9b679e65eabfeffbf6deffc96fa27e24a5

  • SSDEEP

    393216:J8/uxLqG0/kfQslis6SAVDfINRPcji3Zhtnh0:Bv0/kr8s6SA5QUji3ZhtnK

Malware Config

Extracted

Family

netwire

C2

qayshaija.ddns.net:1515

Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • offline_keylogger

    true

  • password

    Password

  • registry_autorun

    false

  • use_mutex

    false

Signatures

  • NetWire RAT payload 3 IoCs
  • Netwire

    Netwire is a RAT whose main functionality is focused on password stealing and keylogging, but it also includes remote control capabilities.

  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 11 IoCs
  • UPX packed file 11 IoCs

    Detects executables packed with the open-source UPX packer or a modified variant of it.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3a216b9390f1c46b8e49d43c63211a76e236510ef545eda83ddd8084f605f956 (1).exe
    "C:\Users\Admin\AppData\Local\Temp\3a216b9390f1c46b8e49d43c63211a76e236510ef545eda83ddd8084f605f956 (1).exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2216
    • C:\Users\Admin\AppData\Local\Temp\OInstall.exe
      "C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2576
      • C:\Windows\system32\cmd.exe
        "C:\Windows\Sysnative\cmd.exe" /D /c copy C:\Windows\system32\Tasks\OInstall "C:\Windows\Temp\OInstall.tmp" /Y
        3⤵
        PID:2968
        • C:\Windows\system32\cmd.exe
          "C:\Windows\Sysnative\cmd.exe" /D /c files.dat -y -pkmsauto
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2600
          • C:\Users\Admin\AppData\Local\Temp\files\files.dat
            files.dat -y -pkmsauto
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: CmdExeWriteProcessMemorySpam
            PID:2500
      • C:\Users\Admin\AppData\Local\Temp\install.exe
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        2⤵
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Enumerates system info in registry
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:2700
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
          "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
          3⤵
          PID:564
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
            "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:600
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 600 -s 280
              4⤵
              • Program crash
              PID:740

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\OInstall.exe

        Filesize

        9.8MB

        MD5

        78ffd4acc57558d2b0e6b89fff8930f4

        SHA1

        4513925109addb215d1004399302fb076fefdd43

        SHA256

        0c0a89c18afc28ffaf49d10153e4b81178c511cfb5594d893c9510c24c193e7e

        SHA512

        76685f2cf94bd8d15288696205a38033942f21def78c1d6fe503b94764fcbf46bfb01f7d9cf3d9adfe4136fc0b1eb395e071a3691bce0762038975eec259d566

      • C:\Users\Admin\AppData\Local\Temp\files\files.dat

        Filesize

        707KB

        MD5

        55d21b2c272a5d6b9f54fa9ed82bf9eb

        SHA1

        32464cba823cd9b7e94e4fa1a32a8f2344b0f33b

        SHA256

        7a1c82e264258470d14ca345ea1a9b6fc34fa19b393a92077a01be5f1ad08f47

        SHA512

        1b68d0c61367717529be4a3aa347bb69d3e21de7a89b10e8b0aa54d40af988cc0cc8e63298ba595a93c3372aca3770ace1eee2780a59238d0948499dbb4be725

      • C:\Users\Admin\AppData\Local\Temp\install.exe

        Filesize

        304KB

        MD5

        6037361243f8c390326debbea5b85ac2

        SHA1

        654fca850890949bbbd41a7e4c481ab89e10839a

        SHA256

        b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

        SHA512

        434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

      • memory/600-56-0x0000000000400000-0x000000000042B000-memory.dmp

        Filesize

        172KB

      • memory/600-60-0x0000000000400000-0x000000000042B000-memory.dmp

        Filesize

        172KB

      • memory/600-58-0x0000000000400000-0x000000000042B000-memory.dmp

        Filesize

        172KB

      • memory/2216-29-0x0000000008E60000-0x000000000A161000-memory.dmp

        Filesize

        19.0MB

      • memory/2576-33-0x0000000000400000-0x0000000001701000-memory.dmp

        Filesize

        19.0MB

      • memory/2576-67-0x0000000000400000-0x0000000001701000-memory.dmp

        Filesize

        19.0MB

      • memory/2576-53-0x0000000000400000-0x0000000001701000-memory.dmp

        Filesize

        19.0MB

      • memory/2700-51-0x0000000000550000-0x0000000000578000-memory.dmp

        Filesize

        160KB

      • memory/2700-55-0x00000000005E0000-0x00000000005E3000-memory.dmp

        Filesize

        12KB

      • memory/2700-52-0x0000000000580000-0x000000000059E000-memory.dmp

        Filesize

        120KB

      • memory/2700-39-0x0000000000190000-0x00000000001E2000-memory.dmp

        Filesize

        328KB