Overview

overview

10

Static

static

3

b0a864a148...ca.exe

windows7-x64

10

b0a864a148...ca.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    03/03/2024, 23:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b0a864a148401a06d36c824e148c4bca.exe

  • Size

    679KB

  • MD5

    b0a864a148401a06d36c824e148c4bca

  • SHA1

    0f576fd2fa907dd0e44e63dcbae3c95ed02c856e

  • SHA256

    a33cee89c7330579833c3ec1708a3718d5383889f83074194b01b0049b985b9c

  • SHA512

    c42aaa9a8fe600a55a32a82dd479e83974634bcd1478b7f911561c866e0049e9f7b845c69966865e6197593279e8398ac882251a84f0c65289f544e43a9dbf3f

  • SSDEEP

    12288:7ViPLBHrljUrybmbzIpWXPxwKMVAFWuQdvoP8DpBqp9l3SyaUVKnp:7ViP1LlwybOAWfxNrkXgP8svZahp

Score
10/10
netwirebotnetratstealer

Malware Config

Extracted

Family

netwire

C2

night90.ddns.net:8999

Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    New-stub

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    true

  • mutex

    soHOGwSb

  • offline_keylogger

    true

  • password

    teamoluwa1

  • registry_autorun

    false

  • use_mutex

    true

Signatures

  • NetWire RAT payload 7 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b0a864a148401a06d36c824e148c4bca.exe
    "C:\Users\Admin\AppData\Local\Temp\b0a864a148401a06d36c824e148c4bca.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1504
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\b0a864a148401a06d36c824e148c4bca.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2000
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\JAwsDkf.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2784
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JAwsDkf" /XML "C:\Users\Admin\AppData\Local\Temp\tmp91C4.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2844
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\JAwsDkf.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:628
    • C:\Users\Admin\AppData\Local\Temp\b0a864a148401a06d36c824e148c4bca.exe
      "C:\Users\Admin\AppData\Local\Temp\b0a864a148401a06d36c824e148c4bca.exe"
      2⤵
        PID:856

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp91C4.tmp
      Filesize

      1KB

      MD5

      cc311c40592810e4aa310e138cd2750c

      SHA1

      6164b9615735d8c48d97a48eb117f6efc538bbb6

      SHA256

      fef5fc5252e7a31b3aef1b093507580ffa52c05619f5ab8fc8c91f46471927a0

      SHA512

      f032e5b576817da9a6a24ebbce603b065249b637b1c89c982aaaf4057535b0cf871ae951f4632bf21fc833b7e301381d22967b667f6a2dfe33a442031100ea2d

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
      Filesize

      7KB

      MD5

      404750be5eed61406133a88aa48831cc

      SHA1

      09cee03b5f878f61eeab99c61872a2ec6bad498f

      SHA256

      c132e7ac3c5d359487cba11d6f7c5b7af0fc47e9f9d7fe0f7b5cdd6cab9084dc

      SHA512

      b2ef2ebef40b9883a1e16ed33360d31ffbf1d05622ffaeb3ea1a694d39b1d981444e3f0b7dd7dedab61f5e1d638dc975bcd9906907548a8b7beec49d2c75b5b1

      Download Submit

    • memory/628-43-0x0000000074510000-0x0000000074ABB000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/628-51-0x0000000074510000-0x0000000074ABB000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/628-48-0x0000000001DE0000-0x0000000001E20000-memory.dmp

      Filesize

      256KB

      Download

    • memory/628-50-0x0000000001DE0000-0x0000000001E20000-memory.dmp

      Filesize

      256KB

      Download

    • memory/628-47-0x0000000074510000-0x0000000074ABB000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/628-45-0x0000000001DE0000-0x0000000001E20000-memory.dmp

      Filesize

      256KB

      Download

    • memory/856-25-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/856-46-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/856-42-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/856-40-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/856-21-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/856-23-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/856-34-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/856-27-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/856-29-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/856-31-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/1504-49-0x0000000074510000-0x0000000074ABB000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1504-1-0x0000000074510000-0x0000000074ABB000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1504-0-0x0000000074510000-0x0000000074ABB000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1504-2-0x0000000000630000-0x0000000000670000-memory.dmp

      Filesize

      256KB

      Download

    • memory/1504-3-0x0000000074510000-0x0000000074ABB000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1504-4-0x0000000000630000-0x0000000000670000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2000-19-0x0000000074510000-0x0000000074ABB000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2000-20-0x00000000029C0000-0x0000000002A00000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2000-16-0x0000000074510000-0x0000000074ABB000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2000-52-0x0000000074510000-0x0000000074ABB000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2784-18-0x0000000002980000-0x00000000029C0000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2784-17-0x0000000074510000-0x0000000074ABB000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2784-53-0x0000000074510000-0x0000000074ABB000-memory.dmp

      Filesize

      5.7MB

      Download