Overview

overview

10

Static

static

1

3756ac8f01...88.exe

windows7-x64

10

3756ac8f01...88.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-04-2024 10:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3756ac8f01c9c6d1c1a2e9b51edff7deca0540f8954950200daae8b4c28a9888.exe

  • Size

    1.1MB

  • MD5

    3a2f2086ac104d71f450b30ab47e36d5

  • SHA1

    3c29394856e86bf4d1d255e70b51929011f4c75a

  • SHA256

    3756ac8f01c9c6d1c1a2e9b51edff7deca0540f8954950200daae8b4c28a9888

  • SHA512

    f81309eab8b1249edb563e99d83527276ae163e89cf8fbc6da1f096fd1453ec7cd1839be0e0cc5594d2a4a2b9ecd0ed102d4b14b05330290224d3a0d352bb9d2

  • SSDEEP

    24576:o2O/GlJt+uxqlvm+QEoHTj9ShwLPQNBMHxLY:i6++lTj9ShwTCBMRs

Score
10/10
latentbotnetwirebotnetratstealertrojan

Malware Config

Extracted

Family

netwire

C2

knudandersen.zapto.org:21000

Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    07.03.17

  • keylogger_dir

    C:\NVIDIA\profile\

  • lock_executable

    false

  • offline_keylogger

    true

  • password

    1@wi%252ReNd5y0576Z*

  • registry_autorun

    false

  • use_mutex

    false

Extracted

Family

latentbot

C2

knudandersen.zapto.org

Signatures

  • LatentBot

    Modular trojan written in Delphi which has been in-the-wild since 2013.

    trojanlatentbot
  • NetWire RAT payload 3 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3756ac8f01c9c6d1c1a2e9b51edff7deca0540f8954950200daae8b4c28a9888.exe
    "C:\Users\Admin\AppData\Local\Temp\3756ac8f01c9c6d1c1a2e9b51edff7deca0540f8954950200daae8b4c28a9888.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2396
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Certificates\Missing of Pakistani Hujjaj during0001.pdf
      2⤵
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:392
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9b32046f8,0x7ff9b3204708,0x7ff9b3204718
        3⤵
          PID:5080
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,10738212237310487343,11551733013316344668,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
          3⤵
            PID:3700
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,10738212237310487343,11551733013316344668,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:4844
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,10738212237310487343,11551733013316344668,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2876 /prefetch:8
            3⤵
              PID:4708
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,10738212237310487343,11551733013316344668,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1
              3⤵
                PID:464
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,10738212237310487343,11551733013316344668,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
                3⤵
                  PID:3184
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,10738212237310487343,11551733013316344668,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4236 /prefetch:1
                  3⤵
                    PID:4036
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=ppapi --field-trial-handle=2116,10738212237310487343,11551733013316344668,131072 --lang=en-US --device-scale-factor=1 --ppapi-antialiased-text-enabled=1 --ppapi-subpixel-rendering-setting=1 --mojo-platform-channel-handle=4860 /prefetch:6
                    3⤵
                      PID:3652
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,10738212237310487343,11551733013316344668,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:1
                      3⤵
                        PID:1816
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,10738212237310487343,11551733013316344668,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:1
                        3⤵
                          PID:4404
                        • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,10738212237310487343,11551733013316344668,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3400 /prefetch:8
                          3⤵
                            PID:1708
                          • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,10738212237310487343,11551733013316344668,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3400 /prefetch:8
                            3⤵
                            • Suspicious behavior: EnumeratesProcesses
                            PID:4328
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,10738212237310487343,11551733013316344668,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
                            3⤵
                              PID:2440
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,10738212237310487343,11551733013316344668,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3616 /prefetch:1
                              3⤵
                                PID:5012
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,10738212237310487343,11551733013316344668,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3944 /prefetch:2
                                3⤵
                                • Suspicious behavior: EnumeratesProcesses
                                PID:1928
                            • C:\Windows\SysWOW64\WScript.exe
                              "C:\Windows\System32\WScript.exe" "C:\Certificates\Metallicanew.vbs"
                              2⤵
                              • Checks computer location settings
                              • Suspicious use of WriteProcessMemory
                              PID:2028
                              • C:\Certificates\Confirmation.exe
                                "C:\Certificates\Confirmation.exe"
                                3⤵
                                • Executes dropped EXE
                                • Suspicious behavior: EnumeratesProcesses
                                PID:1132
                                • C:\Windows\SysWOW64\WerFault.exe
                                  C:\Windows\SysWOW64\WerFault.exe -u -p 1132 -s 380
                                  4⤵
                                  • Program crash
                                  PID:952
                                • C:\Windows\SysWOW64\svchost.exe
                                  svchost.exe
                                  4⤵
                                  • Drops file in System32 directory
                                  PID:3008
                              • C:\Windows\SysWOW64\cmd.exe
                                "C:\Windows\System32\cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /MO 1 /TN NH2003 /TR C:\Certificates\Metallicanew.vbs
                                3⤵
                                  PID:4612
                                  • C:\Windows\SysWOW64\schtasks.exe
                                    SCHTASKS /CREATE /SC HOURLY /MO 1 /TN NH2003 /TR C:\Certificates\Metallicanew.vbs
                                    4⤵
                                    • Creates scheduled task(s)
                                    PID:3340
                            • C:\Windows\SysWOW64\WerFault.exe
                              C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1132 -ip 1132
                              1⤵
                                PID:4532
                              • C:\Windows\System32\CompPkgSrv.exe
                                C:\Windows\System32\CompPkgSrv.exe -Embedding
                                1⤵
                                  PID:4276
                                • C:\Windows\System32\CompPkgSrv.exe
                                  C:\Windows\System32\CompPkgSrv.exe -Embedding
                                  1⤵
                                    PID:1484

                                  Network

                                  MITRE ATT&CK Enterprise v15

                                  Replay Monitor

                                  Loading Replay Monitor...

                                  Downloads

                                  • C:\Certificates\Confirmation.exe
                                    Filesize

                                    168KB

                                    MD5

                                    cdc613712ac2ab85d6a0d314bb95a082

                                    SHA1

                                    b1ad7a99fe7c1cc93de3543b9c8e298d471bee75

                                    SHA256

                                    11cb794c0f015148172ac5cac54acdb87769a16e8a93be62ab953008b1d26bb2

                                    SHA512

                                    f48f37872186ef8644e76339e2b3f523e0bbe53381abfc464639e6bc0bc3224ff85c20fca1e9e1e7faf1a5e83623156b1bee0bb26109a5ae575f37353ce9795e

                                    Download Submit

                                  • C:\Certificates\Metallicanew.vbs
                                    Filesize

                                    165KB

                                    MD5

                                    5047080930303d63185b7360c4378c9d

                                    SHA1

                                    f99c5303d011039ba4c292c4fd77eb4d4299d847

                                    SHA256

                                    57c61e561fd7731c630c649984e3392cc95a30f2257ef3a4ff3fcb0b05a5ca87

                                    SHA512

                                    3b3ac18cc73028cc74ba64251e87cecfb7598631e40fa95840555380c7157960c01d20724a79fc308b5fff96edbc05f078a4916df7c081bb0e4791681607cc69

                                    Download Submit

                                  • C:\Certificates\Missing of Pakistani Hujjaj during0001.pdf
                                    Filesize

                                    708KB

                                    MD5

                                    c2e3f3d9fc006cd26682fb8623652c3b

                                    SHA1

                                    56acebff1f3ea7dba1f9f39877c97fb0756d7693

                                    SHA256

                                    b5865366283db9f3accf36d5445d9701b7bff87601f8161327ae175759de0c4b

                                    SHA512

                                    73ab29b70b8ee9b766c00f659d5c0f350f5202898b5f3e5e472d833ca2d9f53260c5237de81eb6e44523715f2f9d3d9d57dcb3e8564fab35584070a65e8ff2a1

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                    Filesize

                                    152B

                                    MD5

                                    9f44d6f922f830d04d7463189045a5a3

                                    SHA1

                                    2e9ae7188ab8f88078e83ba7f42a11a2c421cb1c

                                    SHA256

                                    0ae5cf8b49bc34fafe9f86734c8121b631bad52a1424c1dd2caa05781032334a

                                    SHA512

                                    7c1825eaefcc7b97bae31eeff031899300b175222de14000283e296e9b44680c8b3885a4ed5d78fd8dfee93333cd7289347b95a62bf11f751c4ca47772cf987d

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                    Filesize

                                    152B

                                    MD5

                                    7740a919423ddc469647f8fdd981324d

                                    SHA1

                                    c1bc3f834507e4940a0b7594e34c4b83bbea7cda

                                    SHA256

                                    bdd4adaa418d40558ab033ac0005fd6c2312d5f1f7fdf8b0e186fe1d65d78221

                                    SHA512

                                    7ad98d5d089808d9a707d577e76e809a223d3007778a672734d0a607c2c3ac5f93bc72adb6e6c7f878a577d3a1e69a16d0cd871eb6f58b8d88e2ea25f77d87b7

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                    Filesize

                                    6KB

                                    MD5

                                    3844b76ddbda16daab3f4afce22dbd6d

                                    SHA1

                                    db897276f09bad41b693cc20d7fab92c52723e27

                                    SHA256

                                    23b55288a8b094616384e85cd3a8a2607763f559eb27ad7f92bf7ef8a6cc7e0e

                                    SHA512

                                    a0996aeb53f22693273182e0f7415a83109f23332515d27631db45424513914ef174827888e3b038e2785022036b180bd427e483a3ca19b98d6ea8b9027a389c

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                    Filesize

                                    6KB

                                    MD5

                                    b248cf46fd2c2c0c1529d8ce71abb03a

                                    SHA1

                                    c045a3725e5e036a3cea172f5ad634fe4a4ec991

                                    SHA256

                                    5a0d58fc2699d015313c653fdf0606ab61daec6bc2f355fed0892d8c4d31a524

                                    SHA512

                                    845a28dcb602fcf5ec69616bbf2a1f8df70cbd608e2740f61a80c0d8bbabc00fde04874085f69328da13207d27064ea8f9af0540d88ffb54d682d6bb5a58bb57

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                    Filesize

                                    16B

                                    MD5

                                    6752a1d65b201c13b62ea44016eb221f

                                    SHA1

                                    58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                    SHA256

                                    0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                    SHA512

                                    9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                    Filesize

                                    11KB

                                    MD5

                                    a4a3408c6bfd666853f61a146f649cb0

                                    SHA1

                                    407c9e17336c27365d8f1a38320bf9d524a77bdc

                                    SHA256

                                    d8e84a7079a1487b2b794b164c5eb2a0355b53ed0686967060f062691302a203

                                    SHA512

                                    0876a16a9803164c8031c702e1d844a509179814cfa6cb6cf096bdb5604bfe8c408d692cb158ca1f2e30e6ba9e36a936a512c23605fb14f31f2eebf401282c00

                                    Download Submit

                                  • memory/1132-38-0x0000000077B62000-0x0000000077B63000-memory.dmp

                                    Filesize

                                    4KB

                                    Download

                                  • memory/1132-40-0x0000000002110000-0x000000000218B000-memory.dmp

                                    Filesize

                                    492KB

                                    Download

                                  • memory/1132-37-0x0000000002110000-0x000000000218B000-memory.dmp

                                    Filesize

                                    492KB

                                    Download

                                  • memory/3008-42-0x0000000000400000-0x0000000000420000-memory.dmp

                                    Filesize

                                    128KB

                                    Download

                                  • memory/3008-45-0x00000000012C0000-0x00000000012C1000-memory.dmp

                                    Filesize

                                    4KB

                                    Download

                                  • memory/3008-46-0x0000000000400000-0x0000000000420000-memory.dmp

                                    Filesize

                                    128KB

                                    Download

                                  • memory/3008-41-0x0000000077B62000-0x0000000077B63000-memory.dmp

                                    Filesize

                                    4KB

                                    Download

                                  • memory/3008-39-0x0000000000400000-0x0000000000420000-memory.dmp

                                    Filesize

                                    128KB

                                    Download