netwire | 1143ff1525cde3881a8eece914059af66ce9f42da386d0ea586453cbfe33ac35

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
05-05-2024 10:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

17432fd27e8b58a37f0dc87f187fd187_JaffaCakes118.vbs
Size

1.5MB
MD5

17432fd27e8b58a37f0dc87f187fd187
SHA1

d075ff4fa6d0eaa61bf39e909c60ccfa6cedf879
SHA256

1143ff1525cde3881a8eece914059af66ce9f42da386d0ea586453cbfe33ac35
SHA512

0a0e49dee8ca6955645726bcb05174f8641a9045632a3b012f8eeef1392d61604eb17f3fdc775a87c569800f2faf2f01d19efdd90a553347a689baaa61921b1c
SSDEEP

24576:iGO83g+h1oWAYtrHbuN0ARrV4QQqxPF80Dz:VvuNVxGQPpOez

Score

10^/10

netwire xpertrat work botnet evasion rat stealer trojan

Malware Config

Extracted

Family

netwire

manuel3.publicvm.com:3366

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
Mine Netwire
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
TbSYfUnj
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
true

Extracted

Family

xpertrat

Version

3.0.10

Botnet

Work

127.0.0.1:666

manuel3.publicvm.com:1999

Mutex

E4R7O6I8-U116-J8G5-I0H0-K3H6U8T885I2

Signatures

NetWire RAT payload 5 IoCs

rat

resource	yara_rule
behavioral2/memory/1092-39-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/1092-48-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/1092-41-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/1092-40-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/1092-36-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

Windows security bypass 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	svchost.exe

XpertRAT
XpertRAT is a remote access trojan with various capabilities.
rat xpertrat

XpertRAT Core payload 1 IoCs

resource	yara_rule
behavioral2/memory/388-53-0x0000000000400000-0x0000000000443000-memory.dmp	xpertrat

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	file1name.exe
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	file2name.exe

Executes dropped EXE 2 IoCs

pid	Process
4700	file1name.exe
1632	file2name.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ut	iexplore.exe
File opened for modification	C:\Windows\SysWOW64\E4R7O6I8-U116-J8G5-I0H0-K3H6U8T885I2	iexplore.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4700 set thread context of 1092	4700	file1name.exe	96
PID 1632 set thread context of 3688	1632	file2name.exe	97
PID 3688 set thread context of 388	3688	svchost.exe	98

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
976	schtasks.exe
1000	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1632	file2name.exe
1632	file2name.exe
1632	file2name.exe
4700	file1name.exe
4700	file1name.exe
4700	file1name.exe
3688	svchost.exe
3688	svchost.exe
3688	svchost.exe
3688	svchost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1632	file2name.exe
Token: SeDebugPrivilege	4700	file1name.exe
Token: SeDebugPrivilege	388	iexplore.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3688	svchost.exe
388	iexplore.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 464 wrote to memory of 4700	464	WScript.exe	85
PID 464 wrote to memory of 4700	464	WScript.exe	85
PID 464 wrote to memory of 4700	464	WScript.exe	85
PID 464 wrote to memory of 1632	464	WScript.exe	86
PID 464 wrote to memory of 1632	464	WScript.exe	86
PID 464 wrote to memory of 1632	464	WScript.exe	86
PID 1632 wrote to memory of 1000	1632	file2name.exe	92
PID 1632 wrote to memory of 1000	1632	file2name.exe	92
PID 1632 wrote to memory of 1000	1632	file2name.exe	92
PID 4700 wrote to memory of 976	4700	file1name.exe	93
PID 4700 wrote to memory of 976	4700	file1name.exe	93
PID 4700 wrote to memory of 976	4700	file1name.exe	93
PID 4700 wrote to memory of 1092	4700	file1name.exe	96
PID 4700 wrote to memory of 1092	4700	file1name.exe	96
PID 4700 wrote to memory of 1092	4700	file1name.exe	96
PID 1632 wrote to memory of 3688	1632	file2name.exe	97
PID 1632 wrote to memory of 3688	1632	file2name.exe	97
PID 1632 wrote to memory of 3688	1632	file2name.exe	97
PID 4700 wrote to memory of 1092	4700	file1name.exe	96
PID 1632 wrote to memory of 3688	1632	file2name.exe	97
PID 1632 wrote to memory of 3688	1632	file2name.exe	97
PID 4700 wrote to memory of 1092	4700	file1name.exe	96
PID 4700 wrote to memory of 1092	4700	file1name.exe	96
PID 1632 wrote to memory of 3688	1632	file2name.exe	97
PID 4700 wrote to memory of 1092	4700	file1name.exe	96
PID 4700 wrote to memory of 1092	4700	file1name.exe	96
PID 4700 wrote to memory of 1092	4700	file1name.exe	96
PID 4700 wrote to memory of 1092	4700	file1name.exe	96
PID 4700 wrote to memory of 1092	4700	file1name.exe	96
PID 1632 wrote to memory of 3688	1632	file2name.exe	97
PID 1632 wrote to memory of 3688	1632	file2name.exe	97
PID 3688 wrote to memory of 388	3688	svchost.exe	98
PID 3688 wrote to memory of 388	3688	svchost.exe	98
PID 3688 wrote to memory of 388	3688	svchost.exe	98
PID 3688 wrote to memory of 388	3688	svchost.exe	98
PID 3688 wrote to memory of 388	3688	svchost.exe	98
PID 3688 wrote to memory of 388	3688	svchost.exe	98
PID 3688 wrote to memory of 388	3688	svchost.exe	98
PID 3688 wrote to memory of 388	3688	svchost.exe	98

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\17432fd27e8b58a37f0dc87f187fd187_JaffaCakes118.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:464
- C:\Users\Admin\AppData\Local\Temp\file1name.exe
  "C:\Users\Admin\AppData\Local\Temp\file1name.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4700
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "PSUAQZG\PSUAQZG" /XML "C:\Users\Admin\AppData\Roaming\PSUAQZG\ahhhhh.xml"
    3⤵
    - Creates scheduled task(s)
    PID:976
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Windows\System32\svchost.exe"
    3⤵
    PID:1092
- C:\Users\Admin\AppData\Local\Temp\file2name.exe
  "C:\Users\Admin\AppData\Local\Temp\file2name.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1632
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "JLKEZRY\JLKEZRY" /XML "C:\Users\Admin\AppData\Roaming\JLKEZRY\ahhhhh.xml"
    3⤵
    - Creates scheduled task(s)
    PID:1000
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Windows\System32\svchost.exe"
    3⤵
    - UAC bypass
    - Windows security bypass
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3688
  - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      C:\Windows\SysWOW64\svchost.exe
      4⤵
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\file1name.exe

Filesize
528KB

MD5
f5dec089429d57a43bd4383d57a23cbf

SHA1
f4f53fd4c65420bde68857b9075ecc99545a4ab6

SHA256
21376229a9ae565cc2ad36dd6319f596d76adacea26003c69ae0c1f27fab0f90

SHA512
11bbde81e75cecd531101de3821f0caaccf0f04b8d64d19b117a8e81c71a6c9ea1dc74bf66640130673ef1e5f767f5929c7563b110d3c6dcbb405da697dc5b36

Download Submit
C:\Users\Admin\AppData\Local\Temp\file2name.exe

Filesize
568KB

MD5
08247446b2266867802f5faa274c95f5

SHA1
e69db3678328de50fe9049fb38f3befab465d508

SHA256
89f7b08ac2ceeb80f78c9173e6f5b2ce16743b299402dcc82280e735b5f9b96d

SHA512
26a87f84de3bbb411af7515644ebeb5f7884d68bc7f8ca99ed5709c618e29f9c85d93c8d6558d68a4d429c9c7eed4123715aee2bf6a153073bb5edea71f71b11

Download Submit
C:\Users\Admin\AppData\Roaming\JLKEZRY\ahhhhh.xml

Filesize
1KB

MD5
c3cbf6d604b5944a4c5898895cb218ff

SHA1
785fe81f6cb3cafec043314d0b48b4403f61ab1b

SHA256
dce2df23ba73c7ba0a654259dc60e8554bc20086648d968f31ed43fd0fa1647a

SHA512
966979631266fd3734a1325b236fc5d3cdc179dd3514385aadac7b523a752df18e9656cbd7488c7d8587d50b2e92337857e600812a30bc8d59968d27dee86a48

Download Submit
C:\Users\Admin\AppData\Roaming\PSUAQZG\ahhhhh.xml

Filesize
1KB

MD5
be430700d98846948f36830c36fbfc69

SHA1
e71497959d10f7255a68f887ced193e423c45893

SHA256
20612f4e2276117749beb42eeda891c141b43fba428180b65f39f43b93e7b860

SHA512
073e094da8a38051838c81ba8f4bac60a418e5d0196a2307f12a4cb8d97b63d1c200075308534782869e62d62eea4664792201df678f974439a7b3dc6931e9fa

Download Submit
memory/388-53-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1092-39-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1092-48-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1092-35-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1092-36-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1092-40-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1092-41-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1632-51-0x0000000074860000-0x0000000074E11000-memory.dmp

Filesize
5.7MB

Download
memory/1632-26-0x0000000074860000-0x0000000074E11000-memory.dmp

Filesize
5.7MB

Download
memory/1632-22-0x0000000074862000-0x0000000074863000-memory.dmp

Filesize
4KB

Download
memory/1632-24-0x0000000074860000-0x0000000074E11000-memory.dmp

Filesize
5.7MB

Download
memory/3688-47-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3688-43-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3688-34-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4700-52-0x0000000074860000-0x0000000074E11000-memory.dmp

Filesize
5.7MB

Download
memory/4700-23-0x0000000074860000-0x0000000074E11000-memory.dmp

Filesize
5.7MB

Download
memory/4700-25-0x0000000074860000-0x0000000074E11000-memory.dmp

Filesize
5.7MB

Download
memory/4700-27-0x0000000074860000-0x0000000074E11000-memory.dmp

Filesize
5.7MB

Download