Overview

overview

10

Static

static

3

21daa55b09...53.exe

windows7-x64

10

21daa55b09...53.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    09-05-2024 01:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    21daa55b09213ecdee0108b027b3aa53.exe

  • Size

    561KB

  • MD5

    21daa55b09213ecdee0108b027b3aa53

  • SHA1

    c6eb2d539531355ce9ce22fe029f0934065dbb7d

  • SHA256

    e71b74e56460d3306316281d116cbf56074788efcbb34f6f077ffdd10c8dbc02

  • SHA512

    c867f302deb1bd43bcb3ba65a9cd493f4dfc9a57b8863239afb4c380e78ca8d5c3a4bc0bb2bd11698944c5bbf7cf1b689f12229f2c06108c1aa4f111465b9d95

  • SSDEEP

    6144:C4xWH5KrIJU1TJqy4P5z4xWH5KrIJUXa+GAsebVLS37btJWB5DURZov5:OKbl0PnKHVseiBEBNt

Score
10/10
netwirebotnetpersistenceratstealer

Malware Config

Extracted

Family

netwire

C2

185.163.100.31:3364

Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • offline_keylogger

    true

  • password

    Frank321

  • registry_autorun

    false

  • use_mutex

    false

Signatures

  • NetWire RAT payload 2 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\21daa55b09213ecdee0108b027b3aa53.exe
    "C:\Users\Admin\AppData\Local\Temp\21daa55b09213ecdee0108b027b3aa53.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1540
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\21daa55b09213ecdee0108b027b3aa53.exe" "C:\Users\Admin\AppData\Roaming\Windows Utility.exe"
      2⤵
        PID:2480
      • C:\Windows\SysWOW64\explorer.exe
        "C:\Windows\System32\explorer.exe" /c, "C:\Users\Admin\AppData\Roaming\Windows Utility.exe"
        2⤵
          PID:2672
      • C:\Windows\explorer.exe
        C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:2464
        • C:\Users\Admin\AppData\Roaming\Windows Utility.exe
          "C:\Users\Admin\AppData\Roaming\Windows Utility.exe"
          2⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of SetThreadContext
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2372
          • C:\Users\Admin\AppData\Roaming\Windows Utility.exe
            "C:\Users\Admin\AppData\Roaming\Windows Utility.exe"
            3⤵
            • Executes dropped EXE
            PID:1564

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\Windows Utility.exe
        Filesize

        561KB

        MD5

        21daa55b09213ecdee0108b027b3aa53

        SHA1

        c6eb2d539531355ce9ce22fe029f0934065dbb7d

        SHA256

        e71b74e56460d3306316281d116cbf56074788efcbb34f6f077ffdd10c8dbc02

        SHA512

        c867f302deb1bd43bcb3ba65a9cd493f4dfc9a57b8863239afb4c380e78ca8d5c3a4bc0bb2bd11698944c5bbf7cf1b689f12229f2c06108c1aa4f111465b9d95

        Download Submit

      • memory/1540-8-0x000000007481E000-0x000000007481F000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1540-2-0x0000000000840000-0x000000000085A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/1540-3-0x00000000004A0000-0x00000000004A6000-memory.dmp

        Filesize

        24KB

        Download

      • memory/1540-4-0x0000000074810000-0x0000000074EFE000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/1540-5-0x0000000074810000-0x0000000074EFE000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/1540-0-0x000000007481E000-0x000000007481F000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1540-9-0x0000000074810000-0x0000000074EFE000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/1540-10-0x0000000074810000-0x0000000074EFE000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/1540-11-0x0000000074810000-0x0000000074EFE000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/1540-1-0x0000000001180000-0x0000000001212000-memory.dmp

        Filesize

        584KB

        Download

      • memory/1564-15-0x0000000000400000-0x000000000042C000-memory.dmp

        Filesize

        176KB

        Download

      • memory/1564-17-0x0000000000400000-0x000000000042C000-memory.dmp

        Filesize

        176KB

        Download

      • memory/2372-14-0x0000000000B50000-0x0000000000BE2000-memory.dmp

        Filesize

        584KB

        Download