Overview

overview

10

Static

static

3

21daa55b09...53.exe

windows7-x64

10

21daa55b09...53.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    93s
  • max time network
    129s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-05-2024 01:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    21daa55b09213ecdee0108b027b3aa53.exe

  • Size

    561KB

  • MD5

    21daa55b09213ecdee0108b027b3aa53

  • SHA1

    c6eb2d539531355ce9ce22fe029f0934065dbb7d

  • SHA256

    e71b74e56460d3306316281d116cbf56074788efcbb34f6f077ffdd10c8dbc02

  • SHA512

    c867f302deb1bd43bcb3ba65a9cd493f4dfc9a57b8863239afb4c380e78ca8d5c3a4bc0bb2bd11698944c5bbf7cf1b689f12229f2c06108c1aa4f111465b9d95

  • SSDEEP

    6144:C4xWH5KrIJU1TJqy4P5z4xWH5KrIJUXa+GAsebVLS37btJWB5DURZov5:OKbl0PnKHVseiBEBNt

Score
10/10
netwirebotnetpersistenceratstealer

Malware Config

Extracted

Family

netwire

C2

185.163.100.31:3364

Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • offline_keylogger

    true

  • password

    Frank321

  • registry_autorun

    false

  • use_mutex

    false

Signatures

  • NetWire RAT payload 3 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\21daa55b09213ecdee0108b027b3aa53.exe
    "C:\Users\Admin\AppData\Local\Temp\21daa55b09213ecdee0108b027b3aa53.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:452
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\21daa55b09213ecdee0108b027b3aa53.exe" "C:\Users\Admin\AppData\Roaming\Windows Utility.exe"
      2⤵
        PID:1192
      • C:\Windows\SysWOW64\explorer.exe
        "C:\Windows\System32\explorer.exe" /c, "C:\Users\Admin\AppData\Roaming\Windows Utility.exe"
        2⤵
          PID:4536
      • C:\Windows\explorer.exe
        C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:1744
        • C:\Users\Admin\AppData\Roaming\Windows Utility.exe
          "C:\Users\Admin\AppData\Roaming\Windows Utility.exe"
          2⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of SetThreadContext
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1228
          • C:\Users\Admin\AppData\Roaming\Windows Utility.exe
            "C:\Users\Admin\AppData\Roaming\Windows Utility.exe"
            3⤵
            • Executes dropped EXE
            PID:2864

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\Windows Utility.exe
        Filesize

        561KB

        MD5

        21daa55b09213ecdee0108b027b3aa53

        SHA1

        c6eb2d539531355ce9ce22fe029f0934065dbb7d

        SHA256

        e71b74e56460d3306316281d116cbf56074788efcbb34f6f077ffdd10c8dbc02

        SHA512

        c867f302deb1bd43bcb3ba65a9cd493f4dfc9a57b8863239afb4c380e78ca8d5c3a4bc0bb2bd11698944c5bbf7cf1b689f12229f2c06108c1aa4f111465b9d95

        Download Submit

      • memory/452-4-0x00000000059E0000-0x00000000059FA000-memory.dmp

        Filesize

        104KB

        Download

      • memory/452-11-0x00000000750BE000-0x00000000750BF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/452-3-0x0000000005B00000-0x0000000005B92000-memory.dmp

        Filesize

        584KB

        Download

      • memory/452-0-0x00000000750BE000-0x00000000750BF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/452-5-0x0000000003450000-0x0000000003456000-memory.dmp

        Filesize

        24KB

        Download

      • memory/452-6-0x00000000750B0000-0x0000000075860000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/452-2-0x0000000006010000-0x00000000065B4000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/452-8-0x000000000AF70000-0x000000000AF7A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/452-7-0x000000000AFB0000-0x000000000B04C000-memory.dmp

        Filesize

        624KB

        Download

      • memory/452-12-0x00000000750B0000-0x0000000075860000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/452-14-0x00000000750B0000-0x0000000075860000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/452-1-0x0000000000F60000-0x0000000000FF2000-memory.dmp

        Filesize

        584KB

        Download

      • memory/2864-17-0x0000000000400000-0x000000000042C000-memory.dmp

        Filesize

        176KB

        Download

      • memory/2864-20-0x0000000000400000-0x000000000042C000-memory.dmp

        Filesize

        176KB

        Download

      • memory/2864-22-0x0000000000400000-0x000000000042C000-memory.dmp

        Filesize

        176KB

        Download