Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-05-2024 20:56

General

  • Target

    Documents.scr

  • Size

    1.1MB

  • MD5

    593aeac80c036d5c582b7401ebea4bee

  • SHA1

    4440e909d855dc00a9b488bd066d4677e3258d52

  • SHA256

    0686b879b7202d29274f7d6cc2e1a46beef12a3cc831cccbae97ddd96218d809

  • SHA512

    f0c3ca04a3b0a3cb56e06dee182fadb52f6de2eb1dfec8a53337bbca7c365a17e088d3ba3f74c756f51a60ddd5d6f0b0d2e07c37f0c2bcb96764267ad5b6697d

  • SSDEEP

    24576:6NA3R5drXLmpdOA0NXfvhQIMmJwCPfKCUf/omu17h+hK+AQMBQFFGs7f:z5LmOA0NXfvyvWwCnjUu1F+KbQMBcFGK

Malware Config

Extracted

Family

netwire

C2

tats2lou.ddns.net:3122

Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • offline_keylogger

    true

  • password

    Password

  • registry_autorun

    false

  • use_mutex

    false

Signatures

  • NetWire RAT payload 2 IoCs
  • Netwire

    Netwire is a RAT whose main functionality is focused on password stealing and keylogging, but it also includes remote control capabilities.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Documents.scr
    "C:\Users\Admin\AppData\Local\Temp\Documents.scr" /S
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2196
    • C:\Users\Admin\AppData\Local\Temp\05058597\qoqcxwmpeh.exe
      "C:\Users\Admin\AppData\Local\Temp\05058597\qoqcxwmpeh.exe" cxvaurw.blf
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:772
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        3⤵
        PID:2952

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\05058597\jnuncnh.ini

      Filesize

      303KB

      MD5

      b47acfeaeb9f286ba877f2bfcbcfe65a

      SHA1

      e217578e98c0730d9dcf75d31243ba4ed8c883f2

      SHA256

      90b50db3a32950c47019116aee1751d7d378d09d1c3386dbca16fa66fc56a6ac

      SHA512

      35cc7029d5c6729bf876753ae39e9a61064928854c936e79fbb640b72f4e2cea1cb11ba6463211a5deca8c3865b76c8c9ac37bfff312b508b9048bbcf791d6cf

    • \Users\Admin\AppData\Local\Temp\05058597\qoqcxwmpeh.exe

      Filesize

      732KB

      MD5

      71d8f6d5dc35517275bc38ebcc815f9f

      SHA1

      cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

      SHA256

      fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

      SHA512

      4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

    • memory/2952-164-0x00000000003C0000-0x00000000013C0000-memory.dmp

      Filesize

      16.0MB

    • memory/2952-166-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

    • memory/2952-167-0x00000000003C0000-0x00000000013C0000-memory.dmp

      Filesize

      16.0MB

    • memory/2952-168-0x00000000003C0000-0x00000000013C0000-memory.dmp

      Filesize

      16.0MB