Overview

overview

10

Static

static

7

3b41fb9385...0N.exe

windows7-x64

10

3b41fb9385...0N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    34s
  • max time network
    39s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    30-08-2024 06:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3b41fb9385c0ac13fc08f3fda2098ac0N.exe

  • Size

    118KB

  • MD5

    3b41fb9385c0ac13fc08f3fda2098ac0

  • SHA1

    979c54b5e2d8afec33bc69ffb7a35a81a14264c8

  • SHA256

    878d2d7e6bc21b888be0c88716d0457fbb224f3d27263be509180aaf8aa4f611

  • SHA512

    d54d1109c7689c2867d4c8bb41667005717c36404e094316f9dc35a7810561867588d10f5da303656e087e76de5e0f9996b47c24f6f1b2e8128d36bb5ae280e8

  • SSDEEP

    3072:M+z7JXnrdFzp886+RMPy5fWMwdWRgjnahKoutjKI7ehMx:rz75nrz286+RMaLVRgjahKoS

Score
10/10
netwirebotnetdiscoveryratstealerupx

Malware Config

Extracted

Family

netwire

C2

imemerit.servehttp.com:3360

Attributes
  • activex_autorun

    true

  • activex_key

    {I78G8V27-88UF-2L1T-8064-2S8723OVASE8}

  • copy_executable

    false

  • delete_original

    true

  • host_id

    HostId-%Rand%

  • keylogger_dir

    C:\Users\Admin\AppData\Roaming\Logs\

  • lock_executable

    false

  • mutex

    TIrKHSHH

  • offline_keylogger

    true

  • password

    `+8n0x<gT)\"Lu5"'A`c?$H="

  • registry_autorun

    true

  • startup_name

    FirstRowAli

  • use_mutex

    true

Signatures

  • NetWire RAT payload 2 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 5 IoCs
  • UPX packed file 26 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Gathers network information 2 TTPs 4 IoCs

    Uses commandline utility to view network configuration.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 56 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3b41fb9385c0ac13fc08f3fda2098ac0N.exe
    "C:\Users\Admin\AppData\Local\Temp\3b41fb9385c0ac13fc08f3fda2098ac0N.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3036
    • C:\Windows\SysWOW64\ipconfig.exe
      "C:\Windows\System32\ipconfig.exe" /release
      2⤵
      • System Location Discovery: System Language Discovery
      • Gathers network information
      PID:1384
    • C:\Users\Admin\AppData\Local\Temp\3b41fb9385c0ac13fc08f3fda2098ac0N.exe
      "C:\Users\Admin\AppData\Local\Temp\3b41fb9385c0ac13fc08f3fda2098ac0N.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2280
      • C:\Windows\SysWOW64\ipconfig.exe
        ipconfig /renew
        3⤵
        • System Location Discovery: System Language Discovery
        • Gathers network information
        PID:2772
    • C:\Users\Admin\AppData\Local\Temp\3b41fb9385c0ac13fc08f3fda2098ac0N.exe
      "C:\Users\Admin\AppData\Local\Temp\3b41fb9385c0ac13fc08f3fda2098ac0N.exe"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2256
      • C:\Users\Admin\AppData\Roaming\FirstRow.pif
        "C:\Users\Admin\AppData\Roaming\FirstRow.pif"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2788
        • C:\Windows\SysWOW64\ipconfig.exe
          "C:\Windows\System32\ipconfig.exe" /release
          4⤵
          • System Location Discovery: System Language Discovery
          • Gathers network information
          PID:2924
        • C:\Users\Admin\AppData\Roaming\FirstRow.pif
          "C:\Users\Admin\AppData\Roaming\FirstRow.pif"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:852
          • C:\Windows\SysWOW64\ipconfig.exe
            ipconfig /renew
            5⤵
            • System Location Discovery: System Language Discovery
            • Gathers network information
            PID:2496
        • C:\Users\Admin\AppData\Roaming\FirstRow.pif
          "C:\Users\Admin\AppData\Roaming\FirstRow.pif"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:2392
          • C:\Windows\SysWOW64\bitsadmin.exe
            "C:\Windows\system32\bitsadmin.exe"
            5⤵
              PID:2960
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c ""C:\Users\Admin\AppData\Local\Temp\BTLRY.bat" "
                6⤵
                  PID:2792
                  • C:\Windows\SysWOW64\reg.exe
                    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UpdateAliAim" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\FirstRow.pif" /f
                    7⤵
                      PID:2200
              • C:\Users\Admin\AppData\Roaming\FirstRow.pif
                "C:\Users\Admin\AppData\Roaming\FirstRow.pif"
                4⤵
                  PID:2844

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\BTLRY.bat
            Filesize

            142B

            MD5

            f36ef4e2bfb399e9159d71c0806dc34f

            SHA1

            9ce20868ec14cabf37d77a1995b1399ebf40681d

            SHA256

            99a012606942fe84a0ed1b09c60ef765cef48e4ba317b3a71595b300ae531cc2

            SHA512

            ad7cd152f2b8f04aeee6838ccb2cc10675f289f0e4fd0e6175dace10a062655df1ec2a8d5e80ba65e5d6d0237311c91b0fce54c16e7576dc38b3399abc304b0b

            Download Submit

          • \Users\Admin\AppData\Roaming\FirstRow.pif
            Filesize

            118KB

            MD5

            2cc98992478c9688ccfd9e130c16bd59

            SHA1

            f200987192c510bdef382472a90278cb3805672f

            SHA256

            95c9d6fcd9241052b5664d0df9dc0071f3847b37940fa0bb15f85d6daac4072d

            SHA512

            c04de54ace172b7fc619da68af29f67623bd0f96d679864d0f6950a5a4c680221ee0a2d263e40a133fac9d9d46448233bb8fb9b3bfc615d029faa6611614c7f6

            Download Submit

          • memory/852-83-0x0000000000400000-0x0000000000416000-memory.dmp

            Filesize

            88KB

            Download

          • memory/2256-44-0x0000000000400000-0x0000000000415000-memory.dmp

            Filesize

            84KB

            Download

          • memory/2256-38-0x0000000003380000-0x00000000033FC000-memory.dmp

            Filesize

            496KB

            Download

          • memory/2256-14-0x0000000000400000-0x0000000000415000-memory.dmp

            Filesize

            84KB

            Download

          • memory/2256-13-0x0000000000400000-0x0000000000415000-memory.dmp

            Filesize

            84KB

            Download

          • memory/2256-11-0x0000000000400000-0x0000000000415000-memory.dmp

            Filesize

            84KB

            Download

          • memory/2256-39-0x0000000003380000-0x00000000033FC000-memory.dmp

            Filesize

            496KB

            Download

          • memory/2256-40-0x0000000003390000-0x000000000340C000-memory.dmp

            Filesize

            496KB

            Download

          • memory/2280-10-0x0000000000400000-0x0000000000416000-memory.dmp

            Filesize

            88KB

            Download

          • memory/2280-49-0x0000000000400000-0x0000000000416000-memory.dmp

            Filesize

            88KB

            Download

          • memory/2280-9-0x0000000000400000-0x0000000000416000-memory.dmp

            Filesize

            88KB

            Download

          • memory/2280-108-0x0000000000400000-0x0000000000416000-memory.dmp

            Filesize

            88KB

            Download

          • memory/2280-7-0x0000000000400000-0x0000000000416000-memory.dmp

            Filesize

            88KB

            Download

          • memory/2280-100-0x0000000000400000-0x0000000000416000-memory.dmp

            Filesize

            88KB

            Download

          • memory/2280-48-0x0000000000400000-0x0000000000416000-memory.dmp

            Filesize

            88KB

            Download

          • memory/2392-84-0x0000000000400000-0x0000000000415000-memory.dmp

            Filesize

            84KB

            Download

          • memory/2788-51-0x0000000000400000-0x000000000047C000-memory.dmp

            Filesize

            496KB

            Download

          • memory/2788-47-0x0000000000400000-0x000000000047C000-memory.dmp

            Filesize

            496KB

            Download

          • memory/2788-80-0x0000000000400000-0x000000000047C000-memory.dmp

            Filesize

            496KB

            Download

          • memory/2844-89-0x0000000000400000-0x000000000041A000-memory.dmp

            Filesize

            104KB

            Download

          • memory/2844-79-0x0000000000400000-0x000000000041A000-memory.dmp

            Filesize

            104KB

            Download

          • memory/2844-78-0x0000000000400000-0x000000000041A000-memory.dmp

            Filesize

            104KB

            Download

          • memory/2844-76-0x0000000000400000-0x000000000041A000-memory.dmp

            Filesize

            104KB

            Download

          • memory/2844-81-0x0000000000400000-0x000000000041A000-memory.dmp

            Filesize

            104KB

            Download

          • memory/2960-71-0x0000000000080000-0x0000000000081000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3036-5-0x0000000000400000-0x000000000047C000-memory.dmp

            Filesize

            496KB

            Download

          • memory/3036-3-0x000000000044C000-0x000000000044D000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3036-4-0x0000000000400000-0x000000000047C000-memory.dmp

            Filesize

            496KB

            Download

          • memory/3036-16-0x0000000000400000-0x000000000047C000-memory.dmp

            Filesize

            496KB

            Download

          • memory/3036-0-0x0000000000400000-0x000000000047C000-memory.dmp

            Filesize

            496KB

            Download