Analysis

  • max time kernel
    140s
  • max time network
    97s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15-09-2024 12:13

General

  • Target
    afd26079505c52f938bf1af51d8633833a7a8804b4a8171487e26dd06c84735f.exe
  • Size
    796KB
  • MD5
    5c7fcc11b2a9d0c9e891946a9d36067a
  • SHA1
    8e3e22d19d12f4836e2b7c9f42d84cf7faf91907
  • SHA256
    afd26079505c52f938bf1af51d8633833a7a8804b4a8171487e26dd06c84735f
  • SHA512
    aa4c6b2204187d708a3ba8c572ed3b17032b7f623a2f65c2687bdcc56aec16ec54d9b2633416932f070fcdbb25ade48b4fa40969c4eef40beb5c6c53c6c66c47
  • SSDEEP
    24576:ldmo30ahMwQWnagWWt34TWvZQiyMPvDpbB:vRyMXP

Malware Config

Extracted

Family

  • netwire

C2

  • localupdate.ns02.info:1443
  • LOCALSERVER.ns01.US:1443
  • dnsresoIve.ns01.US:1443
  • PLUGINUPDATES.duckdns.org:1443
  • updateavlocalgenuine.com:1443
  • dnsresolve.nsl1.cc:1443

Attributes

  • activex_autorun
    false
  • activex_key
    {A3N5KUJ4-U7S4-6J45-1DJ6-32HM4W8Q0615}
  • copy_executable
    false
  • delete_original
    false
  • host_id
    ADM-%Rand%
  • lock_executable
    false
  • offline_keylogger
    false
  • password
    DuleX
  • registry_autorun
    false
  • use_mutex
    false

Signatures

  • NetWire RAT payload (3 IoCs)
  • Netwire

    Netwire is a RAT whose main functionality is focused on password stealing and keylogging, but it also includes remote control capabilities.

  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 2 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Suspicious use of SetThreadContext (1 IoC)
  • System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (7 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\afd26079505c52f938bf1af51d8633833a7a8804b4a8171487e26dd06c84735f.exe (PID 1680)
    Command line: "C:\Users\Admin\AppData\Local\Temp\afd26079505c52f938bf1af51d8633833a7a8804b4a8171487e26dd06c84735f.exe"
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • Child process: C:\Users\Admin\AppData\Local\Temp\afd26079505c52f938bf1af51d8633833a7a8804b4a8171487e26dd06c84735f.exE (PID 3412)
      Command line: "C:\Users\Admin\AppData\Local\Temp\afd26079505c52f938bf1af51d8633833a7a8804b4a8171487e26dd06c84735f.exE"
      • Boot or Logon Autostart Execution: Active Setup
      • System Location Discovery: System Language Discovery

MITRE ATT&CK Enterprise v15

Downloads

  • memory/3412-2-0x0000000000400000-0x000000000047E000-memory.dmp (Filesize: 504KB)
  • memory/3412-4-0x0000000000400000-0x000000000047E000-memory.dmp (Filesize: 504KB)
  • memory/3412-5-0x0000000000400000-0x000000000047E000-memory.dmp (Filesize: 504KB)
  • memory/3412-6-0x0000000000400000-0x000000000047E000-memory.dmp (Filesize: 504KB)
  • memory/3412-7-0x0000000000400000-0x000000000047E000-memory.dmp (Filesize: 504KB)
  • memory/3412-14-0x0000000000400000-0x000000000047E000-memory.dmp (Filesize: 504KB)