Overview

overview

10

Static

static

3

f9bf619a41...9b.exe

windows7-x64

10

f9bf619a41...9b.exe

windows10-2004-x64

10

Resubmissions

14-12-2024 19:23

241214-x3vs1s1qbz 10

12-12-2024 19:35

241212-yaxycaxkaj 10

Analysis

  • max time kernel
    40s
  • max time network
    30s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    14-12-2024 19:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f9bf619a41a56cae6b8e6d5b3fb3d3afdd7976745dbe9cc7f90ba4dcadc35d9b.exe

  • Size

    584KB

  • MD5

    c9e985c561be0dd05c190dc70ae3518e

  • SHA1

    ffbcb080efbbd36ebb9f81eded9e63c7f66cab9f

  • SHA256

    f9bf619a41a56cae6b8e6d5b3fb3d3afdd7976745dbe9cc7f90ba4dcadc35d9b

  • SHA512

    f1b10f5bc7bb52bf70a8e083a45a823379b1b4e0ca42e7378a07a06d4b3b8346c4dfbc95575534df9b18445eb5d56a6302d07cd86b6017f422d99dccbfec1ebb

  • SSDEEP

    12288:AgIdCFdSZHZVaeSESmqf6G+SqnTrrEsYGre4YzHix:HYYSZ5VrS3xqTrPFr0c

Score
10/10
netwirebotnetdiscoverypersistenceratstealer

Malware Config

Extracted

Family

netwire

C2

38.132.124.156:1199

Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • offline_keylogger

    true

  • password

    12345

  • registry_autorun

    true

  • startup_name

    ronies

  • use_mutex

    false

Signatures

  • NetWire RAT payload 6 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Netwire family
    netwire
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 6 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Office loads VBA resources, possible macro or embedded object present
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 11 IoCs
  • Suspicious use of SendNotifyMessage 8 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f9bf619a41a56cae6b8e6d5b3fb3d3afdd7976745dbe9cc7f90ba4dcadc35d9b.exe
    "C:\Users\Admin\AppData\Local\Temp\f9bf619a41a56cae6b8e6d5b3fb3d3afdd7976745dbe9cc7f90ba4dcadc35d9b.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1044
    • C:\Users\Admin\AppData\Local\Temp\service.exe
      "C:\Users\Admin\AppData\Local\Temp\service.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2444
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HRgFfvmwT" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5A8E.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:2536
      • C:\Users\Admin\AppData\Local\Temp\service.exe
        "C:\Users\Admin\AppData\Local\Temp\service.exe"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:1340
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\CPA accountant COVID_19 pandemic relief (20,000$).docx"
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2760
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:2672
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      1⤵
        PID:1672
      • C:\Program Files\VideoLAN\VLC\vlc.exe
        "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\ApproveFormat.DVR-MS"
        1⤵
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        PID:2992

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\CPA accountant COVID_19 pandemic relief (20,000$).docx
        Filesize

        68KB

        MD5

        f5338a212a363459b7354fd8091d5501

        SHA1

        d5f79a7e7a664147f71dc58988462c51f489e16b

        SHA256

        9a62f34e8c12aeed7a693399f5d17676c9af7b50865f160fc7eb4d709c252583

        SHA512

        e033137c54ce92fec4d51f79d2cc79e6d6335060a1ba1f5ad0d30833749034c0c2c750e9cea9b654b1c36ea6cf67adddb08c0c165f46d75530cf7af1c1d81ab0

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\service.exe
        Filesize

        311KB

        MD5

        a69b9cf282c900d55cd7452e039daf41

        SHA1

        0ea752ca500e4b9df336cb4438e7804d3b0186ad

        SHA256

        3e2526d2955b6709532d1a16a221882619690292dce1527a3399a8d704a4c79d

        SHA512

        caa067276632186c0ef2e9bf821ad64aff680645a4d0436dac2cefa7aa99feb76cb6a52e672c325ba51783635388f32cd64c2a69f0aa52c1f8f37ab4d29d1765

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\tmp5A8E.tmp
        Filesize

        1KB

        MD5

        906817384c8a105b1bb00c60da88860c

        SHA1

        3b5f99947348758c118fa277285abf4b919c0b0c

        SHA256

        c305bd869333e9ce584c94b5a25c4cb67c54b492d5075fb74f1b176ce54f756d

        SHA512

        7f20a83d3a760edd66d1241e4a75d0b6e4167ebb7e7b39713556f5e48a42c6acb04135a0aff2a536f5362f267f1816f877c18050f12e52859db49d66c4af2a28

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex
        Filesize

        2B

        MD5

        f3b25701fe362ec84616a93a45ce9998

        SHA1

        d62636d8caec13f04e28442a0a6fa1afeb024bbb

        SHA256

        b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

        SHA512

        98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

        Download Submit

      • memory/1340-47-0x0000000000400000-0x0000000000433000-memory.dmp

        Filesize

        204KB

        Download

      • memory/1340-53-0x0000000000400000-0x0000000000433000-memory.dmp

        Filesize

        204KB

        Download

      • memory/1340-55-0x0000000000400000-0x0000000000433000-memory.dmp

        Filesize

        204KB

        Download

      • memory/1340-44-0x0000000000400000-0x0000000000433000-memory.dmp

        Filesize

        204KB

        Download

      • memory/1340-42-0x0000000000400000-0x0000000000433000-memory.dmp

        Filesize

        204KB

        Download

      • memory/1340-40-0x0000000000400000-0x0000000000433000-memory.dmp

        Filesize

        204KB

        Download

      • memory/1340-52-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1340-38-0x0000000000400000-0x0000000000433000-memory.dmp

        Filesize

        204KB

        Download

      • memory/1340-51-0x0000000000400000-0x0000000000433000-memory.dmp

        Filesize

        204KB

        Download

      • memory/1340-48-0x0000000000400000-0x0000000000433000-memory.dmp

        Filesize

        204KB

        Download

      • memory/2444-23-0x0000000073D00000-0x00000000742AB000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2444-22-0x0000000073D00000-0x00000000742AB000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2444-21-0x0000000073D01000-0x0000000073D02000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2444-56-0x0000000073D00000-0x00000000742AB000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2760-25-0x000000005FFF0000-0x0000000060000000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2760-24-0x000000002FB31000-0x000000002FB32000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2992-84-0x000000013F0D0000-0x000000013F1C8000-memory.dmp

        Filesize

        992KB

        Download

      • memory/2992-85-0x000007FEF5570000-0x000007FEF55A4000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2992-86-0x000007FEF52B0000-0x000007FEF5566000-memory.dmp

        Filesize

        2.7MB

        Download

      • memory/2992-87-0x000007FEF3C00000-0x000007FEF4CB0000-memory.dmp

        Filesize

        16.7MB

        Download