Overview

overview

10

Static

static

5

0f0f8700da...25.exe

windows7-x64

10

0f0f8700da...25.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    56s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    15-12-2024 19:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe

  • Size

    118KB

  • MD5

    c2f29e7622b41f880b6bda678e7a5584

  • SHA1

    42713213d71d7b8c57e3c79798ce6b99e41889e8

  • SHA256

    0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225

  • SHA512

    7177a3632486db69854dff5342e1a10258cabdbfe6077337d734a170cdee1a3f00c65c8f47e45bc26aef7f28c53874f760ec345d1ecbbdfe8d33f8d5b629600b

  • SSDEEP

    3072:++z7JXnrdFzp886+RMPy5fWMwdWRgjnahKoutjKI7ehMx:Jz75nrz286+RMaLVRgjahKoS

Score
10/10
netwirebotnetdiscoverypersistenceratstealerupx

Malware Config

Extracted

Family

netwire

C2

imemerit.servehttp.com:3360

Attributes
  • activex_autorun

    true

  • activex_key

    {I78G8V27-88UF-2L1T-8064-2S8723OVASE8}

  • copy_executable

    false

  • delete_original

    true

  • host_id

    HostId-%Rand%

  • keylogger_dir

    C:\Users\Admin\AppData\Roaming\Logs\

  • lock_executable

    false

  • mutex

    TIrKHSHH

  • offline_keylogger

    true

  • password

    `+8n0x<gT)\"Lu5"'A`c?$H="

  • registry_autorun

    true

  • startup_name

    FirstRowAli

  • use_mutex

    true

Signatures

  • NetWire RAT payload 2 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Netwire family
    netwire
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 5 IoCs
  • UPX packed file 28 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Gathers network information 2 TTPs 4 IoCs

    Uses commandline utility to view network configuration.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe
    "C:\Users\Admin\AppData\Local\Temp\0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2308
    • C:\Windows\SysWOW64\ipconfig.exe
      "C:\Windows\System32\ipconfig.exe" /release
      2⤵
      • System Location Discovery: System Language Discovery
      • Gathers network information
      PID:2268
    • C:\Users\Admin\AppData\Local\Temp\0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe
      "C:\Users\Admin\AppData\Local\Temp\0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2424
      • C:\Windows\SysWOW64\ipconfig.exe
        ipconfig /renew
        3⤵
        • System Location Discovery: System Language Discovery
        • Gathers network information
        PID:2788
    • C:\Users\Admin\AppData\Local\Temp\0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe
      "C:\Users\Admin\AppData\Local\Temp\0f0f8700da79a05e5919bd31420e45cce0e79d5c7cec35b062c7dd4af3d6d225.exe"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2120
      • C:\Users\Admin\AppData\Roaming\FirstRow.pif
        "C:\Users\Admin\AppData\Roaming\FirstRow.pif"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2828
        • C:\Windows\SysWOW64\ipconfig.exe
          "C:\Windows\System32\ipconfig.exe" /release
          4⤵
          • System Location Discovery: System Language Discovery
          • Gathers network information
          PID:2980
        • C:\Users\Admin\AppData\Roaming\FirstRow.pif
          "C:\Users\Admin\AppData\Roaming\FirstRow.pif"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2984
          • C:\Windows\SysWOW64\ipconfig.exe
            ipconfig /renew
            5⤵
            • System Location Discovery: System Language Discovery
            • Gathers network information
            PID:1716
        • C:\Users\Admin\AppData\Roaming\FirstRow.pif
          "C:\Users\Admin\AppData\Roaming\FirstRow.pif"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1936
          • C:\Windows\SysWOW64\bitsadmin.exe
            "C:\Windows\system32\bitsadmin.exe"
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1696
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c ""C:\Users\Admin\AppData\Local\Temp\HUQTX.bat" "
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2404
              • C:\Windows\SysWOW64\reg.exe
                REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UpdateAliAim" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\FirstRow.pif" /f
                7⤵
                • Adds Run key to start application
                • System Location Discovery: System Language Discovery
                PID:772
        • C:\Users\Admin\AppData\Roaming\FirstRow.pif
          "C:\Users\Admin\AppData\Roaming\FirstRow.pif"
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Adds Run key to start application
          PID:2500

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\HUQTX.bat
    Filesize

    142B

    MD5

    f36ef4e2bfb399e9159d71c0806dc34f

    SHA1

    9ce20868ec14cabf37d77a1995b1399ebf40681d

    SHA256

    99a012606942fe84a0ed1b09c60ef765cef48e4ba317b3a71595b300ae531cc2

    SHA512

    ad7cd152f2b8f04aeee6838ccb2cc10675f289f0e4fd0e6175dace10a062655df1ec2a8d5e80ba65e5d6d0237311c91b0fce54c16e7576dc38b3399abc304b0b

    Download Submit

  • \Users\Admin\AppData\Roaming\FirstRow.pif
    Filesize

    118KB

    MD5

    62b17b9cdbbd6711dbfce8e2ddbd3b25

    SHA1

    7cd2d136beee0629eec2ec88aeab0eeb862a228e

    SHA256

    6e31069208365f3adafc6e17bd4c2e0b7b26c3d9d6d583da2880442a375c58e0

    SHA512

    fe286afc62074384b45dd9ab193995ce0df2d3e4a502e63f243655428790b19dd0614986eb7d8be094eda637c493195bbbcdd9ce80a074e3ce51de24ba2c842b

    Download Submit

  • memory/1696-75-0x0000000000080000-0x0000000000081000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1936-89-0x0000000000400000-0x0000000000415000-memory.dmp

    Filesize

    84KB

    Download

  • memory/2120-46-0x0000000003AB0000-0x0000000003B2C000-memory.dmp

    Filesize

    496KB

    Download

  • memory/2120-19-0x0000000000400000-0x0000000000415000-memory.dmp

    Filesize

    84KB

    Download

  • memory/2120-35-0x0000000003AB0000-0x0000000003B2C000-memory.dmp

    Filesize

    496KB

    Download

  • memory/2120-18-0x0000000000400000-0x0000000000415000-memory.dmp

    Filesize

    84KB

    Download

  • memory/2120-16-0x0000000000400000-0x0000000000415000-memory.dmp

    Filesize

    84KB

    Download

  • memory/2120-44-0x0000000003AB0000-0x0000000003B2C000-memory.dmp

    Filesize

    496KB

    Download

  • memory/2120-45-0x0000000003AB0000-0x0000000003B2C000-memory.dmp

    Filesize

    496KB

    Download

  • memory/2120-49-0x0000000000400000-0x0000000000415000-memory.dmp

    Filesize

    84KB

    Download

  • memory/2308-4-0x0000000000400000-0x000000000047C000-memory.dmp

    Filesize

    496KB

    Download

  • memory/2308-25-0x0000000000400000-0x000000000047C000-memory.dmp

    Filesize

    496KB

    Download

  • memory/2308-5-0x0000000000400000-0x000000000047C000-memory.dmp

    Filesize

    496KB

    Download

  • memory/2308-7-0x0000000000400000-0x000000000047C000-memory.dmp

    Filesize

    496KB

    Download

  • memory/2308-13-0x00000000030A0000-0x000000000311C000-memory.dmp

    Filesize

    496KB

    Download

  • memory/2308-0-0x0000000000400000-0x000000000047C000-memory.dmp

    Filesize

    496KB

    Download

  • memory/2308-10-0x0000000000400000-0x000000000047C000-memory.dmp

    Filesize

    496KB

    Download

  • memory/2308-3-0x000000000044C000-0x000000000044D000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2424-14-0x0000000000400000-0x0000000000416000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2424-53-0x0000000000400000-0x0000000000416000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2424-54-0x0000000000400000-0x0000000000416000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2424-97-0x0000000000400000-0x0000000000416000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2424-8-0x0000000000400000-0x0000000000416000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2424-11-0x0000000000400000-0x0000000000416000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2424-80-0x0000000000400000-0x0000000000416000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2500-83-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2500-84-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2500-86-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2500-81-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2500-94-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2828-85-0x0000000000400000-0x000000000047C000-memory.dmp

    Filesize

    496KB

    Download

  • memory/2828-50-0x0000000000400000-0x000000000047C000-memory.dmp

    Filesize

    496KB

    Download

  • memory/2828-56-0x0000000000400000-0x000000000047C000-memory.dmp

    Filesize

    496KB

    Download

  • memory/2984-88-0x0000000000400000-0x0000000000416000-memory.dmp

    Filesize

    88KB

    Download