Overview

overview

10

Static

static

3

CONTRACT-H...22.exe

windows7-x64

10

CONTRACT-H...22.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-12-2024 01:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    CONTRACT-HSB7555-07-22.exe

  • Size

    574KB

  • MD5

    ab250d08a1c4628ecdb5f067c4219e7d

  • SHA1

    ca73fb0aa8e1d5d9e125eecf8ebc13612e773765

  • SHA256

    a832f30bbb32bcf5c4138d8058214e47ea72a6fe10d448dbea5fbc84e1ce375b

  • SHA512

    61dadbcdeac15afcd0f34f55333c9ce5aa35d9afff3c70d0aff2b9694d4f252def58abe5d07d235ca902782c99715511898a1ffc973b8e584e57936e431c7f4f

  • SSDEEP

    12288:DikZNia30YkxVhT/i6LT4xBWQQBhjOgYzmeU5Nsny764JxTTn:DfTiaE9xVhT60kxMZmmeuuwJN

Score
10/10
netwirebotnetdiscoveryexecutionratstealer

Malware Config

Extracted

Family

netwire

C2

37.0.14.206:3384

Attributes
  • activex_autorun

    false

  • copy_executable

    true

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • install_path

    %AppData%\Install\Host.exe

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    true

  • offline_keylogger

    true

  • password

    Password234

  • registry_autorun

    false

  • use_mutex

    false

Signatures

  • NetWire RAT payload 3 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Netwire family
    netwire
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\CONTRACT-HSB7555-07-22.exe
    "C:\Users\Admin\AppData\Local\Temp\CONTRACT-HSB7555-07-22.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2428
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\lpuqOXYcEwD.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2404
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lpuqOXYcEwD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6C13.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:1536
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      2⤵
        PID:644
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3428
        • C:\Users\Admin\AppData\Roaming\Install\Host.exe
          "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:4128

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rcyyrksu.euw.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp6C13.tmp
      Filesize

      1KB

      MD5

      ab86e035e4f1a49929e29dd89243b22e

      SHA1

      fb3b83443905334ecbc150543af2d3a6bfce73c1

      SHA256

      0356362c54116f7db45ae9fe88dfda8f1df8346af71508b2feb73d79f2a181e2

      SHA512

      65874a8a2a9e339e3cc7a82b3928ccf8192944b7f6a7b0e3058a8f2bcd719fc2ee3b3f2ab1e3cadbdcb7b768349ea93a73e7cf6f3f52afd37e9e210f344b0f9e

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Install\Host.exe
      Filesize

      256KB

      MD5

      8fdf47e0ff70c40ed3a17014aeea4232

      SHA1

      e6256a0159688f0560b015da4d967f41cbf8c9bd

      SHA256

      ed9884bac608c06b7057037cc91d90e4ae5f74dd2dbce2af476699c6d4492d82

      SHA512

      bd69d092ed4f9c5e1f24eaf5ec79fb316469d53849dc798fae0fcba5e90869b77ee924c23cc6f692198ff25827ab60ad47bb46cadd6e0aadde7731cbafb013be

      Download Submit

    • memory/2404-70-0x0000000006880000-0x000000000689E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2404-18-0x00000000054F0000-0x0000000005B18000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/2404-77-0x00000000077F0000-0x00000000077FE000-memory.dmp

      Filesize

      56KB

      Download

    • memory/2404-76-0x00000000077C0000-0x00000000077D1000-memory.dmp

      Filesize

      68KB

      Download

    • memory/2404-75-0x0000000007840000-0x00000000078D6000-memory.dmp

      Filesize

      600KB

      Download

    • memory/2404-74-0x0000000007630000-0x000000000763A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2404-73-0x00000000075C0000-0x00000000075DA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2404-72-0x0000000007C10000-0x000000000828A000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/2404-71-0x0000000007490000-0x0000000007533000-memory.dmp

      Filesize

      652KB

      Download

    • memory/2404-23-0x00000000051E0000-0x0000000005202000-memory.dmp

      Filesize

      136KB

      Download

    • memory/2404-17-0x0000000002980000-0x00000000029B6000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2404-78-0x0000000007800000-0x0000000007814000-memory.dmp

      Filesize

      80KB

      Download

    • memory/2404-19-0x00000000747D0000-0x0000000074F80000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2404-79-0x0000000007900000-0x000000000791A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2404-20-0x00000000747D0000-0x0000000074F80000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2404-22-0x00000000747D0000-0x0000000074F80000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2404-25-0x0000000005280000-0x00000000052E6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/2404-60-0x0000000075060000-0x00000000750AC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/2404-80-0x00000000078E0000-0x00000000078E8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2404-59-0x0000000007250000-0x0000000007282000-memory.dmp

      Filesize

      200KB

      Download

    • memory/2404-41-0x0000000005C90000-0x0000000005FE4000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/2404-83-0x00000000747D0000-0x0000000074F80000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2404-44-0x00000000062C0000-0x000000000630C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/2404-43-0x00000000062A0000-0x00000000062BE000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2428-15-0x0000000009550000-0x00000000095B6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/2428-5-0x00000000747D0000-0x0000000074F80000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2428-1-0x00000000009D0000-0x0000000000A66000-memory.dmp

      Filesize

      600KB

      Download

    • memory/2428-2-0x00000000058C0000-0x0000000005E64000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/2428-3-0x00000000053F0000-0x0000000005482000-memory.dmp

      Filesize

      584KB

      Download

    • memory/2428-4-0x00000000055A0000-0x00000000055AA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2428-24-0x00000000094E0000-0x000000000950E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/2428-42-0x00000000747D0000-0x0000000074F80000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2428-6-0x0000000006810000-0x0000000006826000-memory.dmp

      Filesize

      88KB

      Download

    • memory/2428-0-0x00000000747DE000-0x00000000747DF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2428-11-0x0000000009240000-0x00000000092DC000-memory.dmp

      Filesize

      624KB

      Download

    • memory/2428-10-0x0000000002CB0000-0x0000000002D2C000-memory.dmp

      Filesize

      496KB

      Download

    • memory/2428-9-0x0000000008FF0000-0x0000000008FFA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2428-8-0x00000000747D0000-0x0000000074F80000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2428-7-0x00000000747DE000-0x00000000747DF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3428-34-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/3428-40-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/3428-26-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/4128-55-0x00000000000C0000-0x0000000000100000-memory.dmp

      Filesize

      256KB

      Download

    • memory/4128-56-0x0000000004780000-0x000000000479A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4128-57-0x0000000004980000-0x0000000004ADA000-memory.dmp

      Filesize

      1.4MB

      Download