Overview

overview

10

Static

static

3

2b1245c454...b8.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    94s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-12-2024 18:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2b1245c4547eee5a4545431f1969ab4dd5ba8ac4d0d2dd758d3c77a250e6ddb8.exe

  • Size

    1.3MB

  • MD5

    5c9ad0440fefa31403bd944a1a10a3b8

  • SHA1

    2707299e9ec7fb2173f6afb2e23a4d74865cf5a3

  • SHA256

    2b1245c4547eee5a4545431f1969ab4dd5ba8ac4d0d2dd758d3c77a250e6ddb8

  • SHA512

    9b5b620be47d31f652d0100d891808f9b6baff7177c17604be6b0eb9cc731737e610ff47f83ffe8b9f50da48107087be06e74b75347f8d460b35a83d366c1078

  • SSDEEP

    24576:AemBdOxLFDApSPKk48wxpb4YLDrvomDMzqZB:0BiLFssPH48ApZDrYzq

Score
10/10
netwirebotnetdiscoverypersistenceratstealer

Malware Config

Extracted

Family

netwire

C2

banqueislamik.ddrive.online:3360

Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    SALUT

  • lock_executable

    false

  • offline_keylogger

    false

  • password

    Password

  • registry_autorun

    false

  • use_mutex

    false

Signatures

  • NetWire RAT payload 4 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Netwire family
    netwire
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2b1245c4547eee5a4545431f1969ab4dd5ba8ac4d0d2dd758d3c77a250e6ddb8.exe
    "C:\Users\Admin\AppData\Local\Temp\2b1245c4547eee5a4545431f1969ab4dd5ba8ac4d0d2dd758d3c77a250e6ddb8.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2456
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\othnl.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\othnl.exe zwkrwa.hep
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4492
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c schtasks /create /sc minute /mo 5 /tn xeezzrd /tr "C:\Users\Admin\xeezzrd\othnl.exe C:\Users\Admin\xeezzrd\zwkrwa.hep"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:316
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /sc minute /mo 5 /tn xeezzrd /tr "C:\Users\Admin\xeezzrd\othnl.exe C:\Users\Admin\xeezzrd\zwkrwa.hep"
          4⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:1644
      • C:\Users\Admin\othnl.exe
        0
        3⤵
        • Executes dropped EXE
        PID:4820

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lyzbolct.osn
    Filesize

    273KB

    MD5

    b87b1eebcce45db72f46c45d7627c854

    SHA1

    dc8e7030defc35a9d1ad6cfb5a354ecd372506a2

    SHA256

    cd591bbfcb167fa8a7c960812967f90440a350458fe4422c6257cc0558f34953

    SHA512

    fa514a1e7f56689cfdbda78a0c3ea9e73668121e94ab8057fe9a0dc77a4ddd0b8b2aa833109c5f41c182c625392e073a9c4d4a13fdfb8b57aeae9e5733cb3467

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\othnl.exe
    Filesize

    918KB

    MD5

    ad5e6eb33f8b6b48fab6d9ab3e1212c1

    SHA1

    712f5e781df0e1cf0a52cc1312f097c290770909

    SHA256

    dd998d69304649d295691a188f8d0b04b4c2ca5dc7fb03494867bd7738200daa

    SHA512

    11822e5ec5b765109db5c132e8c7dd172f883bb7ae57f78be3861099aef24b0625dc943f2d20b4eff2615e5b98f2836322c8ccac526ee6448c04cfc28328c538

    Download Submit

  • C:\Users\Admin\othnl.exe
    Filesize

    44KB

    MD5

    9d352bc46709f0cb5ec974633a0c3c94

    SHA1

    1969771b2f022f9a86d77ac4d4d239becdf08d07

    SHA256

    2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

    SHA512

    13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

    Download Submit

  • memory/4492-15-0x0000000000CA0000-0x00000000010A0000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/4492-19-0x0000000000B20000-0x0000000000C0C000-memory.dmp

    Filesize

    944KB

    Download

  • memory/4820-16-0x0000000000E20000-0x0000000001E20000-memory.dmp

    Filesize

    16.0MB

    Download

  • memory/4820-18-0x0000000000E20000-0x0000000001E20000-memory.dmp

    Filesize

    16.0MB

    Download

  • memory/4820-20-0x0000000000E20000-0x0000000001E20000-memory.dmp

    Filesize

    16.0MB

    Download