Analysis

  • max time kernel
    119s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/01/2025, 16:59

General

  • Target

    bb4773c106ac654769bca2778273b3efc76226a93cee33cfa2c099fc9d0e44cbN.exe

  • Size

    296KB

  • MD5

    ca239e74778ea238c877d0a08ff014e0

  • SHA1

    cd3cce3b44b9b21384b292add85ee800ca4a6166

  • SHA256

    bb4773c106ac654769bca2778273b3efc76226a93cee33cfa2c099fc9d0e44cb

  • SHA512

    5af6a0b7ac51b546bd9309c9a0bfcb6ace1fb12cc7ad288734483e02c478c9924bb39e117c13678856fbbc76aa04fe8570f7754e2aeb1c2935f6c82997feb4fb

  • SSDEEP

    3072:tg6pbDIqOnD6rdKRMvXs+oCTZG9QBNctlVeFAnhPQ12uDefLFmLf9WL5Bcxw:5Ddrvv8O1Ga9qtH5mLfoA

Malware Config

Extracted

Family

netwire

C2

wealthyman.brasilia.me:39560

Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    WEALTH

  • keylogger_dir

    %AppData%\music\

  • lock_executable

    false

  • offline_keylogger

    true

  • password

    sucess

  • registry_autorun

    false

  • use_mutex

    false

Signatures

  • NetWire RAT payload 4 IoCs
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

  • Netwire family
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bb4773c106ac654769bca2778273b3efc76226a93cee33cfa2c099fc9d0e44cbN.exe
    "C:\Users\Admin\AppData\Local\Temp\bb4773c106ac654769bca2778273b3efc76226a93cee33cfa2c099fc9d0e44cbN.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3064
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN "Evakostumet1" /TR "C:\Users\Admin\AppData\Roaming\Haandevendingerne.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:4972
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /run /tn "Evakostumet1"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:5020
  • C:\Users\Admin\AppData\Roaming\Haandevendingerne.exe
    C:\Users\Admin\AppData\Roaming\Haandevendingerne.exe
    1⤵
    • Executes dropped EXE
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    PID:4360

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Haandevendingerne.exe

    Filesize

    296KB

    MD5

    4acfd830113a6da904c6397850610a72

    SHA1

    09a259a8f4ac047c3402238a5f852f333dd6f0d2

    SHA256

    2c639ebd748cb27f6345c2bf5dc4ce0e5179b923b401cc7c392323266660d934

    SHA512

    d45fc8351cee4a336e1d11e7ce19380571d1a54fdc79510e2a04d97aedb0fa5f6e50e500af5f6a25d2c053779af6d038b14c659afb326ce84480a74632a86f40

  • C:\Windows\win.ini

    Filesize

    111B

    MD5

    45fc085b156dff15d5472839a842a650

    SHA1

    70623f377b48c1a5a05866b675008851dc043c3b

    SHA256

    a38c356a0ad92fdfa96d20675c979528ffd39d0449d0965d8a5cb7dca753b718

    SHA512

    5e9b995e76800cbf5c3161d8d8c7fc81698ed90ffe3cf198c13e81b60b547e68493337f938e453cfb363b74e96e6615f8549bb6f1d826d02a62d2e2c992190aa

  • memory/3064-212-0x0000000077461000-0x0000000077581000-memory.dmp

    Filesize

    1.1MB

  • memory/3064-214-0x0000000077461000-0x0000000077581000-memory.dmp

    Filesize

    1.1MB

  • memory/4360-431-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

  • memory/4360-432-0x0000000000400000-0x000000000044A000-memory.dmp

    Filesize

    296KB

  • memory/4360-433-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

  • memory/4360-435-0x0000000000400000-0x000000000044A000-memory.dmp

    Filesize

    296KB