| Field | Value |
|---|---|
| File name | 27c3e9895486cdce1c95dc80435fb75302bf079c928888e542d8d93c7762404c.ps1 |
| Full analysis | https://app.any.run/tasks/204d0c22-4f13-4b0b-810e-ca4673991e83 |
| Verdict | Malicious activity |
| Threats | NetWire is an advanced RAT: malware that takes control of infected PCs and lets its operators perform various actions on them. Unlike many RATs, it can target every major operating system, including Windows, Linux and macOS. |
| Analysis date | August 01, 2022, 19:20:14 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | |
| Indicators | |
| MIME | text/plain |
| File info | ASCII text, with very long lines, with CRLF line terminators |
| MD5 | C9EC8286A9ADCA5A052B36898F2F1AAA |
| SHA1 | F750182D8F3CE938C5D8E2F6BF9A09AFC6B1623A |
| SHA256 | 27C3E9895486CDCE1C95DC80435FB75302BF079C928888E542D8D93C7762404C |
| SSDEEP | 3072:6ruf+NsVR+p4rz0vWJ5Xjqf9pfnyVDD6xGVSHDoX8r06HfZnBpE:bGybe430vWJ5XjCpfqGGVSssj/ZM |

Processes:

| PID | Command line | Path | Indicators | Parent process |
|---|---|---|---|---|
| 1560 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-file" "C:\Users\admin\AppData\Local\Temp\27c3e9895486cdce1c95dc80435fb75302bf079c928888e542d8d93c7762404c.ps1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | | Explorer.EXE |
| 3432 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\xjmczhg5.cmdline" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | | powershell.exe |
| 3288 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RES96D3.tmp" "c:\Users\admin\AppData\Local\Temp\CSC5CDE365238D0471481B41938C75119.TMP" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | — | csc.exe |
| 4020 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | | powershell.exe |

Process details:

| PID | User | Company | Integrity level | Description | Version | Exit code |
|---|---|---|---|---|---|---|
| 1560 | admin | Microsoft Corporation | MEDIUM | Windows PowerShell | 10.0.14409.1005 (rs1_srvoob.161208-1155) | 0 |
| 3432 | admin | Microsoft Corporation | MEDIUM | Visual C# Command Line Compiler | 4.0.30319.34209 built by: FX452RTMGDR | 0 |
| 3288 | admin | Microsoft Corporation | MEDIUM | Microsoft® Resource File To COFF Object Conversion Utility | 12.00.51209.34209 built by: FX452RTMGDR | 0 |
| 4020 | admin | Microsoft Corporation | MEDIUM | Microsoft .NET ClickOnce Launch Utility | 4.0.30319.34209 built by: FX452RTMGDR | |

NetWire configuration extracted from PID 4020 (AppLaunch.exe):

| Field | Value |
|---|---|
| C2 (1) | 185.81.157.169:4041 |
| Host | CCP |
| Password | Password1234 |
| Mutex | VwtFYXpp |
| Install path | - |
| Startup name | - |
| ActiveX | false |
| Proxy | Direct_connection |
| Copy executable | false |
| Delete original | false |
| Lock executable | false |
| Registry autorun | false |
| Use a mutex | true |
| Offline keylogger | true |
| Sleep (s) | 75 |
| Keylogger directory | C:\Users\admin\AppData\Roaming\Logs\ |
| RC4 key | 3f3d3f4147904e5d40dc2f48e944c7a7 |

Strings (90): GetProcessImageFileNameA Local Disk WinHttpOpen WinHttpGetProxyForUrl WinHttpGetIEProxyConfigForCurrentUser SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ SOFTWARE\Microsoft\Active Setup\Installed Components SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ SOFTWARE\Microsoft\Active Setup\Installed Components\%s StubPath [Esc] [Ctrl+%c] RegisterRawInputDevices GetRawInputData Secur32.dll LsaGetLogonSessionData LsaEnumerateLogonSessions SOFTWARE\Mozilla\%s\ CurrentVersion SOFTWARE\Mozilla\%s\%s\Main Install Directory mozutils.dll mozsqlite3.dll %s\logins.json PK11_GetInternalKeySlot PK11_Authenticate PL_Base64Decode SECITEM_ZfreeItem PK11SDR_Decrypt PK11_FreeSlot NSS_Shutdown sqlite3_open sqlite3_close sqlite3_prepare_v2 sqlite3_step sqlite3_column_text select * from moz_logins hostname <name> <password> POP3 Server POP3 Password IMAP User IMAP Server IMAP Password HTTP User HTTP Server HTTP Password SMTP User SMTP Server SMTP Password EAS User EAS Server URL EAS Password POP3 Server POP3 Password IMAP User IMAP Server IMAP Password HTTP User HTTP Server HTTP Password SMTP User SMTP Server SMTP Password EAS User EAS Server URL EAS Password index.dat vaultcli.dll VaultOpenVault VaultCloseVault VaultGetItem GetModuleFileNameExA GetModuleFileNameExA GetNativeSystemInfo GlobalMemoryStatusEx HARDWARE\DESCRIPTION\System\CentralProcessor\0 Closed Listening... SYN Sent SYN Received Established Fin Wait (1) Fin Wait (2) Close Wait Closing... Last ACK Time Wait Delete TCB

Registry activity:

| PID | Process | Key | Operation | Name | Value |
|---|---|---|---|---|---|
| 1560 | powershell.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E | write | LanguageList | en-US |
| 1560 | powershell.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | ProxyBypass | 1 |
| 1560 | powershell.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | IntranetName | 1 |
| 1560 | powershell.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | UNCAsIntranet | 1 |
| 1560 | powershell.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | AutoDetect | 0 |
| 4020 | AppLaunch.exe | HKEY_CURRENT_USER\Software\NetWire | write | HostId | CCP |
| 4020 | AppLaunch.exe | HKEY_CURRENT_USER\Software\NetWire | write | Install Date | 2022-08-01 19:20:21 |

Files activity:

| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 1560 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 68B90C3CC259D8675C559212E551675E | D7AD6011E606D10C05BAF12CD47E19BD6C67C9F0A6E48F16A915D80F32A5F71D |
| 1560 | powershell.exe | C:\Users\admin\AppData\Local\Temp\xjmczhg5.0.cs | text | 2613E7F3F3414A8DA4B17D248389FBC9 | 3F81AC1BB706EACC232EC8AD24048D6E61CEE5634FC734E40287EC5CCF9860BC |
| 1560 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF108ee4.TMP | binary | CCFCF369F751CE8DA0370D84E52A7EED | 53922490C3F5A04667EC3605A01AF2A4F4F265782D1BCA519F63ACAD413F2ED9 |
| 3432 | csc.exe | C:\Users\admin\AppData\Local\Temp\CSC5CDE365238D0471481B41938C75119.TMP | res | 3EC8CB4214A5172F55539DF9DFA253F2 | D2ADA932B4CF1B0387211FC89ABA7F9B8B43EB331D034932E1DE1777693C17FC |
| 1560 | powershell.exe | C:\Users\admin\AppData\Local\Temp\xjmczhg5.cmdline | text | 954FF1551F07E41759C5B60704B08AD0 | 7724BC550F00071B05633A27354271EA11044E28053A2BE9690EE4E28002029A |
| 1560 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SystemLogin.vbs | text | 05EE066FC796B26E70ACC8E45493B658 | F4EBCB0655744C39AA2B4D8FCBEDDC74B849237E1913699E10DEAB2154B200AA |
| 1560 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2R710T7TD2FPKMIWDMXJ.temp | binary | 68B90C3CC259D8675C559212E551675E | D7AD6011E606D10C05BAF12CD47E19BD6C67C9F0A6E48F16A915D80F32A5F71D |
| 3432 | csc.exe | C:\Users\admin\AppData\Local\Temp\xjmczhg5.dll | executable | CE4B7D46F04D5BBC16F4E664D98A4C9A | 761D6A555038636CB571C79014E03905D6B303F6229F7FE537D7652BFA9217DD |
| 3288 | cvtres.exe | C:\Users\admin\AppData\Local\Temp\RES96D3.tmp | o | 570F820F4AC2CBC51207FD9EC06EE865 | 3F67F0E8ABC70572BC101469EF426A59F483BA1E582FCCE62E074E06D1536767 |
| 3432 | csc.exe | C:\Users\admin\AppData\Local\Temp\xjmczhg5.out | text | D31DA4380A4937084A30DA379C101C5E | 0277D31569CD0E9FCA74FCBD140AACFE2D1C8DA48F59DB1F0D36832876169237 |

Network activity (connections):

| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| — | — | 185.81.157.169:4041 | — | Inulogic Sarl | FR | malicious |

DNS requests:

| Domain | IP | Reputation |
|---|---|---|
| dns.msftncsi.com | | shared |