| File name: | 27c3e9895486cdce1c95dc80435fb75302bf079c928888e542d8d93c7762404c.ps1 |
| Full analysis: | https://app.any.run/tasks/204d0c22-4f13-4b0b-810e-ca4673991e83 |
| Verdict: | Malicious activity |
| Threats: | Netwire is an advanced RAT — it is a malware that takes control of infected PCs and allows its operators to perform various actions. Unlike many RATs, this one can target every major operating system, including Windows, Linux, and MacOS. |
| Analysis date: | August 01, 2022, 19:20:14 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | text/plain |
| File info: | ASCII text, with very long lines, with CRLF line terminators |
| MD5: | C9EC8286A9ADCA5A052B36898F2F1AAA |
| SHA1: | F750182D8F3CE938C5D8E2F6BF9A09AFC6B1623A |
| SHA256: | 27C3E9895486CDCE1C95DC80435FB75302BF079C928888E542D8D93C7762404C |
| SSDEEP: | 3072:6ruf+NsVR+p4rz0vWJ5Xjqf9pfnyVDD6xGVSHDoX8r06HfZnBpE:bGybe430vWJ5XjCpfqGGVSssj/ZM |
MALICIOUS
Drops executable file immediately after starts
- csc.exe (PID: 3432)
Writes to a start menu file
- powershell.exe (PID: 1560)
Starts Visual C# compiler
- powershell.exe (PID: 1560)
NETWIRE was detected
- AppLaunch.exe (PID: 4020)
NETWIRE detected by memory dumps
- AppLaunch.exe (PID: 4020)
SUSPICIOUS
Reads the date of Windows installation
- powershell.exe (PID: 1560)
Checks supported languages
- powershell.exe (PID: 1560)
- csc.exe (PID: 3432)
- cvtres.exe (PID: 3288)
- AppLaunch.exe (PID: 4020)
Reads the computer name
- powershell.exe (PID: 1560)
- AppLaunch.exe (PID: 4020)
Executable content was dropped or overwritten
- csc.exe (PID: 3432)
Drops a file with a compile date too recent
- csc.exe (PID: 3432)
INFO
Checks Windows Trust Settings
- powershell.exe (PID: 1560)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
NetWire
(PID) Process(4020) AppLaunch.exe
C2 (1)185.81.157.169:4041
HostCCP
Credentials
Password1234
Options
MutexVwtFYXpp
Install_path-
Startup_name-
ActiveXfalse
ProxyDirect_connection
Copy_executablefalse
Delete_originalfalse
Lock_executablefalse
Registry_autorunfalse
Use_a_mutextrue
Offline_keyloggertrue
Sleep(s)75
Keylogger_directoryC:\Users\admin\AppData\Roaming\Logs\
Keys
RC4_key3f3d3f4147904e5d40dc2f48e944c7a7
Strings (90)GetProcessImageFileNameA
Local Disk
WinHttpOpen
WinHttpGetProxyForUrl
WinHttpGetIEProxyConfigForCurrentUser
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
SOFTWARE\Microsoft\Active Setup\Installed Components
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
SOFTWARE\Microsoft\Active Setup\Installed Components\%s
StubPath
[Esc]
[Ctrl+%c]
RegisterRawInputDevices
GetRawInputData
Secur32.dll
LsaGetLogonSessionData
LsaEnumerateLogonSessions
SOFTWARE\Mozilla\%s\
CurrentVersion
SOFTWARE\Mozilla\%s\%s\Main
Install Directory
mozutils.dll
mozsqlite3.dll
%s\logins.json
PK11_GetInternalKeySlot
PK11_Authenticate
PL_Base64Decode
SECITEM_ZfreeItem
PK11SDR_Decrypt
PK11_FreeSlot
NSS_Shutdown
sqlite3_open
sqlite3_close
sqlite3_prepare_v2
sqlite3_step
sqlite3_column_text
select * from moz_logins
hostname
<name>
<password>
POP3 Server
POP3 Password
IMAP User
IMAP Server
IMAP Password
HTTP User
HTTP Server
HTTP Password
SMTP User
SMTP Server
SMTP Password
EAS User
EAS Server URL
EAS Password
POP3 Server
POP3 Password
IMAP User
IMAP Server
IMAP Password
HTTP User
HTTP Server
HTTP Password
SMTP User
SMTP Server
SMTP Password
EAS User
EAS Server URL
EAS Password
index.dat
vaultcli.dll
VaultOpenVault
VaultCloseVault
VaultGetItem
GetModuleFileNameExA
GetModuleFileNameExA
GetNativeSystemInfo
GlobalMemoryStatusEx
HARDWARE\DESCRIPTION\System\CentralProcessor\0
Closed
Listening...
SYN Sent
SYN Received
Established
Fin Wait (1)
Fin Wait (2)
Close Wait
Closing...
Last ACK
Time Wait
Delete TCB
Total processes
37
Monitored processes
4
Malicious processes
2
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1560 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-file" "C:\Users\admin\AppData\Local\Temp\27c3e9895486cdce1c95dc80435fb75302bf079c928888e542d8d93c7762404c.ps1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Explorer.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.14409.1005 (rs1_srvoob.161208-1155) Modules
| |||||||||||||||
| 3288 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RES96D3.tmp" "c:\Users\admin\AppData\Local\Temp\CSC5CDE365238D0471481B41938C75119.TMP" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | — | csc.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft® Resource File To COFF Object Conversion Utility Exit code: 0 Version: 12.00.51209.34209 built by: FX452RTMGDR Modules
| |||||||||||||||
| 3432 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\xjmczhg5.cmdline" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | powershell.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Visual C# Command Line Compiler Exit code: 0 Version: 4.0.30319.34209 built by: FX452RTMGDR Modules
| |||||||||||||||
| 4020 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | powershell.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft .NET ClickOnce Launch Utility Exit code: 0 Version: 4.0.30319.34209 built by: FX452RTMGDR Modules
NetWire(PID) Process(4020) AppLaunch.exe C2 (1)185.81.157.169:4041 HostCCP Credentials Password1234 Options MutexVwtFYXpp Install_path- Startup_name- ActiveXfalse ProxyDirect_connection Copy_executablefalse Delete_originalfalse Lock_executablefalse Registry_autorunfalse Use_a_mutextrue Offline_keyloggertrue Sleep(s)75 Keylogger_directoryC:\Users\admin\AppData\Roaming\Logs\ Keys RC4_key3f3d3f4147904e5d40dc2f48e944c7a7 Strings (90)GetProcessImageFileNameA Local Disk WinHttpOpen WinHttpGetProxyForUrl WinHttpGetIEProxyConfigForCurrentUser SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ SOFTWARE\Microsoft\Active Setup\Installed Components SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ SOFTWARE\Microsoft\Active Setup\Installed Components\%s StubPath [Esc] [Ctrl+%c] RegisterRawInputDevices GetRawInputData Secur32.dll LsaGetLogonSessionData LsaEnumerateLogonSessions SOFTWARE\Mozilla\%s\ CurrentVersion SOFTWARE\Mozilla\%s\%s\Main Install Directory mozutils.dll mozsqlite3.dll %s\logins.json PK11_GetInternalKeySlot PK11_Authenticate PL_Base64Decode SECITEM_ZfreeItem PK11SDR_Decrypt PK11_FreeSlot NSS_Shutdown sqlite3_open sqlite3_close sqlite3_prepare_v2 sqlite3_step sqlite3_column_text select * from moz_logins hostname <name> <password> POP3 Server POP3 Password IMAP User IMAP Server IMAP Password HTTP User HTTP Server HTTP Password SMTP User SMTP Server SMTP Password EAS User EAS Server URL EAS Password POP3 Server POP3 Password IMAP User IMAP Server IMAP Password HTTP User HTTP Server HTTP Password SMTP User SMTP Server SMTP Password EAS User EAS Server URL EAS Password index.dat vaultcli.dll VaultOpenVault VaultCloseVault VaultGetItem GetModuleFileNameExA GetModuleFileNameExA GetNativeSystemInfo GlobalMemoryStatusEx HARDWARE\DESCRIPTION\System\CentralProcessor\0 Closed Listening... SYN Sent SYN Received Established Fin Wait (1) Fin Wait (2) Close Wait Closing... Last ACK Time Wait Delete TCB | |||||||||||||||
Total events
1 834
Read events
1 770
Write events
64
Delete events
0
Modification events
| (PID) Process: | (1560) powershell.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (1560) powershell.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (1560) powershell.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (1560) powershell.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
| (PID) Process: | (1560) powershell.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 0 | |||
| (PID) Process: | (4020) AppLaunch.exe | Key: | HKEY_CURRENT_USER\Software\NetWire |
| Operation: | write | Name: | HostId |
Value: CCP | |||
| (PID) Process: | (4020) AppLaunch.exe | Key: | HKEY_CURRENT_USER\Software\NetWire |
| Operation: | write | Name: | Install Date |
Value: 2022-08-01 19:20:21 | |||
Executable files
1
Suspicious files
5
Text files
4
Unknown types
3
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 1560 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2R710T7TD2FPKMIWDMXJ.temp | binary | |
MD5:— | SHA256:— | |||
| 1560 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SystemLogin.vbs | text | |
MD5:— | SHA256:— | |||
| 1560 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:— | SHA256:— | |||
| 1560 | powershell.exe | C:\Users\admin\AppData\Local\Temp\xjmczhg5.0.cs | text | |
MD5:— | SHA256:— | |||
| 1560 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF108ee4.TMP | binary | |
MD5:— | SHA256:— | |||
| 1560 | powershell.exe | C:\Users\admin\AppData\Local\Temp\xjmczhg5.cmdline | text | |
MD5:— | SHA256:— | |||
| 1560 | powershell.exe | C:\Users\admin\AppData\Local\Temp\kzxdxa3o.5qx.psm1 | binary | |
MD5:C4CA4238A0B923820DCC509A6F75849B | SHA256:— | |||
| 1560 | powershell.exe | C:\Users\admin\AppData\Local\Temp\l1repegu.j25.ps1 | binary | |
MD5:C4CA4238A0B923820DCC509A6F75849B | SHA256:— | |||
| 3288 | cvtres.exe | C:\Users\admin\AppData\Local\Temp\RES96D3.tmp | o | |
MD5:— | SHA256:— | |||
| 3432 | csc.exe | C:\Users\admin\AppData\Local\Temp\CSC5CDE365238D0471481B41938C75119.TMP | res | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
1
DNS requests
1
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
— | — | 185.81.157.169:4041 | — | Inulogic Sarl | FR | malicious |
DNS requests
Domain | IP | Reputation |
|---|---|---|
dns.msftncsi.com |
| shared |