File name:

27c3e9895486cdce1c95dc80435fb75302bf079c928888e542d8d93c7762404c.ps1

Full analysis: https://app.any.run/tasks/204d0c22-4f13-4b0b-810e-ca4673991e83
Verdict: Malicious activity
Threats:

Netwire is an advanced RAT — it is a malware that takes control of infected PCs and allows its operators to perform various actions. Unlike many RATs, this one can target every major operating system, including Windows, Linux, and MacOS.

Analysis date: August 01, 2022, 19:20:14
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
netwire
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines, with CRLF line terminators
MD5:

C9EC8286A9ADCA5A052B36898F2F1AAA

SHA1:

F750182D8F3CE938C5D8E2F6BF9A09AFC6B1623A

SHA256:

27C3E9895486CDCE1C95DC80435FB75302BF079C928888E542D8D93C7762404C

SSDEEP:

3072:6ruf+NsVR+p4rz0vWJ5Xjqf9pfnyVDD6xGVSHDoX8r06HfZnBpE:bGybe430vWJ5XjCpfqGGVSssj/ZM

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Writes to a start menu file

      • powershell.exe (PID: 1560)
    • Starts Visual C# compiler

      • powershell.exe (PID: 1560)
    • NETWIRE detected by memory dumps

      • AppLaunch.exe (PID: 4020)
    • Drops executable file immediately after starts

      • csc.exe (PID: 3432)
    • NETWIRE was detected

      • AppLaunch.exe (PID: 4020)
  • SUSPICIOUS

    • Checks supported languages

      • cvtres.exe (PID: 3288)
      • powershell.exe (PID: 1560)
      • csc.exe (PID: 3432)
      • AppLaunch.exe (PID: 4020)
    • Reads the computer name

      • powershell.exe (PID: 1560)
      • AppLaunch.exe (PID: 4020)
    • Reads the date of Windows installation

      • powershell.exe (PID: 1560)
    • Drops a file with a compile date too recent

      • csc.exe (PID: 3432)
    • Executable content was dropped or overwritten

      • csc.exe (PID: 3432)
  • INFO

    • Checks Windows Trust Settings

      • powershell.exe (PID: 1560)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

NetWire

(PID) Process(4020) AppLaunch.exe
Strings (90)GetProcessImageFileNameA
Local Disk
WinHttpOpen
WinHttpGetProxyForUrl
WinHttpGetIEProxyConfigForCurrentUser
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
SOFTWARE\Microsoft\Active Setup\Installed Components
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
SOFTWARE\Microsoft\Active Setup\Installed Components\%s
StubPath
[Esc]
[Ctrl+%c]
RegisterRawInputDevices
GetRawInputData
Secur32.dll
LsaGetLogonSessionData
LsaEnumerateLogonSessions
SOFTWARE\Mozilla\%s\
CurrentVersion
SOFTWARE\Mozilla\%s\%s\Main
Install Directory
mozutils.dll
mozsqlite3.dll
%s\logins.json
PK11_GetInternalKeySlot
PK11_Authenticate
PL_Base64Decode
SECITEM_ZfreeItem
PK11SDR_Decrypt
PK11_FreeSlot
NSS_Shutdown
sqlite3_open
sqlite3_close
sqlite3_prepare_v2
sqlite3_step
sqlite3_column_text
select * from moz_logins
hostname
<name>
<password>
POP3 Server
POP3 Password
IMAP User
IMAP Server
IMAP Password
HTTP User
HTTP Server
HTTP Password
SMTP User
SMTP Server
SMTP Password
EAS User
EAS Server URL
EAS Password
POP3 Server
POP3 Password
IMAP User
IMAP Server
IMAP Password
HTTP User
HTTP Server
HTTP Password
SMTP User
SMTP Server
SMTP Password
EAS User
EAS Server URL
EAS Password
index.dat
vaultcli.dll
VaultOpenVault
VaultCloseVault
VaultGetItem
GetModuleFileNameExA
GetModuleFileNameExA
GetNativeSystemInfo
GlobalMemoryStatusEx
HARDWARE\DESCRIPTION\System\CentralProcessor\0
Closed
Listening...
SYN Sent
SYN Received
Established
Fin Wait (1)
Fin Wait (2)
Close Wait
Closing...
Last ACK
Time Wait
Delete TCB
Keys
RC4_key3f3d3f4147904e5d40dc2f48e944c7a7
Options
Keylogger_directoryC:\Users\admin\AppData\Roaming\Logs\
Sleep(s)75
Offline_keyloggertrue
Use_a_mutextrue
Registry_autorunfalse
Lock_executablefalse
Delete_originalfalse
Copy_executablefalse
ProxyDirect_connection
ActiveXfalse
Startup_name-
Install_path-
MutexVwtFYXpp
Credentials
Password1234
HostCCP
C2 (1)185.81.157.169:4041
No Malware configuration.
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
37
Monitored processes
4
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start powershell.exe csc.exe cvtres.exe no specs #NETWIRE applaunch.exe

Process information

PID
CMD
Path
Indicators
Parent process
1560"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-file" "C:\Users\admin\AppData\Local\Temp\27c3e9895486cdce1c95dc80435fb75302bf079c928888e542d8d93c7762404c.ps1"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\atl.dll
c:\windows\system32\lpk.dll
3432"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\xjmczhg5.cmdline"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Visual C# Command Line Compiler
Exit code:
0
Version:
4.0.30319.34209 built by: FX452RTMGDR
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\csc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\system32\ole32.dll
3288C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RES96D3.tmp" "c:\Users\admin\AppData\Local\Temp\CSC5CDE365238D0471481B41938C75119.TMP"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.execsc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft® Resource File To COFF Object Conversion Utility
Exit code:
0
Version:
12.00.51209.34209 built by: FX452RTMGDR
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\cvtres.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\system32\cryptsp.dll
4020"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET ClickOnce Launch Utility
Version:
4.0.30319.34209 built by: FX452RTMGDR
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\applaunch.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
NetWire
(PID) Process(4020) AppLaunch.exe
Strings (90)GetProcessImageFileNameA
Local Disk
WinHttpOpen
WinHttpGetProxyForUrl
WinHttpGetIEProxyConfigForCurrentUser
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
SOFTWARE\Microsoft\Active Setup\Installed Components
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
SOFTWARE\Microsoft\Active Setup\Installed Components\%s
StubPath
[Esc]
[Ctrl+%c]
RegisterRawInputDevices
GetRawInputData
Secur32.dll
LsaGetLogonSessionData
LsaEnumerateLogonSessions
SOFTWARE\Mozilla\%s\
CurrentVersion
SOFTWARE\Mozilla\%s\%s\Main
Install Directory
mozutils.dll
mozsqlite3.dll
%s\logins.json
PK11_GetInternalKeySlot
PK11_Authenticate
PL_Base64Decode
SECITEM_ZfreeItem
PK11SDR_Decrypt
PK11_FreeSlot
NSS_Shutdown
sqlite3_open
sqlite3_close
sqlite3_prepare_v2
sqlite3_step
sqlite3_column_text
select * from moz_logins
hostname
<name>
<password>
POP3 Server
POP3 Password
IMAP User
IMAP Server
IMAP Password
HTTP User
HTTP Server
HTTP Password
SMTP User
SMTP Server
SMTP Password
EAS User
EAS Server URL
EAS Password
POP3 Server
POP3 Password
IMAP User
IMAP Server
IMAP Password
HTTP User
HTTP Server
HTTP Password
SMTP User
SMTP Server
SMTP Password
EAS User
EAS Server URL
EAS Password
index.dat
vaultcli.dll
VaultOpenVault
VaultCloseVault
VaultGetItem
GetModuleFileNameExA
GetModuleFileNameExA
GetNativeSystemInfo
GlobalMemoryStatusEx
HARDWARE\DESCRIPTION\System\CentralProcessor\0
Closed
Listening...
SYN Sent
SYN Received
Established
Fin Wait (1)
Fin Wait (2)
Close Wait
Closing...
Last ACK
Time Wait
Delete TCB
Keys
RC4_key3f3d3f4147904e5d40dc2f48e944c7a7
Options
Keylogger_directoryC:\Users\admin\AppData\Roaming\Logs\
Sleep(s)75
Offline_keyloggertrue
Use_a_mutextrue
Registry_autorunfalse
Lock_executablefalse
Delete_originalfalse
Copy_executablefalse
ProxyDirect_connection
ActiveXfalse
Startup_name-
Install_path-
MutexVwtFYXpp
Credentials
Password1234
HostCCP
C2 (1)185.81.157.169:4041
Total events
1 834
Read events
1 770
Write events
64
Delete events
0

Modification events

(PID) Process:(1560) powershell.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(1560) powershell.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(1560) powershell.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(1560) powershell.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(1560) powershell.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(4020) AppLaunch.exeKey:HKEY_CURRENT_USER\Software\NetWire
Operation:writeName:HostId
Value:
CCP
(PID) Process:(4020) AppLaunch.exeKey:HKEY_CURRENT_USER\Software\NetWire
Operation:writeName:Install Date
Value:
2022-08-01 19:20:21
Executable files
1
Suspicious files
5
Text files
4
Unknown types
3

Dropped files

PID
Process
Filename
Type
1560powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SystemLogin.vbstext
MD5:05EE066FC796B26E70ACC8E45493B658
SHA256:F4EBCB0655744C39AA2B4D8FCBEDDC74B849237E1913699E10DEAB2154B200AA
1560powershell.exeC:\Users\admin\AppData\Local\Temp\xjmczhg5.cmdlinetext
MD5:954FF1551F07E41759C5B60704B08AD0
SHA256:7724BC550F00071B05633A27354271EA11044E28053A2BE9690EE4E28002029A
3432csc.exeC:\Users\admin\AppData\Local\Temp\xjmczhg5.dllexecutable
MD5:CE4B7D46F04D5BBC16F4E664D98A4C9A
SHA256:761D6A555038636CB571C79014E03905D6B303F6229F7FE537D7652BFA9217DD
1560powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF108ee4.TMPbinary
MD5:CCFCF369F751CE8DA0370D84E52A7EED
SHA256:53922490C3F5A04667EC3605A01AF2A4F4F265782D1BCA519F63ACAD413F2ED9
3432csc.exeC:\Users\admin\AppData\Local\Temp\xjmczhg5.outtext
MD5:D31DA4380A4937084A30DA379C101C5E
SHA256:0277D31569CD0E9FCA74FCBD140AACFE2D1C8DA48F59DB1F0D36832876169237
1560powershell.exeC:\Users\admin\AppData\Local\Temp\xjmczhg5.0.cstext
MD5:2613E7F3F3414A8DA4B17D248389FBC9
SHA256:3F81AC1BB706EACC232EC8AD24048D6E61CEE5634FC734E40287EC5CCF9860BC
3432csc.exeC:\Users\admin\AppData\Local\Temp\CSC5CDE365238D0471481B41938C75119.TMPres
MD5:3EC8CB4214A5172F55539DF9DFA253F2
SHA256:D2ADA932B4CF1B0387211FC89ABA7F9B8B43EB331D034932E1DE1777693C17FC
1560powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:68B90C3CC259D8675C559212E551675E
SHA256:D7AD6011E606D10C05BAF12CD47E19BD6C67C9F0A6E48F16A915D80F32A5F71D
3288cvtres.exeC:\Users\admin\AppData\Local\Temp\RES96D3.tmpo
MD5:570F820F4AC2CBC51207FD9EC06EE865
SHA256:3F67F0E8ABC70572BC101469EF426A59F483BA1E582FCCE62E074E06D1536767
1560powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2R710T7TD2FPKMIWDMXJ.tempbinary
MD5:68B90C3CC259D8675C559212E551675E
SHA256:D7AD6011E606D10C05BAF12CD47E19BD6C67C9F0A6E48F16A915D80F32A5F71D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
1
DNS requests
1
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
185.81.157.169:4041
Inulogic Sarl
FR
malicious

DNS requests

Domain
IP
Reputation
dns.msftncsi.com
  • 131.107.255.255
shared

Threats

No threats detected
No debug info