File name: | Netflix BruteForce.exe |
Full analysis: | https://app.any.run/tasks/9425e14f-efdf-40b7-8f46-c030028b5fbb |
Verdict: | Malicious activity |
Threats: | Netwire is an advanced RAT — it is a malware that takes control of infected PCs and allows its operators to perform various actions. Unlike many RATs, this one can target every major operating system, including Windows, Linux, and MacOS. |
Analysis date: | September 11, 2019, 00:24:42 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | 2257DBB2D84DC2881ED94F735806DFB9 |
SHA1: | 0B105947F90B320EADAE23AC4EC059CBBC592145 |
SHA256: | 827CDE1847709AFCC95F8E55B75FA02A9C4A34F5DE532C9CB76EAFD7677EC4D5 |
SSDEEP: | 24576:aNA3R5drXJPbDIvuYMf9qPI/aehCu476zhkUzKPIuAS8neNDnxkAml4hbI3Y4lj:T5RYy9qIDjK6aIKPqneNDnCAw4hKvj |
.exe | | | Win64 Executable (generic) (64.6) |
---|---|---|
.dll | | | Win32 Dynamic Link Library (generic) (15.4) |
.exe | | | Win32 Executable (generic) (10.5) |
.exe | | | Generic Win/DOS Executable (4.6) |
.exe | | | DOS Executable Generic (4.6) |
Subsystem: | Windows GUI |
---|---|
SubsystemVersion: | 5.1 |
ImageVersion: | - |
OSVersion: | 5.1 |
EntryPoint: | 0x1d759 |
UninitializedDataSize: | - |
InitializedDataSize: | 102912 |
CodeSize: | 190976 |
LinkerVersion: | 14 |
PEType: | PE32 |
TimeStamp: | 2019:04:27 22:03:27+02:00 |
MachineType: | Intel 386 or later, and compatibles |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 27-Apr-2019 20:03:27 |
Detected languages: |
|
Debug artifacts: |
|
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000110 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 6 |
Time date stamp: | 27-Apr-2019 20:03:27 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x0002E854 | 0x0002EA00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.69231 |
.rdata | 0x00030000 | 0x00009A9C | 0x00009C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.13286 |
.data | 0x0003A000 | 0x000213D0 | 0x00000C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.25381 |
.gfids | 0x0005C000 | 0x000000E8 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 2.11154 |
.rsrc | 0x0005D000 | 0x0000C6E0 | 0x0000C800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.03787 |
.reloc | 0x0006A000 | 0x00001FCC | 0x00002000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 6.64554 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.25329 | 1875 | Latin 1 / Western European | English - United States | RT_MANIFEST |
2 | 2.28458 | 4264 | Latin 1 / Western European | Process Default Language | RT_ICON |
3 | 2.04898 | 9640 | Latin 1 / Western European | Process Default Language | RT_ICON |
4 | 1.6128 | 16936 | Latin 1 / Western European | Process Default Language | RT_ICON |
7 | 3.1586 | 482 | Latin 1 / Western European | English - United States | RT_STRING |
8 | 3.11685 | 460 | Latin 1 / Western European | English - United States | RT_STRING |
9 | 3.15447 | 494 | Latin 1 / Western European | English - United States | RT_STRING |
10 | 2.99727 | 326 | Latin 1 / Western European | English - United States | RT_STRING |
11 | 3.2036 | 1094 | Latin 1 / Western European | English - United States | RT_STRING |
12 | 3.12889 | 358 | Latin 1 / Western European | English - United States | RT_STRING |
KERNEL32.dll |
USER32.dll (delay-loaded) |
gdiplus.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3032 | "C:\Users\admin\AppData\Local\Temp\Netflix BruteForce.exe" | C:\Users\admin\AppData\Local\Temp\Netflix BruteForce.exe | explorer.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2076 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\RarSFX0\run.vbs" | C:\Windows\System32\WScript.exe | — | Netflix BruteForce.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 | ||||
2388 | "C:\Users\admin\AppData\Local\Temp\RarSFX0\host1.exe" | C:\Users\admin\AppData\Local\Temp\RarSFX0\host1.exe | — | WScript.exe |
User: admin Integrity Level: MEDIUM Description: Netflix Bruteforce Exit code: 0 Version: 1.1.0.0 | ||||
2708 | "C:\Users\admin\AppData\Local\Temp\RarSFX0\host2.exe" | C:\Users\admin\AppData\Local\Temp\RarSFX0\host2.exe | — | WScript.exe |
User: admin Company: Tvalx Integrity Level: MEDIUM Description: CompactScientificCalculator54 Installation Exit code: 3221226540 Version: 1.0.0.9 | ||||
3928 | "C:\Users\admin\AppData\Local\Temp\RarSFX0\host2.exe" | C:\Users\admin\AppData\Local\Temp\RarSFX0\host2.exe | WScript.exe | |
User: admin Company: Tvalx Integrity Level: HIGH Description: CompactScientificCalculator54 Installation Exit code: 0 Version: 1.0.0.9 | ||||
3376 | "C:\Windows\System32\cmd.exe" /c copy "C:/Users/admin/AppData/Local/Temp/RarSFX0/host2.exe" "%appdata%\Windows\WindowsLiveOptions.exe" /Y | C:\Windows\System32\cmd.exe | host2.exe | |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2692 | "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %appdata%\Windows\WindowsLiveOptions.exe:Zone.Identifier | C:\Windows\System32\cmd.exe | — | host2.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3396 | "C:\Windows\System32\cmd.exe" /c ren "%appdata%\Windows\WindowsLiveOptions.exe.jpg" WindowsLiveOptions.exe | C:\Windows\System32\cmd.exe | — | host2.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2132 | "C:\Users\admin\AppData\Local\Temp\WindowsSettingsLive.exe" | C:\Users\admin\AppData\Local\Temp\WindowsSettingsLive.exe | host2.exe | |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Visual Basic Command Line Compiler Version: 14.7.3062.0 |
(PID) Process: | (3032) Netflix BruteForce.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
(PID) Process: | (3032) Netflix BruteForce.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 1 | |||
(PID) Process: | — | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
(PID) Process: | — | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 1 | |||
(PID) Process: | (3928) host2.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
(PID) Process: | (3928) host2.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 1 | |||
(PID) Process: | (2132) WindowsSettingsLive.exe | Key: | HKEY_CURRENT_USER\Software\NetWire |
Operation: | write | Name: | HostId |
Value: General | |||
(PID) Process: | (2132) WindowsSettingsLive.exe | Key: | HKEY_CURRENT_USER\Software\NetWire |
Operation: | write | Name: | Install Date |
Value: 2019-09-11 00:25:38 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3032 | Netflix BruteForce.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\run.vbs | text | |
MD5:38AF315437BBF78FC0B5742C2023AC59 | SHA256:7B132DB15106030D59F9ED4F5E436B8B70EE68E857ECE65AF2C426B85426541B | |||
3032 | Netflix BruteForce.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\host2.exe | executable | |
MD5:75BC4CC664AC2A9B4A858B9B3CEF4A92 | SHA256:90546E24310295D5E920B7C90D2BE5B314DDEFF65974943F1049F73C2B3CAB12 | |||
3376 | cmd.exe | C:\Users\admin\AppData\Roaming\Windows\WindowsLiveOptions.exe | executable | |
MD5:75BC4CC664AC2A9B4A858B9B3CEF4A92 | SHA256:90546E24310295D5E920B7C90D2BE5B314DDEFF65974943F1049F73C2B3CAB12 | |||
3928 | host2.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsLiveOptions.exe.lnk | lnk | |
MD5:A428923A55AA35FDCE973C22D6DD2CC4 | SHA256:9B32DFAA46CB718EC003F6A9F8F9329EC103670953C20B34901DE0703DD101A7 | |||
3928 | host2.exe | C:\Users\admin\AppData\Roaming\Windows\WindowsLiveOptions.exe.lnk | lnk | |
MD5:061260D210BDA9D0AD4BC259D938E0C1 | SHA256:CB37B3AC4ECDB87886F8D9D2F078D9102A472E769563736A8C133CE428F9E09E | |||
3032 | Netflix BruteForce.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\host1.exe | executable | |
MD5:475788AC8BAEC2DF54A8D55BF00D2EFD | SHA256:5BC286BA48638554F6BEFD6FAB72AA562E36C43A388D73AA5726C5DE0F65728D | |||
2692 | cmd.exe | C:\Users\admin\AppData\Roaming\Windows\WindowsLiveOptions.exe:Zone.Identifier | text | |
MD5:130A75A932A2FE57BFEA6A65B88DA8F6 | SHA256:F2B79CAE559D6772AFC1C2ED9468988178F8B6833D5028A15DEA73CE47D0196E | |||
3928 | host2.exe | C:\Users\admin\AppData\Local\Temp\WindowsSettingsLive.exe | executable | |
MD5:1F7BCCC57D21A4BFEDDAAFE514CFD74D | SHA256:D4CB7377E8275ED47E499AB0D7EE47167829A5931BA41AA5790593595A7E1061 |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2132 | WindowsSettingsLive.exe | 37.48.117.80:4575 | — | LeaseWeb Netherlands B.V. | NL | malicious |
PID | Process | Class | Message |
---|---|---|---|
2132 | WindowsSettingsLive.exe | A Network Trojan was detected | MALWARE [PTsecurity] Netwire.RAT |