Analysis
-
max time kernel
135s -
max time network
135s -
platform
windows7_x64 -
resource
win7 -
submitted
30-06-2020 13:12
General
-
Target
723e38f58e65b8b7d46131511173e561.exe
-
Size
680KB
-
MD5
723e38f58e65b8b7d46131511173e561
-
SHA1
517710e731f08d0301c3f132d79793f3587a7452
-
SHA256
7b9a1aa88be62eb638af26146fce0a1b71aec646d2495fb350dd6d56997e7582
-
SHA512
d84a7dc0639219137c4afd5ec37a0143bd643ebbec188ab50e18965f63e4c2b73b0646c209cdf4052faf67b7a751019b45bb906d0cf58031094c36e5ff5f4b0f
Score
10/10
Malware Config
Signatures
-
NetWire RAT payload 2 IoCs
-
Adds Run entry to start application 2 TTPs 1 IoCs
-
Modifies registry key 1 TTPs 3 IoCs
-
Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of WriteProcessMemory 527 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Executes dropped EXE 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\723e38f58e65b8b7d46131511173e561.exe"C:\Users\Admin\AppData\Local\Temp\723e38f58e65b8b7d46131511173e561.exe"1⤵
- Adds Run entry to start application
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\TapiUnattend.exe"C:\Windows\System32\TapiUnattend.exe"2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Public\Natso.bat3⤵
-
C:\Windows\SysWOW64\reg.exereg delete hkcu\Environment /v windir /f4⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\x.bat reg delete hkcu\Environment /v windir /f && REM "4⤵
- Modifies registry key
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I4⤵
-
C:\Windows\SysWOW64\reg.exereg delete hkcu\Environment /v windir /f4⤵
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Public\Runex.bat3⤵
-
C:\Windows \System32\fodhelper.exe"C:\Windows \System32\fodhelper.exe"4⤵
- Executes dropped EXE
-
C:\Windows \System32\fodhelper.exe"C:\Windows \System32\fodhelper.exe"4⤵
- Executes dropped EXE
-
C:\Program Files (x86)\internet explorer\ieinstal.exe"C:\Program Files (x86)\internet explorer\ieinstal.exe"2⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Public\Natso.bat
-
C:\Users\Public\Runex.bat
-
C:\Users\Public\fodhelper.exe
-
C:\Users\Public\propsys.dll
-
C:\Windows \System32\fodhelper.exe
-
C:\Windows \System32\fodhelper.exe
-
memory/1036-69-0x0000000000000000-mapping.dmp
-
memory/1036-30-0x0000000000000000-mapping.dmp
-
memory/1036-7-0x0000000000000000-mapping.dmp
-
memory/1036-8-0x0000000000000000-mapping.dmp
-
memory/1036-9-0x0000000000000000-mapping.dmp
-
memory/1036-10-0x0000000000000000-mapping.dmp
-
memory/1036-11-0x0000000000000000-mapping.dmp
-
memory/1036-12-0x0000000000000000-mapping.dmp
-
memory/1036-13-0x0000000000000000-mapping.dmp
-
memory/1036-14-0x0000000000000000-mapping.dmp
-
memory/1036-15-0x0000000000000000-mapping.dmp
-
memory/1036-16-0x0000000000000000-mapping.dmp
-
memory/1036-17-0x0000000000000000-mapping.dmp
-
memory/1036-18-0x0000000000000000-mapping.dmp
-
memory/1036-19-0x0000000000000000-mapping.dmp
-
memory/1036-20-0x0000000000000000-mapping.dmp
-
memory/1036-21-0x0000000000000000-mapping.dmp
-
memory/1036-22-0x0000000000000000-mapping.dmp
-
memory/1036-23-0x0000000000000000-mapping.dmp
-
memory/1036-24-0x0000000000000000-mapping.dmp
-
memory/1036-25-0x0000000000000000-mapping.dmp
-
memory/1036-26-0x0000000000000000-mapping.dmp
-
memory/1036-27-0x0000000000000000-mapping.dmp
-
memory/1036-28-0x0000000000000000-mapping.dmp
-
memory/1036-29-0x0000000000000000-mapping.dmp
-
memory/1036-72-0x0000000000000000-mapping.dmp
-
memory/1036-31-0x0000000000000000-mapping.dmp
-
memory/1036-32-0x0000000000000000-mapping.dmp
-
memory/1036-33-0x0000000000000000-mapping.dmp
-
memory/1036-34-0x0000000000000000-mapping.dmp
-
memory/1036-35-0x0000000000000000-mapping.dmp
-
memory/1036-36-0x0000000000000000-mapping.dmp
-
memory/1036-37-0x0000000000000000-mapping.dmp
-
memory/1036-38-0x0000000000000000-mapping.dmp
-
memory/1036-39-0x0000000000000000-mapping.dmp
-
memory/1036-40-0x0000000000000000-mapping.dmp
-
memory/1036-41-0x0000000000000000-mapping.dmp
-
memory/1036-42-0x0000000000000000-mapping.dmp
-
memory/1036-43-0x0000000000000000-mapping.dmp
-
memory/1036-44-0x0000000000000000-mapping.dmp
-
memory/1036-45-0x0000000000000000-mapping.dmp
-
memory/1036-46-0x0000000000000000-mapping.dmp
-
memory/1036-47-0x0000000000000000-mapping.dmp
-
memory/1036-48-0x0000000000000000-mapping.dmp
-
memory/1036-49-0x0000000000000000-mapping.dmp
-
memory/1036-50-0x0000000000000000-mapping.dmp
-
memory/1036-51-0x0000000000000000-mapping.dmp
-
memory/1036-73-0x0000000000000000-mapping.dmp
-
memory/1036-53-0x0000000000000000-mapping.dmp
-
memory/1036-54-0x0000000000000000-mapping.dmp
-
memory/1036-55-0x0000000000000000-mapping.dmp
-
memory/1036-56-0x0000000000000000-mapping.dmp
-
memory/1036-57-0x0000000000000000-mapping.dmp
-
memory/1036-58-0x0000000000000000-mapping.dmp
-
memory/1036-59-0x0000000000000000-mapping.dmp
-
memory/1036-60-0x0000000000000000-mapping.dmp
-
memory/1036-61-0x0000000000000000-mapping.dmp
-
memory/1036-62-0x0000000000000000-mapping.dmp
-
memory/1036-63-0x0000000000000000-mapping.dmp
-
memory/1036-64-0x0000000000000000-mapping.dmp
-
memory/1036-65-0x0000000000000000-mapping.dmp
-
memory/1036-66-0x0000000000000000-mapping.dmp
-
memory/1036-67-0x0000000000000000-mapping.dmp
-
memory/1036-68-0x0000000000000000-mapping.dmp
-
memory/1036-5-0x0000000000000000-mapping.dmp
-
memory/1036-70-0x0000000000000000-mapping.dmp
-
memory/1036-84-0x0000000000000000-mapping.dmp
-
memory/1036-6-0x0000000000000000-mapping.dmp
-
memory/1036-52-0x0000000000000000-mapping.dmp
-
memory/1036-74-0x0000000000000000-mapping.dmp
-
memory/1036-75-0x0000000000000000-mapping.dmp
-
memory/1036-76-0x0000000000000000-mapping.dmp
-
memory/1036-77-0x0000000000000000-mapping.dmp
-
memory/1036-78-0x0000000000000000-mapping.dmp
-
memory/1036-79-0x0000000000000000-mapping.dmp
-
memory/1036-80-0x0000000000000000-mapping.dmp
-
memory/1036-81-0x0000000000000000-mapping.dmp
-
memory/1036-82-0x0000000000000000-mapping.dmp
-
memory/1036-83-0x0000000000000000-mapping.dmp
-
memory/1036-71-0x0000000000000000-mapping.dmp
-
memory/1036-85-0x0000000000000000-mapping.dmp
-
memory/1036-86-0x0000000000000000-mapping.dmp
-
memory/1036-87-0x0000000000000000-mapping.dmp
-
memory/1036-88-0x0000000000000000-mapping.dmp
-
memory/1036-89-0x0000000000000000-mapping.dmp
-
memory/1036-90-0x0000000000000000-mapping.dmp
-
memory/1036-91-0x0000000000000000-mapping.dmp
-
memory/1036-92-0x0000000000000000-mapping.dmp
-
memory/1036-93-0x0000000000000000-mapping.dmp
-
memory/1036-94-0x0000000000000000-mapping.dmp
-
memory/1036-95-0x0000000000000000-mapping.dmp
-
memory/1036-96-0x0000000000000000-mapping.dmp
-
memory/1036-97-0x0000000000000000-mapping.dmp
-
memory/1036-98-0x0000000000000000-mapping.dmp
-
memory/1036-99-0x0000000000000000-mapping.dmp
-
memory/1036-100-0x0000000000000000-mapping.dmp
-
memory/1036-101-0x0000000000000000-mapping.dmp
-
memory/1036-102-0x0000000000000000-mapping.dmp
-
memory/1036-103-0x0000000000000000-mapping.dmp
-
memory/1036-104-0x0000000000000000-mapping.dmp
-
memory/1036-105-0x0000000000000000-mapping.dmp
-
memory/1036-106-0x0000000000000000-mapping.dmp
-
memory/1036-107-0x0000000000000000-mapping.dmp
-
memory/1036-108-0x0000000000000000-mapping.dmp
-
memory/1036-109-0x0000000000000000-mapping.dmp
-
memory/1036-110-0x0000000000000000-mapping.dmp
-
memory/1036-111-0x0000000000000000-mapping.dmp
-
memory/1036-112-0x0000000000000000-mapping.dmp
-
memory/1036-113-0x0000000000000000-mapping.dmp
-
memory/1036-114-0x0000000000000000-mapping.dmp
-
memory/1036-115-0x0000000000000000-mapping.dmp
-
memory/1036-116-0x0000000000000000-mapping.dmp
-
memory/1036-117-0x0000000000000000-mapping.dmp
-
memory/1036-118-0x0000000000000000-mapping.dmp
-
memory/1036-119-0x0000000000000000-mapping.dmp
-
memory/1036-120-0x0000000000000000-mapping.dmp
-
memory/1036-121-0x0000000000000000-mapping.dmp
-
memory/1036-122-0x0000000000000000-mapping.dmp
-
memory/1036-123-0x0000000000000000-mapping.dmp
-
memory/1036-125-0x0000000000000000-mapping.dmp
-
memory/1036-0-0x0000000000000000-mapping.dmp
-
memory/1036-1-0x0000000000000000-mapping.dmp
-
memory/1036-2-0x0000000000000000-mapping.dmp
-
memory/1036-3-0x0000000000000000-mapping.dmp
-
memory/1036-4-0x0000000000000000-mapping.dmp
-
memory/1088-124-0x0000000010410000-0x0000000010450000-memory.dmpFilesize
256KB
-
memory/2176-132-0x0000000000400000-0x0000000000433000-memory.dmpFilesize
204KB
-
memory/2176-130-0x000000000040242D-mapping.dmp
-
memory/2176-126-0x0000000000400000-0x0000000000433000-memory.dmpFilesize
204KB
-
memory/2208-127-0x0000000000000000-mapping.dmp
-
memory/2240-129-0x0000000000000000-mapping.dmp
-
memory/2256-131-0x0000000000000000-mapping.dmp
-
memory/2280-133-0x0000000000000000-mapping.dmp
-
memory/2312-134-0x0000000000000000-mapping.dmp
-
memory/2328-135-0x0000000000000000-mapping.dmp