Analysis
max time kernel: 106s
max time network: 132s
platform: windows7_x64
resource: win7v20201028
submitted: 24-12-2020 13:29

Static task: static1
Behavioral task: behavioral1
Sample: vmclang.exe
Resource: win7v20201028 (windows7_x64)
0 signatures, 0 seconds
General
Target: vmclang.exe
Size: 5.8MB
MD5: 023ae9c9494ea1d4c24dcbfe7892c611
SHA1: 2fff1f353cb6946d6f226050e710d4bc0cf4d16e
SHA256: 2c1cef7d208ce8f0094415d06cc61fa37dd9c9308cfcd9fde0f7a32703220e90
SHA512: d2f1a3a1539a3e2359df28b274da3676718ccf2500ccceb8ed7e695d1e18b5344551b68a27c501c0ee4e0279f357b684ab1b04d3929357d6d478e26237e82d25
Malware Config
Signatures
- NetWire RAT payload (2 IoCs)
  resource: behavioral1/memory/908-3-0x0000000000000000-mapping.dmp, yara_rule: netwire
  resource: behavioral1/memory/908-4-0x0000000000400000-0x0000000000433000-memory.dmp, yara_rule: netwire
  Both dumps were taken from PID 908 (notepad.exe); the second covers the 0x400000-0x433000 region of that process.
- Drops file in Windows directory (1 IoC)
  process: notepad.exe, description: File created, ioc: C:\Windows\Tasks\vmclang.job
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 1668 vmclang.exe; pid 836 extrac32.exe
- Suspicious behavior: MapViewOfSection (1 IoC)
  pid 836 extrac32.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid 1668 vmclang.exe
- Suspicious use of WriteProcessMemory (81 IoCs)
  Processes: vmclang.exe, extrac32.exe. The report lists one row per observed write, and every row is one of the following two events, each repeated many times; deduplicated:
  PID 1668 (vmclang.exe) wrote to memory of PID 836 (extrac32.exe)
  PID 836 (extrac32.exe) wrote to memory of PID 908 (notepad.exe)
Processes
1. C:\Users\Admin\AppData\Local\Temp\vmclang.exe (PID 1668)
   command line: "C:\Users\Admin\AppData\Local\Temp\vmclang.exe"
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\extrac32.exe (PID 836), child of 1
      command line: "C:\Windows\system32\extrac32.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\notepad.exe (PID 908), child of 2
         command line: "C:\Windows\system32\notepad.exe"
         - Drops file in Windows directory

The command lines name C:\Windows\system32\ while the images actually run from C:\Windows\SysWOW64\: that is WOW64 file system redirection on the 64-bit Windows 7 VM, which applies to 32-bit processes, so vmclang.exe and the children it spawns are 32-bit. Read together with the signatures, the chain is vmclang.exe writing into the extrac32.exe it spawned, extrac32.exe mapping a section and writing into the notepad.exe it spawned, the NetWire YARA rule matching memory of that notepad.exe process, and the same notepad.exe creating C:\Windows\Tasks\vmclang.job.
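As an added example, not part of this report or of the sandbox's own tooling, the following Python parses the WriteProcessMemory rows and the YARA memory-dump names above into structured records, rebuilds the cross-process write chain, and joins the NetWire hits to it. The sample input is constructed from the rows on this page (reduced to a few lines). The dump-name layout `<pid>-<n>-0x<start>[-0x<end>]-<memory|mapping>.dmp` is inferred from the two names shown here, and the 0x400000 default 32-bit image base and the "likely hollowed" label are this example's own assumptions, not a determination the report makes.

```python
import re
from collections import Counter, defaultdict

# Constructed input, copied from this report's signature tables and reduced to
# a few rows (the original repeats each WriteProcessMemory row many times).
WRITE_EVENTS = """
PID 1668 wrote to memory of 836 1668 vmclang.exe extrac32.exe
PID 1668 wrote to memory of 836 1668 vmclang.exe extrac32.exe
PID 836 wrote to memory of 908 836 extrac32.exe notepad.exe
"""

YARA_HITS = """
behavioral1/memory/908-3-0x0000000000000000-mapping.dmp netwire
behavioral1/memory/908-4-0x0000000000400000-0x0000000000433000-memory.dmp netwire
"""

# PID -> image name, taken from the report's process tree and signature rows.
PROCESSES = {1668: "vmclang.exe", 836: "extrac32.exe", 908: "notepad.exe"}

# Assumption: 0x400000 is the usual linker default image base for 32-bit PEs,
# so a payload found exactly there, in a process that received cross-process
# writes, is consistent with the original image having been replaced.
DEFAULT_IMAGE_BASE_32 = 0x400000

WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)")
# Assumed dump-name layout, inferred from the two names on this page.
DUMP_RE = re.compile(
    r"memory/(\d+)-(\d+)-0x([0-9a-fA-F]+)(?:-0x([0-9a-fA-F]+))?-(memory|mapping)\.dmp\s+(\S+)"
)


def parse_writes(text):
    """Count WriteProcessMemory rows by (src_pid, src_image, dst_pid, dst_image)."""
    counts = Counter()
    for m in WRITE_RE.finditer(text):
        src, dst, src_img, dst_img = m.groups()
        counts[(int(src), src_img, int(dst), dst_img)] += 1
    return counts


def parse_dumps(text):
    """Parse '<pid>-<n>-0x<start>[-0x<end>]-<memory|mapping>.dmp <rule>' rows."""
    hits = []
    for m in DUMP_RE.finditer(text):
        pid, idx, start, end, kind, rule = m.groups()
        hits.append({
            "pid": int(pid), "index": int(idx), "kind": kind, "rule": rule,
            "start": int(start, 16), "end": int(end, 16) if end else None,
        })
    return hits


def injection_chains(writes):
    """Follow writer -> target edges, starting from processes nobody wrote into."""
    edges = defaultdict(set)
    targets = set()
    for src, _, dst, _ in writes:
        edges[src].add(dst)
        targets.add(dst)
    chains = []

    def walk(pid, path):
        if pid not in edges:
            chains.append(path)
            return
        for nxt in sorted(edges[pid]):
            walk(nxt, path + [nxt])

    for root in [p for p in edges if p not in targets]:
        walk(root, [root])
    return chains


def assess(writes, hits, processes):
    """Join each YARA hit to the write graph and flag hits at the image base."""
    written_into = {dst for _, _, dst, _ in writes}
    findings = []
    for h in hits:
        f = dict(h, image=processes.get(h["pid"], "?"), injected=h["pid"] in written_into)
        if h["kind"] == "memory" and h["end"] is not None:
            f["size"] = h["end"] - h["start"]
            f["at_image_base"] = h["start"] == DEFAULT_IMAGE_BASE_32
        else:  # mapping dumps carry no address range to reason about
            f["size"] = None
            f["at_image_base"] = False
        f["likely_hollowed"] = f["injected"] and f["at_image_base"]
        findings.append(f)
    return findings


if __name__ == "__main__":
    writes = parse_writes(WRITE_EVENTS)
    for (src, si, dst, di), n in writes.items():
        print(f"{si}({src}) -> {di}({dst}): {n} write(s)")
    print("chains:", injection_chains(writes))
    for f in assess(writes, parse_dumps(YARA_HITS), PROCESSES):
        print(f"{f['rule']} in {f['image']}({f['pid']}) {f['kind']} "
              f"start=0x{f['start']:x} size={f['size']} hollowed={f['likely_hollowed']}")
```

On this report's data the chain resolves to 1668 -> 836 -> 908 and the second hit, a 0x33000-byte region at 0x400000 inside the notepad.exe that extrac32.exe wrote into, gets the `likely_hollowed` flag; the mapping dump carries no range and is only tied to the chain. When feeding real reports, keep the deduplicated counter rather than the raw rows, since the row count (81 here) is a measure of write calls, not of distinct injection targets.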