Analysis
max time kernel: 85s
max time network: 86s
platform: windows7_x64
resource: win7v20201028
submitted: 06-01-2021 07:16
Static task: static1
Behavioral task: behavioral1
  Sample: Scan_0011121021000.exe
  Resource: win7v20201028 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: Scan_0011121021000.exe
  Resource: win10v20201028 (windows10_x64)
  0 signatures, 0 seconds
General
Target: Scan_0011121021000.exe
Size: 1.9MB
MD5: dfbdf304ffb322276a26f4d7ac26ea34
SHA1: 5fd5e24be102441882add9a32e432ac32333ca6d
SHA256: 738e16b6660e32ed957f9fd9e0c5cea56b1aaa7695bcdb56998ca9866071e32b
SHA512: 09454ca8e82c963fc9caa564057f6bd4c6cd2f974f9ce42a4bbb1910ef21223398420e0d8748069194499ecbd5b9b8f9905d05f45c760b422161d7785eaa8acb
Score: 10/10
Malware Config
Signatures
-
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Process: Scan_0011121021000.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Scan_0011121021000.exe\""
  The Winlogon Shell value is a comma-separated list of programs started at logon. The sample keeps explorer.exe first, so the desktop still comes up normally, and appends its own path in %TEMP%. The write goes to the user hive (SID ending in -1000, i.e. HKCU), which needs no administrative rights and takes effect for that account only.
NetWire RAT payload (3 IoCs)
YARA rule "netwire" matched these memory dumps of PID 1668 (behavioral1):
  behavioral1/memory/1668-12-0x0000000000402453-mapping.dmp
  behavioral1/memory/1668-11-0x0000000000400000-0x0000000000437000-memory.dmp
  behavioral1/memory/1668-13-0x0000000000400000-0x0000000000437000-memory.dmp
All three hits are in the 0x400000-0x437000 region of the child process, the default image base, which is consistent with the parent (PID 752) having written the unpacked NetWire payload over the child's image (see the SetThreadContext and WriteProcessMemory signatures below).
Drops startup file (2 IoCs)
Process: Scan_0011121021000.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scan_0011121021000.exe
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scan_0011121021000.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Process: Scan_0011121021000.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Scan_0011121021000.exe"
  Set value (str) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\Scan_0011121021000.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Scan_0011121021000.exe"
  The Winlogon Shell value and both Run values point at the copy in %TEMP%, while the Startup folder holds a separate copy of the executable. Cleanup therefore has to remove both files and all three registry values; deleting only the %TEMP% copy leaves the Startup-folder copy running at the next logon.
Suspicious use of SetThreadContext (1 IoC)
  PID 752 (Scan_0011121021000.exe) set thread context of PID 1668 (Scan_0011121021000.exe)
Suspicious use of WriteProcessMemory (13 IoCs)
  PID 752 (Scan_0011121021000.exe) wrote to memory of PID 1668 (Scan_0011121021000.exe), 13 events
Together with the SetThreadContext event above this is the process-hollowing sequence: the sample starts a second copy of itself, overwrites that copy's memory with the unpacked payload, and redirects its thread to the new code. The child is the process whose 0x400000-0x437000 region the netwire YARA rule matched.
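As an added example (not the sandbox's own code), the script below parses IoC lines in the same flattened shape as the Signatures section above and raises findings for the persistence writes (Winlogon Shell, Run key, Startup folder) and for the WriteProcessMemory plus SetThreadContext pair between parent and child. The event lines are copied from this report, with the 13 identical WriteProcessMemory lines generated rather than pasted; the ATT&CK technique IDs attached to each finding are the editor's mapping to current ATT&CK, not the report's own "TTPs" column.

```python
"""Triage of the behavioural IoCs in this report (added example, not sandbox code)."""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str     # short rule name
    attack: str   # ATT&CK technique (editor's mapping, not from the report)
    detail: str


# IoC lines copied from this report; the 13 WriteProcessMemory events are generated.
_WRITE = "PID 752 wrote to memory of 1668 752 Scan_0011121021000.exe Scan_0011121021000.exe"
REPORT_EVENTS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Scan_0011121021000.exe\"" Scan_0011121021000.exe',
    r'File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scan_0011121021000.exe Scan_0011121021000.exe',
    r'File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scan_0011121021000.exe Scan_0011121021000.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Scan_0011121021000.exe" Scan_0011121021000.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\Scan_0011121021000.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Scan_0011121021000.exe" Scan_0011121021000.exe',
    "PID 752 set thread context of 1668 752 Scan_0011121021000.exe Scan_0011121021000.exe",
] + [_WRITE] * 13

# The three line shapes the report uses; the last token of each is the acting process.
_REG_RE = re.compile(r'^Set value \((?P<vtype>\w+)\) (?P<path>\\REGISTRY\\.+?) = "(?P<data>.*)" (?P<proc>\S+)$')
_FILE_RE = re.compile(r'^File (?P<action>created|opened for modification) (?P<path>.+?) (?P<proc>\S+)$')
_PROC_RE = re.compile(r'^PID (?P<src>\d+) (?P<action>wrote to memory of|set thread context of) '
                      r'(?P<dst>\d+) \d+ (?P<proc>\S+) (?P<target>\S+)$')

# Stock Winlogon values; anything else in Shell/Userinit is a persistence hijack.
_WINLOGON_DEFAULTS = {"shell": "explorer.exe", "userinit": r"c:\windows\system32\userinit.exe"}
_USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\", "\\programdata\\")


def normalize_key(path: str) -> str:
    """Map the kernel-style \\REGISTRY\\... path to the familiar HKCU/HKLM form."""
    path = re.sub(r"^\\REGISTRY\\USER\\S-1-5-[\d-]+\\", lambda m: "HKCU\\", path, flags=re.I)
    return re.sub(r"^\\REGISTRY\\MACHINE\\", lambda m: "HKLM\\", path, flags=re.I)


def unescape(data: str) -> str:
    """Undo the report's C-style escaping of quotes and backslashes in value data."""
    return data.replace('\\"', '"').replace("\\\\", "\\")


def first_path(data: str) -> str:
    """First quoted path in a command-line style value, else the first comma-separated item."""
    m = re.search(r'"([^"]+)"', data)
    return m.group(1) if m else data.split(",")[0].strip()


def _check_registry(m) -> list:
    key, _, name = normalize_key(m["path"]).rpartition("\\")
    data, klow, nlow = unescape(m["data"]), key.lower(), name.lower()
    if klow.endswith("\\winlogon") and nlow in _WINLOGON_DEFAULTS:
        if data.lower().rstrip(",") != _WINLOGON_DEFAULTS[nlow]:
            return [Finding("winlogon_" + nlow, "T1547.004",
                            f"{key}\\{name} = {data} (stock value: {_WINLOGON_DEFAULTS[nlow]})")]
    elif re.search(r"\\currentversion\\run(once)?$", klow):
        target = first_path(data)
        where = "user-writable path" if any(s in target.lower() for s in _USER_WRITABLE) else "path"
        return [Finding("run_key", "T1547.001", f"{key}\\{name} -> {target} ({where})")]
    return []


def _check_file(m) -> list:
    if m["action"] == "created" and "\\start menu\\programs\\startup\\" in m["path"].lower():
        return [Finding("startup_folder", "T1547.001", f'{m["proc"]} dropped {m["path"]}')]
    return []


def triage(lines) -> list:
    """Run every rule over the event lines; findings come out in event order, injection last."""
    findings, writes, ctx = [], Counter(), {}
    for line in (l.strip() for l in lines):
        if m := _REG_RE.match(line):
            findings += _check_registry(m)
        elif m := _FILE_RE.match(line):
            findings += _check_file(m)
        elif m := _PROC_RE.match(line):
            pair = (int(m["src"]), int(m["dst"]))
            if m["action"].startswith("wrote"):
                writes[pair] += 1
            else:
                ctx[pair] = (m["proc"], m["target"])
    # Writing into a process whose thread context the writer also replaced is the
    # hollowing sequence; the same image on both sides means a hollowed copy of itself.
    for (src, dst), (proc, target) in ctx.items():
        if n := writes[(src, dst)]:
            same = " (a copy of its own image: self-hollowing)" if proc.lower() == target.lower() else ""
            findings.append(Finding("process_hollowing", "T1055.012",
                                    f"PID {src} {proc} wrote to PID {dst} {target} {n} times and set its thread context{same}"))
    return findings


if __name__ == "__main__":
    for f in triage(REPORT_EVENTS):
        print(f"[{f.rule:<18}] {f.attack:<10} {f.detail}")
```

Run on this report's lines it yields five findings: one Winlogon Shell hijack, one Startup-folder drop, two Run values, and one self-hollowing event (13 writes into PID 1668 followed by SetThreadContext). Feeding it the "File opened for modification" line alone produces nothing, since only the creation is treated as a drop.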
Processes
C:\Users\Admin\AppData\Local\Temp\Scan_0011121021000.exe (PID 752)
  command line: "C:\Users\Admin\AppData\Local\Temp\Scan_0011121021000.exe"
  - Modifies WinLogon for persistence
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\Scan_0011121021000.exe (PID 1668, child of 752; NetWire payload found in its memory)
    command line: "C:\Users\Admin\AppData\Local\Temp\Scan_0011121021000.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads (memory dumps)
  memory/752-2-0x0000000074580000-0x0000000074C6E000-memory.dmp (6.9MB)
  memory/752-3-0x0000000001320000-0x0000000001321000-memory.dmp (4KB)
  memory/752-5-0x00000000008C0000-0x00000000008D1000-memory.dmp (68KB)
  memory/752-10-0x00000000008C0000-0x0000000000903000-memory.dmp (268KB)
  memory/1668-12-0x0000000000402453-mapping.dmp
  memory/1668-11-0x0000000000400000-0x0000000000437000-memory.dmp (220KB)
  memory/1668-13-0x0000000000400000-0x0000000000437000-memory.dmp (220KB)
The two 220KB dumps of PID 1668 at 0x400000 are the ones the netwire YARA rule matched and are the place to start for configuration extraction. In the parent, the region at 0x8C0000 grows from 68KB (dump 5) to 268KB (dump 10) during the run, which is where the unpacked payload would be staged before it is written into the child.