Analysis
-
max time kernel
61s -
max time network
122s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
06-01-2021 07:16
General
-
Target
Scan_0011121021000.exe
-
Size
1.9MB
-
MD5
dfbdf304ffb322276a26f4d7ac26ea34
-
SHA1
5fd5e24be102441882add9a32e432ac32333ca6d
-
SHA256
738e16b6660e32ed957f9fd9e0c5cea56b1aaa7695bcdb56998ca9866071e32b
-
SHA512
09454ca8e82c963fc9caa564057f6bd4c6cd2f974f9ce42a4bbb1910ef21223398420e0d8748069194499ecbd5b9b8f9905d05f45c760b422161d7785eaa8acb
Score
10/10
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
NetWire RAT payload 6 IoCs
-
Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
-
ServiceHost packer 3 IoCs
Detects ServiceHost packer used for .NET malware
-
Drops startup file 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Program crash 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Scan_0011121021000.exe"C:\Users\Admin\AppData\Local\Temp\Scan_0011121021000.exe"1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Scan_0011121021000.exe"C:\Users\Admin\AppData\Local\Temp\Scan_0011121021000.exe"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 216 -s 4843⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/216-11-0x0000000000402453-mapping.dmp
-
memory/216-19-0x0000000000402453-mapping.dmp
-
memory/216-17-0x0000000000402453-mapping.dmp
-
memory/216-18-0x0000000000402453-mapping.dmp
-
memory/216-13-0x0000000010000000-0x0000000010006000-memory.dmpFilesize
24KB
-
memory/216-12-0x0000000000400000-0x0000000000437000-memory.dmpFilesize
220KB
-
memory/216-10-0x0000000000400000-0x0000000000437000-memory.dmpFilesize
220KB
-
memory/2284-14-0x0000000004C00000-0x0000000004C01000-memory.dmpFilesize
4KB
-
memory/3408-6-0x0000000005190000-0x00000000051D3000-memory.dmpFilesize
268KB
-
memory/3408-9-0x0000000005B20000-0x0000000005B21000-memory.dmpFilesize
4KB
-
memory/3408-8-0x0000000005B40000-0x0000000005B41000-memory.dmpFilesize
4KB
-
memory/3408-7-0x0000000007330000-0x0000000007331000-memory.dmpFilesize
4KB
-
memory/3408-2-0x0000000073E00000-0x00000000744EE000-memory.dmpFilesize
6.9MB
-
memory/3408-5-0x0000000005930000-0x0000000005931000-memory.dmpFilesize
4KB
-
memory/3408-3-0x0000000000BA0000-0x0000000000BA1000-memory.dmpFilesize
4KB