Analysis
max time kernel: 43s
max time network: 111s
platform: windows7_x64
resource: win7v20201028
submitted: 13-01-2021 19:55

Static task: static1
Behavioral task: behavioral1
  Sample: b61d866837ca60df01c1465e028db4c9.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: b61d866837ca60df01c1465e028db4c9.exe
  Resource: win10v20201028

General
Target: b61d866837ca60df01c1465e028db4c9.exe
Size: 3.3MB
MD5: b61d866837ca60df01c1465e028db4c9
SHA1: 53d4b6d751dcbf1cf6d8de3f8f50aedc2896d66a
SHA256: b6c6f8ac58b7838c87ccf2b36b2f7005c6dd86792575e1e8c7ccce30d7d6a878
SHA512: f02ece67642717bc55896d8802c6011e7023741583f05c09d626d326b5eba968ba3e7ccdde9c846d62389caf9ed9f6d63977fec2bd57195203f1b79cfff78070
Malware Config
Signatures
NetWire RAT payload (5 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/1784-3-0x000000000009242D-mapping.dmp                      netwire
  behavioral1/memory/1784-2-0x0000000000090000-0x00000000000C0000-memory.dmp    netwire
  behavioral1/memory/1784-4-0x0000000000090000-0x00000000000C0000-memory.dmp    netwire
  behavioral1/memory/2020-12-0x000000000009242D-mapping.dmp                     netwire
  behavioral1/memory/2020-14-0x0000000000090000-0x00000000000C0000-memory.dmp   netwire
  All five hits are in PIDs 1784 and 2020, the processes that are the targets of the SetThreadContext and WriteProcessMemory calls listed below; no hit was recorded for the parents that spawned them (2044, 1664).
Executes dropped EXE (2 IoCs)
  pid    process
  1664   fers.exe
  2020   fers.exe
Loads dropped DLL (2 IoCs)
  pid    process
  1784   b61d866837ca60df01c1465e028db4c9.exe
  1664   fers.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
  description       ioc                                                                                                                                 process
  Key created       \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\                          fers.exe
  Set value (str)   \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\fers = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\fers.exe"   fers.exe
  The value launches the copy dropped under %APPDATA%\Microsoft\Crypto (see Downloads; its hashes are identical to the submitted sample) at each logon of this user. It lives under the user's hive, so writing it required no elevation.
Suspicious use of SetThreadContext (2 IoCs)
  description                           pid    process                                 target process
  PID 2044 set thread context of 1784   2044   b61d866837ca60df01c1465e028db4c9.exe    b61d866837ca60df01c1465e028db4c9.exe
  PID 1664 set thread context of 2020   1664   fers.exe                                fers.exe
  In both rows the parent writes into, then sets the thread context of, a child running its own image (next table): the process-hollowing / RunPE pattern. Consistent with that, the NetWire YARA hits above land only in the children (1784, 2020).
Suspicious use of WriteProcessMemory (25 IoCs)
  description                          rows   pid    process                                 target process
  PID 2044 wrote to memory of 1784     9      2044   b61d866837ca60df01c1465e028db4c9.exe    b61d866837ca60df01c1465e028db4c9.exe
  PID 1784 wrote to memory of 1664     7      1784   b61d866837ca60df01c1465e028db4c9.exe    fers.exe
  PID 1664 wrote to memory of 2020     9      1664   fers.exe                                fers.exe
  (The report prints one row per call; identical rows are collapsed here with a count. 9 + 7 + 9 = 25.)
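The two injection tables above, correlated the way a detection engineer would do it. This is an added example, not the sandbox's code: its event lines are constructed from the report's rows (same PIDs, image names and row counts; the one-row-per-call layout is an assumption), and the function and verdict names are the example's own.

```python
"""Correlate per-process API events into process-injection findings.

Added example for this report, not the sandbox's own tooling. EVENT_LINES is
constructed from the SetThreadContext and WriteProcessMemory tables (same PIDs,
image names and row counts); the one-row-per-call layout is an assumption.
"""
import re
from collections import defaultdict

SAMPLE = "b61d866837ca60df01c1465e028db4c9.exe"

# Constructed rows: 1 + 9 + 7 + 1 + 9, i.e. 2 SetThreadContext and 25
# WriteProcessMemory IoCs, the counts the signature headers give.
EVENT_LINES = (
    [f"PID 2044 set thread context of 1784 2044 {SAMPLE} {SAMPLE}"]
    + [f"PID 2044 wrote to memory of 1784 2044 {SAMPLE} {SAMPLE}"] * 9
    + [f"PID 1784 wrote to memory of 1664 1784 {SAMPLE} fers.exe"] * 7
    + ["PID 1664 set thread context of 2020 1664 fers.exe fers.exe"]
    + ["PID 1664 wrote to memory of 2020 1664 fers.exe fers.exe"] * 9
)

# Columns as the report lays them out: description, pid, process, target process.
EVENT_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<op>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) (?P<src_again>\d+) (?P<src_img>\S+) (?P<dst_img>\S+)$"
)


def parse_events(lines):
    """Parse rows strictly: a garbled row raises instead of being silently dropped."""
    events = []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised event row: {line!r}")
        if m["src"] != m["src_again"]:
            raise ValueError(f"pid column disagrees with description: {line!r}")
        events.append(m.groupdict())
    return events


def correlate(events):
    """Group by (source pid, target pid) and label each pair.

    self-hollowing: writes plus SetThreadContext into a child running the same image
    injection:      writes plus SetThreadContext into a process running another image
    write-only:     writes with no context change (here 1784 -> 1664, the launch of
                    the dropped fers.exe)
    """
    pairs = defaultdict(lambda: {"writes": 0, "set_context": 0})
    for e in events:
        rec = pairs[(int(e["src"]), int(e["dst"]))]
        rec["src_img"], rec["dst_img"] = e["src_img"], e["dst_img"]
        rec["writes" if e["op"].startswith("wrote") else "set_context"] += 1

    findings = []
    for (src, dst), rec in sorted(pairs.items()):
        if rec["set_context"] and rec["writes"]:
            verdict = "self-hollowing" if rec["src_img"] == rec["dst_img"] else "injection"
        elif rec["writes"]:
            verdict = "write-only"
        else:
            verdict = "context-only"
        findings.append({"src": src, "dst": dst, "src_img": rec["src_img"],
                         "dst_img": rec["dst_img"], "writes": rec["writes"],
                         "verdict": verdict})
    return findings


def payload_pids(findings):
    """PIDs on the receiving end of a hollowing: the ones worth dumping and scanning."""
    return sorted(f["dst"] for f in findings if f["verdict"] == "self-hollowing")


if __name__ == "__main__":
    found = correlate(parse_events(EVENT_LINES))
    for f in found:
        print(f"{f['src']:>5} -> {f['dst']:<5} {f['verdict']:<15} "
              f"writes={f['writes']:<2} {f['src_img']} -> {f['dst_img']}")
    print("dump these PIDs:", payload_pids(found))
```

The pair keyed on (source, target) is what separates a hollowing from ordinary child creation: the 1784 -> 1664 writes never get a SetThreadContext, while both same-image pairs get both, and those two targets are exactly the PIDs the netwire YARA rule matched in memory.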
Processes
C:\Users\Admin\AppData\Local\Temp\b61d866837ca60df01c1465e028db4c9.exe  (PID 2044)
  command line: "C:\Users\Admin\AppData\Local\Temp\b61d866837ca60df01c1465e028db4c9.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  └─ C:\Users\Admin\AppData\Local\Temp\b61d866837ca60df01c1465e028db4c9.exe  (PID 1784)
       command line: C:\Users\Admin\AppData\Local\Temp\b61d866837ca60df01c1465e028db4c9.exe
       - Loads dropped DLL
       - Suspicious use of WriteProcessMemory
       └─ C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\fers.exe  (PID 1664)
            command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\fers.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory
            └─ C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\fers.exe  (PID 2020)
                 command line: C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\fers.exe
                 - Executes dropped EXE
                 - Adds Run key to start application
(PIDs are taken from the signature tables above; the tree itself only records nesting depth.)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\fers.exe
  (the report lists this file five times, three with the C:\ prefix and two as \Users\Admin\...; all five entries carry the same hashes)
  MD5     b61d866837ca60df01c1465e028db4c9
  SHA1    53d4b6d751dcbf1cf6d8de3f8f50aedc2896d66a
  SHA256  b6c6f8ac58b7838c87ccf2b36b2f7005c6dd86792575e1e8c7ccce30d7d6a878
  SHA512  f02ece67642717bc55896d8802c6011e7023741583f05c09d626d326b5eba968ba3e7ccdde9c846d62389caf9ed9f6d63977fec2bd57195203f1b79cfff78070
  These are the hashes of the submitted sample: fers.exe is a byte-identical copy of b61d866837ca60df01c1465e028db4c9.exe placed under %APPDATA%\Microsoft\Crypto, and it is the file the Run value "fers" points at.

C:\Users\Admin\AppData\Roaming\trftkoxoicklgdxkctuphueti84738.png
  MD5     8c6e2f2f47f6433efebd829c18f864d1
  SHA1    15ebffc420841a18c1d47b6b40cfd9e7c632cf47
  SHA256  94dcac78e40e701792770b08478c6b2c788ec0a21a953d82e6f968a1cef8698d
  SHA512  86e2226fdb5bee0369d8f38bfb2e27270b9edd2b2d7c2fba76bacf51e8a53eeee1f21183bb7b75138757f198fe8513c423ce7fcbd7a740f37ca9ee68601c14db
  The report records only the hashes of this file; the .png extension is not evidence that it is an image.
memory/1664-6-0x0000000000000000-mapping.dmp
memory/1784-3-0x000000000009242D-mapping.dmp
memory/1784-2-0x0000000000090000-0x00000000000C0000-memory.dmp   (192KB)
memory/1784-4-0x0000000000090000-0x00000000000C0000-memory.dmp   (192KB)
memory/2020-12-0x000000000009242D-mapping.dmp
memory/2020-14-0x0000000000090000-0x00000000000C0000-memory.dmp  (192KB)
The same 192KB region (0x90000-0xC0000) is dumped from both injected-into processes, 1784 and 2020, and the mapping address 0x9242D lies 0x242D bytes into it; these are the dumps the netwire YARA rule matched.
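The Downloads entries and the Run-key IoC above, parsed and tied together so that the persistence target is resolved to a hash rather than a path. This is an added example, not part of the report and not the sandbox's tooling; DROPS is constructed from the report's own entries, deliberately keeping the fused "SHA1<hex>" labels the page prints, and the function names are the example's own.

```python
"""Triage the dropped-file and Run-key IoCs from the report.

Added example; not part of the sandbox report and not the sandbox's own tooling.
DROPS is constructed from the Downloads section (fused "SHA1<hex>" labels kept as
printed), RUN_IOC is the Run value from the signature table.
"""
import re

# Submitted sample (General section).
SAMPLE_SHA256 = "b6c6f8ac58b7838c87ccf2b36b2f7005c6dd86792575e1e8c7ccce30d7d6a878"

# Constructed input: three of the report's entries in their verbatim layout.
DROPS = r"""
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\fers.exeMD5
b61d866837ca60df01c1465e028db4c9
SHA153d4b6d751dcbf1cf6d8de3f8f50aedc2896d66a
SHA256b6c6f8ac58b7838c87ccf2b36b2f7005c6dd86792575e1e8c7ccce30d7d6a878
-
\Users\Admin\AppData\Roaming\Microsoft\Crypto\fers.exeMD5
b61d866837ca60df01c1465e028db4c9
SHA153d4b6d751dcbf1cf6d8de3f8f50aedc2896d66a
SHA256b6c6f8ac58b7838c87ccf2b36b2f7005c6dd86792575e1e8c7ccce30d7d6a878
-
C:\Users\Admin\AppData\Roaming\trftkoxoicklgdxkctuphueti84738.pngMD5
8c6e2f2f47f6433efebd829c18f864d1
SHA1 15ebffc420841a18c1d47b6b40cfd9e7c632cf47
SHA25694dcac78e40e701792770b08478c6b2c788ec0a21a953d82e6f968a1cef8698d
"""

# The Run-key IoC as the report prints it (backslashes doubled inside the value).
RUN_IOC = (r'\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000'
           r'\Software\Microsoft\Windows\CurrentVersion\Run\fers = '
           r'"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\fers.exe"')

HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
# Longest label first: "SHA1" would otherwise swallow the front of "SHA256...".
HASH_LINE = re.compile(r"^(SHA512|SHA256|SHA1)\s*([0-9a-fA-F]+)$")
RUN_LINE = re.compile(r'\\Run\\(?P<name>[^\\ ]+) = "(?P<target>[^"]+)"')


def _norm(path):
    """Drop the drive letter and case so the 'C:' and drive-less spellings compare equal."""
    return re.sub(r"^[A-Za-z]:", "", path).lower()


def parse_drops(text):
    """Turn the flattened listing into dicts; a hash of the wrong length is an error, not a guess."""
    entries, cur = [], None
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    for i, line in enumerate(lines):
        if line.endswith("MD5"):
            if i + 1 >= len(lines):
                raise ValueError(f"no MD5 value after {line!r}")
            cur = {"path": line[:-3], "md5": lines[i + 1].lower()}
            if len(cur["md5"]) != HASH_LEN["md5"]:
                raise ValueError(f"bad MD5 for {cur['path']}: {cur['md5']}")
            entries.append(cur)
            continue
        m = HASH_LINE.match(line)
        if m and cur is not None:
            algo, hexval = m.group(1).lower(), m.group(2).lower()
            if len(hexval) != HASH_LEN[algo]:
                raise ValueError(f"{algo} for {cur['path']} has {len(hexval)} hex digits")
            cur[algo] = hexval
    return entries


def parse_run_value(ioc):
    """Extract value name and launch target; the sandbox doubles backslashes in the value."""
    m = RUN_LINE.search(ioc)
    if not m:
        raise ValueError("not a Run value IoC")
    return {"name": m["name"], "target": m["target"].replace("\\\\", "\\")}


def triage(drops, run_values, sample_sha256):
    """Dedupe drops by SHA256, flag self-copies, and resolve each Run value to a hash."""
    by_hash = {}
    for d in drops:
        by_hash.setdefault(d["sha256"], set()).add(_norm(d["path"]))
    persisted = []
    for v in run_values:
        tgt = _norm(v["target"])
        sha = next((h for h, paths in by_hash.items() if tgt in paths), None)
        persisted.append({"value": v["name"], "target": v["target"], "sha256": sha,
                          "self_copy": sha == sample_sha256})
    return {
        "unique_sha256": len(by_hash),
        "self_copies": sorted(by_hash.get(sample_sha256, ())),
        "other_drops": sorted(p for h, paths in by_hash.items()
                              if h != sample_sha256 for p in paths),
        "persisted": persisted,
    }


if __name__ == "__main__":
    report = triage(parse_drops(DROPS), [parse_run_value(RUN_IOC)], SAMPLE_SHA256)
    for k, v in report.items():
        print(f"{k}: {v}")
```

Resolving the Run value to a SHA256 rather than a path is the point: the five fers.exe entries collapse to one hash, that hash is the submitted sample's, and so the persistence entry is known to relaunch the original dropper rather than some second-stage file. The length check on each hash is what makes the fused-label parsing safe; without it an "SHA1" label followed by a 64-digit value would be accepted silently.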