Analysis

- max time kernel: 28s
- max time network: 113s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 13-01-2021 19:55
Static task: static1

Behavioral task: behavioral1
- Sample: b61d866837ca60df01c1465e028db4c9.exe
- Resource: win7v20201028

Behavioral task: behavioral2
- Sample: b61d866837ca60df01c1465e028db4c9.exe
- Resource: win10v20201028
General

- Target: b61d866837ca60df01c1465e028db4c9.exe
- Size: 3.3MB
- MD5: b61d866837ca60df01c1465e028db4c9
- SHA1: 53d4b6d751dcbf1cf6d8de3f8f50aedc2896d66a
- SHA256: b6c6f8ac58b7838c87ccf2b36b2f7005c6dd86792575e1e8c7ccce30d7d6a878
- SHA512: f02ece67642717bc55896d8802c6011e7023741583f05c09d626d326b5eba968ba3e7ccdde9c846d62389caf9ed9f6d63977fec2bd57195203f1b79cfff78070
Malware Config
Signatures
- NetWire RAT payload (6 IoCs)
  Resource / YARA rule:
  - behavioral2/memory/3812-2-0x0000000000A10000-0x0000000000A40000-memory.dmp  netwire
  - behavioral2/memory/3812-3-0x0000000000A1242D-mapping.dmp  netwire
  - behavioral2/memory/3812-4-0x0000000000A10000-0x0000000000A40000-memory.dmp  netwire
  - behavioral2/memory/4056-10-0x0000000000E7242D-mapping.dmp  netwire
  - behavioral2/memory/4056-9-0x0000000000E70000-0x0000000000EA0000-memory.dmp  netwire
  - behavioral2/memory/4056-12-0x0000000000E70000-0x0000000000EA0000-memory.dmp  netwire
- Executes dropped EXE (2 IoCs)
  PID / process:
  - 2316  fers.exe
  - 4056  fers.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Description / IoC / process:
  - Key created: \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\  (fers.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\fers = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\fers.exe"  (fers.exe)
- Suspicious use of SetThreadContext (2 IoCs)
  Description / PID / process / target process:
  - PID 576 set thread context of 3812: 576 b61d866837ca60df01c1465e028db4c9.exe -> b61d866837ca60df01c1465e028db4c9.exe
  - PID 2316 set thread context of 4056: 2316 fers.exe -> fers.exe
- Suspicious use of WriteProcessMemory (13 IoCs)
  Description / PID / process / target process:
  - PID 576 wrote to memory of 3812: 576 b61d866837ca60df01c1465e028db4c9.exe -> b61d866837ca60df01c1465e028db4c9.exe
  - PID 576 wrote to memory of 3812: 576 b61d866837ca60df01c1465e028db4c9.exe -> b61d866837ca60df01c1465e028db4c9.exe
  - PID 576 wrote to memory of 3812: 576 b61d866837ca60df01c1465e028db4c9.exe -> b61d866837ca60df01c1465e028db4c9.exe
  - PID 576 wrote to memory of 3812: 576 b61d866837ca60df01c1465e028db4c9.exe -> b61d866837ca60df01c1465e028db4c9.exe
  - PID 576 wrote to memory of 3812: 576 b61d866837ca60df01c1465e028db4c9.exe -> b61d866837ca60df01c1465e028db4c9.exe
  - PID 3812 wrote to memory of 2316: 3812 b61d866837ca60df01c1465e028db4c9.exe -> fers.exe
  - PID 3812 wrote to memory of 2316: 3812 b61d866837ca60df01c1465e028db4c9.exe -> fers.exe
  - PID 3812 wrote to memory of 2316: 3812 b61d866837ca60df01c1465e028db4c9.exe -> fers.exe
  - PID 2316 wrote to memory of 4056: 2316 fers.exe -> fers.exe
  - PID 2316 wrote to memory of 4056: 2316 fers.exe -> fers.exe
  - PID 2316 wrote to memory of 4056: 2316 fers.exe -> fers.exe
  - PID 2316 wrote to memory of 4056: 2316 fers.exe -> fers.exe
  - PID 2316 wrote to memory of 4056: 2316 fers.exe -> fers.exe
Processes (process tree; each nested entry is a child of the one above it)

- C:\Users\Admin\AppData\Local\Temp\b61d866837ca60df01c1465e028db4c9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b61d866837ca60df01c1465e028db4c9.exe"
  Signatures: Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\b61d866837ca60df01c1465e028db4c9.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\b61d866837ca60df01c1465e028db4c9.exe
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\fers.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\fers.exe"
      Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\fers.exe
        Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\fers.exe
        Signatures: Executes dropped EXE; Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\fers.exe
  MD5: b61d866837ca60df01c1465e028db4c9
  SHA1: 53d4b6d751dcbf1cf6d8de3f8f50aedc2896d66a
  SHA256: b6c6f8ac58b7838c87ccf2b36b2f7005c6dd86792575e1e8c7ccce30d7d6a878
  SHA512: f02ece67642717bc55896d8802c6011e7023741583f05c09d626d326b5eba968ba3e7ccdde9c846d62389caf9ed9f6d63977fec2bd57195203f1b79cfff78070
- C:\Users\Admin\AppData\Roaming\trftkoxoicklgdxkctuphueti84738.png
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- memory/2316-5-0x0000000000000000-mapping.dmp
- memory/3812-2-0x0000000000A10000-0x0000000000A40000-memory.dmp (Filesize: 192KB)
- memory/3812-3-0x0000000000A1242D-mapping.dmp
- memory/3812-4-0x0000000000A10000-0x0000000000A40000-memory.dmp (Filesize: 192KB)
- memory/4056-10-0x0000000000E7242D-mapping.dmp
- memory/4056-9-0x0000000000E70000-0x0000000000EA0000-memory.dmp (Filesize: 192KB)
- memory/4056-12-0x0000000000E70000-0x0000000000EA0000-memory.dmp (Filesize: 192KB)