Analysis
-
max time kernel
108s -
max time network
108s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
11-03-2021 07:24
General
-
Target
12.msi
-
Size
240KB
-
MD5
e454beb5e1cec91e4498e8c0b0a5f08d
-
SHA1
37e4e481f50a7b72ef974a5c690a9cdbbadcde9a
-
SHA256
c06642bc94a8d7604ef34b33bbf2994ae789c18e3d0bd7019720294c58fe021e
-
SHA512
70329c0c264af855875c6c1511c2de8dbcbaea0a6d60139cb803158983fa58733d15ce45c5637cea3da690f4e49851731218cf5c1cc19dc49198da9d06017539
Malware Config
Signatures
-
NetWire RAT payload 2 IoCs
-
Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
-
Executes dropped EXE 1 IoCs
-
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 9 IoCs
-
Modifies data under HKEY_USERS 44 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 57 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\12.msi1⤵
- Enumerates connected drives
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Installer\MSIE581.tmp"C:\Windows\Installer\MSIE581.tmp"2⤵
- Executes dropped EXE
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot12" "" "" "6d110b0a3" "0000000000000000" "00000000000003AC" "00000000000004D8"1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\Installer\MSIE581.tmpMD5
2ac73e1ff512b1d7954e2b6bf36552b5
SHA1daa74846340dc814a884566ecb64f6d06b12781e
SHA256c65f180478891893801bf1e4a3e2b8f534079161587a07319d53d051dc40dcb8
SHA512049bd48374659c74c071548b2abe48569195540d53160a62edc2cc571289adce97d17b9e714078408f9882f8a9ce12a46f3d4f21db1cc90f0f51c66fa2a558e4
-
memory/1500-7-0x0000000000000000-mapping.dmp
-
memory/1500-9-0x0000000002E80000-0x0000000002E91000-memory.dmpFilesize
68KB
-
memory/1500-10-0x0000000000220000-0x000000000024A000-memory.dmpFilesize
168KB
-
memory/1500-11-0x00000000765A1000-0x00000000765A3000-memory.dmpFilesize
8KB
-
memory/1500-12-0x0000000000400000-0x0000000000433000-memory.dmpFilesize
204KB
-
memory/1656-2-0x000007FEFC251000-0x000007FEFC253000-memory.dmpFilesize
8KB
-
memory/1656-3-0x0000000003280000-0x0000000003284000-memory.dmpFilesize
16KB
-
memory/1656-4-0x0000000004110000-0x0000000004114000-memory.dmpFilesize
16KB