Analysis
max time kernel: 14s
max time network: 123s
platform: windows10_x64
resource: win10v20210410
submitted: 06-05-2021 17:56

Static task: static1
Behavioral task: behavioral1
Sample: SecuriteInfo.com.Trojan.GenericKD.36853296.10653.5222.exe
Resource: win7v20210408 (windows7_x64), 0 signatures, 0 seconds
General
Target: SecuriteInfo.com.Trojan.GenericKD.36853296.10653.5222.exe
Size: 1.8MB
MD5: 7a5a9f55643adf965ea93bd197353248
SHA1: fd70e0ec9fca053c34dc08640477ff516d2d5725
SHA256: d072441e276c608471a851b369726d633a66ad702663cf2868d15edfe79c5e64
SHA512: ae0b36de0935c25aa22cd1273f550794b5e3341777e71d87ec6f74c061fcb66111875fc528a03263dcc6e8024b537dc158cedf849755c72d8c5cf9a9ed779c7d
Malware Config
Extracted
Family: netwire
C2: 23.105.131.210:1955
Attributes:
  activex_autorun: false
  activex_key:
  copy_executable: true
  delete_original: false
  host_id: tdce
  install_path: %AppData%\tdce\tdce.exe
  keylogger_dir: %AppData%\tdce\
  lock_executable: true
  mutex: uUTFuXPN
  offline_keylogger: true
  password: Password
  registry_autorun: true
  startup_name: tdce
  use_mutex: true
Signatures

NetWire RAT payload (2 IoCs)
  resource | yara_rule
  behavioral2/memory/4436-117-0x00000000020E0000-0x000000000210C000-memory.dmp | netwire
  behavioral2/memory/4436-118-0x0000000002110000-0x0000000002146000-memory.dmp | netwire

Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
  description | pid | process | target process
  PID 1476 created 4436 | 1476 | WerFault.exe | SecuriteInfo.com.Trojan.GenericKD.36853296.10653.5222.exe

Program crash (1 IoC)
  pid | pid_target | process | target process
  1476 | 4436 | WerFault.exe | SecuriteInfo.com.Trojan.GenericKD.36853296.10653.5222.exe

Suspicious behavior: EnumeratesProcesses (15 IoCs)
  pid | process
  1476 | WerFault.exe (15 occurrences)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | process
  Token: SeRestorePrivilege | 1476 | WerFault.exe
  Token: SeBackupPrivilege | 1476 | WerFault.exe
  Token: SeDebugPrivilege | 1476 | WerFault.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.36853296.10653.5222.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.36853296.10653.5222.exe"
   2. C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 528
      - Suspicious use of NtCreateProcessExOtherParentProcess
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken