Analysis
- max time kernel: 1713s
- max time network: 1754s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 23-06-2021 21:51
Behavioral task behavioral1
- Sample: Host.bin.exe
- Resource: win7v20210410
Behavioral task behavioral2
- Sample: Host.bin.exe
- Resource: win10v20210410
General
- Target: Host.bin.exe
- Size: 160KB
- MD5: cf67f5a6456cb27efb88ec441c1b121b
- SHA1: 8bf4c0a06df97dba8ced5fdb504982c365044597
- SHA256: f54b2f764ed7112c3a11adf056a54b8646f23093fbc52ce0e07a184f5dd69fcc
- SHA512: 117f55a6a3d5be6c186d71ff03064cde75d31f0859957b821d6de98b4208c24fc13aadfe60e2fe5f721360d7aff5451d016c38ef04592124af40baeb2333d8f7
Malware Config
Extracted: netwire
- 82.156.233.85:80
- activex_autorun: false
- activex_key: (not set)
- copy_executable: true
- delete_original: true
- host_id: HostId-%Rand%
- install_path: %AppData%\Install\Host.exe
- keylogger_dir: (not set)
- lock_executable: true
- mutex: (not set)
- offline_keylogger: false
- password: bupt
- registry_autorun: true
- startup_name: NetWire
- use_mutex: false
Signatures
- NetWire RAT payload (3 IoCs)
  Processes:
  resource                                          yara_rule
  \Users\Admin\AppData\Roaming\Install\Host.exe     netwire
  \Users\Admin\AppData\Roaming\Install\Host.exe     netwire
  C:\Users\Admin\AppData\Roaming\Install\Host.exe   netwire
- Executes dropped EXE (1 IoCs)
  Processes: Host.exe
  pid    process
  1100   Host.exe
- Loads dropped DLL (2 IoCs)
  Processes: Host.bin.exe
  pid    process
  1652   Host.bin.exe
  1652   Host.bin.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: Host.exe
  description       ioc                                                                                                        process
  Key created       \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\    Host.exe
  Set value (str)   \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\NetWire = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe"    Host.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: Host.bin.exe
  description                         pid    process        target process
  PID 1652 wrote to memory of 1100    1652   Host.bin.exe   Host.exe
  PID 1652 wrote to memory of 1100    1652   Host.bin.exe   Host.exe
  PID 1652 wrote to memory of 1100    1652   Host.bin.exe   Host.exe
  PID 1652 wrote to memory of 1100    1652   Host.bin.exe   Host.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Host.bin.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Host.bin.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Install\Host.exe (child process)
    Command line: "C:\Users\Admin\AppData\Roaming\Install\Host.exe" -m "C:\Users\Admin\AppData\Local\Temp\Host.bin.exe"
    - Executes dropped EXE
    - Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Install\Host.exe
  MD5: cf67f5a6456cb27efb88ec441c1b121b
  SHA1: 8bf4c0a06df97dba8ced5fdb504982c365044597
  SHA256: f54b2f764ed7112c3a11adf056a54b8646f23093fbc52ce0e07a184f5dd69fcc
  SHA512: 117f55a6a3d5be6c186d71ff03064cde75d31f0859957b821d6de98b4208c24fc13aadfe60e2fe5f721360d7aff5451d016c38ef04592124af40baeb2333d8f7
- \Users\Admin\AppData\Roaming\Install\Host.exe
  MD5: cf67f5a6456cb27efb88ec441c1b121b
  SHA1: 8bf4c0a06df97dba8ced5fdb504982c365044597
  SHA256: f54b2f764ed7112c3a11adf056a54b8646f23093fbc52ce0e07a184f5dd69fcc
  SHA512: 117f55a6a3d5be6c186d71ff03064cde75d31f0859957b821d6de98b4208c24fc13aadfe60e2fe5f721360d7aff5451d016c38ef04592124af40baeb2333d8f7
- memory/1100-62-0x0000000000000000-mapping.dmp
- memory/1652-59-0x0000000075411000-0x0000000075413000-memory.dmp
  Filesize: 8KB