Analysis
max time kernel: 3s
max time network: 94s
platform: windows7_x64
resource: win7v20210410
submitted: 30-06-2021 18:52
Static task: static1
Behavioral task: behavioral1
  Sample: 467e17b8d44626b7456716680e3d043d.exe
  Resource: win7v20210410 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: 467e17b8d44626b7456716680e3d043d.exe
  Resource: win10v20210408 (windows10_x64)
  0 signatures, 0 seconds
General
Target: 467e17b8d44626b7456716680e3d043d.exe
Size: 349KB
MD5: 467e17b8d44626b7456716680e3d043d
SHA1: 6636511ae14abb0f2554199b4ed8977def1d9b8a
SHA256: cf2aec2969353dc99a7f715ac818212b42b8cff7a58c9109442f2c65ff62de42
SHA512: 5f3a0f47bfe3f1784849c9ddedc30e489b5d37cbb0a73c488ab58efc7a777d0d5e0c5a5abef63661166003b623224d6990b8baa160d6e398dc804b4c2fb941a7
Score: 10/10
Malware Config
Extracted
Family: netwire
C2: 66.154.103.106:13374
Attributes
  activex_autorun: false
  activex_key:
  copy_executable: false
  delete_original: false
  host_id: myphone
  install_path:
  keylogger_dir:
  lock_executable: false
  mutex:
  offline_keylogger: false
  password: Password
  registry_autorun: false
  startup_name:
  use_mutex: false
Signatures
NetWire RAT payload (3 IoCs)
Processes (resource, yara_rule):
  behavioral1/memory/1684-64-0x000000000040242D-mapping.dmp (yara_rule: netwire)
  behavioral1/memory/1684-63-0x0000000000400000-0x0000000000433000-memory.dmp (yara_rule: netwire)
  behavioral1/memory/1684-66-0x0000000000400000-0x0000000000433000-memory.dmp (yara_rule: netwire)
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes (description, ioc, process):
  Key created: \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (process: reg.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Adobe Reader = "C:\\Users\\Admin\\AppData\\Local\\Adobe Reader.exe" (process: reg.exe)
Suspicious use of SetThreadContext (1 IoC)
Processes (description, pid, process, target process):
  PID 1072 (467e17b8d44626b7456716680e3d043d.exe) set thread context of PID 1684 (calc.exe)
Suspicious use of WriteProcessMemory (20 IoCs)
Processes (description, pid, process, target process; identical rows collapsed with a count):
  PID 1072 (467e17b8d44626b7456716680e3d043d.exe) wrote to memory of PID 1768 (cmd.exe): 4 events
  PID 1768 (cmd.exe) wrote to memory of PID 1712 (reg.exe): 4 events
  PID 1072 (467e17b8d44626b7456716680e3d043d.exe) wrote to memory of PID 1684 (calc.exe): 12 events
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\467e17b8d44626b7456716680e3d043d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\467e17b8d44626b7456716680e3d043d.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  Depth 2: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\467e17b8d44626b7456716680e3d043d.exe" "C:\Users\%username%\AppData\Local\Adobe Reader.exe" & REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Adobe Reader" /t REG_SZ /F /D "C:\Users\%username%\AppData\Local\Adobe Reader.exe"
    - Suspicious use of WriteProcessMemory
    Depth 3: C:\Windows\SysWOW64\reg.exe
      Command line: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Adobe Reader" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Adobe Reader.exe"
      - Adds Run key to start application
  Depth 2: C:\Windows\SysWOW64\calc.exe
    Command line: "C:\Windows\System32\calc.exe"
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
  memory/1072-60-0x0000000075411000-0x0000000075413000-memory.dmp (Filesize: 8KB)
  memory/1684-64-0x000000000040242D-mapping.dmp
  memory/1684-63-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
  memory/1684-66-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
  memory/1712-62-0x0000000000000000-mapping.dmp
  memory/1768-61-0x0000000000000000-mapping.dmp