Analysis
- max time kernel: 150s
- max time network: 113s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 19-07-2021 15:13
Static task: static1
Behavioral task: behavioral1
- Sample: e101b909b756b3c91655dc0ba5073887162757a17d643c6df230d5bdb228ff96.bin.exe
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: e101b909b756b3c91655dc0ba5073887162757a17d643c6df230d5bdb228ff96.bin.exe
- Resource: win10v20210410
General
- Target: e101b909b756b3c91655dc0ba5073887162757a17d643c6df230d5bdb228ff96.bin.exe
- Size: 247KB
- MD5: a3e07383b17726ab7223d618658fa337
- SHA1: 14e19e38d30878eb633c9c0170a7ca441976f5e4
- SHA256: e101b909b756b3c91655dc0ba5073887162757a17d643c6df230d5bdb228ff96
- SHA512: d4658d341eece6898c7aad9ca90389f969288210a490232b808bcc08527f50607fa3635345271e9e414c26831779d9c5c5fc25a4df22ee4ee2dd025d5191bb9e
Malware Config
Extracted: netwire
C2:
- 127.0.0.1:3360
- chrisle79.ddns.net:4414
- jacknop79.ddns.net:4414
- smath79.ddns.net:4414
- whatis79.ddns.net:4414
- goodgt79.ddns.net:4414
- bonding79.ddns.net:4414
Attributes:
- activex_autorun: false
- activex_key: (not set)
- copy_executable: false
- delete_original: false
- host_id: June 2021
- install_path: (not set)
- keylogger_dir: %AppData%\Logs\
- lock_executable: false
- mutex: (not set)
- offline_keylogger: true
- password: Password2$
- registry_autorun: false
- startup_name: (not set)
- use_mutex: false
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
  Processes: e101b909b756b3c91655dc0ba5073887162757a17d643c6df230d5bdb228ff96.bin.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\2BYsn3pjWNDCuUWQ\\X3lL7S06AKfA.exe\",explorer.exe" | e101b909b756b3c91655dc0ba5073887162757a17d643c6df230d5bdb228ff96.bin.exe
- NetWire RAT payload (3 IoCs)
  resource | yara_rule
  behavioral2/memory/184-115-0x0000000000400000-0x0000000000436000-memory.dmp | netwire
  behavioral2/memory/184-116-0x0000000000402453-mapping.dmp | netwire
  behavioral2/memory/184-120-0x0000000000400000-0x0000000000436000-memory.dmp | netwire
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: e101b909b756b3c91655dc0ba5073887162757a17d643c6df230d5bdb228ff96.bin.exe
  description | pid | process | target process
  PID 772 set thread context of 184 | 772 | e101b909b756b3c91655dc0ba5073887162757a17d643c6df230d5bdb228ff96.bin.exe | e101b909b756b3c91655dc0ba5073887162757a17d643c6df230d5bdb228ff96.bin.exe
- Program crash (1 IoCs)
  Processes: WerFault.exe
  pid | pid_target | process | target process
  1672 | 184 | WerFault.exe | e101b909b756b3c91655dc0ba5073887162757a17d643c6df230d5bdb228ff96.bin.exe
- Suspicious behavior: EnumeratesProcesses (17 IoCs)
  Processes: e101b909b756b3c91655dc0ba5073887162757a17d643c6df230d5bdb228ff96.bin.exe, WerFault.exe
  pid | process
  772 | e101b909b756b3c91655dc0ba5073887162757a17d643c6df230d5bdb228ff96.bin.exe (2 entries)
  1672 | WerFault.exe (15 entries)
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes: e101b909b756b3c91655dc0ba5073887162757a17d643c6df230d5bdb228ff96.bin.exe, WerFault.exe
  description | pid | process
  Token: SeDebugPrivilege | 772 | e101b909b756b3c91655dc0ba5073887162757a17d643c6df230d5bdb228ff96.bin.exe
  Token: SeDebugPrivilege | 772 | e101b909b756b3c91655dc0ba5073887162757a17d643c6df230d5bdb228ff96.bin.exe
  Token: SeRestorePrivilege | 1672 | WerFault.exe
  Token: SeBackupPrivilege | 1672 | WerFault.exe
  Token: SeDebugPrivilege | 1672 | WerFault.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: e101b909b756b3c91655dc0ba5073887162757a17d643c6df230d5bdb228ff96.bin.exe
  description | pid | process | target process
  PID 772 wrote to memory of 184 | 772 | e101b909b756b3c91655dc0ba5073887162757a17d643c6df230d5bdb228ff96.bin.exe | e101b909b756b3c91655dc0ba5073887162757a17d643c6df230d5bdb228ff96.bin.exe (11 identical entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\e101b909b756b3c91655dc0ba5073887162757a17d643c6df230d5bdb228ff96.bin.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\e101b909b756b3c91655dc0ba5073887162757a17d643c6df230d5bdb228ff96.bin.exe"
   - Modifies WinLogon for persistence
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\e101b909b756b3c91655dc0ba5073887162757a17d643c6df230d5bdb228ff96.bin.exe (child of 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\e101b909b756b3c91655dc0ba5073887162757a17d643c6df230d5bdb228ff96.bin.exe"
      3. C:\Windows\SysWOW64\WerFault.exe (child of 2)
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 184 -s 484
         - Program crash
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/184-115-0x0000000000400000-0x0000000000436000-memory.dmp (Filesize: 216KB)
- memory/184-116-0x0000000000402453-mapping.dmp
- memory/184-117-0x0000000010000000-0x0000000010006000-memory.dmp (Filesize: 24KB)
- memory/184-120-0x0000000000400000-0x0000000000436000-memory.dmp (Filesize: 216KB)
- memory/772-114-0x00000000023E0000-0x00000000023E1000-memory.dmp (Filesize: 4KB)