Analysis
-
max time kernel
150s -
max time network
123s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
19-07-2021 15:14
Static task
static1
Behavioral task
behavioral1
Sample
355059ce41fbbee772dd141c99c2a8e4e9d9d9769d1892ab27422d1ca91c5065.bin.exe
Resource
win7v20210410
Behavioral task
behavioral2
Sample
355059ce41fbbee772dd141c99c2a8e4e9d9d9769d1892ab27422d1ca91c5065.bin.exe
Resource
win10v20210408
General
-
Target
355059ce41fbbee772dd141c99c2a8e4e9d9d9769d1892ab27422d1ca91c5065.bin.exe
-
Size
212KB
-
MD5
aeae64fab4622ed23e1c61d26de74249
-
SHA1
5dabbf8093eed124e64a7e39c83e14976a74b8bb
-
SHA256
355059ce41fbbee772dd141c99c2a8e4e9d9d9769d1892ab27422d1ca91c5065
-
SHA512
ca6602e3ee04b174581b90cde554a6bdf5f7560fd1ccbae26982df297e8daf18db63219029322ff2e2ea950d8a284311d7486086c9048d1b247f2dd62a953050
Malware Config
Extracted
netwire
127.0.0.1:3360
chrisle79.ddns.net:4414
jacknop79.ddns.net:4414
smath79.ddns.net:4414
whatis79.ddns.net:4414
goodgt79.ddns.net:4414
bonding79.ddns.net:4414
-
activex_autorun
false
- activex_key
-
copy_executable
false
-
delete_original
false
-
host_id
June 2021
- install_path
-
keylogger_dir
%AppData%\Logs\
-
lock_executable
false
- mutex
-
offline_keylogger
true
-
password
Password2$
-
registry_autorun
false
- startup_name
-
use_mutex
false
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
355059ce41fbbee772dd141c99c2a8e4e9d9d9769d1892ab27422d1ca91c5065.bin.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\2BYsn3pjWNDCuUWQ\\HZO0JD5kzRL2.exe\",explorer.exe" 355059ce41fbbee772dd141c99c2a8e4e9d9d9769d1892ab27422d1ca91c5065.bin.exe -
NetWire RAT payload 3 IoCs
Processes:
resource yara_rule behavioral1/memory/1520-62-0x0000000000400000-0x0000000000436000-memory.dmp netwire behavioral1/memory/1520-63-0x0000000000402453-mapping.dmp netwire behavioral1/memory/1520-65-0x0000000000400000-0x0000000000436000-memory.dmp netwire -
Uses the VBS compiler for execution 1 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
355059ce41fbbee772dd141c99c2a8e4e9d9d9769d1892ab27422d1ca91c5065.bin.exedescription pid process target process PID 484 set thread context of 1520 484 355059ce41fbbee772dd141c99c2a8e4e9d9d9769d1892ab27422d1ca91c5065.bin.exe vbc.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
355059ce41fbbee772dd141c99c2a8e4e9d9d9769d1892ab27422d1ca91c5065.bin.exepid process 484 355059ce41fbbee772dd141c99c2a8e4e9d9d9769d1892ab27422d1ca91c5065.bin.exe 484 355059ce41fbbee772dd141c99c2a8e4e9d9d9769d1892ab27422d1ca91c5065.bin.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
355059ce41fbbee772dd141c99c2a8e4e9d9d9769d1892ab27422d1ca91c5065.bin.exedescription pid process Token: SeDebugPrivilege 484 355059ce41fbbee772dd141c99c2a8e4e9d9d9769d1892ab27422d1ca91c5065.bin.exe Token: SeDebugPrivilege 484 355059ce41fbbee772dd141c99c2a8e4e9d9d9769d1892ab27422d1ca91c5065.bin.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
355059ce41fbbee772dd141c99c2a8e4e9d9d9769d1892ab27422d1ca91c5065.bin.exedescription pid process target process PID 484 wrote to memory of 1520 484 355059ce41fbbee772dd141c99c2a8e4e9d9d9769d1892ab27422d1ca91c5065.bin.exe vbc.exe PID 484 wrote to memory of 1520 484 355059ce41fbbee772dd141c99c2a8e4e9d9d9769d1892ab27422d1ca91c5065.bin.exe vbc.exe PID 484 wrote to memory of 1520 484 355059ce41fbbee772dd141c99c2a8e4e9d9d9769d1892ab27422d1ca91c5065.bin.exe vbc.exe PID 484 wrote to memory of 1520 484 355059ce41fbbee772dd141c99c2a8e4e9d9d9769d1892ab27422d1ca91c5065.bin.exe vbc.exe PID 484 wrote to memory of 1520 484 355059ce41fbbee772dd141c99c2a8e4e9d9d9769d1892ab27422d1ca91c5065.bin.exe vbc.exe PID 484 wrote to memory of 1520 484 355059ce41fbbee772dd141c99c2a8e4e9d9d9769d1892ab27422d1ca91c5065.bin.exe vbc.exe PID 484 wrote to memory of 1520 484 355059ce41fbbee772dd141c99c2a8e4e9d9d9769d1892ab27422d1ca91c5065.bin.exe vbc.exe PID 484 wrote to memory of 1520 484 355059ce41fbbee772dd141c99c2a8e4e9d9d9769d1892ab27422d1ca91c5065.bin.exe vbc.exe PID 484 wrote to memory of 1520 484 355059ce41fbbee772dd141c99c2a8e4e9d9d9769d1892ab27422d1ca91c5065.bin.exe vbc.exe PID 484 wrote to memory of 1520 484 355059ce41fbbee772dd141c99c2a8e4e9d9d9769d1892ab27422d1ca91c5065.bin.exe vbc.exe PID 484 wrote to memory of 1520 484 355059ce41fbbee772dd141c99c2a8e4e9d9d9769d1892ab27422d1ca91c5065.bin.exe vbc.exe PID 484 wrote to memory of 1520 484 355059ce41fbbee772dd141c99c2a8e4e9d9d9769d1892ab27422d1ca91c5065.bin.exe vbc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\355059ce41fbbee772dd141c99c2a8e4e9d9d9769d1892ab27422d1ca91c5065.bin.exe"C:\Users\Admin\AppData\Local\Temp\355059ce41fbbee772dd141c99c2a8e4e9d9d9769d1892ab27422d1ca91c5065.bin.exe"1⤵
- Modifies WinLogon for persistence
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"2⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/484-60-0x0000000075FE1000-0x0000000075FE3000-memory.dmpFilesize
8KB
-
memory/484-61-0x00000000001E0000-0x00000000001E1000-memory.dmpFilesize
4KB
-
memory/1520-62-0x0000000000400000-0x0000000000436000-memory.dmpFilesize
216KB
-
memory/1520-63-0x0000000000402453-mapping.dmp
-
memory/1520-65-0x0000000000400000-0x0000000000436000-memory.dmpFilesize
216KB