Analysis
- max time kernel: 150s
- max time network: 116s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 19-07-2021 15:14
Static task: static1
Behavioral task: behavioral1
- Sample: 355059ce41fbbee772dd141c99c2a8e4e9d9d9769d1892ab27422d1ca91c5065.bin.exe
- Resource: win7v20210410
Behavioral task: behavioral2
- Sample: 355059ce41fbbee772dd141c99c2a8e4e9d9d9769d1892ab27422d1ca91c5065.bin.exe
- Resource: win10v20210408
General
- Target: 355059ce41fbbee772dd141c99c2a8e4e9d9d9769d1892ab27422d1ca91c5065.bin.exe
- Size: 212KB
- MD5: aeae64fab4622ed23e1c61d26de74249
- SHA1: 5dabbf8093eed124e64a7e39c83e14976a74b8bb
- SHA256: 355059ce41fbbee772dd141c99c2a8e4e9d9d9769d1892ab27422d1ca91c5065
- SHA512: ca6602e3ee04b174581b90cde554a6bdf5f7560fd1ccbae26982df297e8daf18db63219029322ff2e2ea950d8a284311d7486086c9048d1b247f2dd62a953050
Malware Config
Extracted: netwire
- 127.0.0.1:3360
- chrisle79.ddns.net:4414
- jacknop79.ddns.net:4414
- smath79.ddns.net:4414
- whatis79.ddns.net:4414
- goodgt79.ddns.net:4414
- bonding79.ddns.net:4414
- activex_autorun: false
- activex_key:
- copy_executable: false
- delete_original: false
- host_id: June 2021
- install_path:
- keylogger_dir: %AppData%\Logs\
- lock_executable: false
- mutex:
- offline_keylogger: true
- password: Password2$
- registry_autorun: false
- startup_name:
- use_mutex: false
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Processes: 355059ce41fbbee772dd141c99c2a8e4e9d9d9769d1892ab27422d1ca91c5065.bin.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\2BYsn3pjWNDCuUWQ\\1pTFqHevt0NW.exe\",explorer.exe"
  process: 355059ce41fbbee772dd141c99c2a8e4e9d9d9769d1892ab27422d1ca91c5065.bin.exe
- NetWire RAT payload (3 IoCs)
  resource / yara_rule:
  behavioral2/memory/208-116-0x0000000000402453-mapping.dmp: netwire
  behavioral2/memory/208-115-0x0000000000400000-0x0000000000436000-memory.dmp: netwire
  behavioral2/memory/208-120-0x0000000000400000-0x0000000000436000-memory.dmp: netwire
- Uses the VBS compiler for execution (1 TTP)
- Suspicious use of SetThreadContext (1 IoC)
  Processes: 355059ce41fbbee772dd141c99c2a8e4e9d9d9769d1892ab27422d1ca91c5065.bin.exe
  description: PID 776 set thread context of 208; pid: 776; process: 355059ce41fbbee772dd141c99c2a8e4e9d9d9769d1892ab27422d1ca91c5065.bin.exe; target process: vbc.exe
- Program crash (1 IoC)
  Processes: WerFault.exe
  pid: 3568; pid_target: 208; process: WerFault.exe; target process: vbc.exe
- Suspicious behavior: EnumeratesProcesses (17 IoCs)
  Processes: 355059ce41fbbee772dd141c99c2a8e4e9d9d9769d1892ab27422d1ca91c5065.bin.exe, WerFault.exe
  pid 776; process 355059ce41fbbee772dd141c99c2a8e4e9d9d9769d1892ab27422d1ca91c5065.bin.exe (2 entries)
  pid 3568; process WerFault.exe (15 entries)
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes: 355059ce41fbbee772dd141c99c2a8e4e9d9d9769d1892ab27422d1ca91c5065.bin.exe, WerFault.exe
  Token: SeDebugPrivilege; pid 776; process 355059ce41fbbee772dd141c99c2a8e4e9d9d9769d1892ab27422d1ca91c5065.bin.exe (2 entries)
  Token: SeRestorePrivilege; pid 3568; process WerFault.exe
  Token: SeBackupPrivilege; pid 3568; process WerFault.exe
  Token: SeDebugPrivilege; pid 3568; process WerFault.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: 355059ce41fbbee772dd141c99c2a8e4e9d9d9769d1892ab27422d1ca91c5065.bin.exe
  description: PID 776 wrote to memory of 208; pid 776; process 355059ce41fbbee772dd141c99c2a8e4e9d9d9769d1892ab27422d1ca91c5065.bin.exe; target process vbc.exe (11 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\355059ce41fbbee772dd141c99c2a8e4e9d9d9769d1892ab27422d1ca91c5065.bin.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\355059ce41fbbee772dd141c99c2a8e4e9d9d9769d1892ab27422d1ca91c5065.bin.exe"
   - Modifies WinLogon for persistence
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 208 -s 484
         - Program crash
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/208-116-0x0000000000402453-mapping.dmp
- memory/208-115-0x0000000000400000-0x0000000000436000-memory.dmp (Filesize: 216KB)
- memory/208-117-0x0000000010000000-0x0000000010006000-memory.dmp (Filesize: 24KB)
- memory/208-120-0x0000000000400000-0x0000000000436000-memory.dmp (Filesize: 216KB)
- memory/776-114-0x00000000005A0000-0x00000000006EA000-memory.dmp (Filesize: 1.3MB)