Analysis
- max time kernel: 150s
- max time network: 127s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 19-07-2021 15:13
Static task: static1
Behavioral task: behavioral1
- Sample: b58c2b3f5f6fdae85220cd053a163ba7b6e2de2f85f3b6fde2ad52528f598082.bin.exe
- Resource: win7v20210410
Behavioral task: behavioral2
- Sample: b58c2b3f5f6fdae85220cd053a163ba7b6e2de2f85f3b6fde2ad52528f598082.bin.exe
- Resource: win10v20210410
General
- Target: b58c2b3f5f6fdae85220cd053a163ba7b6e2de2f85f3b6fde2ad52528f598082.bin.exe
- Size: 256KB
- MD5: 3982c9643ff47aa981a446f679e332f8
- SHA1: c9baff1bac6e99aa18a56532ed851c896cb5d5c9
- SHA256: b58c2b3f5f6fdae85220cd053a163ba7b6e2de2f85f3b6fde2ad52528f598082
- SHA512: c226600764a1f3e1fb57e96e1df966cb232f29b23aefabb7f189b6952f7e5a6c8b6a5442b29b4ff72d2b87c06a53c2ca7766e5f609d7450ac85e8211a7a6cf7f
Malware Config
Extracted
Family: netwire
C2:
- chrisle79.ddns.net:4414
- jacknop79.ddns.net:4414
- smath79.ddns.net:4414
- whatis79.ddns.net:4414
- goodgt79.ddns.net:4414
- bonding79.ddns.net:4414
Attributes:
- activex_autorun: false
- activex_key:
- copy_executable: false
- delete_original: false
- host_id: June 2021
- install_path:
- keylogger_dir: %AppData%\Logs\
- lock_executable: false
- mutex:
- offline_keylogger: true
- password: Password2$
- registry_autorun: false
- startup_name:
- use_mutex: false
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Processes: b58c2b3f5f6fdae85220cd053a163ba7b6e2de2f85f3b6fde2ad52528f598082.bin.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\kAt04XL5n9TRa34v\\ED3F82GwGGS7.exe\",explorer.exe" | b58c2b3f5f6fdae85220cd053a163ba7b6e2de2f85f3b6fde2ad52528f598082.bin.exe
- NetWire RAT payload (3 IoCs)
  resource | yara_rule
  behavioral2/memory/1040-115-0x0000000000400000-0x0000000000436000-memory.dmp | netwire
  behavioral2/memory/1040-116-0x0000000000402453-mapping.dmp | netwire
  behavioral2/memory/1040-120-0x0000000000400000-0x0000000000436000-memory.dmp | netwire
- Suspicious use of SetThreadContext (1 IoC)
  Processes: b58c2b3f5f6fdae85220cd053a163ba7b6e2de2f85f3b6fde2ad52528f598082.bin.exe
  description | pid | process | target process
  PID 3872 set thread context of 1040 | 3872 | b58c2b3f5f6fdae85220cd053a163ba7b6e2de2f85f3b6fde2ad52528f598082.bin.exe | b58c2b3f5f6fdae85220cd053a163ba7b6e2de2f85f3b6fde2ad52528f598082.bin.exe
- Program crash (1 IoC)
  Processes: WerFault.exe
  pid | pid_target | process | target process
  3704 | 1040 | WerFault.exe | b58c2b3f5f6fdae85220cd053a163ba7b6e2de2f85f3b6fde2ad52528f598082.bin.exe
- Suspicious behavior: EnumeratesProcesses (17 IoCs)
  Processes: b58c2b3f5f6fdae85220cd053a163ba7b6e2de2f85f3b6fde2ad52528f598082.bin.exe, WerFault.exe
  pid | process
  3872 | b58c2b3f5f6fdae85220cd053a163ba7b6e2de2f85f3b6fde2ad52528f598082.bin.exe (2 entries)
  3704 | WerFault.exe (15 entries)
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes: b58c2b3f5f6fdae85220cd053a163ba7b6e2de2f85f3b6fde2ad52528f598082.bin.exe, WerFault.exe
  description | pid | process
  Token: SeDebugPrivilege | 3872 | b58c2b3f5f6fdae85220cd053a163ba7b6e2de2f85f3b6fde2ad52528f598082.bin.exe
  Token: SeDebugPrivilege | 3872 | b58c2b3f5f6fdae85220cd053a163ba7b6e2de2f85f3b6fde2ad52528f598082.bin.exe
  Token: SeRestorePrivilege | 3704 | WerFault.exe
  Token: SeBackupPrivilege | 3704 | WerFault.exe
  Token: SeDebugPrivilege | 3704 | WerFault.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: b58c2b3f5f6fdae85220cd053a163ba7b6e2de2f85f3b6fde2ad52528f598082.bin.exe
  description | pid | process | target process
  PID 3872 wrote to memory of 1040 | 3872 | b58c2b3f5f6fdae85220cd053a163ba7b6e2de2f85f3b6fde2ad52528f598082.bin.exe | b58c2b3f5f6fdae85220cd053a163ba7b6e2de2f85f3b6fde2ad52528f598082.bin.exe (11 identical entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\b58c2b3f5f6fdae85220cd053a163ba7b6e2de2f85f3b6fde2ad52528f598082.bin.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\b58c2b3f5f6fdae85220cd053a163ba7b6e2de2f85f3b6fde2ad52528f598082.bin.exe"
   - Modifies WinLogon for persistence
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\b58c2b3f5f6fdae85220cd053a163ba7b6e2de2f85f3b6fde2ad52528f598082.bin.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\b58c2b3f5f6fdae85220cd053a163ba7b6e2de2f85f3b6fde2ad52528f598082.bin.exe"
      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1040 -s 484
         - Program crash
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/1040-115-0x0000000000400000-0x0000000000436000-memory.dmp (Filesize: 216KB)
- memory/1040-116-0x0000000000402453-mapping.dmp
- memory/1040-117-0x0000000010000000-0x0000000010006000-memory.dmp (Filesize: 24KB)
- memory/1040-120-0x0000000000400000-0x0000000000436000-memory.dmp (Filesize: 216KB)
- memory/3872-114-0x0000000003160000-0x0000000003161000-memory.dmp (Filesize: 4KB)