Analysis
  max time kernel:  140s
  max time network: 146s
  platform:         windows10_x64
  resource:         win10v20210410
  submitted:        22-07-2021 15:48
  Static task:      static1
General
  Target: 4309e6dc5f9633106714d1a16f9300641d45d5062f5456cfb836d4e6d24ace95.exe
  Size:   1.1MB
  MD5:    f2b4a895b2eea85ad655a6d67177d2a1
  SHA1:   8f558062e5f2dce4cc17bd12ed68602e3e0d7b87
  SHA256: 4309e6dc5f9633106714d1a16f9300641d45d5062f5456cfb836d4e6d24ace95
  SHA512: e8065c5e721d937b9a185c3fa74f6f4d70f124a4a54b25733783e41c851ed55b9bea4f71571b1a593665584265c723780bf1ca255dc390c695554cb427239be0
Malware Config
Signatures

NetWire RAT payload (4 IoCs)
Processes:
  resource                                                                    yara_rule
  behavioral1/memory/4052-114-0x0000000000400000-0x000000000041F000-memory.dmp  netwire
  behavioral1/memory/4052-115-0x00000000004021DA-mapping.dmp                    netwire
  behavioral1/memory/3176-118-0x0000000000A80000-0x0000000000BCA000-memory.dmp  netwire
  behavioral1/memory/4052-131-0x0000000000400000-0x000000000041F000-memory.dmp  netwire
Drops startup file (1 IoC)
Processes:
  description                   ioc                                                                                          process
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iqwkhtydexbloym.fr.url  4309e6dc5f9633106714d1a16f9300641d45d5062f5456cfb836d4e6d24ace95.exe
Drops file in System32 directory (2 IoCs)
Processes:
  description                   ioc                               process
  File created                  C:\Windows\SysWOW64\.Identifier   dllhost.exe
  File opened for modification  C:\Windows\SysWOW64\.Identifier   dllhost.exe
Suspicious use of SetThreadContext (1 IoC)
Processes:
  description                               pid   process                                                                process
  PID 3176 set thread context of 4052       3176  4309e6dc5f9633106714d1a16f9300641d45d5062f5456cfb836d4e6d24ace95.exe  dllhost.exe
autoit_exe (1 IoC)
AutoIT scripts compiled to PE executables.
Processes:
  resource                                                                    yara_rule
  behavioral1/memory/3176-118-0x0000000000A80000-0x0000000000BCA000-memory.dmp  autoit_exe
Suspicious behavior: EnumeratesProcesses (10 IoCs)
Processes:
  pid   process
  3176  4309e6dc5f9633106714d1a16f9300641d45d5062f5456cfb836d4e6d24ace95.exe  (same entry reported 10 times)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
  pid   process
  3176  4309e6dc5f9633106714d1a16f9300641d45d5062f5456cfb836d4e6d24ace95.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  description                          pid   process                                                                target process
  PID 3176 wrote to memory of 4052     3176  4309e6dc5f9633106714d1a16f9300641d45d5062f5456cfb836d4e6d24ace95.exe  dllhost.exe  (same entry reported 9 times)
Processes
  1. C:\Users\Admin\AppData\Local\Temp\4309e6dc5f9633106714d1a16f9300641d45d5062f5456cfb836d4e6d24ace95.exe
     command line: "C:\Users\Admin\AppData\Local\Temp\4309e6dc5f9633106714d1a16f9300641d45d5062f5456cfb836d4e6d24ace95.exe"
     - Drops startup file
     - Suspicious use of SetThreadContext
     - Suspicious behavior: EnumeratesProcesses
     - Suspicious behavior: GetForegroundWindowSpam
     - Suspicious use of WriteProcessMemory
     2. C:\Windows\SysWOW64\dllhost.exe (child of process 1)
        command line: "C:\Windows\System32\dllhost.exe"
        - Drops file in System32 directory
Network
MITRE ATT&CK Matrix
Downloads
  file                                                         Filesize
  memory/3176-118-0x0000000000A80000-0x0000000000BCA000-memory.dmp  1.3MB
  memory/3176-119-0x0000000000A80000-0x0000000000BCA000-memory.dmp  1.3MB
  memory/3176-120-0x0000000000A80000-0x0000000000BCA000-memory.dmp  1.3MB
  memory/3176-121-0x0000000000A80000-0x0000000000BCA000-memory.dmp  1.3MB
  memory/3176-122-0x0000000000A80000-0x0000000000BCA000-memory.dmp  1.3MB
  memory/3176-123-0x0000000000A80000-0x0000000000BCA000-memory.dmp  1.3MB
  memory/3176-124-0x0000000000A80000-0x0000000000BCA000-memory.dmp  1.3MB
  memory/3176-125-0x0000000000A80000-0x0000000000BCA000-memory.dmp  1.3MB
  memory/3176-126-0x0000000000A80000-0x0000000000BCA000-memory.dmp  1.3MB
  memory/3176-127-0x0000000000A80000-0x0000000000BCA000-memory.dmp  1.3MB
  memory/3176-128-0x0000000000A80000-0x0000000000BCA000-memory.dmp  1.3MB
  memory/3176-129-0x0000000000A80000-0x0000000000BCA000-memory.dmp  1.3MB
  memory/3176-130-0x0000000000A80000-0x0000000000BCA000-memory.dmp  1.3MB
  memory/4052-114-0x0000000000400000-0x000000000041F000-memory.dmp  124KB
  memory/4052-131-0x0000000000400000-0x000000000041F000-memory.dmp  124KB
  memory/4052-115-0x00000000004021DA-mapping.dmp                    (no size listed)