Analysis
- max time kernel: 120s
- max time network: 121s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 23-07-2021 03:22
Behavioral task behavioral1: Sample dependencies.exe, Resource win7v20210410
Behavioral task behavioral2: Sample dependencies.exe, Resource win10v20210408
General
- Target: dependencies.exe
- Size: 172KB
- MD5: 3a1db70b49e9be3303890cb7855f2296
- SHA1: fed77876af92c2eb080251ba7a3532a154be1e94
- SHA256: 3ffbccaf9efde195e47803fbeefbeea8daa46b8befe87b7781434c50b79d613b
- SHA512: 052e7cfc998eb8a6133cedb094ce7181461875031f7c7fafc1cf468d36d9d72d02705becd79c3e1e595ce02c4ba85d7baf45b0bc3125113a5a07d5b62dc3483e
Malware Config
Extracted family: netwire
C2: needforrat.hopto.org:3360, needforrat.hopto.org:7777
- activex_autorun: false
- activex_key:
- copy_executable: true
- delete_original: false
- host_id: HostId-%Rand%
- install_path: %AppData%\Install\Host.exe
- keylogger_dir: %AppData%\Logs\
- lock_executable: false
- mutex:
- offline_keylogger: true
- password: Password
- registry_autorun: true
- startup_name: NetWire
- use_mutex: false
Signatures
- NetWire RAT payload (3 IoCs)
  Processes (resource / yara_rule):
  \Users\Admin\AppData\Roaming\Install\Host.exe / netwire
  \Users\Admin\AppData\Roaming\Install\Host.exe / netwire
  C:\Users\Admin\AppData\Roaming\Install\Host.exe / netwire
- Executes dropped EXE (1 IoC)
  Processes (pid / process):
  1284 / Host.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid / process):
  1056 / dependencies.exe
  1056 / dependencies.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description / ioc / process):
  Key created / \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ / Host.exe
  Set value (str) / \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\NetWire = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe" / Host.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description / pid / process / target process):
  PID 1056 wrote to memory of 1284 / 1056 / dependencies.exe / Host.exe
  PID 1056 wrote to memory of 1284 / 1056 / dependencies.exe / Host.exe
  PID 1056 wrote to memory of 1284 / 1056 / dependencies.exe / Host.exe
  PID 1056 wrote to memory of 1284 / 1056 / dependencies.exe / Host.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\dependencies.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\dependencies.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Install\Host.exe (child process)
    Command line: "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
    - Executes dropped EXE
    - Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Install\Host.exe
  MD5: 3a1db70b49e9be3303890cb7855f2296
  SHA1: fed77876af92c2eb080251ba7a3532a154be1e94
  SHA256: 3ffbccaf9efde195e47803fbeefbeea8daa46b8befe87b7781434c50b79d613b
  SHA512: 052e7cfc998eb8a6133cedb094ce7181461875031f7c7fafc1cf468d36d9d72d02705becd79c3e1e595ce02c4ba85d7baf45b0bc3125113a5a07d5b62dc3483e
- \Users\Admin\AppData\Roaming\Install\Host.exe
  MD5: 3a1db70b49e9be3303890cb7855f2296
  SHA1: fed77876af92c2eb080251ba7a3532a154be1e94
  SHA256: 3ffbccaf9efde195e47803fbeefbeea8daa46b8befe87b7781434c50b79d613b
  SHA512: 052e7cfc998eb8a6133cedb094ce7181461875031f7c7fafc1cf468d36d9d72d02705becd79c3e1e595ce02c4ba85d7baf45b0bc3125113a5a07d5b62dc3483e
- \Users\Admin\AppData\Roaming\Install\Host.exe
  MD5: 3a1db70b49e9be3303890cb7855f2296
  SHA1: fed77876af92c2eb080251ba7a3532a154be1e94
  SHA256: 3ffbccaf9efde195e47803fbeefbeea8daa46b8befe87b7781434c50b79d613b
  SHA512: 052e7cfc998eb8a6133cedb094ce7181461875031f7c7fafc1cf468d36d9d72d02705becd79c3e1e595ce02c4ba85d7baf45b0bc3125113a5a07d5b62dc3483e
- memory/1056-59-0x00000000766D1000-0x00000000766D3000-memory.dmp
  Filesize: 8KB
- memory/1284-62-0x0000000000000000-mapping.dmp