Analysis
  max time kernel:  159s
  max time network: 175s
  platform:         windows10-2004_x64
  resource:         win10v2004-en-20220112
  submitted:        17/02/2022, 00:14
Behavioral task: behavioral1
  Sample:   7e2bdb47ac86e3ea25c23496ed4046aa4108ccf647250e9d9dd8e4fb83aaea4a.exe
  Resource: win7-en-20211208
  0 signatures, 0 seconds
General
  Target: 7e2bdb47ac86e3ea25c23496ed4046aa4108ccf647250e9d9dd8e4fb83aaea4a.exe
  Size:   89KB
  MD5:    0b1bb3e49dbdc7ebfe81d4d3982275d2
  SHA1:   958f45ab00ac2212c748461ea7860b12e7c8e35e
  SHA256: 7e2bdb47ac86e3ea25c23496ed4046aa4108ccf647250e9d9dd8e4fb83aaea4a
  SHA512: 15ad15a353c379934a75ad56c8955b9ca4b7aa43de4559768c819f486e5df2448dfe3c8479ff799da58bace88abeca45c4fac28ca8ac41f267fdd83ea6cebb04
Malware Config (Extracted)
  Family: netwire
  C2:     sgteyor.ddns.net:39888
  Attributes:
    activex_autorun:  false
    activex_key:      (empty)
    copy_executable:  true
    delete_original:  false
    host_id:          Eyor
    install_path:     %AppData%\Install\Host.exe
    keylogger_dir:    %AppData%\Logs\
    lock_executable:  false
    mutex:            (empty)
    offline_keylogger: true
    password:         Master0147
    registry_autorun: false
    startup_name:     (empty)
    use_mutex:        false
Signatures

NetWire RAT payload (2 IoCs)
  resource                                    yara_rule
  behavioral2/files/0x000300000001ed0c-130.dat  netwire
  behavioral2/files/0x000300000001ed0c-131.dat  netwire

Executes dropped EXE (1 IoC)
  pid  Process
  616  Host.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                    Process
  Key opened         \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0       MusNotifyIcon.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  MusNotifyIcon.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description                     pid   Process                                                                   procid_target
  PID 3952 wrote to memory of 616  3952  7e2bdb47ac86e3ea25c23496ed4046aa4108ccf647250e9d9dd8e4fb83aaea4a.exe  58
  PID 3952 wrote to memory of 616  3952  7e2bdb47ac86e3ea25c23496ed4046aa4108ccf647250e9d9dd8e4fb83aaea4a.exe  58
  PID 3952 wrote to memory of 616  3952  7e2bdb47ac86e3ea25c23496ed4046aa4108ccf647250e9d9dd8e4fb83aaea4a.exe  58
Processes

C:\Users\Admin\AppData\Local\Temp\7e2bdb47ac86e3ea25c23496ed4046aa4108ccf647250e9d9dd8e4fb83aaea4a.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\7e2bdb47ac86e3ea25c23496ed4046aa4108ccf647250e9d9dd8e4fb83aaea4a.exe"
  PID: 3952
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\Install\Host.exe
    command line: "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
    PID: 616
    - Executes dropped EXE

C:\Windows\system32\MusNotifyIcon.exe
  command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  PID: 3400
  - Checks processor information in registry

C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k wusvcs -p
  PID: 3896