Analysis Overview
SHA256
7e2bdb47ac86e3ea25c23496ed4046aa4108ccf647250e9d9dd8e4fb83aaea4a
Threat Level: Known bad
The file 7e2bdb47ac86e3ea25c23496ed4046aa4108ccf647250e9d9dd8e4fb83aaea4a was found to be: Known bad.
Malicious Activity Summary
NetWire RAT payload
Netwire family
Netwire
Executes dropped EXE
Loads dropped DLL
Suspicious use of WriteProcessMemory
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-02-17 00:14
Signatures
NetWire RAT payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Netwire family
Analysis: behavioral1
Detonation Overview
Submitted
2022-02-17 00:14
Reported
2022-02-17 00:23
Platform
win7-en-20211208
Max time kernel
122s
Max time network
138s
Command Line
Signatures
NetWire RAT payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Netwire
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Install\Host.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7e2bdb47ac86e3ea25c23496ed4046aa4108ccf647250e9d9dd8e4fb83aaea4a.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7e2bdb47ac86e3ea25c23496ed4046aa4108ccf647250e9d9dd8e4fb83aaea4a.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1568 wrote to memory of 1588 | N/A | C:\Users\Admin\AppData\Local\Temp\7e2bdb47ac86e3ea25c23496ed4046aa4108ccf647250e9d9dd8e4fb83aaea4a.exe | C:\Users\Admin\AppData\Roaming\Install\Host.exe |
| PID 1568 wrote to memory of 1588 | N/A | C:\Users\Admin\AppData\Local\Temp\7e2bdb47ac86e3ea25c23496ed4046aa4108ccf647250e9d9dd8e4fb83aaea4a.exe | C:\Users\Admin\AppData\Roaming\Install\Host.exe |
| PID 1568 wrote to memory of 1588 | N/A | C:\Users\Admin\AppData\Local\Temp\7e2bdb47ac86e3ea25c23496ed4046aa4108ccf647250e9d9dd8e4fb83aaea4a.exe | C:\Users\Admin\AppData\Roaming\Install\Host.exe |
| PID 1568 wrote to memory of 1588 | N/A | C:\Users\Admin\AppData\Local\Temp\7e2bdb47ac86e3ea25c23496ed4046aa4108ccf647250e9d9dd8e4fb83aaea4a.exe | C:\Users\Admin\AppData\Roaming\Install\Host.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\7e2bdb47ac86e3ea25c23496ed4046aa4108ccf647250e9d9dd8e4fb83aaea4a.exe
"C:\Users\Admin\AppData\Local\Temp\7e2bdb47ac86e3ea25c23496ed4046aa4108ccf647250e9d9dd8e4fb83aaea4a.exe"
C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | sgteyor.ddns.net | udp |
Files
memory/1568-55-0x0000000076371000-0x0000000076373000-memory.dmp
\Users\Admin\AppData\Roaming\Install\Host.exe
| MD5 | 0b1bb3e49dbdc7ebfe81d4d3982275d2 |
| SHA1 | 958f45ab00ac2212c748461ea7860b12e7c8e35e |
| SHA256 | 7e2bdb47ac86e3ea25c23496ed4046aa4108ccf647250e9d9dd8e4fb83aaea4a |
| SHA512 | 15ad15a353c379934a75ad56c8955b9ca4b7aa43de4559768c819f486e5df2448dfe3c8479ff799da58bace88abeca45c4fac28ca8ac41f267fdd83ea6cebb04 |
C:\Users\Admin\AppData\Roaming\Install\Host.exe
| MD5 | 0b1bb3e49dbdc7ebfe81d4d3982275d2 |
| SHA1 | 958f45ab00ac2212c748461ea7860b12e7c8e35e |
| SHA256 | 7e2bdb47ac86e3ea25c23496ed4046aa4108ccf647250e9d9dd8e4fb83aaea4a |
| SHA512 | 15ad15a353c379934a75ad56c8955b9ca4b7aa43de4559768c819f486e5df2448dfe3c8479ff799da58bace88abeca45c4fac28ca8ac41f267fdd83ea6cebb04 |
Analysis: behavioral2
Detonation Overview
Submitted
2022-02-17 00:14
Reported
2022-02-17 00:23
Platform
win10v2004-en-20220112
Max time kernel
159s
Max time network
175s
Command Line
Signatures
NetWire RAT payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Netwire
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Install\Host.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\MusNotifyIcon.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\MusNotifyIcon.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3952 wrote to memory of 616 | N/A | C:\Users\Admin\AppData\Local\Temp\7e2bdb47ac86e3ea25c23496ed4046aa4108ccf647250e9d9dd8e4fb83aaea4a.exe | C:\Users\Admin\AppData\Roaming\Install\Host.exe |
| PID 3952 wrote to memory of 616 | N/A | C:\Users\Admin\AppData\Local\Temp\7e2bdb47ac86e3ea25c23496ed4046aa4108ccf647250e9d9dd8e4fb83aaea4a.exe | C:\Users\Admin\AppData\Roaming\Install\Host.exe |
| PID 3952 wrote to memory of 616 | N/A | C:\Users\Admin\AppData\Local\Temp\7e2bdb47ac86e3ea25c23496ed4046aa4108ccf647250e9d9dd8e4fb83aaea4a.exe | C:\Users\Admin\AppData\Roaming\Install\Host.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\7e2bdb47ac86e3ea25c23496ed4046aa4108ccf647250e9d9dd8e4fb83aaea4a.exe
"C:\Users\Admin\AppData\Local\Temp\7e2bdb47ac86e3ea25c23496ed4046aa4108ccf647250e9d9dd8e4fb83aaea4a.exe"
C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
C:\Windows\system32\MusNotifyIcon.exe
%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k wusvcs -p
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 93.184.220.29:80 | | tcp |
| US | 20.42.65.85:443 | | tcp |
| US | 93.184.220.29:80 | | tcp |
| US | 93.184.220.29:80 | | tcp |
| BE | 8.238.110.126:80 | | tcp |
| BE | 67.27.154.126:80 | | tcp |
| US | 93.184.220.29:80 | | tcp |
| US | 8.8.8.8:53 | sgteyor.ddns.net | udp |
| US | 72.21.91.29:80 | crl4.digicert.com | tcp |
| US | 93.184.220.29:80 | | tcp |
| US | 8.8.8.8:53 | sgteyor.ddns.net | udp |
Files
C:\Users\Admin\AppData\Roaming\Install\Host.exe
| MD5 | 0b1bb3e49dbdc7ebfe81d4d3982275d2 |
| SHA1 | 958f45ab00ac2212c748461ea7860b12e7c8e35e |
| SHA256 | 7e2bdb47ac86e3ea25c23496ed4046aa4108ccf647250e9d9dd8e4fb83aaea4a |
| SHA512 | 15ad15a353c379934a75ad56c8955b9ca4b7aa43de4559768c819f486e5df2448dfe3c8479ff799da58bace88abeca45c4fac28ca8ac41f267fdd83ea6cebb04 |