Analysis Overview
SHA256
5e7f47464b5bbd59babb9adc9fea3ca08a7cd8e1874f977b067b78313790d5a1
Threat Level: Known bad
The file 5e7f47464b5bbd59babb9adc9fea3ca08a7cd8e1874f977b067b78313790d5a1 was found to be: Known bad.
Malicious Activity Summary
NetWire RAT payload
Netwire family
Netwire
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2022-02-17 02:52
Signatures
NetWire RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Netwire family
Analysis: behavioral1
Detonation Overview
Submitted
2022-02-17 02:52
Reported
2022-02-17 03:08
Platform
win7-en-20211208
Max time kernel
121s
Max time network
172s
Command Line
Signatures
Netwire
Processes
C:\Users\Admin\AppData\Local\Temp\5e7f47464b5bbd59babb9adc9fea3ca08a7cd8e1874f977b067b78313790d5a1.exe
"C:\Users\Admin\AppData\Local\Temp\5e7f47464b5bbd59babb9adc9fea3ca08a7cd8e1874f977b067b78313790d5a1.exe"
Network
| Country | Destination | Domain | Proto |
| US | 66.154.103.106:13377 | tcp |
Files
memory/1720-54-0x0000000075601000-0x0000000075603000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-02-17 02:52
Reported
2022-02-17 03:09
Platform
win10v2004-en-20220113
Max time kernel
136s
Max time network
166s
Command Line
Signatures
Netwire
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\WinSxS\pending.xml | C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe | N/A |
| File opened for modification | C:\Windows\WindowsUpdate.log | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\Logs\CBS\CBS.log | C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Processes
C:\Users\Admin\AppData\Local\Temp\5e7f47464b5bbd59babb9adc9fea3ca08a7cd8e1874f977b067b78313790d5a1.exe
"C:\Users\Admin\AppData\Local\Temp\5e7f47464b5bbd59babb9adc9fea3ca08a7cd8e1874f977b067b78313790d5a1.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 66.154.103.106:13377 | tcp | |
| NL | 178.79.208.1:80 | tcp | |
| NL | 178.79.208.1:80 | tcp | |
| US | 8.8.8.8:53 | crl4.digicert.com | udp |
| US | 93.184.220.29:80 | crl4.digicert.com | tcp |
| US | 93.184.220.29:80 | crl4.digicert.com | tcp |
| US | 93.184.220.29:80 | crl4.digicert.com | tcp |
Files
memory/4188-130-0x000002D81F330000-0x000002D81F340000-memory.dmp
memory/4188-131-0x000002D81F390000-0x000002D81F3A0000-memory.dmp
memory/4188-132-0x000002D822080000-0x000002D822084000-memory.dmp