Analysis

  • max time kernel
    166s
  • max time network
    177s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    17/02/2022, 02:54

General

  • Target

    5e3bdf77c3b1b40c7e2219aa82fe6b0f30989bd58a27978a8a352a7ba5934860.exe

  • Size

    89KB

  • MD5

    3c5b1f0eb1444a37bf8a7f21d9d7f985

  • SHA1

    b3f5ba2fc4e02f6ab79fb2fa719901eec29ee7bc

  • SHA256

    5e3bdf77c3b1b40c7e2219aa82fe6b0f30989bd58a27978a8a352a7ba5934860

  • SHA512

    06b8b05d7e5dcc4d44a10fd56a2c1280390b0c646bd550baad901499cb675cbf17b2d340c02954057c422059642f9447ac2cce72a52cd31afc1d5971278382bb

Malware Config

Extracted

Family

netwire

C2

sgteyor.ddns.net:39888

Attributes
  • activex_autorun

    false

  • activex_key

  • copy_executable

    true

  • delete_original

    false

  • host_id

    Eyor

  • install_path

    %AppData%\Install\Host.exe

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • mutex

  • offline_keylogger

    true

  • password

    Master0147

  • registry_autorun

    false

  • startup_name

  • use_mutex

    false
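
The configuration block above is the most actionable part of the report: the C2 host and port, the install path and keylogger directory, and two persistence flags that are both off (no Run key, no ActiveX autorun). The following script, an added example that is not part of the sandbox report and not NetWire code, turns those values into indicators and matches them against Sysmon-style events. The config values are copied from the report; the event records, the user name "Admin", the file name "keystrokes.log" and the Sysmon field names used for matching are constructed for illustration.

```python
"""Turn the NetWire config extracted above into concrete indicators and match
them against Sysmon-style events.

Added example; it is not part of the sandbox report and not NetWire code. The
configuration values are copied from the report. The event records, the user
name "Admin" and the log file name are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Extracted configuration, copied from the report above.
NETWIRE_CONFIG = {
    "c2": "sgteyor.ddns.net:39888",
    "host_id": "Eyor",
    "install_path": "%AppData%\\Install\\Host.exe",
    "keylogger_dir": "%AppData%\\Logs\\",
    "copy_executable": True,
    "delete_original": False,
    "registry_autorun": False,
    "activex_autorun": False,
    "offline_keylogger": True,
}

# %AppData% resolves to the Roaming profile directory, which is why the report
# shows the dropped copy under C:\Users\Admin\AppData\Roaming\Install\Host.exe.
APPDATA_RE = re.compile(r"%appdata%", re.IGNORECASE)


def expand_appdata(template: str, user: str) -> str:
    """Expand %AppData% for one profile. Assumes the default root C:\\Users\\<user>."""
    root = f"C:\\Users\\{user}\\AppData\\Roaming"
    return APPDATA_RE.sub(lambda _m: root, template)


@dataclass(frozen=True)
class Indicators:
    c2_host: str
    c2_port: int
    install_paths: tuple      # one per user profile, lower-cased
    keylog_dirs: tuple        # one per user profile, lower-cased, trailing '\'
    persistence_in_config: bool


def derive_indicators(cfg: dict, users) -> Indicators:
    """Build host and network indicators from the extracted config."""
    host, _, port = cfg["c2"].rpartition(":")
    return Indicators(
        c2_host=host.lower(),
        c2_port=int(port),
        install_paths=tuple(expand_appdata(cfg["install_path"], u).lower() for u in users),
        keylog_dirs=tuple(expand_appdata(cfg["keylogger_dir"], u).lower() for u in users),
        # Both autorun flags are false in this config, so the config alone gives
        # no Run-key or ActiveX persistence to hunt for; focus on the dropped
        # file, the keylogger directory and the C2 host instead.
        persistence_in_config=bool(cfg["registry_autorun"] or cfg["activex_autorun"]),
    )


def match_events(events, ind: Indicators):
    """Return (label, artefact) pairs for events that touch an indicator.
    Event IDs follow Sysmon: 1 process create, 3 network connect,
    11 file create, 22 DNS query."""
    hits = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 1 and ev["Image"].lower() in ind.install_paths:
            hits.append(("process_from_install_path", ev["Image"]))
        elif eid == 11:
            target = ev["TargetFilename"].lower()
            if target in ind.install_paths:
                hits.append(("payload_dropped", ev["TargetFilename"]))
            elif any(target.startswith(d) for d in ind.keylog_dirs):
                hits.append(("keylog_file_write", ev["TargetFilename"]))
        elif eid == 22 and ev["QueryName"].lower() == ind.c2_host:
            hits.append(("c2_dns_lookup", ev["QueryName"]))
        elif (eid == 3 and ev.get("DestinationPort") == ind.c2_port
              and ev.get("DestinationHostname", "").lower() == ind.c2_host):
            hits.append(("c2_connection", f"{ev['DestinationHostname']}:{ev['DestinationPort']}"))
    return hits


SAMPLE = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
          "5e3bdf77c3b1b40c7e2219aa82fe6b0f30989bd58a27978a8a352a7ba5934860.exe")
HOST_EXE = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe"

# Constructed events modelled on the report's process list; not captured data.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": SAMPLE, "TargetFilename": HOST_EXE},
    {"EventID": 1, "Image": HOST_EXE, "ParentImage": SAMPLE},
    {"EventID": 22, "Image": HOST_EXE, "QueryName": "sgteyor.ddns.net"},
    {"EventID": 3, "Image": HOST_EXE, "DestinationHostname": "sgteyor.ddns.net",
     "DestinationPort": 39888},
    {"EventID": 11, "Image": HOST_EXE,
     "TargetFilename": "C:\\Users\\Admin\\AppData\\Roaming\\Logs\\keystrokes.log"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\svchost.exe",
     "ParentImage": "C:\\Windows\\System32\\services.exe"},
]

if __name__ == "__main__":
    ind = derive_indicators(NETWIRE_CONFIG, ["Admin"])
    for label, artefact in match_events(SAMPLE_EVENTS, ind):
        print(f"{label:26} {artefact}")
```

Because the C2 is a dynamic-DNS name (ddns.net) rather than an IP, the DNS query and the connection are matched on the hostname; the resolved address can change between runs and is deliberately not used as an indicator here.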

Signatures

  • NetWire RAT payload 2 IoCs
  • Netwire

    Netwire is a RAT whose main functionality is password stealing and keylogging; it also includes remote control capabilities.

  • Executes dropped EXE 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 50 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5e3bdf77c3b1b40c7e2219aa82fe6b0f30989bd58a27978a8a352a7ba5934860.exe
    "C:\Users\Admin\AppData\Local\Temp\5e3bdf77c3b1b40c7e2219aa82fe6b0f30989bd58a27978a8a352a7ba5934860.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1676
    • C:\Users\Admin\AppData\Roaming\Install\Host.exe
      "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
      2⤵
      • Executes dropped EXE
      PID:1204
  • C:\Windows\system32\MusNotifyIcon.exe
    %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
    1⤵
    • Checks processor information in registry
    PID:3260
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    PID:1676
  • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
    C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:2596
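
The process list above shows the "Executes dropped EXE" signature as a parent-child relationship: the sample, running from %TEMP%, launches the copy it wrote to %AppData%\Roaming\Install\Host.exe. The script below, an added example that is not part of the report, rebuilds a process tree from process-create records and flags exactly that pattern. Images and PIDs 1676, 1204, 3260 and 2596 are taken from the report's list; the parent PIDs, the explorer.exe and services.exe ancestors, and the svchost.exe PID 4001 are assumed, because the report shows parentage by indentation only and lists PID 1676 for both the sample and a svchost.exe instance.

```python
"""Rebuild the process tree shown above and flag the 'Executes dropped EXE'
pattern: a process whose image lives in a user-writable directory and whose
parent runs out of %TEMP%.

Added example; not part of the sandbox report. Images and PIDs 1676, 1204,
3260 and 2596 come from the report's process list; all parent PIDs, the
explorer.exe / services.exe ancestors and the svchost.exe PID 4001 are
assumed for illustration.
"""
import re
from collections import defaultdict

# Directories an unprivileged user can write to (profile tree) versus the
# temp directory the sample itself ran from.
USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\", re.IGNORECASE)
TEMP_DIR = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)

SAMPLE = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
          "5e3bdf77c3b1b40c7e2219aa82fe6b0f30989bd58a27978a8a352a7ba5934860.exe")
HOST_EXE = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe"
TIWORKER = ("C:\\Windows\\winsxs\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35"
            "_10.0.19041.1220_none_7e21bc567c7ed16b\\TiWorker.exe")

# Constructed process-create records (pid, ppid, image). ppid values are assumed.
PROCESSES = [
    {"pid": 4000, "ppid": 3990, "image": "C:\\Windows\\explorer.exe"},
    {"pid": 1676, "ppid": 4000, "image": SAMPLE},
    {"pid": 1204, "ppid": 1676, "image": HOST_EXE},
    {"pid": 700,  "ppid": 4,    "image": "C:\\Windows\\System32\\services.exe"},
    {"pid": 4001, "ppid": 700,  "image": "C:\\Windows\\System32\\svchost.exe"},
    {"pid": 3260, "ppid": 4001, "image": "C:\\Windows\\system32\\MusNotifyIcon.exe"},
    {"pid": 2596, "ppid": 4001, "image": TIWORKER},
]


def build_tree(procs):
    """Index processes by pid and map each pid to its children."""
    by_pid = {p["pid"]: p for p in procs}
    children = defaultdict(list)
    for p in procs:
        children[p["ppid"]].append(p["pid"])
    return by_pid, children


def ancestry(by_pid, pid):
    """Image chain from the highest known ancestor down to pid.
    The 'seen' set guards against cycles from PID reuse."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid]["image"])
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))


def find_dropped_exe_executions(procs):
    """Flag children in a user-writable path whose parent runs from %TEMP%."""
    by_pid, _ = build_tree(procs)
    hits = []
    for p in procs:
        parent = by_pid.get(p["ppid"])
        if parent is None:
            continue  # ancestor not in the log; nothing to judge
        if USER_WRITABLE.match(p["image"]) and TEMP_DIR.match(parent["image"]):
            hits.append({
                "pid": p["pid"],
                "image": p["image"],
                "parent": parent["image"],
                "chain": ancestry(by_pid, p["pid"]),
            })
    return hits


if __name__ == "__main__":
    for hit in find_dropped_exe_executions(PROCESSES):
        print(f"PID {hit['pid']}: " + " -> ".join(hit["chain"]))
```

The Windows-directory processes in the list (svchost.exe, MusNotifyIcon.exe, TiWorker.exe) are not flagged: their images are outside the user profile, and the "Drops file in Windows directory" and "Modifies data under HKEY_USERS" signatures attached to them are consistent with ordinary servicing activity on the sandbox image rather than with the sample. The duplicate PID 1676 in the report is a reminder to key real telemetry on a process GUID rather than a bare PID.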

Network

        MITRE ATT&CK Enterprise v6
