Analysis
-
max time kernel
143s -
max time network
145s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
20-05-2022 21:48
General
-
Target
5e6936004864f0ea2ca948645cf3a73610b08b61e28dd9dd9abd37c3a7097df2.exe
-
Size
160KB
-
MD5
a6b3b195fc729456c47573cc58f7b420
-
SHA1
1a388ba57f09225eed3a4fed6a9a9b8b7f16bcfd
-
SHA256
5e6936004864f0ea2ca948645cf3a73610b08b61e28dd9dd9abd37c3a7097df2
-
SHA512
eec3a6e00461fd8f7293522df11a018daffd4d3716e35c2448743e7169b73d798dfbf4a82b8edc896df1a29653cfcad218dbb1048457b6c3eaed7cb127d2ff11
Malware Config
Signatures
-
NetWire RAT payload 6 IoCs
-
Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
-
Executes dropped EXE 2 IoCs
-
Modifies Installed Components in the registry 2 TTPs
-
Loads dropped DLL 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 24 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\5e6936004864f0ea2ca948645cf3a73610b08b61e28dd9dd9abd37c3a7097df2.exe"C:\Users\Admin\AppData\Local\Temp\5e6936004864f0ea2ca948645cf3a73610b08b61e28dd9dd9abd37c3a7097df2.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\5e6936004864f0ea2ca948645cf3a73610b08b61e28dd9dd9abd37c3a7097df2.exe"C:\Users\Admin\AppData\Local\Temp\5e6936004864f0ea2ca948645cf3a73610b08b61e28dd9dd9abd37c3a7097df2.exe"2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\microsofts\iexplore.exe"C:\Users\Admin\AppData\Roaming\microsofts\iexplore.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\microsofts\iexplore.exe"C:\Users\Admin\AppData\Roaming\microsofts\iexplore.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\microsofts\iexplore.exeFilesize
160KB
MD5a6b3b195fc729456c47573cc58f7b420
SHA11a388ba57f09225eed3a4fed6a9a9b8b7f16bcfd
SHA2565e6936004864f0ea2ca948645cf3a73610b08b61e28dd9dd9abd37c3a7097df2
SHA512eec3a6e00461fd8f7293522df11a018daffd4d3716e35c2448743e7169b73d798dfbf4a82b8edc896df1a29653cfcad218dbb1048457b6c3eaed7cb127d2ff11
-
C:\Users\Admin\AppData\Roaming\microsofts\iexplore.exeFilesize
160KB
MD5a6b3b195fc729456c47573cc58f7b420
SHA11a388ba57f09225eed3a4fed6a9a9b8b7f16bcfd
SHA2565e6936004864f0ea2ca948645cf3a73610b08b61e28dd9dd9abd37c3a7097df2
SHA512eec3a6e00461fd8f7293522df11a018daffd4d3716e35c2448743e7169b73d798dfbf4a82b8edc896df1a29653cfcad218dbb1048457b6c3eaed7cb127d2ff11
-
C:\Users\Admin\AppData\Roaming\microsofts\iexplore.exeFilesize
160KB
MD5a6b3b195fc729456c47573cc58f7b420
SHA11a388ba57f09225eed3a4fed6a9a9b8b7f16bcfd
SHA2565e6936004864f0ea2ca948645cf3a73610b08b61e28dd9dd9abd37c3a7097df2
SHA512eec3a6e00461fd8f7293522df11a018daffd4d3716e35c2448743e7169b73d798dfbf4a82b8edc896df1a29653cfcad218dbb1048457b6c3eaed7cb127d2ff11
-
\Users\Admin\AppData\Roaming\microsofts\iexplore.exeFilesize
160KB
MD5a6b3b195fc729456c47573cc58f7b420
SHA11a388ba57f09225eed3a4fed6a9a9b8b7f16bcfd
SHA2565e6936004864f0ea2ca948645cf3a73610b08b61e28dd9dd9abd37c3a7097df2
SHA512eec3a6e00461fd8f7293522df11a018daffd4d3716e35c2448743e7169b73d798dfbf4a82b8edc896df1a29653cfcad218dbb1048457b6c3eaed7cb127d2ff11
-
\Users\Admin\AppData\Roaming\microsofts\iexplore.exeFilesize
160KB
MD5a6b3b195fc729456c47573cc58f7b420
SHA11a388ba57f09225eed3a4fed6a9a9b8b7f16bcfd
SHA2565e6936004864f0ea2ca948645cf3a73610b08b61e28dd9dd9abd37c3a7097df2
SHA512eec3a6e00461fd8f7293522df11a018daffd4d3716e35c2448743e7169b73d798dfbf4a82b8edc896df1a29653cfcad218dbb1048457b6c3eaed7cb127d2ff11
-
memory/104-72-0x00000000004021DA-mapping.dmp
-
memory/104-77-0x0000000000400000-0x000000000041E000-memory.dmpFilesize
120KB
-
memory/964-57-0x00000000004021DA-mapping.dmp
-
memory/964-59-0x00000000751C1000-0x00000000751C3000-memory.dmpFilesize
8KB
-
memory/964-60-0x0000000000400000-0x000000000041E000-memory.dmpFilesize
120KB
-
memory/964-56-0x0000000000400000-0x000000000041E000-memory.dmpFilesize
120KB
-
memory/964-64-0x0000000000400000-0x000000000041E000-memory.dmpFilesize
120KB
-
memory/1832-63-0x0000000000000000-mapping.dmp
-
memory/1832-66-0x0000000000430000-0x0000000000583000-memory.dmpFilesize
1.3MB