General

Target:    e7cddae953978be6b45011ccbde76cc209eb1bfb3976ba9e214a37df62e3e145.exe
Filesize:  496KB
Completed: 21-05-2022 19:17
Task:      behavioral1
Score:     10/10

MD5:    2e949fbd641fbb0b7a2faa128ddd3540
SHA1:   eac22a028a62c18391a452850d9c42fbb19b7fb8
SHA256: e7cddae953978be6b45011ccbde76cc209eb1bfb3976ba9e214a37df62e3e145
SHA512: 93d326fc1f0bdace236773275b0969dc191e98979e6f353567bf8ca5479773bf8c811dd9b292136a6a1f2aa0999988c79567ef41f75dde5243ebd628582c1d78

Malware Config

Signatures (7)

Tags: Defense Evasion, Persistence
  • NetWire RAT payload

    Reported IOCs

    resource | yara_rule
    behavioral1/memory/328-63-0x0000000000400000-0x000000000042C000-memory.dmp | netwire
    behavioral1/memory/328-62-0x0000000000400000-0x000000000047E000-memory.dmp | netwire
  • Netwire

    Description

    Netwire is a RAT whose main functionality is focused on password stealing and keylogging, but it also includes remote control capabilities.

  • Modifies Installed Components in the registry

    TTPs

    Registry Run Keys / Startup Folder; Modify Registry
  • Adds Run key to start application
    e7cddae953978be6b45011ccbde76cc209eb1bfb3976ba9e214a37df62e3e145.exe

    TTPs

    Registry Run Keys / Startup Folder; Modify Registry

    Reported IOCs

    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\NetWire = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e7cddae953978be6b45011ccbde76cc209eb1bfb3976ba9e214a37df62e3e145.exe" | e7cddae953978be6b45011ccbde76cc209eb1bfb3976ba9e214a37df62e3e145.exe
    Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | e7cddae953978be6b45011ccbde76cc209eb1bfb3976ba9e214a37df62e3e145.exe
  • Suspicious use of SetThreadContext
    e7cddae953978be6b45011ccbde76cc209eb1bfb3976ba9e214a37df62e3e145.exe

    Reported IOCs

    description | pid | process | target process
    PID 912 set thread context of 328 | 912 | e7cddae953978be6b45011ccbde76cc209eb1bfb3976ba9e214a37df62e3e145.exe | e7cddae953978be6b45011ccbde76cc209eb1bfb3976ba9e214a37df62e3e145.exe
  • Suspicious use of SetWindowsHookEx
    e7cddae953978be6b45011ccbde76cc209eb1bfb3976ba9e214a37df62e3e145.exe

    Reported IOCs

    pid | process
    912 | e7cddae953978be6b45011ccbde76cc209eb1bfb3976ba9e214a37df62e3e145.exe
  • Suspicious use of WriteProcessMemory
    e7cddae953978be6b45011ccbde76cc209eb1bfb3976ba9e214a37df62e3e145.exe

    Reported IOCs

    description | pid | process | target process
    PID 912 wrote to memory of 328 | 912 | e7cddae953978be6b45011ccbde76cc209eb1bfb3976ba9e214a37df62e3e145.exe | e7cddae953978be6b45011ccbde76cc209eb1bfb3976ba9e214a37df62e3e145.exe
    PID 912 wrote to memory of 328 | 912 | e7cddae953978be6b45011ccbde76cc209eb1bfb3976ba9e214a37df62e3e145.exe | e7cddae953978be6b45011ccbde76cc209eb1bfb3976ba9e214a37df62e3e145.exe
    PID 912 wrote to memory of 328 | 912 | e7cddae953978be6b45011ccbde76cc209eb1bfb3976ba9e214a37df62e3e145.exe | e7cddae953978be6b45011ccbde76cc209eb1bfb3976ba9e214a37df62e3e145.exe
    PID 912 wrote to memory of 328 | 912 | e7cddae953978be6b45011ccbde76cc209eb1bfb3976ba9e214a37df62e3e145.exe | e7cddae953978be6b45011ccbde76cc209eb1bfb3976ba9e214a37df62e3e145.exe
Processes (2)
  • C:\Users\Admin\AppData\Local\Temp\e7cddae953978be6b45011ccbde76cc209eb1bfb3976ba9e214a37df62e3e145.exe
    "C:\Users\Admin\AppData\Local\Temp\e7cddae953978be6b45011ccbde76cc209eb1bfb3976ba9e214a37df62e3e145.exe"
    Suspicious use of SetThreadContext
    Suspicious use of SetWindowsHookEx
    Suspicious use of WriteProcessMemory
    PID:912
    • C:\Users\Admin\AppData\Local\Temp\e7cddae953978be6b45011ccbde76cc209eb1bfb3976ba9e214a37df62e3e145.exe
      C:\Users\Admin\AppData\Local\Temp\e7cddae953978be6b45011ccbde76cc209eb1bfb3976ba9e214a37df62e3e145.exe"
      Adds Run key to start application
      PID:328
Network
MITRE ATT&CK Matrix

Collection, Command and Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Privilege Escalation

Downloads
  • memory/328-62-0x0000000000400000-0x000000000047E000-memory.dmp
  • memory/328-69-0x0000000077BA0000-0x0000000077D49000-memory.dmp
  • memory/328-58-0x000000000046A117-mapping.dmp
  • memory/328-63-0x0000000000400000-0x000000000042C000-memory.dmp
  • memory/912-59-0x0000000077BA0000-0x0000000077D49000-memory.dmp
  • memory/912-60-0x0000000077D80000-0x0000000077F00000-memory.dmp
  • memory/912-56-0x0000000000240000-0x0000000000247000-memory.dmp
  • memory/912-57-0x0000000076C81000-0x0000000076C83000-memory.dmp