Overview

overview

10

Static

static

e7cddae953978b...45.exe

windows7_x64

10

e7cddae953978b...45.exe

windows10-2004_x64

10
General
Target

e7cddae953978be6b45011ccbde76cc209eb1bfb3976ba9e214a37df62e3e145.exe

Filesize

496KB

Completed

21-05-2022 19:16

Task

behavioral2

Score
10/10
MD5

2e949fbd641fbb0b7a2faa128ddd3540

SHA1

eac22a028a62c18391a452850d9c42fbb19b7fb8

SHA256

e7cddae953978be6b45011ccbde76cc209eb1bfb3976ba9e214a37df62e3e145

SHA512

93d326fc1f0bdace236773275b0969dc191e98979e6f353567bf8ca5479773bf8c811dd9b292136a6a1f2aa0999988c79567ef41f75dde5243ebd628582c1d78

Malware Config
Signatures 7

Filter: none

Defense Evasion
Persistence
  • NetWire RAT payload

    Tags

    Reported IOCs

    resourceyara_rule
    behavioral2/memory/1132-136-0x0000000000400000-0x000000000047E000-memory.dmpnetwire
    behavioral2/memory/1132-137-0x0000000000400000-0x000000000042C000-memory.dmpnetwire
  • Netwire

    Description

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    Tags

  • Modifies Installed Components in the registry

    Tags

    TTPs

    Registry Run Keys / Startup FolderModify Registry
  • Adds Run key to start application
    e7cddae953978be6b45011ccbde76cc209eb1bfb3976ba9e214a37df62e3e145.exe

    Tags

    TTPs

    Registry Run Keys / Startup FolderModify Registry

    Reported IOCs

    descriptioniocprocess
    Key created\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e7cddae953978be6b45011ccbde76cc209eb1bfb3976ba9e214a37df62e3e145.exe
    Set value (str)\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NetWire = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e7cddae953978be6b45011ccbde76cc209eb1bfb3976ba9e214a37df62e3e145.exe"e7cddae953978be6b45011ccbde76cc209eb1bfb3976ba9e214a37df62e3e145.exe
  • Suspicious use of SetThreadContext
    e7cddae953978be6b45011ccbde76cc209eb1bfb3976ba9e214a37df62e3e145.exe

    Reported IOCs

    descriptionpidprocesstarget process
    PID 1292 set thread context of 11321292e7cddae953978be6b45011ccbde76cc209eb1bfb3976ba9e214a37df62e3e145.exee7cddae953978be6b45011ccbde76cc209eb1bfb3976ba9e214a37df62e3e145.exe
  • Suspicious use of SetWindowsHookEx
    e7cddae953978be6b45011ccbde76cc209eb1bfb3976ba9e214a37df62e3e145.exe

    Reported IOCs

    pidprocess
    1292e7cddae953978be6b45011ccbde76cc209eb1bfb3976ba9e214a37df62e3e145.exe
  • Suspicious use of WriteProcessMemory
    e7cddae953978be6b45011ccbde76cc209eb1bfb3976ba9e214a37df62e3e145.exe

    Reported IOCs

    descriptionpidprocesstarget process
    PID 1292 wrote to memory of 11321292e7cddae953978be6b45011ccbde76cc209eb1bfb3976ba9e214a37df62e3e145.exee7cddae953978be6b45011ccbde76cc209eb1bfb3976ba9e214a37df62e3e145.exe
    PID 1292 wrote to memory of 11321292e7cddae953978be6b45011ccbde76cc209eb1bfb3976ba9e214a37df62e3e145.exee7cddae953978be6b45011ccbde76cc209eb1bfb3976ba9e214a37df62e3e145.exe
    PID 1292 wrote to memory of 11321292e7cddae953978be6b45011ccbde76cc209eb1bfb3976ba9e214a37df62e3e145.exee7cddae953978be6b45011ccbde76cc209eb1bfb3976ba9e214a37df62e3e145.exe
Processes 2
  • C:\Users\Admin\AppData\Local\Temp\e7cddae953978be6b45011ccbde76cc209eb1bfb3976ba9e214a37df62e3e145.exe
    "C:\Users\Admin\AppData\Local\Temp\e7cddae953978be6b45011ccbde76cc209eb1bfb3976ba9e214a37df62e3e145.exe"
    Suspicious use of SetThreadContext
    Suspicious use of SetWindowsHookEx
    Suspicious use of WriteProcessMemory
    PID:1292
    • C:\Users\Admin\AppData\Local\Temp\e7cddae953978be6b45011ccbde76cc209eb1bfb3976ba9e214a37df62e3e145.exe
      C:\Users\Admin\AppData\Local\Temp\e7cddae953978be6b45011ccbde76cc209eb1bfb3976ba9e214a37df62e3e145.exe"
      Adds Run key to start application
      PID:1132
Network
MITRE ATT&CK Matrix
Collection
    Command and Control
      Credential Access
        Defense Evasion
        Discovery
          Execution
            Exfiltration
              Impact
                Initial Access
                  Lateral Movement
                    Persistence
                    Privilege Escalation
                      Replay Monitor
                      00:00 00:00
                      Downloads

                      • memory/1132-143-0x00007FFAFF090000-0x00007FFAFF285000-memory.dmp

                        Download

                      • memory/1132-133-0x0000000000000000-mapping.dmp

                        Download

                      • memory/1132-136-0x0000000000400000-0x000000000047E000-memory.dmp

                        Download

                      • memory/1132-137-0x0000000000400000-0x000000000042C000-memory.dmp

                        Download

                      • memory/1132-144-0x00000000773E0000-0x0000000077583000-memory.dmp

                        Download

                      • memory/1292-134-0x00007FFAFF090000-0x00007FFAFF285000-memory.dmp

                        Download

                      • memory/1292-135-0x00000000773E0000-0x0000000077583000-memory.dmp

                        Download

                      • memory/1292-132-0x0000000002220000-0x0000000002227000-memory.dmp

                        Download