Analysis
- max time kernel: 131s
- max time network: 135s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 19:14
Static task
- static1

Behavioral task
- behavioral1
  Sample: swift copy .exe
  Resource: win7-20220414-en
  Platform: windows7_x64
  0 signatures, 0 seconds

Behavioral task
- behavioral2
  Sample: swift copy .exe
  Resource: win10v2004-20220414-en
  Platform: windows10-2004_x64
  0 signatures, 0 seconds
General
- Target: swift copy .exe
- Size: 496KB
- MD5: 2e949fbd641fbb0b7a2faa128ddd3540
- SHA1: eac22a028a62c18391a452850d9c42fbb19b7fb8
- SHA256: e7cddae953978be6b45011ccbde76cc209eb1bfb3976ba9e214a37df62e3e145
- SHA512: 93d326fc1f0bdace236773275b0969dc191e98979e6f353567bf8ca5479773bf8c811dd9b292136a6a1f2aa0999988c79567ef41f75dde5243ebd628582c1d78

Score
10/10
Malware Config
Signatures
- NetWire RAT payload (2 IoCs)
  Processes:
  resource                                                                      | yara_rule
  behavioral1/memory/1644-63-0x0000000000400000-0x000000000042C000-memory.dmp   | netwire
  behavioral1/memory/1644-62-0x0000000000400000-0x000000000047E000-memory.dmp   | netwire

- Modifies Installed Components in the registry (2 TTPs)

- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: swift copy .exe
  description     | ioc                                                                                                                                                                                    | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\NetWire = "C:\\Users\\Admin\\AppData\\Local\\Temp\\swift copy .exe" | swift copy .exe
  Key created     | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\                                                                           | swift copy .exe

- Suspicious use of SetThreadContext (1 IoC)
  Processes: swift copy .exe
  description                            | pid  | process         | target process
  PID 2032 set thread context of 1644    | 2032 | swift copy .exe | swift copy .exe

- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: swift copy .exe
  pid  | process
  2032 | swift copy .exe

- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: swift copy .exe
  description                        | pid  | process         | target process
  PID 2032 wrote to memory of 1644   | 2032 | swift copy .exe | swift copy .exe
  PID 2032 wrote to memory of 1644   | 2032 | swift copy .exe | swift copy .exe
  PID 2032 wrote to memory of 1644   | 2032 | swift copy .exe | swift copy .exe
  PID 2032 wrote to memory of 1644   | 2032 | swift copy .exe | swift copy .exe
Processes
- C:\Users\Admin\AppData\Local\Temp\swift copy .exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\swift copy .exe"
  Tree depth: 1
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\swift copy .exe
    Command line: C:\Users\Admin\AppData\Local\Temp\swift copy .exe"
    Tree depth: 2
    - Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1644-58-0x000000000046A117-mapping.dmp
- memory/1644-63-0x0000000000400000-0x000000000042C000-memory.dmp  Filesize: 176KB
- memory/1644-62-0x0000000000400000-0x000000000047E000-memory.dmp  Filesize: 504KB
- memory/1644-69-0x0000000077A60000-0x0000000077C09000-memory.dmp  Filesize: 1.7MB
- memory/2032-56-0x00000000001D0000-0x00000000001D7000-memory.dmp  Filesize: 28KB
- memory/2032-57-0x00000000759F1000-0x00000000759F3000-memory.dmp  Filesize: 8KB
- memory/2032-59-0x0000000077A60000-0x0000000077C09000-memory.dmp  Filesize: 1.7MB
- memory/2032-60-0x0000000077C40000-0x0000000077DC0000-memory.dmp  Filesize: 1.5MB