Analysis

max time kernel: 144s
max time network: 170s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 25-06-2022 07:15

Static task: static1
Behavioral task: behavioral1
  Sample: 39f51c80d8d21e1ae2a007f80d67e24dbf3742a458dd53c7fc5e0ebf1ae92822.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 39f51c80d8d21e1ae2a007f80d67e24dbf3742a458dd53c7fc5e0ebf1ae92822.exe
  Resource: win10v2004-20220414-en

The Signatures and Processes sections below are taken from behavioral2 (win10v2004-20220414-en): the memory dumps carrying the YARA hits are prefixed behavioral2/ and their PIDs (688, 4988) are the ones in the process tree.

General

Target: 39f51c80d8d21e1ae2a007f80d67e24dbf3742a458dd53c7fc5e0ebf1ae92822.exe
Size: 604KB
MD5: 709f957e6dbe9b0c1457e92aa4cc48d6
SHA1: 204d345363fd5d0d78d436d3d67cab1c335273ce
SHA256: 39f51c80d8d21e1ae2a007f80d67e24dbf3742a458dd53c7fc5e0ebf1ae92822
SHA512: be56e882e28835c8e6c043d39d59510f3b3a6ce03517095c9d24c8fbca02a6d91c98bf4bd83579b3078fde4147201b010611959d5bb5cc2adfda24a5c2a3ba4f
Malware Config

Extracted family: netwire
C2 endpoints:
  emthai.ddns.net:3365
  emthai.ddns.net:1076
activex_autorun: false
copy_executable: true
delete_original: true
host_id: HostId-%Emathai%
install_path: %AppData%\Install\Host.exe
keylogger_dir: %AppData%\Logs\
lock_executable: false
mutex: nOQDdboC
offline_keylogger: true
password: emthai18
registry_autorun: true
startup_name: Java_Updates
use_mutex: true

The copy_executable, install_path, registry_autorun and startup_name values match what the sandbox recorded: the sample copies itself to C:\Users\Admin\AppData\Roaming\Install\Host.exe (the %AppData% expansion on this host) and registers that path under HKCU\...\CurrentVersion\Run as Java_Updates. The C2 host is a dynamic-DNS name, so the two ports, the install path, the Run value name and the mutex are the IoCs that survive an IP change.
Signatures

NetWire RAT payload (7 IoCs)
  resource                                                                       yara_rule
  behavioral2/memory/688-133-0x0000000000000000-mapping.dmp                      netwire
  behavioral2/memory/688-135-0x0000000000400000-0x000000000042C000-memory.dmp    netwire
  behavioral2/memory/688-136-0x0000000000400000-0x000000000042C000-memory.dmp    netwire
  behavioral2/memory/688-137-0x0000000000400000-0x000000000042C000-memory.dmp    netwire
  behavioral2/memory/4988-143-0x0000000000000000-mapping.dmp                     netwire
  behavioral2/memory/4988-147-0x0000000000400000-0x000000000042C000-memory.dmp   netwire
  behavioral2/memory/4988-148-0x0000000000400000-0x000000000042C000-memory.dmp   netwire

Executes dropped EXE (2 IoCs)
  pid    process
  2288   Host.exe
  4988   Host.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  description      ioc                                                                                                                          process
  Key created      \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\                    Host.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java_Updates = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe"   Host.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid    process
  4416   39f51c80d8d21e1ae2a007f80d67e24dbf3742a458dd53c7fc5e0ebf1ae92822.exe
  2288   Host.exe

Suspicious use of WriteProcessMemory (37 IoCs)
  The report lists one row per write ("PID <pid> wrote to memory of <target>"); the 37 rows collapse to three parent/child pairs:
  pid    process                                                                   target pid   target process                                                            procid_target   writes
  4416   39f51c80d8d21e1ae2a007f80d67e24dbf3742a458dd53c7fc5e0ebf1ae92822.exe     688          39f51c80d8d21e1ae2a007f80d67e24dbf3742a458dd53c7fc5e0ebf1ae92822.exe     81              17
  688    39f51c80d8d21e1ae2a007f80d67e24dbf3742a458dd53c7fc5e0ebf1ae92822.exe     2288         Host.exe                                                                  82              3
  2288   Host.exe                                                                  4988         Host.exe                                                                  83              17
Processes

1. C:\Users\Admin\AppData\Local\Temp\39f51c80d8d21e1ae2a007f80d67e24dbf3742a458dd53c7fc5e0ebf1ae92822.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\39f51c80d8d21e1ae2a007f80d67e24dbf3742a458dd53c7fc5e0ebf1ae92822.exe"
   PID: 4416
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\39f51c80d8d21e1ae2a007f80d67e24dbf3742a458dd53c7fc5e0ebf1ae92822.exe (child of 4416)
      Command line: "C:\Users\Admin\AppData\Local\Temp\39f51c80d8d21e1ae2a007f80d67e24dbf3742a458dd53c7fc5e0ebf1ae92822.exe"
      PID: 688
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Roaming\Install\Host.exe (child of 688)
         Command line: -m "C:\Users\Admin\AppData\Local\Temp\39f51c80d8d21e1ae2a007f80d67e24dbf3742a458dd53c7fc5e0ebf1ae92822.exe"
         PID: 2288
         - Executes dropped EXE
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Roaming\Install\Host.exe (child of 2288)
            Command line: -m "C:\Users\Admin\AppData\Local\Temp\39f51c80d8d21e1ae2a007f80d67e24dbf3742a458dd53c7fc5e0ebf1ae92822.exe"
            PID: 4988
            - Executes dropped EXE
            - Adds Run key to start application
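To make the report actionable, the following is an added example (my code, not part of the Triage report and not NetWire's own code) that parses the extracted configuration exactly as printed in the Malware Config section, derives host and network IoCs from it, and checks them against a handful of constructed Sysmon-style events that mirror the Signatures and Processes sections above. The events themselves, the expansion of %AppData% to C:\Users\Admin\AppData\Roaming (taken from the Run key value the report shows) and the keys.log file name under the Logs directory are assumptions made for the example; every rule keys only on fields the report displays.

```python
"""Derive IoCs from the NetWire config printed in the report and match them
against Sysmon-style host telemetry. Added example; the events are constructed."""
import re
from typing import Dict, List, Tuple

# Configuration block as the report prints it under "Malware Config".
NETWIRE_CONFIG = """\
netwire
emthai.ddns.net:3365
emthai.ddns.net:1076
activex_autorun false
copy_executable true
delete_original true
host_id HostId-%Emathai%
install_path %AppData%\\Install\\Host.exe
keylogger_dir %AppData%\\Logs\\
lock_executable false
mutex nOQDdboC
offline_keylogger true
password emthai18
registry_autorun true
startup_name Java_Updates
use_mutex true
"""

C2_RE = re.compile(r"^([A-Za-z0-9.-]+):(\d{1,5})$")
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run\\"


def parse_config(text: str) -> Dict[str, object]:
    """First line is the family; 'host:port' lines are C2 endpoints;
    everything else is 'key value' with true/false mapped to bool."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    cfg: Dict[str, object] = {"family": lines[0], "c2": []}
    for line in lines[1:]:
        m = C2_RE.match(line)
        if m:
            cfg["c2"].append((m.group(1).lower(), int(m.group(2))))
            continue
        key, _, value = line.partition(" ")
        cfg[key] = {"true": True, "false": False}.get(value, value)
    return cfg


def derive_iocs(cfg: Dict[str, object]) -> Dict[str, object]:
    """Expand %AppData% as the sandbox did (assumption: ...\\AppData\\Roaming, per the
    Run key value in the report) and keep path IoCs as lowercase suffixes so the
    local username does not matter on other hosts."""
    def as_suffix(path: str) -> str:
        return path.replace("%AppData%", "\\AppData\\Roaming").lower()
    return {
        "c2_hosts": {host for host, _ in cfg["c2"]},
        "install_suffix": as_suffix(cfg["install_path"]),
        "keylog_suffix": as_suffix(cfg["keylogger_dir"]),
        "run_value": cfg["startup_name"] if cfg.get("registry_autorun") else None,
        "mutex": cfg["mutex"] if cfg.get("use_mutex") else None,
    }


HOST_EXE = r"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
ORIG_EXE = r"C:\Users\Admin\AppData\Local\Temp\39f51c80d8d21e1ae2a007f80d67e24dbf3742a458dd53c7fc5e0ebf1ae92822.exe"

# Constructed Sysmon-style events (1 process create, 11 file create, 13 registry
# value set, 22 DNS query, 3 network connect). Paths, Run value and host are the
# ones the report shows; the keys.log file name is hypothetical.
EVENTS: List[Dict[str, object]] = [
    {"EventID": 13, "Image": HOST_EXE, "Details": HOST_EXE,
     "TargetObject": r"HKU\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java_Updates"},
    {"EventID": 1, "Image": HOST_EXE, "CommandLine": f'-m "{ORIG_EXE}"'},
    {"EventID": 11, "Image": HOST_EXE, "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Logs\keys.log"},
    {"EventID": 22, "Image": HOST_EXE, "QueryName": "emthai.ddns.net"},
    {"EventID": 3, "Image": HOST_EXE, "DestinationHostname": "emthai.ddns.net", "DestinationPort": 3365},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},  # benign control
]


def match_events(iocs: Dict[str, object], events: List[Dict[str, object]]) -> List[Tuple[int, str]]:
    """Return (event index, reason) for every event that touches a config-derived IoC."""
    hits: List[Tuple[int, str]] = []
    for i, ev in enumerate(events):
        eid = ev.get("EventID")
        image = str(ev.get("Image", "")).lower()
        target = str(ev.get("TargetObject", "")).lower()
        fname = str(ev.get("TargetFilename", "")).lower()
        host = str(ev.get("QueryName") or ev.get("DestinationHostname") or "").lower()
        if eid == 13 and iocs["run_value"] and target.endswith(RUN_KEY + iocs["run_value"].lower()):
            hits.append((i, f"Run key value {iocs['run_value']} set by {image}"))
        elif eid == 1 and image.endswith(iocs["install_suffix"]):
            hits.append((i, f"process started from install_path: {ev.get('CommandLine')}"))
        elif eid == 11 and iocs["keylog_suffix"] in fname:
            hits.append((i, "file written under keylogger_dir"))
        elif eid in (3, 22) and host in iocs["c2_hosts"]:
            hits.append((i, f"C2 contact: {host}"))
    return hits


if __name__ == "__main__":
    for idx, why in match_events(derive_iocs(parse_config(NETWIRE_CONFIG)), EVENTS):
        print(idx, why)
```

Run directly, it prints one hit for each of the five NetWire events and nothing for the notepad control. The rules are suffix and containment matches on the fields the report displays, so they hold on any host regardless of the username in the path. The mutex name is carried in the IoC set but not matched here because Sysmon has no mutex event; it belongs in a live-response check on a suspected host rather than in log-based detection.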
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 604KB
MD5: 709f957e6dbe9b0c1457e92aa4cc48d6
SHA1: 204d345363fd5d0d78d436d3d67cab1c335273ce
SHA256: 39f51c80d8d21e1ae2a007f80d67e24dbf3742a458dd53c7fc5e0ebf1ae92822
SHA512: be56e882e28835c8e6c043d39d59510f3b3a6ce03517095c9d24c8fbca02a6d91c98bf4bd83579b3078fde4147201b010611959d5bb5cc2adfda24a5c2a3ba4f