Analysis
max time kernel: 173s
max time network: 180s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 03-07-2022 17:54

Static task: static1

Behavioral task: behavioral1
Sample: 3b15244c1ed008b43f0598786693c532480bd171a91e7cf931b6ce3a08303cc2.exe
Resource: win7-20220414-en

Behavioral task: behavioral2
Sample: 3b15244c1ed008b43f0598786693c532480bd171a91e7cf931b6ce3a08303cc2.exe
Resource: win10v2004-20220414-en
General
Target: 3b15244c1ed008b43f0598786693c532480bd171a91e7cf931b6ce3a08303cc2.exe
Size: 1.2MB
MD5: 69a49941ecabffbd265c8e8b4d0fdad0
SHA1: 847c9d86d9747f685a18ae597796be8af721a7fc
SHA256: 3b15244c1ed008b43f0598786693c532480bd171a91e7cf931b6ce3a08303cc2
SHA512: ac6380af9efc4641f76804d38f3e88d62ab4c04d7f7963eef7f1318aee51a708ac642118c05170aac089c6672e3519b061032786895e697b328cb579b8575b5d
Malware Config
Extracted family: netwire
C2: javaupdate.100chickens.biz:6988
activex_autorun: false
copy_executable: false
delete_original: true
host_id: HostId-%Rand%
keylogger_dir: %AppData%\Logs\
lock_executable: false
mutex: XubCoRQh
offline_keylogger: true
password: 123
registry_autorun: false
use_mutex: true
Signatures

NetWire RAT payload (2 IoCs)
  resource: behavioral2/memory/1380-131-0x0000000000400000-0x000000000042C000-memory.dmp  yara_rule: netwire
  resource: behavioral2/memory/1380-140-0x0000000000400000-0x000000000042C000-memory.dmp  yara_rule: netwire

Adds Run key to start application (2 TTPs, 2 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows\CurrentVersion\Run
    process: 3b15244c1ed008b43f0598786693c532480bd171a91e7cf931b6ce3a08303cc2.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jdvauajhflqq = "C:\\Users\\Admin\\AppData\\Roaming\\ghnoldczpfei\\system32.exe"
    process: 3b15244c1ed008b43f0598786693c532480bd171a91e7cf931b6ce3a08303cc2.exe

Suspicious use of SetThreadContext (1 IoC)
  PID 1824 set thread context of 1380
    process: 3b15244c1ed008b43f0598786693c532480bd171a91e7cf931b6ce3a08303cc2.exe (PID 1824)  target process: dllhost.exe (PID 1380)

NTFS ADS (1 IoC)
  File opened for modification: C:\Users\Admin\AppData\Local\Temp\winmgmts:\root\cimv2
    process: 3b15244c1ed008b43f0598786693c532480bd171a91e7cf931b6ce3a08303cc2.exe

Suspicious use of WriteProcessMemory (5 IoCs)
  PID 1824 wrote to memory of 1380 (reported 5 times)
    process: 3b15244c1ed008b43f0598786693c532480bd171a91e7cf931b6ce3a08303cc2.exe (PID 1824)  target process: dllhost.exe (PID 1380)
Processes
1. Image: C:\Users\Admin\AppData\Local\Temp\3b15244c1ed008b43f0598786693c532480bd171a91e7cf931b6ce3a08303cc2.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\3b15244c1ed008b43f0598786693c532480bd171a91e7cf931b6ce3a08303cc2.exe"
   PID: 1824
   - Adds Run key to start application
   - Suspicious use of SetThreadContext
   - NTFS ADS
   - Suspicious use of WriteProcessMemory
   2. (child of PID 1824) Image: C:\Windows\SysWOW64\dllhost.exe
      Command line: "C:\Windows\System32\dllhost.exe"
      PID: 1380
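Three things in this report are worth reading together before writing detections. The extracted config says registry_autorun: false, yet the Run key was written by the loader process (PID 1824), not by the injected payload in dllhost.exe, so the config flag alone does not tell you whether the host has persistence. The child is reported at C:\Windows\SysWOW64\dllhost.exe although the command line names System32, which is what WoW64 file-system redirection does for a 32-bit parent (consistent with the 0x400000-0x42C000 payload region in PID 1380). And the "NTFS ADS" hit on ...\Temp\winmgmts:\root\cimv2 reads as a WMI moniker string that reached a file API and was resolved against the working directory, with the colon taken for a stream separator, rather than a real alternate data stream; treat it as low confidence. The script below is an added example (not part of the Triage output): it turns the extracted config and memory IoCs into structured indicators and runs two detections, one for a Run value pointing into a user-writable directory and one for the hollowing pattern (non-Windows parent creates a Windows binary, then writes its memory and sets its thread context), over a constructed event stream that mirrors the report. The event field names (type, pid, ppid, parent_image, image, key, value, target_pid) and the lookalike-name list are assumptions to map onto your own telemetry.

```python
"""Hunting logic derived from the NetWire Triage report (added example)."""
import json
import re
from typing import Dict, List, Tuple

# Copied from the report's "Malware Config" section.
NETWIRE_CONFIG = {
    "c2": "javaupdate.100chickens.biz:6988",
    "mutex": "XubCoRQh",
    "keylogger_dir": "%AppData%\\Logs\\",
    "registry_autorun": False,   # note: the loader still wrote a Run key
    "copy_executable": False,
    "delete_original": True,
}

# The two yara hits from the "NetWire RAT payload" signature.
MEMORY_IOCS = [
    "behavioral2/memory/1380-131-0x0000000000400000-0x000000000042C000-memory.dmp",
    "behavioral2/memory/1380-140-0x0000000000400000-0x000000000042C000-memory.dmp",
]
_DMP_RE = re.compile(
    r"behavioral\d+/memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$"
)

# Constructed Sysmon-style events mirroring the report (field names assumed).
LOADER = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
          "3b15244c1ed008b43f0598786693c532480bd171a91e7cf931b6ce3a08303cc2.exe")
SID = "S-1-5-21-3751123196-3323558407-1869646069-1000"
SAMPLE_EVENTS: List[Dict] = [
    {"type": "registry_set", "pid": 1824, "image": LOADER,
     "key": "\\REGISTRY\\USER\\" + SID + "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\jdvauajhflqq",
     "value": "C:\\Users\\Admin\\AppData\\Roaming\\ghnoldczpfei\\system32.exe"},
    {"type": "process_create", "pid": 1380, "ppid": 1824, "parent_image": LOADER,
     "image": "C:\\Windows\\SysWOW64\\dllhost.exe",
     "cmdline": "\"C:\\Windows\\System32\\dllhost.exe\""},
    {"type": "set_thread_context", "pid": 1824, "target_pid": 1380},
] + [{"type": "write_process_memory", "pid": 1824, "target_pid": 1380}] * 5

WINDOWS_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\")
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run\\"
# Names that imitate Windows components when they appear outside the Windows dir (assumed list).
LOOKALIKE_NAMES = {"system32.exe", "svchost.exe", "dllhost.exe", "explorer.exe"}


def parse_c2(value: str) -> Tuple[str, int]:
    """'host:port' -> (host, port)."""
    host, _, port = value.rpartition(":")
    return host, int(port)


def parse_memory_ioc(name: str) -> Dict[str, int]:
    """Split a Triage memory-dump IoC into pid and the dumped address range."""
    m = _DMP_RE.search(name)
    if not m:
        raise ValueError(f"not a Triage memory IoC: {name}")
    pid, start, end = int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16)
    return {"pid": pid, "start": start, "end": end, "size": end - start}


def detect_run_key_to_user_dir(events: List[Dict]) -> List[Dict]:
    """Run-key values that point into AppData/Temp/ProgramData (and whether the name is a lookalike)."""
    hits = []
    for e in events:
        if e["type"] != "registry_set" or RUN_KEY not in e["key"].lower():
            continue
        value = e["value"].lower()
        if any(d in value for d in USER_WRITABLE):
            basename = value.rsplit("\\", 1)[-1]
            hits.append({"rule": "run_key_user_writable", "pid": e["pid"], "value": e["value"],
                         "mimics_system_name": basename in LOOKALIKE_NAMES})
    return hits


def detect_hollowing(events: List[Dict]) -> List[Dict]:
    """Windows binary spawned by a non-Windows parent that then writes its memory and sets its thread context."""
    hits = []
    for c in (e for e in events if e["type"] == "process_create"):
        parent = c.get("parent_image", "").lower()
        if not c["image"].lower().startswith(WINDOWS_DIRS):
            continue
        if parent.startswith(WINDOWS_DIRS) or parent.startswith("c:\\program files"):
            continue
        from_parent = [e for e in events if e.get("pid") == c["ppid"] and e.get("target_pid") == c["pid"]]
        writes = sum(1 for e in from_parent if e["type"] == "write_process_memory")
        ctx = any(e["type"] == "set_thread_context" for e in from_parent)
        if writes and ctx:
            hits.append({"rule": "process_hollowing", "parent_pid": c["ppid"], "child_pid": c["pid"],
                         "child_image": c["image"], "memory_writes": writes})
    return hits


def hunt(events: List[Dict] = SAMPLE_EVENTS) -> Dict:
    host, port = parse_c2(NETWIRE_CONFIG["c2"])
    return {
        "network": [{"host": host, "port": port}],
        "mutex": NETWIRE_CONFIG["mutex"],
        "memory_regions": [parse_memory_ioc(n) for n in MEMORY_IOCS],
        "findings": detect_run_key_to_user_dir(events) + detect_hollowing(events),
    }


if __name__ == "__main__":
    print(json.dumps(hunt(), indent=2))
```

On real telemetry the thread-context step is the discriminator: a parent writing into a child it just created is also what debuggers and some installers do, but writing the image region and then redirecting the primary thread before it runs is the hollowing sequence this report shows.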