Analysis
-
max time kernel
183s -
max time network
192s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
resource tags
arch:x64arch:x86image:win10v2004-20220414-enlocale:en-usos:windows10-2004-x64system -
submitted
17-07-2022 01:28
Behavioral task
behavioral1
Sample
52ebeec6271770d72e3f2ed73535cd4a9b4d614e8877bd52a777b5f23d492869.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
52ebeec6271770d72e3f2ed73535cd4a9b4d614e8877bd52a777b5f23d492869.exe
Resource
win10v2004-20220414-en
General
-
Target
52ebeec6271770d72e3f2ed73535cd4a9b4d614e8877bd52a777b5f23d492869.exe
-
Size
89KB
-
MD5
60ac7ad7eccc1cdc8e2fcd21cf42e068
-
SHA1
0d1b45bcbdbd9699bde81e984edbac26e6e39b11
-
SHA256
52ebeec6271770d72e3f2ed73535cd4a9b4d614e8877bd52a777b5f23d492869
-
SHA512
4cf4816f4587910e5541da1eb2bfc90d8281e7c11339a9708c692d7124f70b65f1fb714ff3e7e8ecb3e3cb10817a9080f313f31034c6b756f7589afbbc4a85ba
Malware Config
Extracted
netwire
178.32.72.136:3361
193.124.117.153:3360
-
activex_autorun
true
-
activex_key
{UL0J35EK-4812-5A22-5827-J02V07OJ0H4J}
-
copy_executable
true
-
delete_original
true
-
host_id
HostId-%Rand%
-
install_path
%AppData%\Install\Skype.exe
-
keylogger_dir
%AppData%\Logs\
-
lock_executable
true
-
mutex
TptENIRd
-
offline_keylogger
true
-
password
ebefob44
-
registry_autorun
true
-
startup_name
Skype
-
use_mutex
true
Signatures
-
NetWire RAT payload 2 IoCs
Processes:
resource yara_rule behavioral2/files/0x0008000000023153-131.dat netwire behavioral2/files/0x0008000000023153-132.dat netwire -
Executes dropped EXE 1 IoCs
Processes:
Skype.exepid Process 1684 Skype.exe -
Modifies Installed Components in the registry 2 TTPs 2 IoCs
Processes:
Skype.exedescription ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{UL0J35EK-4812-5A22-5827-J02V07OJ0H4J} Skype.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{UL0J35EK-4812-5A22-5827-J02V07OJ0H4J}\StubPath = "\"C:\\Users\\Admin\\AppData\\Roaming\\Install\\Skype.exe\"" Skype.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
Skype.exedescription ioc Process Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ Skype.exe Set value (str) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Skype = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\Skype.exe" Skype.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
52ebeec6271770d72e3f2ed73535cd4a9b4d614e8877bd52a777b5f23d492869.exedescription pid Process procid_target PID 4772 wrote to memory of 1684 4772 52ebeec6271770d72e3f2ed73535cd4a9b4d614e8877bd52a777b5f23d492869.exe 77 PID 4772 wrote to memory of 1684 4772 52ebeec6271770d72e3f2ed73535cd4a9b4d614e8877bd52a777b5f23d492869.exe 77 PID 4772 wrote to memory of 1684 4772 52ebeec6271770d72e3f2ed73535cd4a9b4d614e8877bd52a777b5f23d492869.exe 77
Processes
-
C:\Users\Admin\AppData\Local\Temp\52ebeec6271770d72e3f2ed73535cd4a9b4d614e8877bd52a777b5f23d492869.exe"C:\Users\Admin\AppData\Local\Temp\52ebeec6271770d72e3f2ed73535cd4a9b4d614e8877bd52a777b5f23d492869.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4772 -
C:\Users\Admin\AppData\Roaming\Install\Skype.exe-m "C:\Users\Admin\AppData\Local\Temp\52ebeec6271770d72e3f2ed73535cd4a9b4d614e8877bd52a777b5f23d492869.exe"2⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
PID:1684
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
89KB
MD560ac7ad7eccc1cdc8e2fcd21cf42e068
SHA10d1b45bcbdbd9699bde81e984edbac26e6e39b11
SHA25652ebeec6271770d72e3f2ed73535cd4a9b4d614e8877bd52a777b5f23d492869
SHA5124cf4816f4587910e5541da1eb2bfc90d8281e7c11339a9708c692d7124f70b65f1fb714ff3e7e8ecb3e3cb10817a9080f313f31034c6b756f7589afbbc4a85ba
-
Filesize
89KB
MD560ac7ad7eccc1cdc8e2fcd21cf42e068
SHA10d1b45bcbdbd9699bde81e984edbac26e6e39b11
SHA25652ebeec6271770d72e3f2ed73535cd4a9b4d614e8877bd52a777b5f23d492869
SHA5124cf4816f4587910e5541da1eb2bfc90d8281e7c11339a9708c692d7124f70b65f1fb714ff3e7e8ecb3e3cb10817a9080f313f31034c6b756f7589afbbc4a85ba