Analysis
-
max time kernel
140s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20220718-en -
resource tags
-
submitted
18-07-2022 21:16
General
-
Target
50ac1329dbc10441a42cfb745392c68a022bda8ef5ffbe29a65cbb801672a058.exe
-
Size
740KB
-
MD5
a1b23f02659dab7b195e78a08d5847ca
-
SHA1
8a51e9c00629ded57754e400d6344c018ab0183a
-
SHA256
50ac1329dbc10441a42cfb745392c68a022bda8ef5ffbe29a65cbb801672a058
-
SHA512
227b9753bda1d150b287fc4da824416e266aadc35212a037eb4665cb9895c267c07fc3be3505039136832a08c93ac03ea28b7a22e3ba7a0a1f94f052a4a99d05
Malware Config
Extracted
netwire
amz1.hackermind.info:3360
-
activex_autorun
true
-
activex_key
{O5IC1RX5-17QA-4B21-K563-M1NR4O07C3VQ}
-
copy_executable
true
-
delete_original
true
-
host_id
HostId-%Rand%
-
install_path
%AppData%\Install\Host.exe
-
keylogger_dir
%AppData%\Logs\
-
lock_executable
false
-
offline_keylogger
true
-
password
Password
-
registry_autorun
true
-
startup_name
NetWire
-
use_mutex
false
Signatures
-
NetWire RAT payload 7 IoCs
-
Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
-
Executes dropped EXE 2 IoCs
-
Modifies Installed Components in the registry 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 37 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\50ac1329dbc10441a42cfb745392c68a022bda8ef5ffbe29a65cbb801672a058.exe"C:\Users\Admin\AppData\Local\Temp\50ac1329dbc10441a42cfb745392c68a022bda8ef5ffbe29a65cbb801672a058.exe"1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\50ac1329dbc10441a42cfb745392c68a022bda8ef5ffbe29a65cbb801672a058.exe"C:\Users\Admin\AppData\Local\Temp\50ac1329dbc10441a42cfb745392c68a022bda8ef5ffbe29a65cbb801672a058.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Install\Host.exe-m "C:\Users\Admin\AppData\Local\Temp\50ac1329dbc10441a42cfb745392c68a022bda8ef5ffbe29a65cbb801672a058.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Install\Host.exe-m "C:\Users\Admin\AppData\Local\Temp\50ac1329dbc10441a42cfb745392c68a022bda8ef5ffbe29a65cbb801672a058.exe"4⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
740KB
MD5a1b23f02659dab7b195e78a08d5847ca
SHA18a51e9c00629ded57754e400d6344c018ab0183a
SHA25650ac1329dbc10441a42cfb745392c68a022bda8ef5ffbe29a65cbb801672a058
SHA512227b9753bda1d150b287fc4da824416e266aadc35212a037eb4665cb9895c267c07fc3be3505039136832a08c93ac03ea28b7a22e3ba7a0a1f94f052a4a99d05
-
Filesize
740KB
MD5a1b23f02659dab7b195e78a08d5847ca
SHA18a51e9c00629ded57754e400d6344c018ab0183a
SHA25650ac1329dbc10441a42cfb745392c68a022bda8ef5ffbe29a65cbb801672a058
SHA512227b9753bda1d150b287fc4da824416e266aadc35212a037eb4665cb9895c267c07fc3be3505039136832a08c93ac03ea28b7a22e3ba7a0a1f94f052a4a99d05
-
Filesize
740KB
MD5a1b23f02659dab7b195e78a08d5847ca
SHA18a51e9c00629ded57754e400d6344c018ab0183a
SHA25650ac1329dbc10441a42cfb745392c68a022bda8ef5ffbe29a65cbb801672a058
SHA512227b9753bda1d150b287fc4da824416e266aadc35212a037eb4665cb9895c267c07fc3be3505039136832a08c93ac03ea28b7a22e3ba7a0a1f94f052a4a99d05
-
-
Filesize
176KB
-
Filesize
176KB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
176KB
-
Filesize
176KB
-
Filesize
176KB
-
-