Analysis
-
max time kernel
138s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20220721-en -
resource tags
-
submitted
25-07-2022 03:49
General
-
Target
97566bb258ee32164c2fb8370e2877ef88c9f0e4ea9e9456153d76f020a8ab0e.exe
-
Size
107KB
-
MD5
bf33aed1340146e9499c756caf71def6
-
SHA1
351384c18969a0b2d5271d4769af549e4e56d26f
-
SHA256
97566bb258ee32164c2fb8370e2877ef88c9f0e4ea9e9456153d76f020a8ab0e
-
SHA512
25598109743182f7e6100d67cac12663794150878c3ff3feed4e88a0c3acd72bebf71f6caf7efd5d0405f4676952bddcf7aa6ee640b13a04c6cd4c3f783a5be4
Malware Config
Extracted
netwire
45.138.157.98:3586
-
activex_autorun
false
-
copy_executable
true
-
delete_original
false
-
host_id
HostId-%Rand%
-
install_path
%AppData%\Install\Host.exe
-
keylogger_dir
%AppData%\Logs\
-
lock_executable
false
-
mutex
PsYeHHVA
-
offline_keylogger
true
-
password
Password
-
registry_autorun
false
-
use_mutex
true
Signatures
-
NetWire RAT payload 2 IoCs
-
Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
-
Executes dropped EXE 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\97566bb258ee32164c2fb8370e2877ef88c9f0e4ea9e9456153d76f020a8ab0e.exe"C:\Users\Admin\AppData\Local\Temp\97566bb258ee32164c2fb8370e2877ef88c9f0e4ea9e9456153d76f020a8ab0e.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Install\Host.exe"C:\Users\Admin\AppData\Roaming\Install\Host.exe"2⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
107KB
MD5bf33aed1340146e9499c756caf71def6
SHA1351384c18969a0b2d5271d4769af549e4e56d26f
SHA25697566bb258ee32164c2fb8370e2877ef88c9f0e4ea9e9456153d76f020a8ab0e
SHA51225598109743182f7e6100d67cac12663794150878c3ff3feed4e88a0c3acd72bebf71f6caf7efd5d0405f4676952bddcf7aa6ee640b13a04c6cd4c3f783a5be4
-
Filesize
107KB
MD5bf33aed1340146e9499c756caf71def6
SHA1351384c18969a0b2d5271d4769af549e4e56d26f
SHA25697566bb258ee32164c2fb8370e2877ef88c9f0e4ea9e9456153d76f020a8ab0e
SHA51225598109743182f7e6100d67cac12663794150878c3ff3feed4e88a0c3acd72bebf71f6caf7efd5d0405f4676952bddcf7aa6ee640b13a04c6cd4c3f783a5be4
-