Analysis
-
max time kernel
112s -
max time network
132s -
platform
windows10-2004_x64 -
resource
win10v2004-20220721-en -
resource tags
-
submitted
01-08-2022 05:19
General
-
Target
5cc870a54b9cf9f98ddfb7a7a574c41afe30205368c9665eeefea1652316a20c.exe
-
Size
1.8MB
-
MD5
52a4eba0459f9fed7d54a50790b85482
-
SHA1
091b583ad84dcac1b7d50ecb561186d091526428
-
SHA256
5cc870a54b9cf9f98ddfb7a7a574c41afe30205368c9665eeefea1652316a20c
-
SHA512
49c2d81910084b5c2144db45fe298357f4a93ff4c7158f853421d768aa0febc29fe848d4b884947eb162741bf9da0b1f14a94a04633b60644d44eb43c46a63d8
Malware Config
Extracted
netwire
159.65.128.193:4445
-
activex_autorun
false
-
copy_executable
false
-
delete_original
false
-
host_id
nest1
-
keylogger_dir
%AppData%\Logs\
-
lock_executable
false
-
mutex
ceVlGBjM
-
offline_keylogger
true
-
password
mysteh4445
-
registry_autorun
false
-
use_mutex
true
Signatures
-
NetWire RAT payload 4 IoCs
-
Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
-
Executes dropped EXE 2 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\5cc870a54b9cf9f98ddfb7a7a574c41afe30205368c9665eeefea1652316a20c.exe"C:\Users\Admin\AppData\Local\Temp\5cc870a54b9cf9f98ddfb7a7a574c41afe30205368c9665eeefea1652316a20c.exe"1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\startup\flies.vbs"2⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\startup\flies.exe"C:\Users\Admin\AppData\Local\Temp\startup\flies.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\startup\flies.exe"C:\Users\Admin\AppData\Local\Temp\startup\flies.exe"4⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.8MB
MD5ebbe1485d69bf5a00ea21d1f4e41f45f
SHA184d67c5a3feefb2e66558af598b4da6bef3e18ab
SHA256106ea56f8138f1dfbebb5b5e7e5e327e0b461383a8ac64de897e58ddb1878316
SHA5128e19c7c2dcdd63a3d77f2724a4b01974a3b1212bb1e6329774463a15c60d9aa17644decace913394cf8b2c331c017bf1936bd086aa876d25526b3821ef29c636
-
Filesize
1.8MB
MD5ebbe1485d69bf5a00ea21d1f4e41f45f
SHA184d67c5a3feefb2e66558af598b4da6bef3e18ab
SHA256106ea56f8138f1dfbebb5b5e7e5e327e0b461383a8ac64de897e58ddb1878316
SHA5128e19c7c2dcdd63a3d77f2724a4b01974a3b1212bb1e6329774463a15c60d9aa17644decace913394cf8b2c331c017bf1936bd086aa876d25526b3821ef29c636
-
Filesize
1.8MB
MD5ebbe1485d69bf5a00ea21d1f4e41f45f
SHA184d67c5a3feefb2e66558af598b4da6bef3e18ab
SHA256106ea56f8138f1dfbebb5b5e7e5e327e0b461383a8ac64de897e58ddb1878316
SHA5128e19c7c2dcdd63a3d77f2724a4b01974a3b1212bb1e6329774463a15c60d9aa17644decace913394cf8b2c331c017bf1936bd086aa876d25526b3821ef29c636
-
Filesize
1024B
MD589793f6f9e43e7084a57b2974ea7ec9d
SHA1d22532ff2b3694d9cb4c4a726418a126e1df2650
SHA2562d1e611db454cb03e67383f7e4c16f0e8b0889ac526e7c4cd837828a49fc7141
SHA5124e954e265e07083a0632c9c9870044966287944956b8d4a93df73411a17262ac93f3c268720e62f85b231e3b87c81471d3c016deec3ba186b4b3ff13433060d9
-
-
-
Filesize
176KB
-
Filesize
176KB
-
Filesize
176KB
-
Filesize
24KB
-