Analysis
- max time kernel: 42s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20220715-en
- resource tags: arch:x64, arch:x86, image:win7-20220715-en, locale:en-us, os:windows7-x64, system
- submitted: 02-08-2022 18:01
Behavioral task
- behavioral1
  Sample: 3564b2127c519a9e39b63f0e6994a3d1.exe
  Resource: win7-20220715-en
General
- Target: 3564b2127c519a9e39b63f0e6994a3d1.exe
- Size: 160KB
- MD5: 3564b2127c519a9e39b63f0e6994a3d1
- SHA1: 158c22dea6eb92f518af7ea947e08521a904e3ad
- SHA256: 09103f6536c9315c4d1cfa28a4105a2e9bd06f5c432bb62dc5a2b1d0b5902fdd
- SHA512: 37bdd044469917c500a4d4cfc8b8280207198be956bb208efdac7a74dc3a49b97df237885ece8bf8d3e0c9642156c24285e9ed8fa27adad32adbde6613fc5029
Malware Config
Extracted
- family: netwire
- C2: 37.0.14.206:3384
- activex_autorun: false
- copy_executable: true
- delete_original: false
- host_id: HostId-%Rand%
- install_path: %AppData%\Install\Host.exe
- keylogger_dir: %AppData%\Logs\
- lock_executable: true
- offline_keylogger: true
- password: Password234
- registry_autorun: false
- use_mutex: false
Signatures
- NetWire RAT payload (3 IoCs)
  Processes:
  resource | yara_rule
  \Users\Admin\AppData\Roaming\Install\Host.exe | netwire
  \Users\Admin\AppData\Roaming\Install\Host.exe | netwire
  C:\Users\Admin\AppData\Roaming\Install\Host.exe | netwire
- Executes dropped EXE (1 IoC)
  Processes:
  pid | process
  940 | Host.exe
- Loads dropped DLL (2 IoCs)
  Processes:
  pid | process
  1936 | 3564b2127c519a9e39b63f0e6994a3d1.exe
  1936 | 3564b2127c519a9e39b63f0e6994a3d1.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
  description | pid | process | target process
  PID 1936 wrote to memory of 940 | 1936 | 3564b2127c519a9e39b63f0e6994a3d1.exe | Host.exe
  PID 1936 wrote to memory of 940 | 1936 | 3564b2127c519a9e39b63f0e6994a3d1.exe | Host.exe
  PID 1936 wrote to memory of 940 | 1936 | 3564b2127c519a9e39b63f0e6994a3d1.exe | Host.exe
  PID 1936 wrote to memory of 940 | 1936 | 3564b2127c519a9e39b63f0e6994a3d1.exe | Host.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\3564b2127c519a9e39b63f0e6994a3d1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3564b2127c519a9e39b63f0e6994a3d1.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Install\Host.exe (child process)
    Command line: "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Install\Host.exe
  Filesize: 160KB
  MD5: 3564b2127c519a9e39b63f0e6994a3d1
  SHA1: 158c22dea6eb92f518af7ea947e08521a904e3ad
  SHA256: 09103f6536c9315c4d1cfa28a4105a2e9bd06f5c432bb62dc5a2b1d0b5902fdd
  SHA512: 37bdd044469917c500a4d4cfc8b8280207198be956bb208efdac7a74dc3a49b97df237885ece8bf8d3e0c9642156c24285e9ed8fa27adad32adbde6613fc5029
- memory/940-57-0x0000000000000000-mapping.dmp
- memory/1936-54-0x00000000768C1000-0x00000000768C3000-memory.dmp
  Filesize: 8KB