Analysis
-
max time kernel
54s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20220718-en -
resource tags
-
submitted
10-08-2022 14:21
General
-
Target
fcf97ea6afcef40cd854853701504614.exe
-
Size
639KB
-
MD5
fcf97ea6afcef40cd854853701504614
-
SHA1
789238f6d20e473926d6197db23244ae5fb6c83a
-
SHA256
f3ba07ea43adc68f25d26028ec31b752001be473d77b69d5c89e1ef393d37812
-
SHA512
eb7f0a809958f453c32ac4f326ca1ace0df4139bbe9534389dac10200175b0a50b073f21d5ae8782a2cd8d82ae198a518115aa6de9a6baee31661bccd7932798
Malware Config
Extracted
netwire
194.5.98.188:3364
194.5.98.188:3366
-
activex_autorun
false
-
copy_executable
false
-
delete_original
false
-
host_id
HostId-%Rand%
-
keylogger_dir
%AppData%\Logs\
-
lock_executable
false
-
offline_keylogger
true
-
password
j5m52xuc
-
registry_autorun
false
-
use_mutex
false
Signatures
-
NetWire RAT payload 8 IoCs
-
Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 24 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\fcf97ea6afcef40cd854853701504614.exe"C:\Users\Admin\AppData\Local\Temp\fcf97ea6afcef40cd854853701504614.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\dYNpqakeEvmHP.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dYNpqakeEvmHP" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDF68.tmp"2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\fcf97ea6afcef40cd854853701504614.exe"C:\Users\Admin\AppData\Local\Temp\fcf97ea6afcef40cd854853701504614.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\fcf97ea6afcef40cd854853701504614.exe"C:\Users\Admin\AppData\Local\Temp\fcf97ea6afcef40cd854853701504614.exe"2⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD52e31e0cb7e61442975abdeb84813fde7
SHA124e0d30ced0cd6e2b61cdad4734f5e409c69a180
SHA256ca8cbe51c648438db07f7ccc0e5ecaa378624673f35ed36d9ff689ac30280d65
SHA5126ee5db4248b9fa1f7cc970296a306512427bf19dab628d32f8f7d07976491b20cd8d80969a5d69ab4f3c5118e5aa5ca306aa1d558e81c78b8e86de094a10b15d
-
Filesize
8KB
-
Filesize
144KB
-
Filesize
48KB
-
Filesize
472KB
-
Filesize
664KB
-
Filesize
224KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
-
-
-
Filesize
5.7MB
-
Filesize
5.7MB