Analysis
-
max time kernel
45s -
max time network
106s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
21-08-2022 01:59
General
-
Target
Notepad.exe
-
Size
227KB
-
MD5
fc6330d62ae89347dddf9e98d6dc2533
-
SHA1
b2a3104e8178e25b6b40cf8b19d60c1a4e03e969
-
SHA256
72c15ab989fb449e62d6a560bdad1c9c39d61c21345322b8c1331235adf484a7
-
SHA512
1cf0e356a72a525b585533adab9c2abe1cfef9127ef96fedefe840bf33248bb85752fd92ca447cc6ac2b0654b497c07e3e3d0f0e064958f0f17b3e79424d6a4c
Malware Config
Signatures
-
NetWire RAT payload 5 IoCs
-
Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
-
Executes dropped EXE 1 IoCs
-
Drops startup file 1 IoCs
-
Loads dropped DLL 3 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Notepad.exe"C:\Users\Admin\AppData\Local\Temp\Notepad.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Googlee\Notepad.exe"C:\Users\Admin\AppData\Roaming\Googlee\Notepad.exe"2⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Googlee\Notepad.exeFilesize
227KB
MD5fc6330d62ae89347dddf9e98d6dc2533
SHA1b2a3104e8178e25b6b40cf8b19d60c1a4e03e969
SHA25672c15ab989fb449e62d6a560bdad1c9c39d61c21345322b8c1331235adf484a7
SHA5121cf0e356a72a525b585533adab9c2abe1cfef9127ef96fedefe840bf33248bb85752fd92ca447cc6ac2b0654b497c07e3e3d0f0e064958f0f17b3e79424d6a4c
-
C:\Users\Admin\AppData\Roaming\Googlee\Notepad.exeFilesize
227KB
MD5fc6330d62ae89347dddf9e98d6dc2533
SHA1b2a3104e8178e25b6b40cf8b19d60c1a4e03e969
SHA25672c15ab989fb449e62d6a560bdad1c9c39d61c21345322b8c1331235adf484a7
SHA5121cf0e356a72a525b585533adab9c2abe1cfef9127ef96fedefe840bf33248bb85752fd92ca447cc6ac2b0654b497c07e3e3d0f0e064958f0f17b3e79424d6a4c
-
\Users\Admin\AppData\Roaming\Googlee\Notepad.exeFilesize
227KB
MD5fc6330d62ae89347dddf9e98d6dc2533
SHA1b2a3104e8178e25b6b40cf8b19d60c1a4e03e969
SHA25672c15ab989fb449e62d6a560bdad1c9c39d61c21345322b8c1331235adf484a7
SHA5121cf0e356a72a525b585533adab9c2abe1cfef9127ef96fedefe840bf33248bb85752fd92ca447cc6ac2b0654b497c07e3e3d0f0e064958f0f17b3e79424d6a4c
-
\Users\Admin\AppData\Roaming\Googlee\Notepad.exeFilesize
227KB
MD5fc6330d62ae89347dddf9e98d6dc2533
SHA1b2a3104e8178e25b6b40cf8b19d60c1a4e03e969
SHA25672c15ab989fb449e62d6a560bdad1c9c39d61c21345322b8c1331235adf484a7
SHA5121cf0e356a72a525b585533adab9c2abe1cfef9127ef96fedefe840bf33248bb85752fd92ca447cc6ac2b0654b497c07e3e3d0f0e064958f0f17b3e79424d6a4c
-
\Users\Admin\AppData\Roaming\Googlee\Notepad.exeFilesize
227KB
MD5fc6330d62ae89347dddf9e98d6dc2533
SHA1b2a3104e8178e25b6b40cf8b19d60c1a4e03e969
SHA25672c15ab989fb449e62d6a560bdad1c9c39d61c21345322b8c1331235adf484a7
SHA5121cf0e356a72a525b585533adab9c2abe1cfef9127ef96fedefe840bf33248bb85752fd92ca447cc6ac2b0654b497c07e3e3d0f0e064958f0f17b3e79424d6a4c
-
memory/988-54-0x0000000075021000-0x0000000075023000-memory.dmpFilesize
8KB
-
memory/1868-57-0x0000000000000000-mapping.dmp