Analysis
-
max time kernel
120s -
max time network
133s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
27-09-2022 08:28
General
-
Target
309f1fdb.exe
-
Size
212KB
-
MD5
ef4dc688cea9947303bffe8b9952e9d4
-
SHA1
f37002c49495e867d1d151e33c5ece0a955b1d54
-
SHA256
309f1fdb12349a92d91f910056004bb865f1a5dd28bdedba3d969c9cdb724465
-
SHA512
f9b5bae16b810066b50c4a03e7b6cf8166df8c950bf2a3de212179fc808ed069d8c33cd8c3107e5509b90f55992f92917d07f2a2260ada8e37161dcbbd6ba50b
-
SSDEEP
3072:18yRG3SKAvr3Oovrz1vsRrKaIdBNU8eWg:iyRGsreovr5WKPhU
Malware Config
Extracted
netwire
185.140.53.231:39560
-
activex_autorun
false
-
copy_executable
true
-
delete_original
false
-
host_id
sunshineslisa
-
install_path
%AppData%\Imgburn\Imgburn.exe
-
keylogger_dir
%AppData%\Logs\
-
lock_executable
false
-
offline_keylogger
true
-
password
sucess
-
registry_autorun
false
-
use_mutex
false
Signatures
-
NetWire RAT payload 7 IoCs
-
Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 2 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\309f1fdb.exe"C:\Users\Admin\AppData\Local\Temp\309f1fdb.exe"1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\309f1fdb.exe"C:\Users\Admin\AppData\Local\Temp\309f1fdb.exe"2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Imgburn\Imgburn.exe"C:\Users\Admin\AppData\Roaming\Imgburn\Imgburn.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Imgburn\Imgburn.exe"C:\Users\Admin\AppData\Roaming\Imgburn\Imgburn.exe"4⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Imgburn\Imgburn.exeFilesize
212KB
MD5ef4dc688cea9947303bffe8b9952e9d4
SHA1f37002c49495e867d1d151e33c5ece0a955b1d54
SHA256309f1fdb12349a92d91f910056004bb865f1a5dd28bdedba3d969c9cdb724465
SHA512f9b5bae16b810066b50c4a03e7b6cf8166df8c950bf2a3de212179fc808ed069d8c33cd8c3107e5509b90f55992f92917d07f2a2260ada8e37161dcbbd6ba50b
-
C:\Users\Admin\AppData\Roaming\Imgburn\Imgburn.exeFilesize
212KB
MD5ef4dc688cea9947303bffe8b9952e9d4
SHA1f37002c49495e867d1d151e33c5ece0a955b1d54
SHA256309f1fdb12349a92d91f910056004bb865f1a5dd28bdedba3d969c9cdb724465
SHA512f9b5bae16b810066b50c4a03e7b6cf8166df8c950bf2a3de212179fc808ed069d8c33cd8c3107e5509b90f55992f92917d07f2a2260ada8e37161dcbbd6ba50b
-
C:\Users\Admin\AppData\Roaming\Imgburn\Imgburn.exeFilesize
212KB
MD5ef4dc688cea9947303bffe8b9952e9d4
SHA1f37002c49495e867d1d151e33c5ece0a955b1d54
SHA256309f1fdb12349a92d91f910056004bb865f1a5dd28bdedba3d969c9cdb724465
SHA512f9b5bae16b810066b50c4a03e7b6cf8166df8c950bf2a3de212179fc808ed069d8c33cd8c3107e5509b90f55992f92917d07f2a2260ada8e37161dcbbd6ba50b
-
\Users\Admin\AppData\Roaming\Imgburn\Imgburn.exeFilesize
212KB
MD5ef4dc688cea9947303bffe8b9952e9d4
SHA1f37002c49495e867d1d151e33c5ece0a955b1d54
SHA256309f1fdb12349a92d91f910056004bb865f1a5dd28bdedba3d969c9cdb724465
SHA512f9b5bae16b810066b50c4a03e7b6cf8166df8c950bf2a3de212179fc808ed069d8c33cd8c3107e5509b90f55992f92917d07f2a2260ada8e37161dcbbd6ba50b
-
\Users\Admin\AppData\Roaming\Imgburn\Imgburn.exeFilesize
212KB
MD5ef4dc688cea9947303bffe8b9952e9d4
SHA1f37002c49495e867d1d151e33c5ece0a955b1d54
SHA256309f1fdb12349a92d91f910056004bb865f1a5dd28bdedba3d969c9cdb724465
SHA512f9b5bae16b810066b50c4a03e7b6cf8166df8c950bf2a3de212179fc808ed069d8c33cd8c3107e5509b90f55992f92917d07f2a2260ada8e37161dcbbd6ba50b
-
memory/912-58-0x0000000000000000-mapping.dmp
-
memory/912-60-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/912-61-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/912-66-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/1108-71-0x0000000000000000-mapping.dmp
-
memory/1108-74-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/1108-75-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/1624-64-0x0000000000000000-mapping.dmp
-
memory/1684-59-0x0000000000230000-0x0000000000235000-memory.dmpFilesize
20KB
-
memory/1684-56-0x0000000000230000-0x0000000000235000-memory.dmpFilesize
20KB
-
memory/1684-57-0x0000000076401000-0x0000000076403000-memory.dmpFilesize
8KB