Analysis

  • max time kernel
    141s
  • max time network
    45s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    30-10-2022 14:37

General

  • Target

    955669cb66cbfba78d1291a18a8f7c077a7adcb13bf727f757a31b886385e6d9.exe

  • Size

    176KB

  • MD5

    9268508a09560d1b1a357ef733516b90

  • SHA1

    9d0707e5d3a8c21b88eea5b1f931da6706560550

  • SHA256

    955669cb66cbfba78d1291a18a8f7c077a7adcb13bf727f757a31b886385e6d9

  • SHA512

    442c4c0b001cc1156294a5aad3346e084ed83e82fa08bff13e046f24c90e2ef0264cf73576399c16cff1e48f6ec6ca4a4a228e33d5539da51227fc08319b9833

  • SSDEEP

    3072:s+Ny9+cjza5VAkkP/6ady9I7mcvho6UbquHBjH9zbd66:s+AUcPajFa6sy98vd6tO

Malware Config

Signatures

  • NetWire RAT payload 4 IoCs
  • Netwire

    Netwire is a RAT whose main functionality is password stealing and keylogging, but it also includes remote control capabilities.

  • Modifies Installed Components in the registry 2 TTPs 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\955669cb66cbfba78d1291a18a8f7c077a7adcb13bf727f757a31b886385e6d9.exe
    "C:\Users\Admin\AppData\Local\Temp\955669cb66cbfba78d1291a18a8f7c077a7adcb13bf727f757a31b886385e6d9.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1480
    • C:\Users\Admin\AppData\Local\Temp\955669cb66cbfba78d1291a18a8f7c077a7adcb13bf727f757a31b886385e6d9.exe
      "C:\Users\Admin\AppData\Local\Temp\955669cb66cbfba78d1291a18a8f7c077a7adcb13bf727f757a31b886385e6d9.exe"
      2⤵
      • Modifies Installed Components in the registry
      • Adds Run key to start application
      PID:1608

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence: Registry Run Keys / Startup Folder, T1060 (2)
  • Defense Evasion: Modify Registry, T1112 (2)

Downloads

  • memory/1480-56-0x0000000076261000-0x0000000076263000-memory.dmp
    Filesize

    8KB

  • memory/1480-59-0x00000000003C0000-0x00000000003C6000-memory.dmp
    Filesize

    24KB

  • memory/1608-58-0x0000000000402196-mapping.dmp
  • memory/1608-57-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

  • memory/1608-62-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

  • memory/1608-63-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB