Analysis
max time kernel: 166s
max time network: 176s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-10-2022 16:12
Static task: static1
Behavioral task: behavioral1
Sample: 2fa74537582a2a72b07847c6b16a61b70fec38038af88e8dbf57fbeddd8237b9.exe
Resource: win7-20220812-en
General
Target: 2fa74537582a2a72b07847c6b16a61b70fec38038af88e8dbf57fbeddd8237b9.exe
Size: 924KB
MD5: 880ca8b15d56cb742217ba3ce2f22b14
SHA1: 8109d350ef22987756d142cfb39abe4e28573b0d
SHA256: 2fa74537582a2a72b07847c6b16a61b70fec38038af88e8dbf57fbeddd8237b9
SHA512: c5e287c92f575fcba2cf08121627690103f812fd3e92f65a0a2629f58645335e85e4ff51d4aa8e967e8e95615fa2f1541e1f4e38ec2b7d4d63245c9b12345f63
SSDEEP: 12288:769WY6/b3qvL7si6BYdLl9Ir+Jsh9nGk3CL6d6T4AHW/UN28IGWCvXZGe:+L+3ALAi39z0DC06TDHW/UNHJn/n
Malware Config
Signatures
- NetWire RAT payload (1 IoC)
  resource: behavioral2/memory/4516-137-0x0000000000400000-0x000000000041E000-memory.dmp
  yara_rule: netwire
- Executes dropped EXE (2 IoCs)
  pid 1948, process detect.exe
  pid 4516, process detect.exe
- Drops startup file (1 IoC)
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ID Detector.vbs
  process: detect.exe
- Suspicious use of SetThreadContext (1 IoC)
  description: PID 1948 set thread context of 4516
  process: detect.exe (pid 1948)
  target process: detect.exe (pid 4516)
- NTFS ADS (1 IoC)
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe:ZoneIdentifier
  process: 2fa74537582a2a72b07847c6b16a61b70fec38038af88e8dbf57fbeddd8237b9.exe
- Suspicious behavior: EnumeratesProcesses (20 IoCs)
  pid 2092, process 2fa74537582a2a72b07847c6b16a61b70fec38038af88e8dbf57fbeddd8237b9.exe (10 IoCs)
  pid 1948, process detect.exe (10 IoCs)
- Suspicious behavior: MapViewOfSection (2 IoCs)
  pid 1948, process detect.exe (2 IoCs)
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 2092 (2fa74537582a2a72b07847c6b16a61b70fec38038af88e8dbf57fbeddd8237b9.exe) wrote to memory of 1948 (detect.exe), 3 IoCs
  PID 1948 (detect.exe) wrote to memory of 4516 (detect.exe), 3 IoCs
Processes
- C:\Users\Admin\AppData\Local\Temp\2fa74537582a2a72b07847c6b16a61b70fec38038af88e8dbf57fbeddd8237b9.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\2fa74537582a2a72b07847c6b16a61b70fec38038af88e8dbf57fbeddd8237b9.exe"
  depth 1, PID 2092
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
    command line: "C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe"
    depth 2, PID 1948
    - Executes dropped EXE
    - Drops startup file
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
      command line: "C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe"
      depth 3, PID 4516
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
  Filesize: 924KB
  MD5: 880ca8b15d56cb742217ba3ce2f22b14
  SHA1: 8109d350ef22987756d142cfb39abe4e28573b0d
  SHA256: 2fa74537582a2a72b07847c6b16a61b70fec38038af88e8dbf57fbeddd8237b9
  SHA512: c5e287c92f575fcba2cf08121627690103f812fd3e92f65a0a2629f58645335e85e4ff51d4aa8e967e8e95615fa2f1541e1f4e38ec2b7d4d63245c9b12345f63
- memory/1948-132-0x0000000000000000-mapping.dmp
- memory/4516-135-0x0000000000000000-mapping.dmp
- memory/4516-137-0x0000000000400000-0x000000000041E000-memory.dmp
  Filesize: 120KB