Analysis
-
max time kernel
145s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
-
submitted
26-11-2022 00:14
General
-
Target
8deb6d11e709d78039023f7e935791d31c93846c1991c33dd061595499863feb.exe
-
Size
376KB
-
MD5
459a9784acc3b399353d69f2fa3f8b5b
-
SHA1
5e5e865827862a57962f8e35b09d9bd13743e468
-
SHA256
8deb6d11e709d78039023f7e935791d31c93846c1991c33dd061595499863feb
-
SHA512
69c67f2f337955a1d7a90e0a497b8063ff1c3aa39bb4df8409be785b5201a6a86f59842b296bfd01e9258f3c3bb254b75ebf77477cdf2f7bb0dfd0c99509a41c
-
SSDEEP
3072:LMiftEtorupusNhKBCMLxOAHIxc+4ywEQ2qTHah6YwqsXRmp8l3C8xpayOKOH:LlWtM6hKoInIxc+4Z9aQTmuh7va5pH
Malware Config
Signatures
-
NetWire RAT payload 3 IoCs
-
Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
-
Executes dropped EXE 4 IoCs
-
Modifies Installed Components in the registry 2 TTPs 2 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Program crash 1 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Drops file in Program Files directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Internet Explorer settings 1 TTPs 39 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 10 IoCs
-
Suspicious use of WriteProcessMemory 60 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\8deb6d11e709d78039023f7e935791d31c93846c1991c33dd061595499863feb.exe"C:\Users\Admin\AppData\Local\Temp\8deb6d11e709d78039023f7e935791d31c93846c1991c33dd061595499863feb.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c net stop MpsSvc2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop MpsSvc3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MpsSvc4⤵
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe"2⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Install\Host.exe"C:\Users\Admin\AppData\Roaming\Install\Host.exe" -m C:\Program Files (x86)\Internet Explorer\iexplore.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\IEXPLORE.EXE"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -m C:\Program Files (x86)\Internet Explorer\iexplore.exe4⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2248 CREDAT:17410 /prefetch:25⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\8deb6d11e709d78039023f7e935791d31c93846c1991c33dd061595499863feb.exeC:\Users\Admin\AppData\Local\Temp\8deb6d11e709d78039023f7e935791d31c93846c1991c33dd061595499863feb.exe2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Install\Host.exe"C:\Users\Admin\AppData\Roaming\Install\Host.exe" -m C:\Users\Admin\AppData\Local\Temp\8deb6d11e709d78039023f7e935791d31c93846c1991c33dd061595499863feb.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c net stop MpsSvc4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop MpsSvc5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MpsSvc6⤵
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe"4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 220 -s 845⤵
- Program crash
-
C:\Users\Admin\AppData\Roaming\Install\Host.exeC:\Users\Admin\AppData\Roaming\Install\Host.exe4⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 220 -ip 2201⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442Filesize
1KB
MD5fe56e8724f14ce1f3b7aefb4a62b0c16
SHA1bdac2e002becfc2b8ffca0973540fa2851d21ebd
SHA2563d06f4d78345d522e29652ada389e858ed290fcf2b3b783b1009f0525d55c7a4
SHA512a5c18aeb916a3d1c68289c1b54a2e2269834bc8cd0df3702e98a4d0d480d74ff1cb663b184de89938f1d9c357d05e075ad27cd2f4bc09e02cd213c1fffb27950
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776Filesize
471B
MD533b7e09d1c6e875887fd38ae0a7ee659
SHA1192864bc83504fafbd87af8c3834b835076c414a
SHA256f200eaab5663e542461bbae7aac0473f6455eec451011f016c84920520b19dfb
SHA512b1d6872519f5956bb511b4eca8e1b79123482e9aacb1cef704c1d3ef7f9daade10573dd206df4c62c623bbfb10f757f01c914bfc2b0e9ab567981ea08b404799
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442Filesize
446B
MD5a72d70761b62d83237e2f5df550a43bd
SHA1b61b5ac53b50499cca368a04c47b0ddc8c80e622
SHA2567ab93ef8d9ff01bb2bc3aa761c24b1c199d562a923a3bbcb0b0c98dcb3c0feb5
SHA5127b35350654ec75a409491f17d21d75d20bf479407c9387108cc27f5945d3277e974c2ceacde5441c2999338714dedb6ae659dc86ff0aff41d00f9acd87dae1f3
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776Filesize
434B
MD5f2f0d7b44b0e45abe717b0876cdd5328
SHA17b9c983349c23fb67181f800727b120db78e2449
SHA2568147488d67d99c8acadde0f988f84976336ebb50a15af5303a83f955d6ffd0c7
SHA5122cc366ef7cd95c35ee4b53b6d08a230c2d1e9509f721b0b64afed017092003386badde970eb89469a5c4a7fe14c24e960a41417bcda121eda2a1a2ec0182836b
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\ckj4gk4\imagestore.datFilesize
4KB
MD5425c6b02ddffe84ed68af9bb0febae53
SHA19ab1e1553fee6f088bea23cece669ad4d00bd360
SHA256929d6ba5648ce8ce15ddb1028ff660299fe1a2c3e2cb4d725c26696a5113f1b0
SHA5122909ff6d06706186c732d9c7d142e907b6779c7e08352c7a106c13c21501d7fca43bdffbd846d82d7cf22bb5dd0f24fcf0e2b324732aff2bf27d92f17b960310
-
C:\Users\Admin\AppData\Local\Temp\8deb6d11e709d78039023f7e935791d31c93846c1991c33dd061595499863feb.exeFilesize
376KB
MD5459a9784acc3b399353d69f2fa3f8b5b
SHA15e5e865827862a57962f8e35b09d9bd13743e468
SHA2568deb6d11e709d78039023f7e935791d31c93846c1991c33dd061595499863feb
SHA51269c67f2f337955a1d7a90e0a497b8063ff1c3aa39bb4df8409be785b5201a6a86f59842b296bfd01e9258f3c3bb254b75ebf77477cdf2f7bb0dfd0c99509a41c
-
C:\Users\Admin\AppData\Roaming\Install\Host.exeFilesize
814KB
MD55e5f63cd0ca3ee94c61a2db20ce33fc9
SHA1c90ea9645c7cc1ad7553675a7ecdf880b1fb4621
SHA256219280ffebd3d771102fc3a7f26529e5e9161366e3a5de2f8943d81dda7756bf
SHA512b36df698f1cbe52df754db9fcfba7e6811b6fc74f44a89378ce29356630f66a10d526402e9d133f8ab608bb614e2214945c0b732b4db3d0cad3d3665e062edcb
-
C:\Users\Admin\AppData\Roaming\Install\Host.exeFilesize
376KB
MD5459a9784acc3b399353d69f2fa3f8b5b
SHA15e5e865827862a57962f8e35b09d9bd13743e468
SHA2568deb6d11e709d78039023f7e935791d31c93846c1991c33dd061595499863feb
SHA51269c67f2f337955a1d7a90e0a497b8063ff1c3aa39bb4df8409be785b5201a6a86f59842b296bfd01e9258f3c3bb254b75ebf77477cdf2f7bb0dfd0c99509a41c
-
C:\Users\Admin\AppData\Roaming\Install\Host.exeFilesize
376KB
MD5459a9784acc3b399353d69f2fa3f8b5b
SHA15e5e865827862a57962f8e35b09d9bd13743e468
SHA2568deb6d11e709d78039023f7e935791d31c93846c1991c33dd061595499863feb
SHA51269c67f2f337955a1d7a90e0a497b8063ff1c3aa39bb4df8409be785b5201a6a86f59842b296bfd01e9258f3c3bb254b75ebf77477cdf2f7bb0dfd0c99509a41c
-
C:\Users\Admin\AppData\Roaming\Install\Host.exeFilesize
376KB
MD5459a9784acc3b399353d69f2fa3f8b5b
SHA15e5e865827862a57962f8e35b09d9bd13743e468
SHA2568deb6d11e709d78039023f7e935791d31c93846c1991c33dd061595499863feb
SHA51269c67f2f337955a1d7a90e0a497b8063ff1c3aa39bb4df8409be785b5201a6a86f59842b296bfd01e9258f3c3bb254b75ebf77477cdf2f7bb0dfd0c99509a41c
-
C:\Users\Admin\AppData\Roaming\Install\Host.exeFilesize
376KB
MD5459a9784acc3b399353d69f2fa3f8b5b
SHA15e5e865827862a57962f8e35b09d9bd13743e468
SHA2568deb6d11e709d78039023f7e935791d31c93846c1991c33dd061595499863feb
SHA51269c67f2f337955a1d7a90e0a497b8063ff1c3aa39bb4df8409be785b5201a6a86f59842b296bfd01e9258f3c3bb254b75ebf77477cdf2f7bb0dfd0c99509a41c
-
memory/2164-149-0x0000000000000000-mapping.dmp
-
memory/2264-135-0x0000000000000000-mapping.dmp
-
memory/2376-136-0x0000000000000000-mapping.dmp
-
memory/3508-134-0x0000000000000000-mapping.dmp
-
memory/3684-144-0x0000000000000000-mapping.dmp
-
memory/3728-150-0x0000000000000000-mapping.dmp
-
memory/3980-151-0x0000000000000000-mapping.dmp
-
memory/3980-156-0x0000000000400000-0x0000000000417000-memory.dmpFilesize
92KB
-
memory/3980-158-0x0000000000400000-0x0000000000417000-memory.dmpFilesize
92KB
-
memory/4084-148-0x0000000000000000-mapping.dmp
-
memory/4376-133-0x0000000003900000-0x0000000003904000-memory.dmpFilesize
16KB
-
memory/4596-132-0x0000000000000000-mapping.dmp
-
memory/4660-146-0x0000000000400000-0x0000000000417000-memory.dmpFilesize
92KB
-
memory/4660-142-0x0000000000400000-0x0000000000417000-memory.dmpFilesize
92KB
-
memory/4660-139-0x0000000000400000-0x0000000000417000-memory.dmpFilesize
92KB
-
memory/4660-138-0x0000000000000000-mapping.dmp