netwire | 13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0

Analysis

max time kernel
120s
max time network
169s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
27-11-2022 22:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0.exe
Size

175KB
MD5

6aa0e97bec377f4c535c4173f6c256a7
SHA1

d6c4a2d49f3dbfe80a273da580b076a510a88c18
SHA256

13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0
SHA512

ff024f1848816aa385986e6abb8040f329a9d6ceafb28db3d7ffe40e3509a82a3239c84df1c0173ac4eedc61f434da4654db60e7db3b4f714fdb3cec2722fac2
SSDEEP

3072:P4sye0QXZRRDmlglKsXZ19qkGDfpzfhCLGVPUuycMB:wsy7AFygweZ7v6fdhQGhU19

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Signatures

NetWire RAT payload 9 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1684-62-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/1684-66-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/1684-68-0x0000000000402196-mapping.dmp	netwire
behavioral1/memory/1684-71-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/1684-74-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/1684-77-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/556-105-0x0000000000402196-mapping.dmp	netwire
behavioral1/memory/556-115-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/556-116-0x0000000000400000-0x000000000041E000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 3 IoCs

Processes:

winkey.exewinkey.exewinkey.exe

pid process

1532 winkey.exe
848 winkey.exe
556 winkey.exe

pid	process
1532	winkey.exe
848	winkey.exe
556	winkey.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

winkey.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{211A0RVQ-83D3-5X7G-288C-CA2A1XM61D56}	winkey.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{211A0RVQ-83D3-5X7G-288C-CA2A1XM61D56}\StubPath = "\"C:\\Users\\Admin\\AppData\\Roaming\\Folder\\winkey.exe\""	winkey.exe

Loads dropped DLL 9 IoCs

Processes:

13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0.exewinkey.exewinkey.exe

pid	process
1684	13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0.exe
1532	winkey.exe
1532	winkey.exe
1532	winkey.exe
1532	winkey.exe
1532	winkey.exe
556	winkey.exe
556	winkey.exe
556	winkey.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

winkey.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	winkey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\Keyfile = "C:\\Users\\Admin\\AppData\\Roaming\\Folder\\winkey.exe"	winkey.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0.exewinkey.exe

description	pid	process	target process
PID 1252 set thread context of 1684	1252	13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0.exe	13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0.exe
PID 1532 set thread context of 556	1532	winkey.exe	winkey.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46	13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\Blob = 0f0000000100000014000000f45a0858c9cd920e647bad539ab9f1cfc77f24cb090000000100000016000000301406082b0601050507030306082b06010505070308140000000100000014000000daed6474149c143cabdd99a9bd5b284d8b3cc9d80b000000010000001400000055005300450052005400720075007300740000001d0000000100000010000000f919b9ccce1e59c2e785f7dc2ccf6708030000000100000014000000e12dfb4b41d7d9c32b30514bac1d81d8385e2d4620000000010000006a040000308204663082034ea003020102021044be0c8b500024b411d3362de0b35f1b300d06092a864886f70d0101050500308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a656374301e170d3939303730393138333132305a170d3139303730393138343033365a308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a65637430820122300d06092a864886f70d01010105000382010f003082010a0282010100ceaa813fa3a36178aa31005595119e270f1f1cdf3a9b826830c04a611df12f0efabe79f7a523ef55519684cddbe3b96e3e31d80a2067c7f4d9bf94eb47043e02ce2aa25d870409f6309d188a97b2aa1cfc41d2a136cbfb3d91bae7d97035fae4e790c39ba39bd33cf5129977b1b709e068e61cb8f39463886a6afe0b76c9bef422e467b9ab1a5e77c18507dd0d6cbfee06c7776a419ea70fd7fbee9417b7fc85bea4abc41c31ddd7b6d1e4f0efdf168fb25293d7a1d489a1072ebfe10112421e1ae1d89534db647928ffba2e11c2e5e85b9248fb470bc26cdaad328341f3a5e54170fd65906dfafa51c4f9bd962b19042cd36da7dcf07f6f8365e26aab8786750203010001a381af3081ac300b0603551d0f0404030201c6300f0603551d130101ff040530030101ff301d0603551d0e04160414daed6474149c143cabdd99a9bd5b284d8b3cc9d830420603551d1f043b30393037a035a0338631687474703a2f2f63726c2e7573657274727573742e636f6d2f55544e2d5553455246697273742d4f626a6563742e63726c30290603551d250422302006082b0601050507030306082b06010505070308060a2b0601040182370a0304300d06092a864886f70d01010505000382010100081f52b1374478dbfdceb9da959698aa556480b55a40dd21a5c5c1f35f2c4cc8475a69eae8f03535f4d025f3c8a6a4874abd1bb17308bdd4c3cab635bb59867731cda78014ae13effcb148f96b25252d51b62c6d45c198c88a565d3eee434e3e6b278ed03a4b850b5fd3ed6aa775cbd15a872f3975135a72b002819fbef00f845420626c69d4e14dc60d9943010d12968c789dbf50a2b144aa6acf177acf6f0fd4f824555ff0341649663e5046c96371383162b862b9f353ad6cb52ba212aa194f09da5ee793c68e1408fef0308018a086854dc87dd78b03fe6ed5f79d16ac922ca023e59c91521f94df179473c3b3c1c17105200078bd13521da83ecd001fc8	13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\Blob = 190000000100000010000000e843ac3b52ec8c297fa948c9b1fb2819030000000100000014000000e12dfb4b41d7d9c32b30514bac1d81d8385e2d461d0000000100000010000000f919b9ccce1e59c2e785f7dc2ccf67080b00000001000000140000005500530045005200540072007500730074000000140000000100000014000000daed6474149c143cabdd99a9bd5b284d8b3cc9d8090000000100000016000000301406082b0601050507030306082b060105050703080f0000000100000014000000f45a0858c9cd920e647bad539ab9f1cfc77f24cb20000000010000006a040000308204663082034ea003020102021044be0c8b500024b411d3362de0b35f1b300d06092a864886f70d0101050500308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a656374301e170d3939303730393138333132305a170d3139303730393138343033365a308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a65637430820122300d06092a864886f70d01010105000382010f003082010a0282010100ceaa813fa3a36178aa31005595119e270f1f1cdf3a9b826830c04a611df12f0efabe79f7a523ef55519684cddbe3b96e3e31d80a2067c7f4d9bf94eb47043e02ce2aa25d870409f6309d188a97b2aa1cfc41d2a136cbfb3d91bae7d97035fae4e790c39ba39bd33cf5129977b1b709e068e61cb8f39463886a6afe0b76c9bef422e467b9ab1a5e77c18507dd0d6cbfee06c7776a419ea70fd7fbee9417b7fc85bea4abc41c31ddd7b6d1e4f0efdf168fb25293d7a1d489a1072ebfe10112421e1ae1d89534db647928ffba2e11c2e5e85b9248fb470bc26cdaad328341f3a5e54170fd65906dfafa51c4f9bd962b19042cd36da7dcf07f6f8365e26aab8786750203010001a381af3081ac300b0603551d0f0404030201c6300f0603551d130101ff040530030101ff301d0603551d0e04160414daed6474149c143cabdd99a9bd5b284d8b3cc9d830420603551d1f043b30393037a035a0338631687474703a2f2f63726c2e7573657274727573742e636f6d2f55544e2d5553455246697273742d4f626a6563742e63726c30290603551d250422302006082b0601050507030306082b06010505070308060a2b0601040182370a0304300d06092a864886f70d01010505000382010100081f52b1374478dbfdceb9da959698aa556480b55a40dd21a5c5c1f35f2c4cc8475a69eae8f03535f4d025f3c8a6a4874abd1bb17308bdd4c3cab635bb59867731cda78014ae13effcb148f96b25252d51b62c6d45c198c88a565d3eee434e3e6b278ed03a4b850b5fd3ed6aa775cbd15a872f3975135a72b002819fbef00f845420626c69d4e14dc60d9943010d12968c789dbf50a2b144aa6acf177acf6f0fd4f824555ff0341649663e5046c96371383162b862b9f353ad6cb52ba212aa194f09da5ee793c68e1408fef0308018a086854dc87dd78b03fe6ed5f79d16ac922ca023e59c91521f94df179473c3b3c1c17105200078bd13521da83ecd001fc8	13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\Blob = 040000000100000010000000a7f2e41606411150306b9ce3b49cb0c90f0000000100000014000000f45a0858c9cd920e647bad539ab9f1cfc77f24cb090000000100000016000000301406082b0601050507030306082b06010505070308140000000100000014000000daed6474149c143cabdd99a9bd5b284d8b3cc9d80b000000010000001400000055005300450052005400720075007300740000001d0000000100000010000000f919b9ccce1e59c2e785f7dc2ccf6708030000000100000014000000e12dfb4b41d7d9c32b30514bac1d81d8385e2d46190000000100000010000000e843ac3b52ec8c297fa948c9b1fb281920000000010000006a040000308204663082034ea003020102021044be0c8b500024b411d3362de0b35f1b300d06092a864886f70d0101050500308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a656374301e170d3939303730393138333132305a170d3139303730393138343033365a308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a65637430820122300d06092a864886f70d01010105000382010f003082010a0282010100ceaa813fa3a36178aa31005595119e270f1f1cdf3a9b826830c04a611df12f0efabe79f7a523ef55519684cddbe3b96e3e31d80a2067c7f4d9bf94eb47043e02ce2aa25d870409f6309d188a97b2aa1cfc41d2a136cbfb3d91bae7d97035fae4e790c39ba39bd33cf5129977b1b709e068e61cb8f39463886a6afe0b76c9bef422e467b9ab1a5e77c18507dd0d6cbfee06c7776a419ea70fd7fbee9417b7fc85bea4abc41c31ddd7b6d1e4f0efdf168fb25293d7a1d489a1072ebfe10112421e1ae1d89534db647928ffba2e11c2e5e85b9248fb470bc26cdaad328341f3a5e54170fd65906dfafa51c4f9bd962b19042cd36da7dcf07f6f8365e26aab8786750203010001a381af3081ac300b0603551d0f0404030201c6300f0603551d130101ff040530030101ff301d0603551d0e04160414daed6474149c143cabdd99a9bd5b284d8b3cc9d830420603551d1f043b30393037a035a0338631687474703a2f2f63726c2e7573657274727573742e636f6d2f55544e2d5553455246697273742d4f626a6563742e63726c30290603551d250422302006082b0601050507030306082b06010505070308060a2b0601040182370a0304300d06092a864886f70d01010505000382010100081f52b1374478dbfdceb9da959698aa556480b55a40dd21a5c5c1f35f2c4cc8475a69eae8f03535f4d025f3c8a6a4874abd1bb17308bdd4c3cab635bb59867731cda78014ae13effcb148f96b25252d51b62c6d45c198c88a565d3eee434e3e6b278ed03a4b850b5fd3ed6aa775cbd15a872f3975135a72b002819fbef00f845420626c69d4e14dc60d9943010d12968c789dbf50a2b144aa6acf177acf6f0fd4f824555ff0341649663e5046c96371383162b862b9f353ad6cb52ba212aa194f09da5ee793c68e1408fef0308018a086854dc87dd78b03fe6ed5f79d16ac922ca023e59c91521f94df179473c3b3c1c17105200078bd13521da83ecd001fc8	13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0.exewinkey.exe

description	pid	process
Token: SeRestorePrivilege	1252	13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0.exe
Token: SeBackupPrivilege	1252	13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0.exe
Token: SeRestorePrivilege	1532	winkey.exe
Token: SeBackupPrivilege	1532	winkey.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0.exe13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0.exewinkey.exe

description	pid	process	target process
PID 1252 wrote to memory of 1684	1252	13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0.exe	13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0.exe
PID 1252 wrote to memory of 1684	1252	13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0.exe	13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0.exe
PID 1252 wrote to memory of 1684	1252	13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0.exe	13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0.exe
PID 1252 wrote to memory of 1684	1252	13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0.exe	13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0.exe
PID 1252 wrote to memory of 1684	1252	13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0.exe	13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0.exe
PID 1252 wrote to memory of 1684	1252	13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0.exe	13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0.exe
PID 1252 wrote to memory of 1684	1252	13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0.exe	13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0.exe
PID 1252 wrote to memory of 1684	1252	13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0.exe	13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0.exe
PID 1252 wrote to memory of 1684	1252	13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0.exe	13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0.exe
PID 1252 wrote to memory of 1684	1252	13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0.exe	13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0.exe
PID 1252 wrote to memory of 1684	1252	13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0.exe	13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0.exe
PID 1252 wrote to memory of 1684	1252	13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0.exe	13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0.exe
PID 1684 wrote to memory of 1532	1684	13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0.exe	winkey.exe
PID 1684 wrote to memory of 1532	1684	13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0.exe	winkey.exe
PID 1684 wrote to memory of 1532	1684	13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0.exe	winkey.exe
PID 1684 wrote to memory of 1532	1684	13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0.exe	winkey.exe
PID 1684 wrote to memory of 1532	1684	13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0.exe	winkey.exe
PID 1684 wrote to memory of 1532	1684	13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0.exe	winkey.exe
PID 1684 wrote to memory of 1532	1684	13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0.exe	winkey.exe
PID 1532 wrote to memory of 848	1532	winkey.exe	winkey.exe
PID 1532 wrote to memory of 848	1532	winkey.exe	winkey.exe
PID 1532 wrote to memory of 848	1532	winkey.exe	winkey.exe
PID 1532 wrote to memory of 848	1532	winkey.exe	winkey.exe
PID 1532 wrote to memory of 848	1532	winkey.exe	winkey.exe
PID 1532 wrote to memory of 848	1532	winkey.exe	winkey.exe
PID 1532 wrote to memory of 848	1532	winkey.exe	winkey.exe
PID 1532 wrote to memory of 556	1532	winkey.exe	winkey.exe
PID 1532 wrote to memory of 556	1532	winkey.exe	winkey.exe
PID 1532 wrote to memory of 556	1532	winkey.exe	winkey.exe
PID 1532 wrote to memory of 556	1532	winkey.exe	winkey.exe
PID 1532 wrote to memory of 556	1532	winkey.exe	winkey.exe
PID 1532 wrote to memory of 556	1532	winkey.exe	winkey.exe
PID 1532 wrote to memory of 556	1532	winkey.exe	winkey.exe
PID 1532 wrote to memory of 556	1532	winkey.exe	winkey.exe
PID 1532 wrote to memory of 556	1532	winkey.exe	winkey.exe
PID 1532 wrote to memory of 556	1532	winkey.exe	winkey.exe
PID 1532 wrote to memory of 556	1532	winkey.exe	winkey.exe
PID 1532 wrote to memory of 556	1532	winkey.exe	winkey.exe

C:\Users\Admin\AppData\Local\Temp\13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0.exe
"C:\Users\Admin\AppData\Local\Temp\13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0.exe"
1⤵
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1252

C:\Users\Admin\AppData\Local\Temp\13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0.exe
"C:\Users\Admin\AppData\Local\Temp\13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1684

C:\Users\Admin\AppData\Roaming\Folder\winkey.exe
"C:\Users\Admin\AppData\Roaming\Folder\winkey.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1532

C:\Users\Admin\AppData\Roaming\Folder\winkey.exe
"C:\Users\Admin\AppData\Roaming\Folder\winkey.exe"
4⤵
- Executes dropped EXE
PID:848

C:\Users\Admin\AppData\Roaming\Folder\winkey.exe
"C:\Users\Admin\AppData\Roaming\Folder\winkey.exe"
4⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Loads dropped DLL
- Adds Run key to start application
PID:556

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B90B117906B8A74C79D1BC450C2B94B1_A54F26A8A41DE52C237D54D67F12793F
Filesize
1KB

MD5
511db66daf1be9720dcac760ca8efe02

SHA1
fe5430c8452cd37d68080cd0b58a1fdcfaaa7ce7

SHA256
df0e3c2c6d0bc7e8a6adb9b6fba0c8d04db663af2e7cbaea9e0c9c53760e1e1d

SHA512
c4c51f525201a6c847ad193b4db817d2a1b1e934b5f134a0f0c860ba1953626ec6654542d49b38fbb0d118b17bea1cc2a7420c16d8a3cf617a5cba9cb968c801

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F4D9C889B7AEBCF4E1A2DAABC5C3628A_8575EEAFBE385FF14EE35EA7147E2C76
Filesize
509B

MD5
bd984e33d42f49505c76ba91f6eb687d

SHA1
f140c9e802ab1f7b5da793aa69b73a88665c2e80

SHA256
54af2b435b3273739116a83b15fb09b962686ed737cb509179f17ff659797b49

SHA512
4a54f0b01169b9114729d7119b9426a208c22110e56c904b4b642a1d2e0870c3515b2809791fcce54c006501507a8380a0b08f22987562173f9cad9bd3d0e3c8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
fdec4a1c3994339d5d62d221b2d67ca3

SHA1
bbf0dbc51a4b8ad248ad789915ea0aa65ca924f0

SHA256
6f2ef8e6c5d7638c6d6c62d971f5df63ccf684cc3277e312737f03628b25cc0a

SHA512
f515f4613919324009e0f5bfbb13e88c538f925617e52bdaeca022fc7b64f598090beecad9c7a0dfab2a033e491d33a54ec172deea951d1dfb0534dcc972ae44

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B90B117906B8A74C79D1BC450C2B94B1_A54F26A8A41DE52C237D54D67F12793F
Filesize
500B

MD5
9213f167f2983611d0d26de0539e52b8

SHA1
317173b5bbf11ddaee7d9c1962ed880c9dffcf5d

SHA256
d07ba7b938c2698f03ed91f3340d1d73b5fabf74a114faa473070a2f709465ee

SHA512
6017b8e29f6a5ca68544c35cf898a1cc3edc2448ad50348ff9b68cdeb9c9c7c2d454e22ec6cf935eff451e3741e97373901f415580023b741f84309f46f58865

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F4D9C889B7AEBCF4E1A2DAABC5C3628A_8575EEAFBE385FF14EE35EA7147E2C76
Filesize
490B

MD5
249d541694343b0d8e95bef08469ea0f

SHA1
0b37a0a94095576120177c8028bb25409f2ce4ed

SHA256
58a7c366543f21b920acc95900d94ff998945e3697ffbeac00bed058a3427c0c

SHA512
3f03e49d2ce7cb4ec6b90e61fb6d7c6a7f221fd9f8f438dca51793d9905c863719e7c32bb2de50725e0e1329ed795f729e61265f98a82569045b65f6197dad5e

Download Submit
C:\Users\Admin\AppData\Roaming\Folder\winkey.exe
Filesize
175KB

MD5
6aa0e97bec377f4c535c4173f6c256a7

SHA1
d6c4a2d49f3dbfe80a273da580b076a510a88c18

SHA256
13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0

SHA512
ff024f1848816aa385986e6abb8040f329a9d6ceafb28db3d7ffe40e3509a82a3239c84df1c0173ac4eedc61f434da4654db60e7db3b4f714fdb3cec2722fac2

Download Submit
C:\Users\Admin\AppData\Roaming\Folder\winkey.exe
Filesize
175KB

MD5
6aa0e97bec377f4c535c4173f6c256a7

SHA1
d6c4a2d49f3dbfe80a273da580b076a510a88c18

SHA256
13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0

SHA512
ff024f1848816aa385986e6abb8040f329a9d6ceafb28db3d7ffe40e3509a82a3239c84df1c0173ac4eedc61f434da4654db60e7db3b4f714fdb3cec2722fac2

Download Submit
C:\Users\Admin\AppData\Roaming\Folder\winkey.exe
Filesize
175KB

MD5
6aa0e97bec377f4c535c4173f6c256a7

SHA1
d6c4a2d49f3dbfe80a273da580b076a510a88c18

SHA256
13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0

SHA512
ff024f1848816aa385986e6abb8040f329a9d6ceafb28db3d7ffe40e3509a82a3239c84df1c0173ac4eedc61f434da4654db60e7db3b4f714fdb3cec2722fac2

Download Submit
C:\Users\Admin\AppData\Roaming\Folder\winkey.exe
Filesize
175KB

MD5
6aa0e97bec377f4c535c4173f6c256a7

SHA1
d6c4a2d49f3dbfe80a273da580b076a510a88c18

SHA256
13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0

SHA512
ff024f1848816aa385986e6abb8040f329a9d6ceafb28db3d7ffe40e3509a82a3239c84df1c0173ac4eedc61f434da4654db60e7db3b4f714fdb3cec2722fac2

Download Submit
\Users\Admin\AppData\Roaming\Folder\winkey.exe
Filesize
175KB

MD5
6aa0e97bec377f4c535c4173f6c256a7

SHA1
d6c4a2d49f3dbfe80a273da580b076a510a88c18

SHA256
13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0

SHA512
ff024f1848816aa385986e6abb8040f329a9d6ceafb28db3d7ffe40e3509a82a3239c84df1c0173ac4eedc61f434da4654db60e7db3b4f714fdb3cec2722fac2

Download Submit
\Users\Admin\AppData\Roaming\Folder\winkey.exe
Filesize
175KB

MD5
6aa0e97bec377f4c535c4173f6c256a7

SHA1
d6c4a2d49f3dbfe80a273da580b076a510a88c18

SHA256
13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0

SHA512
ff024f1848816aa385986e6abb8040f329a9d6ceafb28db3d7ffe40e3509a82a3239c84df1c0173ac4eedc61f434da4654db60e7db3b4f714fdb3cec2722fac2

Download Submit
\Users\Admin\AppData\Roaming\Folder\winkey.exe
Filesize
175KB

MD5
6aa0e97bec377f4c535c4173f6c256a7

SHA1
d6c4a2d49f3dbfe80a273da580b076a510a88c18

SHA256
13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0

SHA512
ff024f1848816aa385986e6abb8040f329a9d6ceafb28db3d7ffe40e3509a82a3239c84df1c0173ac4eedc61f434da4654db60e7db3b4f714fdb3cec2722fac2

Download Submit
\Users\Admin\AppData\Roaming\Folder\winkey.exe
Filesize
175KB

MD5
6aa0e97bec377f4c535c4173f6c256a7

SHA1
d6c4a2d49f3dbfe80a273da580b076a510a88c18

SHA256
13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0

SHA512
ff024f1848816aa385986e6abb8040f329a9d6ceafb28db3d7ffe40e3509a82a3239c84df1c0173ac4eedc61f434da4654db60e7db3b4f714fdb3cec2722fac2

Download Submit
\Users\Admin\AppData\Roaming\Folder\winkey.exe
Filesize
175KB

MD5
6aa0e97bec377f4c535c4173f6c256a7

SHA1
d6c4a2d49f3dbfe80a273da580b076a510a88c18

SHA256
13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0

SHA512
ff024f1848816aa385986e6abb8040f329a9d6ceafb28db3d7ffe40e3509a82a3239c84df1c0173ac4eedc61f434da4654db60e7db3b4f714fdb3cec2722fac2

Download Submit
\Users\Admin\AppData\Roaming\Folder\winkey.exe
Filesize
175KB

MD5
6aa0e97bec377f4c535c4173f6c256a7

SHA1
d6c4a2d49f3dbfe80a273da580b076a510a88c18

SHA256
13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0

SHA512
ff024f1848816aa385986e6abb8040f329a9d6ceafb28db3d7ffe40e3509a82a3239c84df1c0173ac4eedc61f434da4654db60e7db3b4f714fdb3cec2722fac2

Download Submit
\Users\Admin\AppData\Roaming\Folder\winkey.exe
Filesize
175KB

MD5
6aa0e97bec377f4c535c4173f6c256a7

SHA1
d6c4a2d49f3dbfe80a273da580b076a510a88c18

SHA256
13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0

SHA512
ff024f1848816aa385986e6abb8040f329a9d6ceafb28db3d7ffe40e3509a82a3239c84df1c0173ac4eedc61f434da4654db60e7db3b4f714fdb3cec2722fac2

Download Submit
\Users\Admin\AppData\Roaming\Folder\winkey.exe
Filesize
175KB

MD5
6aa0e97bec377f4c535c4173f6c256a7

SHA1
d6c4a2d49f3dbfe80a273da580b076a510a88c18

SHA256
13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0

SHA512
ff024f1848816aa385986e6abb8040f329a9d6ceafb28db3d7ffe40e3509a82a3239c84df1c0173ac4eedc61f434da4654db60e7db3b4f714fdb3cec2722fac2

Download Submit
\Users\Admin\AppData\Roaming\Folder\winkey.exe
Filesize
175KB

MD5
6aa0e97bec377f4c535c4173f6c256a7

SHA1
d6c4a2d49f3dbfe80a273da580b076a510a88c18

SHA256
13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0

SHA512
ff024f1848816aa385986e6abb8040f329a9d6ceafb28db3d7ffe40e3509a82a3239c84df1c0173ac4eedc61f434da4654db60e7db3b4f714fdb3cec2722fac2

Download Submit
memory/556-105-0x0000000000402196-mapping.dmp

Download
memory/556-115-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/556-116-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1252-54-0x0000000076381000-0x0000000076383000-memory.dmp

Filesize
8KB

Download
memory/1252-55-0x00000000743E0000-0x000000007498B000-memory.dmp

Filesize
5.7MB

Download
memory/1252-73-0x00000000743E0000-0x000000007498B000-memory.dmp

Filesize
5.7MB

Download
memory/1532-85-0x0000000074390000-0x000000007493B000-memory.dmp

Filesize
5.7MB

Download
memory/1532-108-0x0000000074390000-0x000000007493B000-memory.dmp

Filesize
5.7MB

Download
memory/1532-76-0x0000000000000000-mapping.dmp

Download
memory/1684-68-0x0000000000402196-mapping.dmp

Download
memory/1684-77-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1684-66-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1684-74-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1684-57-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1684-56-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1684-71-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1684-59-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1684-62-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download