netwire | 13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0

Analysis

max time kernel
123s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
27-11-2022 22:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0.exe
Size

175KB
MD5

6aa0e97bec377f4c535c4173f6c256a7
SHA1

d6c4a2d49f3dbfe80a273da580b076a510a88c18
SHA256

13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0
SHA512

ff024f1848816aa385986e6abb8040f329a9d6ceafb28db3d7ffe40e3509a82a3239c84df1c0173ac4eedc61f434da4654db60e7db3b4f714fdb3cec2722fac2
SSDEEP

3072:P4sye0QXZRRDmlglKsXZ19qkGDfpzfhCLGVPUuycMB:wsy7AFygweZ7v6fdhQGhU19

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Signatures

NetWire RAT payload 6 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3408-135-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral2/memory/3408-137-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral2/memory/3408-140-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral2/memory/3408-144-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral2/memory/2212-167-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral2/memory/2212-168-0x0000000000400000-0x000000000041E000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

winkey.exewinkey.exe

pid process

4872 winkey.exe
2212 winkey.exe

pid	process
4872	winkey.exe
2212	winkey.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

winkey.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{211A0RVQ-83D3-5X7G-288C-CA2A1XM61D56}	winkey.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{211A0RVQ-83D3-5X7G-288C-CA2A1XM61D56}\StubPath = "\"C:\\Users\\Admin\\AppData\\Roaming\\Folder\\winkey.exe\""	winkey.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

winkey.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Keyfile = "C:\\Users\\Admin\\AppData\\Roaming\\Folder\\winkey.exe"	winkey.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	winkey.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0.exewinkey.exe

description	pid	process	target process
PID 4944 set thread context of 3408	4944	13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0.exe	13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0.exe
PID 4872 set thread context of 2212	4872	winkey.exe	winkey.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 5c00000001000000040000000008000019000000010000001000000045ed9bbc5e43d3b9ecd63c060db78e5c03000000010000001400000002faf3e291435468607857694df5e45b688518687e0000000100000008000000000063f58926d7011d000000010000001000000006f9583c00a763c23fb9e065a3366d55140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff20b00000001000000260000005300650063007400690067006f0020002800410064006400540072007500730074002900000053000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b0400000001000000100000001d3554048578b03f42424dbf20730a3f20000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868	13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 0f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b00000001000000260000005300650063007400690067006f00200028004100640064005400720075007300740029000000620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff2140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a1d000000010000001000000006f9583c00a763c23fb9e065a3366d557e0000000100000008000000000063f58926d70103000000010000001400000002faf3e291435468607857694df5e45b6885186820000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 19000000010000001000000045ed9bbc5e43d3b9ecd63c060db78e5c03000000010000001400000002faf3e291435468607857694df5e45b688518687e0000000100000008000000000063f58926d7011d000000010000001000000006f9583c00a763c23fb9e065a3366d55140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff20b00000001000000260000005300650063007400690067006f0020002800410064006400540072007500730074002900000053000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b20000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 0400000001000000100000001d3554048578b03f42424dbf20730a3f0f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b00000001000000260000005300650063007400690067006f00200028004100640064005400720075007300740029000000620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff2140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a1d000000010000001000000006f9583c00a763c23fb9e065a3366d557e0000000100000008000000000063f58926d70103000000010000001400000002faf3e291435468607857694df5e45b6885186819000000010000001000000045ed9bbc5e43d3b9ecd63c060db78e5c20000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0.exe13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0.exewinkey.exe

description	pid	process	target process
PID 4944 wrote to memory of 3408	4944	13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0.exe	13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0.exe
PID 4944 wrote to memory of 3408	4944	13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0.exe	13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0.exe
PID 4944 wrote to memory of 3408	4944	13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0.exe	13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0.exe
PID 4944 wrote to memory of 3408	4944	13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0.exe	13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0.exe
PID 4944 wrote to memory of 3408	4944	13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0.exe	13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0.exe
PID 4944 wrote to memory of 3408	4944	13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0.exe	13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0.exe
PID 4944 wrote to memory of 3408	4944	13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0.exe	13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0.exe
PID 4944 wrote to memory of 3408	4944	13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0.exe	13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0.exe
PID 4944 wrote to memory of 3408	4944	13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0.exe	13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0.exe
PID 3408 wrote to memory of 4872	3408	13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0.exe	winkey.exe
PID 3408 wrote to memory of 4872	3408	13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0.exe	winkey.exe
PID 3408 wrote to memory of 4872	3408	13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0.exe	winkey.exe
PID 4872 wrote to memory of 2212	4872	winkey.exe	winkey.exe
PID 4872 wrote to memory of 2212	4872	winkey.exe	winkey.exe
PID 4872 wrote to memory of 2212	4872	winkey.exe	winkey.exe
PID 4872 wrote to memory of 2212	4872	winkey.exe	winkey.exe
PID 4872 wrote to memory of 2212	4872	winkey.exe	winkey.exe
PID 4872 wrote to memory of 2212	4872	winkey.exe	winkey.exe
PID 4872 wrote to memory of 2212	4872	winkey.exe	winkey.exe
PID 4872 wrote to memory of 2212	4872	winkey.exe	winkey.exe
PID 4872 wrote to memory of 2212	4872	winkey.exe	winkey.exe

C:\Users\Admin\AppData\Local\Temp\13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0.exe
"C:\Users\Admin\AppData\Local\Temp\13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0.exe"
1⤵
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:4944

C:\Users\Admin\AppData\Local\Temp\13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0.exe
"C:\Users\Admin\AppData\Local\Temp\13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3408

C:\Users\Admin\AppData\Roaming\Folder\winkey.exe
"C:\Users\Admin\AppData\Roaming\Folder\winkey.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4872

C:\Users\Admin\AppData\Roaming\Folder\winkey.exe
"C:\Users\Admin\AppData\Roaming\Folder\winkey.exe"
4⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
PID:2212

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1F356F4D07FE8C483E769E4586569404
Filesize
112KB

MD5
18733016048ac2238cfe9ce495bf73c4

SHA1
aaacf6ed16fc16f8092803cb6542edd5a0239f65

SHA256
a13ecd0c5090ecdd71bd2e77362d27cc94c8b198b46bd63199dd76a0eb864419

SHA512
052115cd6dd387d089965beb7285e1cc76aa6e5a5b26c34989a11518861d84424fdd967c7c370b4afe95b3b734384b7de90c14f3663dc80023462a0ebbf063b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3B6E683A7A45CC59BF035C9BA8C7AB9D
Filesize
494B

MD5
069bcf63aec8ff28665d6eb5ae5256fe

SHA1
4dfe27d1e0d5213da443dd3f2fe9bee05b3484f3

SHA256
e899fefd27028e7001c5395a0dd721addbb76ccba7834609dbaffc7cadc61d84

SHA512
144744cf680a4a2c0966e996883a4fcdb50682006d15f5e08e2f7bf61ea190e12e95e12a51026269292ed3499c374cb722f83018075ebb724fbba2f6b9074048

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0
Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B90B117906B8A74C79D1BC450C2B94B1_A54F26A8A41DE52C237D54D67F12793F
Filesize
1KB

MD5
511db66daf1be9720dcac760ca8efe02

SHA1
fe5430c8452cd37d68080cd0b58a1fdcfaaa7ce7

SHA256
df0e3c2c6d0bc7e8a6adb9b6fba0c8d04db663af2e7cbaea9e0c9c53760e1e1d

SHA512
c4c51f525201a6c847ad193b4db817d2a1b1e934b5f134a0f0c860ba1953626ec6654542d49b38fbb0d118b17bea1cc2a7420c16d8a3cf617a5cba9cb968c801

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F4D9C889B7AEBCF4E1A2DAABC5C3628A_8575EEAFBE385FF14EE35EA7147E2C76
Filesize
509B

MD5
bd984e33d42f49505c76ba91f6eb687d

SHA1
f140c9e802ab1f7b5da793aa69b73a88665c2e80

SHA256
54af2b435b3273739116a83b15fb09b962686ed737cb509179f17ff659797b49

SHA512
4a54f0b01169b9114729d7119b9426a208c22110e56c904b4b642a1d2e0870c3515b2809791fcce54c006501507a8380a0b08f22987562173f9cad9bd3d0e3c8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1F356F4D07FE8C483E769E4586569404
Filesize
248B

MD5
bd81a35fded577aa4058036ad161b85d

SHA1
2957f357f7f2358e172acbe503afd65aac38b733

SHA256
f192cfe949231faf299fefd9eae5a13ab9109302bb3b3428cefacba7ca23ea00

SHA512
948da0d2816b2914dee6ae646167dae790fd97a82062e95c90e738b51a165005a304258ed3c0a4ae2d9f5474b08cc280d4e0bad02d875902a222b36146c59898

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3B6E683A7A45CC59BF035C9BA8C7AB9D
Filesize
250B

MD5
fd12128c70bf77d502375477f4429697

SHA1
704122b280dc879aaea36568aa53e3813447b228

SHA256
72dce6f8e3c6d5a80626fc2fefd5fa42f6b73ada7d43cbc4d6c918123e34b7be

SHA512
6170fa4ecb2a6e43fd7bef0c6a51651f539da18ac41604fd57dcce190b4d7df12e192eee6c79ddbd90150bbe62c2b40755bd9d0642fe559a1c2f90806c5e563d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0
Filesize
398B

MD5
ea90fe684318ae51238c8c1e478fe806

SHA1
f3b8177caf2536b33446bf5ac2c79b9aea87a8b7

SHA256
7e4d83a7563e1f6c370b3cf5271d464f5d31d384fb5032599b192934c0460153

SHA512
aa60c20bef7f6f0b7f818b037996b7944d466fa5d58db9cce92832d9059e90afc0efdcc7a3e76e8cac33b34882c97212822426b0192632171024ca764ad64741

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B90B117906B8A74C79D1BC450C2B94B1_A54F26A8A41DE52C237D54D67F12793F
Filesize
500B

MD5
28ff91c950e9d4f247e17dd1c00c1801

SHA1
643670f13be15ecde6b91c2b07d05030dc29fe92

SHA256
30a2246719301ed350022e5cedd8f45e7e32f00be5e0a73dfcba34834ae4ffa5

SHA512
dcaf6bdec4de6d83be8e805b4b43a6736867612673d2de3d3c64a5388f15c5b95ee3aab1faa8c7e20084bd5b04ebf237d2935259e971b5f48257a87778f0acd1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F4D9C889B7AEBCF4E1A2DAABC5C3628A_8575EEAFBE385FF14EE35EA7147E2C76
Filesize
490B

MD5
eba0abff3c0d19afb01dab0c1bd57290

SHA1
d0cff486ee16d01bb1ffc8499b6620f7ddcd8d7f

SHA256
d3e1608d413f715bebe061b494db12f1a1d8fdb836510204bc4d5f67763166f3

SHA512
679e43c254148ef30db8b500118a5aa5f4b8afd0ccb15c46e5822607d77f3744a303dc208da69f298e29c5f0042976e7d640bfdd9fd71076ddbf44a6af45f73d

Download Submit
C:\Users\Admin\AppData\Roaming\Folder\winkey.exe
Filesize
175KB

MD5
6aa0e97bec377f4c535c4173f6c256a7

SHA1
d6c4a2d49f3dbfe80a273da580b076a510a88c18

SHA256
13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0

SHA512
ff024f1848816aa385986e6abb8040f329a9d6ceafb28db3d7ffe40e3509a82a3239c84df1c0173ac4eedc61f434da4654db60e7db3b4f714fdb3cec2722fac2

Download Submit
C:\Users\Admin\AppData\Roaming\Folder\winkey.exe
Filesize
175KB

MD5
6aa0e97bec377f4c535c4173f6c256a7

SHA1
d6c4a2d49f3dbfe80a273da580b076a510a88c18

SHA256
13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0

SHA512
ff024f1848816aa385986e6abb8040f329a9d6ceafb28db3d7ffe40e3509a82a3239c84df1c0173ac4eedc61f434da4654db60e7db3b4f714fdb3cec2722fac2

Download Submit
C:\Users\Admin\AppData\Roaming\Folder\winkey.exe
Filesize
175KB

MD5
6aa0e97bec377f4c535c4173f6c256a7

SHA1
d6c4a2d49f3dbfe80a273da580b076a510a88c18

SHA256
13cea6d656bcb5b411cb752db32350c51ce1e6794b75de96bdb20efe6ea4ceb0

SHA512
ff024f1848816aa385986e6abb8040f329a9d6ceafb28db3d7ffe40e3509a82a3239c84df1c0173ac4eedc61f434da4654db60e7db3b4f714fdb3cec2722fac2

Download Submit
memory/2212-168-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2212-167-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2212-156-0x0000000000000000-mapping.dmp

Download
memory/3408-134-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3408-135-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3408-133-0x0000000000000000-mapping.dmp

Download
memory/3408-137-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3408-140-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3408-144-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4872-159-0x0000000074F90000-0x0000000075541000-memory.dmp

Filesize
5.7MB

Download
memory/4872-141-0x0000000000000000-mapping.dmp

Download
memory/4872-166-0x0000000074F90000-0x0000000075541000-memory.dmp

Filesize
5.7MB

Download
memory/4944-132-0x0000000074F90000-0x0000000075541000-memory.dmp

Filesize
5.7MB

Download
memory/4944-145-0x0000000074F90000-0x0000000075541000-memory.dmp

Filesize
5.7MB

Download