Analysis
-
max time kernel
225s -
max time network
294s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
-
submitted
27-11-2022 14:39
General
-
Target
00356e79e7a08ebf31b17e50182868d721e250858eb143e3b31e5c4d05e8a25b.exe
-
Size
950KB
-
MD5
5e0194f52714555150f5a255b41c1f45
-
SHA1
1da2e3af983e08dbeec3931c796cc6c22d7ab67f
-
SHA256
00356e79e7a08ebf31b17e50182868d721e250858eb143e3b31e5c4d05e8a25b
-
SHA512
e2d61183e260a093d36e2c4b4a1394197790ed4622bb4c87191fb9e1ab53e548d79e8845adf275ed7faa8d89bbcf1237e909c9de1365448adadbf927f6175585
-
SSDEEP
24576:W4lavt0LkLL9IMixoEgeaqbQ9N/q9MmCS:hkwkn9IMHeaqbiaPCS
Malware Config
Signatures
-
NetWire RAT payload 4 IoCs
-
Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
-
Executes dropped EXE 2 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\00356e79e7a08ebf31b17e50182868d721e250858eb143e3b31e5c4d05e8a25b.exe"C:\Users\Admin\AppData\Local\Temp\00356e79e7a08ebf31b17e50182868d721e250858eb143e3b31e5c4d05e8a25b.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3944\3944.exe"C:\Users\Admin\AppData\Local\Temp\3944\3944.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Install\Host.exe"C:\Users\Admin\AppData\Roaming\Install\Host.exe"3⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\3944\3944.exeFilesize
81KB
MD5a727bf4a943b54b94109e90b91517313
SHA17cbbaf0c1f08003e3133b1ba78292b4f07ccd314
SHA2562fd2c2d91bb345f187e54d3b75dc08678ae0effff6d0e385c84f823e3ca4374a
SHA512c85d6155f2e95a7cde387b7a88249fe40113e301823636aeb9dda02d03f2a8c7cac8cc6b1cd6b6f5302f900282c9ed0e34c3d0da617832ce064c4e1d258817a2
-
C:\Users\Admin\AppData\Local\Temp\3944\3944.exeFilesize
81KB
MD5a727bf4a943b54b94109e90b91517313
SHA17cbbaf0c1f08003e3133b1ba78292b4f07ccd314
SHA2562fd2c2d91bb345f187e54d3b75dc08678ae0effff6d0e385c84f823e3ca4374a
SHA512c85d6155f2e95a7cde387b7a88249fe40113e301823636aeb9dda02d03f2a8c7cac8cc6b1cd6b6f5302f900282c9ed0e34c3d0da617832ce064c4e1d258817a2
-
C:\Users\Admin\AppData\Roaming\Install\Host.exeFilesize
81KB
MD5a727bf4a943b54b94109e90b91517313
SHA17cbbaf0c1f08003e3133b1ba78292b4f07ccd314
SHA2562fd2c2d91bb345f187e54d3b75dc08678ae0effff6d0e385c84f823e3ca4374a
SHA512c85d6155f2e95a7cde387b7a88249fe40113e301823636aeb9dda02d03f2a8c7cac8cc6b1cd6b6f5302f900282c9ed0e34c3d0da617832ce064c4e1d258817a2
-
C:\Users\Admin\AppData\Roaming\Install\Host.exeFilesize
81KB
MD5a727bf4a943b54b94109e90b91517313
SHA17cbbaf0c1f08003e3133b1ba78292b4f07ccd314
SHA2562fd2c2d91bb345f187e54d3b75dc08678ae0effff6d0e385c84f823e3ca4374a
SHA512c85d6155f2e95a7cde387b7a88249fe40113e301823636aeb9dda02d03f2a8c7cac8cc6b1cd6b6f5302f900282c9ed0e34c3d0da617832ce064c4e1d258817a2
-
memory/4052-132-0x0000000000000000-mapping.dmp
-
memory/4952-135-0x0000000000000000-mapping.dmp