Analysis
  max time kernel:   150s
  max time network:  46s
  platform:          windows7_x64
  resource:          win7-20220812-en
  resource tags:     arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  submitted:         28-11-2022 13:09
Static task: static1

Behavioral task: behavioral1
  Sample:   b79dae4f637d5de6f2fbbf5792ee32722855966a72f0a5cf674a1f972da5af4a.exe
  Resource: win7-20220812-en

Behavioral task: behavioral2
  Sample:   b79dae4f637d5de6f2fbbf5792ee32722855966a72f0a5cf674a1f972da5af4a.exe
  Resource: win10v2004-20220812-en
General
  Target: b79dae4f637d5de6f2fbbf5792ee32722855966a72f0a5cf674a1f972da5af4a.exe
  Size:   156KB
  MD5:    c066281525814a0b9b70842dfba0a728
  SHA1:   0191c82db08d05a914cc6450206b92bf64270232
  SHA256: b79dae4f637d5de6f2fbbf5792ee32722855966a72f0a5cf674a1f972da5af4a
  SHA512: da77f2c75a4f277d15216a20578fe602be4492dde0b11bf788b3347b3d85d430b05a1a5cb85617da249fa3cb3306a4b778768c63c8cf1bd1081c89c0959a9ff9
  SSDEEP: 3072:oN++i8L367k7uY+5BaGNQVbls/k+HNwC4zRviN9K:ocC67lfOAQhMTHNws
Malware Config
Signatures
NetWire RAT payload (4 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/2000-57-0x0000000000400000-0x000000000041E000-memory.dmp   netwire
  behavioral1/memory/2000-58-0x0000000000402196-mapping.dmp                     netwire
  behavioral1/memory/2000-62-0x0000000000400000-0x000000000041E000-memory.dmp   netwire
  behavioral1/memory/2000-63-0x0000000000400000-0x000000000041E000-memory.dmp   netwire

Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
  Process: b79dae4f637d5de6f2fbbf5792ee32722855966a72f0a5cf674a1f972da5af4a.exe
  description      ioc
  Key created      \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{QEFI6MD4-2J84-6AEO-0572-0M0V56652NB5}
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{QEFI6MD4-2J84-6AEO-0572-0M0V56652NB5}\StubPath = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\b79dae4f637d5de6f2fbbf5792ee32722855966a72f0a5cf674a1f972da5af4a.exe\""

Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: b79dae4f637d5de6f2fbbf5792ee32722855966a72f0a5cf674a1f972da5af4a.exe
  description      ioc
  Set value (str)  \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\upload = "C:\\Users\\Admin\\AppData\\Local\\Temp\\b79dae4f637d5de6f2fbbf5792ee32722855966a72f0a5cf674a1f972da5af4a.exe"
  Key created      \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\

Suspicious use of SetThreadContext (1 IoCs)
  description                          pid   process                                                                  target process
  PID 1920 set thread context of 2000  1920  b79dae4f637d5de6f2fbbf5792ee32722855966a72f0a5cf674a1f972da5af4a.exe  b79dae4f637d5de6f2fbbf5792ee32722855966a72f0a5cf674a1f972da5af4a.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
  pid   process
  1920  b79dae4f637d5de6f2fbbf5792ee32722855966a72f0a5cf674a1f972da5af4a.exe

Suspicious use of WriteProcessMemory (11 IoCs)
  description                        pid   process                                                                  target process
  PID 1920 wrote to memory of 2000   1920  b79dae4f637d5de6f2fbbf5792ee32722855966a72f0a5cf674a1f972da5af4a.exe  b79dae4f637d5de6f2fbbf5792ee32722855966a72f0a5cf674a1f972da5af4a.exe
  (the same entry is recorded 11 times)
Processes
  1. C:\Users\Admin\AppData\Local\Temp\b79dae4f637d5de6f2fbbf5792ee32722855966a72f0a5cf674a1f972da5af4a.exe
     command line: "C:\Users\Admin\AppData\Local\Temp\b79dae4f637d5de6f2fbbf5792ee32722855966a72f0a5cf674a1f972da5af4a.exe"
     - Suspicious use of SetThreadContext
     - Suspicious use of SetWindowsHookEx
     - Suspicious use of WriteProcessMemory
     2. C:\Users\Admin\AppData\Local\Temp\b79dae4f637d5de6f2fbbf5792ee32722855966a72f0a5cf674a1f972da5af4a.exe (child of 1)
        command line: "C:\Users\Admin\AppData\Local\Temp\b79dae4f637d5de6f2fbbf5792ee32722855966a72f0a5cf674a1f972da5af4a.exe"
        - Modifies Installed Components in the registry
        - Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
  file                                                              filesize
  memory/1920-56-0x00000000763F1000-0x00000000763F3000-memory.dmp   8KB
  memory/1920-60-0x00000000001C0000-0x00000000001C6000-memory.dmp   24KB
  memory/2000-57-0x0000000000400000-0x000000000041E000-memory.dmp   120KB
  memory/2000-58-0x0000000000402196-mapping.dmp
  memory/2000-62-0x0000000000400000-0x000000000041E000-memory.dmp   120KB
  memory/2000-63-0x0000000000400000-0x000000000041E000-memory.dmp   120KB