Analysis

max time kernel: 110s
max time network: 112s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 03-02-2023 09:03
Static task: static1
Behavioral task: behavioral1
Sample: f1a220c982fa2b7330cd7c7671f8733c.exe
Resource: win7-20221111-en (windows7-x64)
7 signatures, 150 seconds
General

Target: f1a220c982fa2b7330cd7c7671f8733c.exe
Size: 393KB
MD5: f1a220c982fa2b7330cd7c7671f8733c
SHA1: 9f20d00b4ec898a33e130720d4d29e94070e1575
SHA256: 15ed48a323171f521247258630d9ef6d3fe785b5fe3aa9ff77b58b150b734310
SHA512: face49fa9216d325062326c475fa88b5170ac39ea2bed44de721276ddd79f45c620064ef01372f8b90e7104c3cab9ec0a1b76a98357c7efeedcd47a1608e22c1
SSDEEP: 12288:9YfbednM3kIg00BJ1sKN+zNva8lq1NtWH:9YenIqqFlqdWH
Malware Config

Extracted
Family: netwire
C2:
  bright1.awsmppl.com:4770
  ml.warzonedns.com:4770
Attributes:
  activex_autorun: false
  copy_executable: false
  delete_original: false
  host_id: HostId-yoAwQw
  keylogger_dir: C:\Users\Admin\AppData\Roaming\Logs\
  lock_executable: false
  offline_keylogger: true
  password: Password
  registry_autorun: false
  use_mutex: false
Signatures

NetWire RAT payload (1 IoC)
  yara_rule: netwire
  resource: behavioral1/memory/892-57-0x0000000000400000-0x0000000000425000-memory.dmp

Drops startup file (1 IoC)
  Process: f1a220c982fa2b7330cd7c7671f8733c.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mvnrdwndlnkngyb.vbs

Suspicious use of SetThreadContext (1 IoC)
  Process: f1a220c982fa2b7330cd7c7671f8733c.exe
  PID 1320 (f1a220c982fa2b7330cd7c7671f8733c.exe) set thread context of PID 892 (f1a220c982fa2b7330cd7c7671f8733c.exe)

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Process: f1a220c982fa2b7330cd7c7671f8733c.exe
  PID 1320 f1a220c982fa2b7330cd7c7671f8733c.exe
  PID 1320 f1a220c982fa2b7330cd7c7671f8733c.exe
  PID 1320 f1a220c982fa2b7330cd7c7671f8733c.exe
  PID 1320 f1a220c982fa2b7330cd7c7671f8733c.exe

Suspicious behavior: MapViewOfSection (3 IoCs)
  Process: f1a220c982fa2b7330cd7c7671f8733c.exe
  PID 1320 f1a220c982fa2b7330cd7c7671f8733c.exe
  PID 1320 f1a220c982fa2b7330cd7c7671f8733c.exe
  PID 1320 f1a220c982fa2b7330cd7c7671f8733c.exe

Suspicious use of WriteProcessMemory (13 IoCs)
  Process: f1a220c982fa2b7330cd7c7671f8733c.exe
  PID 1320 (f1a220c982fa2b7330cd7c7671f8733c.exe) wrote to memory of PID 736 (f1a220c982fa2b7330cd7c7671f8733c.exe)
  PID 1320 (f1a220c982fa2b7330cd7c7671f8733c.exe) wrote to memory of PID 736 (f1a220c982fa2b7330cd7c7671f8733c.exe)
  PID 1320 (f1a220c982fa2b7330cd7c7671f8733c.exe) wrote to memory of PID 736 (f1a220c982fa2b7330cd7c7671f8733c.exe)
  PID 1320 (f1a220c982fa2b7330cd7c7671f8733c.exe) wrote to memory of PID 736 (f1a220c982fa2b7330cd7c7671f8733c.exe)
  PID 1320 (f1a220c982fa2b7330cd7c7671f8733c.exe) wrote to memory of PID 896 (f1a220c982fa2b7330cd7c7671f8733c.exe)
  PID 1320 (f1a220c982fa2b7330cd7c7671f8733c.exe) wrote to memory of PID 896 (f1a220c982fa2b7330cd7c7671f8733c.exe)
  PID 1320 (f1a220c982fa2b7330cd7c7671f8733c.exe) wrote to memory of PID 896 (f1a220c982fa2b7330cd7c7671f8733c.exe)
  PID 1320 (f1a220c982fa2b7330cd7c7671f8733c.exe) wrote to memory of PID 896 (f1a220c982fa2b7330cd7c7671f8733c.exe)
  PID 1320 (f1a220c982fa2b7330cd7c7671f8733c.exe) wrote to memory of PID 892 (f1a220c982fa2b7330cd7c7671f8733c.exe)
  PID 1320 (f1a220c982fa2b7330cd7c7671f8733c.exe) wrote to memory of PID 892 (f1a220c982fa2b7330cd7c7671f8733c.exe)
  PID 1320 (f1a220c982fa2b7330cd7c7671f8733c.exe) wrote to memory of PID 892 (f1a220c982fa2b7330cd7c7671f8733c.exe)
  PID 1320 (f1a220c982fa2b7330cd7c7671f8733c.exe) wrote to memory of PID 892 (f1a220c982fa2b7330cd7c7671f8733c.exe)
  PID 1320 (f1a220c982fa2b7330cd7c7671f8733c.exe) wrote to memory of PID 892 (f1a220c982fa2b7330cd7c7671f8733c.exe)
Processes

C:\Users\Admin\AppData\Local\Temp\f1a220c982fa2b7330cd7c7671f8733c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f1a220c982fa2b7330cd7c7671f8733c.exe"
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\f1a220c982fa2b7330cd7c7671f8733c.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\f1a220c982fa2b7330cd7c7671f8733c.exe"

  C:\Users\Admin\AppData\Local\Temp\f1a220c982fa2b7330cd7c7671f8733c.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\f1a220c982fa2b7330cd7c7671f8733c.exe"

  C:\Users\Admin\AppData\Local\Temp\f1a220c982fa2b7330cd7c7671f8733c.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\f1a220c982fa2b7330cd7c7671f8733c.exe"
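The WriteProcessMemory and SetThreadContext IoCs above, read together with the process tree, describe process hollowing: the parent (PID 1320) spawns three children of its own image, writes into all three, but only redirects the main thread of PID 892, and 892 is the only PID whose memory dump matched the netwire YARA rule. The script below is an added triage example, not part of the sandbox report or the sandbox vendor's tooling. It parses event lines in the report's own "PID <src> wrote to memory of <dst> ..." layout (rebuilt inline with the report's counts of 4, 4, 5 and 1), assigns each target PID a verdict, and checks whether a YARA-hit dump name points at a PID the event model flagged. The regex, class and function names are my own assumptions, not a documented format.

```python
"""Process-hollowing triage over sandbox-style API events (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed input, reproduced from the report's WriteProcessMemory (13)
# and SetThreadContext (1) IoCs: 4 writes to 736, 4 to 896, 5 to 892, and a
# single thread-context switch on 892.
IMG = "f1a220c982fa2b7330cd7c7671f8733c.exe"
EVENT_LINES: List[str] = (
    [f"PID 1320 wrote to memory of 736 1320 {IMG} {IMG}"] * 4
    + [f"PID 1320 wrote to memory of 896 1320 {IMG} {IMG}"] * 4
    + [f"PID 1320 wrote to memory of 892 1320 {IMG} {IMG}"] * 5
    + [f"PID 1320 set thread context of 892 1320 {IMG} {IMG}"]
)

# Assumed line layout: "PID <src> <verb> <dst> <src> <src image> <dst image>".
EVENT_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<verb>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) (?P=src) (?P<src_img>\S+) (?P<dst_img>\S+)$"
)

# Assumed dump-name layout from the YARA hit:
# "behavioral1/memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp".
DUMP_RE = re.compile(
    r"^behavioral\d+/memory/(?P<pid>\d+)-\d+-0x[0-9a-fA-F]+-0x[0-9a-fA-F]+-memory\.dmp$"
)


@dataclass
class TargetState:
    """What the source process did to one target PID."""
    src: int
    same_image: bool          # target runs the injector's own image (self-hollowing)
    writes: int = 0           # WriteProcessMemory calls observed
    thread_context_set: bool = False  # SetThreadContext observed

    def verdict(self) -> str:
        # Hollowing needs both halves: payload written into the child, then
        # its thread redirected to the new entry point. Children that were
        # only written to (736 and 896 here) never had their context switched;
        # the parent abandoned them and retried with a fresh child.
        if self.writes and self.thread_context_set:
            return "hollowed"
        if self.writes:
            return "written-only"
        return "context-only"  # context switched without any write; unusual


def parse_events(lines: List[str]) -> Dict[int, TargetState]:
    """Fold injection-related event lines into per-target state."""
    targets: Dict[int, TargetState] = {}
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # not an injection event this model understands
        dst = int(m["dst"])
        state = targets.setdefault(
            dst,
            TargetState(
                src=int(m["src"]),
                same_image=m["src_img"].lower() == m["dst_img"].lower(),
            ),
        )
        if m["verb"].startswith("wrote"):
            state.writes += 1
        else:
            state.thread_context_set = True
    return targets


def hollowed_pids(targets: Dict[int, TargetState]) -> List[int]:
    """PIDs whose event history matches the write-then-SetThreadContext pattern."""
    return sorted(pid for pid, st in targets.items() if st.verdict() == "hollowed")


def correlate_dump(dump_name: str, targets: Dict[int, TargetState]) -> bool:
    """True when a YARA-hit memory dump belongs to a PID flagged as hollowed.

    This is the cross-check a triager wants: the payload signature should fire
    in the child that received the thread-context switch, not in the parent
    or in an abandoned child.
    """
    m = DUMP_RE.match(dump_name)
    return bool(m) and int(m["pid"]) in hollowed_pids(targets)


if __name__ == "__main__":
    states = parse_events(EVENT_LINES)
    for pid, st in sorted(states.items()):
        print(f"{st.src} -> {pid}: writes={st.writes} ctx={st.thread_context_set} "
              f"same_image={st.same_image} verdict={st.verdict()}")
    dump = "behavioral1/memory/892-57-0x0000000000400000-0x0000000000425000-memory.dmp"
    print("YARA dump matches hollowed PID:", correlate_dump(dump, states))
```

On this report the script flags 892 alone as hollowed, marks 736 and 896 as written-only, and confirms the netwire dump belongs to 892. The same-image flag is recorded but not required for the verdict, since hollowing into a different host image (a system binary, for instance) follows the identical API sequence.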