Analysis
- max time kernel: 149s
- max time network: 152s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 01-04-2023 05:02
Behavioral task: behavioral1
- Sample: r.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: r.exe
- Resource: win10v2004-20230220-en
General
- Target: r.exe
- Size: 160KB
- MD5: fb8441287cef7a3c0a67a24830a648f3
- SHA1: 6fef02a3793b481a2603da3d5051698ea752f4ab
- SHA256: 10a9942365cfd73d8c11b5b8e46763a53c642e5ddd9577a21c2388e7bc99d910
- SHA512: 660a630c200f34808deba9484d416a8292176f18516a33d9af7c0ec3e5764f41c9a77d8fbf42dd123b8cdbe71e7537a2f63ccc675b2271c85b7a4164c0b4ad0e
- SSDEEP: 3072:jOzPcXa+ND32eioGHlz8rnAE0HCXh0edLv1YMjMqqDvFf:jOTcK+NrRioGHlz8rz0i/1zQqqDvFf
Malware Config
Extracted family: netwire
C2 hosts:
- wire.universitynetservice1979.info:8888
- 167.179.102.70:8888
- 62.234.24.30:8888
Configuration:
- activex_autorun: false
- copy_executable: true
- delete_original: true
- host_id: HostId-%Rand%
- install_path: %AppData%\Install\svchost.exe
- keylogger_dir: %AppData%\Logs\
- lock_executable: false
- mutex: olflQfiP
- offline_keylogger: true
- password: win
- registry_autorun: true
- startup_name: netloading
- use_mutex: true
Signatures
- NetWire RAT payload (12 IoCs)
  Resource -> YARA rule:
  - \Users\Admin\AppData\Roaming\Install\svchost.exe -> netwire
  - \Users\Admin\AppData\Roaming\Install\svchost.exe -> netwire
  - C:\Users\Admin\AppData\Roaming\Install\svchost.exe -> netwire
  - C:\Users\Admin\AppData\Roaming\Install\svchost.exe -> netwire
  - behavioral1/memory/1192-62-0x0000000000400000-0x0000000000433000-memory.dmp -> netwire
  - behavioral1/memory/1076-64-0x0000000000400000-0x0000000000433000-memory.dmp -> netwire
  - behavioral1/memory/1076-66-0x0000000000400000-0x0000000000433000-memory.dmp -> netwire
  - behavioral1/memory/1076-73-0x0000000000400000-0x0000000000433000-memory.dmp -> netwire
  - behavioral1/memory/1076-74-0x0000000000400000-0x0000000000433000-memory.dmp -> netwire
  - behavioral1/memory/1076-75-0x0000000000400000-0x0000000000433000-memory.dmp -> netwire
  - behavioral1/memory/1076-76-0x0000000000400000-0x0000000000433000-memory.dmp -> netwire
  - behavioral1/memory/1076-77-0x0000000000400000-0x0000000000433000-memory.dmp -> netwire
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
  - 1076 svchost.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
  - 1192 r.exe
  - 1192 r.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description, ioc, process):
  - Key created: \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ (svchost.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run\netloading = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\svchost.exe" (svchost.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description, pid, process, target process):
  - PID 1192 wrote to memory of 1076: r.exe -> svchost.exe
  - PID 1192 wrote to memory of 1076: r.exe -> svchost.exe
  - PID 1192 wrote to memory of 1076: r.exe -> svchost.exe
  - PID 1192 wrote to memory of 1076: r.exe -> svchost.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\r.exe (tree depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\r.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Install\svchost.exe (tree depth 2, child of r.exe)
    Command line: "C:\Users\Admin\AppData\Roaming\Install\svchost.exe" -m "C:\Users\Admin\AppData\Local\Temp\r.exe"
    - Executes dropped EXE
    - Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Install\svchost.exe (also recorded as \Users\Admin\AppData\Roaming\Install\svchost.exe; four entries with identical hashes)
  - Filesize: 160KB
  - MD5: fb8441287cef7a3c0a67a24830a648f3
  - SHA1: 6fef02a3793b481a2603da3d5051698ea752f4ab
  - SHA256: 10a9942365cfd73d8c11b5b8e46763a53c642e5ddd9577a21c2388e7bc99d910
  - SHA512: 660a630c200f34808deba9484d416a8292176f18516a33d9af7c0ec3e5764f41c9a77d8fbf42dd123b8cdbe71e7537a2f63ccc675b2271c85b7a4164c0b4ad0e
- Memory dumps (Filesize 204KB each):
  - memory/1076-64-0x0000000000400000-0x0000000000433000-memory.dmp
  - memory/1076-66-0x0000000000400000-0x0000000000433000-memory.dmp
  - memory/1076-73-0x0000000000400000-0x0000000000433000-memory.dmp
  - memory/1076-74-0x0000000000400000-0x0000000000433000-memory.dmp
  - memory/1076-75-0x0000000000400000-0x0000000000433000-memory.dmp
  - memory/1076-76-0x0000000000400000-0x0000000000433000-memory.dmp
  - memory/1076-77-0x0000000000400000-0x0000000000433000-memory.dmp
  - memory/1192-62-0x0000000000400000-0x0000000000433000-memory.dmp