Analysis
max time kernel: 135s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-05-2023 22:16
Static task: static1
Behavioral task: behavioral1
Sample: 1A2C28A7682C26DDB97885FC056DC72B2C2DF437C5FA3.exe
Resource: win7-20230220-en
General
Target: 1A2C28A7682C26DDB97885FC056DC72B2C2DF437C5FA3.exe
Size: 1.1MB
MD5: 9c6d1aca02db373a52401485c376d87e
SHA1: 9cc4435729a11d7c524d761b67de508b4474b206
SHA256: 1a2c28a7682c26ddb97885fc056dc72b2c2df437c5fa3031226e34775095df06
SHA512: 9f4aaadf939a97e2354f18ef1943594edf2c6eb04852e4fecc68ff1eeee9146ff1ec1ac26191f8c9435e39b765da23f14aa835313de670d3235e6b4eb890955d
SSDEEP: 24576:iCdxte/80jYLT3U1jfsWa/69ryeoEuGfYsoRzDQ:zw80cTsjkWa/FR4
Malware Config
Extracted
Family: netwire
C2: halwachi50.mymediapc.net:5868
activex_autorun: false
copy_executable: true
delete_original: false
host_id: HostId-%Rand%
install_path: %AppData%\Install\Host.exe
keylogger_dir: %AppData%\Logs\
lock_executable: true
offline_keylogger: true
password: Password
registry_autorun: false
use_mutex: false
Signatures

NetWire RAT payload (2 IoCs)
Processes:
resource                                                                      yara_rule
behavioral2/memory/3748-133-0x0000000000400000-0x000000000042C000-memory.dmp  netwire
behavioral2/memory/3748-142-0x0000000000400000-0x000000000042C000-memory.dmp  netwire

Executes dropped EXE (1 IoC)
Processes:
pid   process
4760  Host.exe

AutoIT Executable (2 IoCs)
AutoIT scripts compiled to PE executables.
Processes:
resource                                         yara_rule
C:\Users\Admin\AppData\Roaming\Install\Host.exe  autoit_exe
C:\Users\Admin\AppData\Roaming\Install\Host.exe  autoit_exe

Suspicious use of SetThreadContext (1 IoC)
Processes:
description                          pid   process                                            target process
PID 3280 set thread context of 3748  3280  1A2C28A7682C26DDB97885FC056DC72B2C2DF437C5FA3.exe  1A2C28A7682C26DDB97885FC056DC72B2C2DF437C5FA3.exe

Suspicious behavior: EnumeratesProcesses (10 IoCs)
Processes:
pid   process
3280  1A2C28A7682C26DDB97885FC056DC72B2C2DF437C5FA3.exe
3280  1A2C28A7682C26DDB97885FC056DC72B2C2DF437C5FA3.exe
3280  1A2C28A7682C26DDB97885FC056DC72B2C2DF437C5FA3.exe
3280  1A2C28A7682C26DDB97885FC056DC72B2C2DF437C5FA3.exe
4760  Host.exe
4760  Host.exe
4760  Host.exe
4760  Host.exe
4760  Host.exe
4760  Host.exe

Suspicious use of FindShellTrayWindow (6 IoCs)
Processes:
pid   process
3280  1A2C28A7682C26DDB97885FC056DC72B2C2DF437C5FA3.exe
3280  1A2C28A7682C26DDB97885FC056DC72B2C2DF437C5FA3.exe
3280  1A2C28A7682C26DDB97885FC056DC72B2C2DF437C5FA3.exe
4760  Host.exe
4760  Host.exe
4760  Host.exe

Suspicious use of SendNotifyMessage (6 IoCs)
Processes:
pid   process
3280  1A2C28A7682C26DDB97885FC056DC72B2C2DF437C5FA3.exe
3280  1A2C28A7682C26DDB97885FC056DC72B2C2DF437C5FA3.exe
3280  1A2C28A7682C26DDB97885FC056DC72B2C2DF437C5FA3.exe
4760  Host.exe
4760  Host.exe
4760  Host.exe

Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
description                        pid   process                                            target process
PID 3280 wrote to memory of 3748   3280  1A2C28A7682C26DDB97885FC056DC72B2C2DF437C5FA3.exe  1A2C28A7682C26DDB97885FC056DC72B2C2DF437C5FA3.exe
PID 3280 wrote to memory of 3748   3280  1A2C28A7682C26DDB97885FC056DC72B2C2DF437C5FA3.exe  1A2C28A7682C26DDB97885FC056DC72B2C2DF437C5FA3.exe
PID 3280 wrote to memory of 3748   3280  1A2C28A7682C26DDB97885FC056DC72B2C2DF437C5FA3.exe  1A2C28A7682C26DDB97885FC056DC72B2C2DF437C5FA3.exe
PID 3280 wrote to memory of 3748   3280  1A2C28A7682C26DDB97885FC056DC72B2C2DF437C5FA3.exe  1A2C28A7682C26DDB97885FC056DC72B2C2DF437C5FA3.exe
PID 3280 wrote to memory of 3748   3280  1A2C28A7682C26DDB97885FC056DC72B2C2DF437C5FA3.exe  1A2C28A7682C26DDB97885FC056DC72B2C2DF437C5FA3.exe
PID 3748 wrote to memory of 4760   3748  1A2C28A7682C26DDB97885FC056DC72B2C2DF437C5FA3.exe  Host.exe
PID 3748 wrote to memory of 4760   3748  1A2C28A7682C26DDB97885FC056DC72B2C2DF437C5FA3.exe  Host.exe
PID 3748 wrote to memory of 4760   3748  1A2C28A7682C26DDB97885FC056DC72B2C2DF437C5FA3.exe  Host.exe
Processes

[1] C:\Users\Admin\AppData\Local\Temp\1A2C28A7682C26DDB97885FC056DC72B2C2DF437C5FA3.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\1A2C28A7682C26DDB97885FC056DC72B2C2DF437C5FA3.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\1A2C28A7682C26DDB97885FC056DC72B2C2DF437C5FA3.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\1A2C28A7682C26DDB97885FC056DC72B2C2DF437C5FA3.exe"
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Roaming\Install\Host.exe
            Command line: "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Matrix
Downloads
-
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize: 1.1MB
MD5: 9c6d1aca02db373a52401485c376d87e
SHA1: 9cc4435729a11d7c524d761b67de508b4474b206
SHA256: 1a2c28a7682c26ddb97885fc056dc72b2c2df437c5fa3031226e34775095df06
SHA512: 9f4aaadf939a97e2354f18ef1943594edf2c6eb04852e4fecc68ff1eeee9146ff1ec1ac26191f8c9435e39b765da23f14aa835313de670d3235e6b4eb890955d
-
memory/3280-143-0x0000000001670000-0x0000000001671000-memory.dmp
Filesize: 4KB
-
memory/3748-133-0x0000000000400000-0x000000000042C000-memory.dmp
Filesize: 176KB
-
memory/3748-142-0x0000000000400000-0x000000000042C000-memory.dmp
Filesize: 176KB