Analysis
  max time kernel:   149s
  max time network:  159s
  platform:          windows7_x64
  resource:          win7-20230220-en
  resource tags:     arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  submitted:         05-05-2023 19:54

Static task: static1
Behavioral task: behavioral1
  Sample:   D8D4A25DD484E96413FF9530E93621AF5C53E96CF2B04.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample:   D8D4A25DD484E96413FF9530E93621AF5C53E96CF2B04.exe
  Resource: win10v2004-20230220-en

The signatures, process tree and dumps below come from the behavioral1 (Windows 7 x64) run; the memory IoCs carry the behavioral1/ prefix.
General
  Target:  D8D4A25DD484E96413FF9530E93621AF5C53E96CF2B04.exe
  Size:    432KB
  MD5:     9b07a0fdaa64049e857b3982eeb3a575
  SHA1:    63d7d2eefd78ee4736243c8e32c305366603c579
  SHA256:  d8d4a25dd484e96413ff9530e93621af5c53e96cf2b0435968f5fc72dad85d9b
  SHA512:  49db3c66ee829534937ba0cc8f62f568cc04891b141e402d5c2c7961335efbd453f33bc57b218f9cf609b4a665df4b31810d4215d6e994c03934264b184c770a
  SSDEEP:  6144:SPn3xY3d6ND9D/S4mAC09X1Qd6pOzWqGLDUz7j42W3Llin:SLNoS1Y6pq1AUvjW3Un
Malware Config
Extracted: netwire
  C2 (host:port):    forgiveme.workisboring.com:3360
  activex_autorun:   true
  activex_key:       {TN38RH36-U670-03U7-57DE-24XMTWQBHGH1}
  copy_executable:   true
  delete_original:   false
  host_id:           bendal
  install_path:      %AppData%\Install\Host.exe
  keylogger_dir:     %AppData%\Logs\
  lock_executable:   false
  offline_keylogger: true
  password:          Password
  registry_autorun:  true
  startup_name:      centosffjk
  use_mutex:         false

Two persistence mechanisms are enabled here (activex_autorun and registry_autorun), the executable is copied to install_path but the original is not deleted, and the keylogger is configured to log offline to keylogger_dir. Each of these settings is borne out by a signature below.
Signatures

NetWire RAT payload (6 IoCs)
  resource                                                                       yara_rule
  behavioral1/memory/2024-54-0x0000000000400000-0x0000000000470000-memory.dmp    netwire
  behavioral1/memory/2024-60-0x0000000000400000-0x0000000000470000-memory.dmp    netwire
  behavioral1/memory/620-63-0x0000000000400000-0x0000000000470000-memory.dmp     netwire
  behavioral1/memory/620-66-0x0000000000400000-0x0000000000470000-memory.dmp     netwire
  behavioral1/memory/620-68-0x0000000000400000-0x0000000000470000-memory.dmp     netwire
  behavioral1/memory/620-71-0x0000000000400000-0x0000000000470000-memory.dmp     netwire
  The rule matches the same 0x400000-0x470000 image region in both the submitted sample (PID 2024) and the copy it launches (PID 620).
Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
  process   description      ioc
  Host.exe  Key created      \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{TN38RH36-U670-03U7-57DE-24XMTWQBHGH1}
  Host.exe  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{TN38RH36-U670-03U7-57DE-24XMTWQBHGH1}\StubPath = "\"C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe\""
  The component GUID is the activex_key from the extracted config. An Active Setup StubPath is executed at logon for every user profile that has not yet recorded the component under HKCU, so this survives independently of the Run key. The Wow6432Node path is the WOW64 registry redirection of HKLM\SOFTWARE for a 32-bit process on the x64 image.
Executes dropped EXE (1 IoC)
  pid   process
  620   Host.exe

Loads dropped DLL (1 IoC)
  pid    process
  2024   D8D4A25DD484E96413FF9530E93621AF5C53E96CF2B04.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
  process   description      ioc
  Host.exe  Key created      \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
  Host.exe  Set value (str)  \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows\CurrentVersion\Run\centosffjk = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe"
  The value name is the startup_name from the extracted config and the data is the expanded install_path.
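To turn the extracted config and the two registry-persistence signatures above into something to hunt with, here is an added example; it is not part of the sandbox report and not code from any tool the report uses. It expands the config into the concrete artifacts the sample should leave on a host (install path, keylogger directory, C2 host and port, Run value, Active Setup key) and then matches registry-write events, written in the report's own "Set value" notation, against them. The AppData path and the Wow6432Node redirection are assumptions taken from the report's signature lines; the event lines are constructed, with one benign Run entry added so the non-match case is exercised.

```python
"""Derive host IoCs from a NetWire config and match them against registry events.

Added example for the report above, not part of the sandbox output. Config values
are copied from the report; the AppData prefix and the Wow6432Node redirection
are assumptions drawn from the report's signature lines.
"""
import re
from typing import Dict, List, Tuple

# Values taken from the report's extracted NetWire config.
NETWIRE_CONFIG = {
    "c2": "forgiveme.workisboring.com:3360",
    "activex_autorun": True,
    "activex_key": "{TN38RH36-U670-03U7-57DE-24XMTWQBHGH1}",
    "install_path": "%AppData%\\Install\\Host.exe",
    "keylogger_dir": "%AppData%\\Logs\\",
    "registry_autorun": True,
    "startup_name": "centosffjk",
}

# Assumption: profile path of the sandbox user, as seen in the report's paths.
SANDBOX_APPDATA = r"C:\Users\Admin\AppData\Roaming"


def expected_artifacts(cfg: Dict, appdata: str = SANDBOX_APPDATA, wow64: bool = True) -> Dict:
    """Expand the config into the concrete artifacts the sample should leave.

    wow64=True models a 32-bit payload on 64-bit Windows, where HKLM\\SOFTWARE
    writes land under Wow6432Node (exactly what the report shows).
    """
    install = cfg["install_path"].replace("%AppData%", appdata)
    host, port = cfg["c2"].rsplit(":", 1)
    arts = {
        "install_path": install,
        "keylogger_dir": cfg["keylogger_dir"].replace("%AppData%", appdata),
        "c2_host": host,
        "c2_port": int(port),
    }
    if cfg.get("registry_autorun"):
        arts["run_value"] = r"Software\Microsoft\Windows\CurrentVersion\Run" + "\\" + cfg["startup_name"]
    if cfg.get("activex_autorun"):
        sw = r"SOFTWARE\Wow6432Node" if wow64 else "SOFTWARE"
        arts["active_setup_key"] = sw + r"\Microsoft\Active Setup\Installed Components" + "\\" + cfg["activex_key"]
    return arts


# Report notation: Set value (<type>) <registry path> = "<data>"
_SET_VALUE = re.compile(r'^Set value \((\w+)\) (.+?) = "(.*)"$')


def _unescape(value: str) -> str:
    """Undo the report's escaping: \" around the data and doubled backslashes."""
    return value.replace('\\"', '"').replace("\\\\", "\\").strip('"')


def match_registry_events(events: List[str], arts: Dict) -> List[Tuple[str, str]]:
    """Return (artifact, registry_path) for every Set-value event that realises
    one of the expected persistence artifacts. Comparison is case-insensitive,
    as registry paths are."""
    install = arts["install_path"].lower()
    run_suffix = ("\\" + arts["run_value"]).lower()
    stub_suffix = ("\\" + arts["active_setup_key"] + "\\StubPath").lower()
    hits = []
    for line in events:
        m = _SET_VALUE.match(line)
        if not m:
            continue                      # "Key created" lines carry no data to compare
        _kind, path, value = m.groups()
        p, v = path.lower(), _unescape(value).lower()
        if p.endswith(run_suffix) and v == install:
            hits.append(("run_key", path))
        elif p.endswith(stub_suffix) and v == install:
            hits.append(("active_setup_stubpath", path))
    return hits


# Constructed events: the report's three registry lines plus one benign Run entry.
SAMPLE_EVENTS = [
    r"Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{TN38RH36-U670-03U7-57DE-24XMTWQBHGH1}",
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{TN38RH36-U670-03U7-57DE-24XMTWQBHGH1}\StubPath = "\"C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe\""',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows\CurrentVersion\Run\centosffjk = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe"',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows\CurrentVersion\Run\Example = "C:\\Program Files\\Example\\example.exe"',
]


def main() -> None:
    arts = expected_artifacts(NETWIRE_CONFIG)
    for key, val in arts.items():
        print(f"{key:18} {val}")
    for artifact, path in match_registry_events(SAMPLE_EVENTS, arts):
        print(f"HIT {artifact}: {path}")


if __name__ == "__main__":
    main()
```

On a live host the same expected_artifacts output feeds a registry or EDR query directly: the Run value under the user hive and the Active Setup key under HKLM\SOFTWARE\Wow6432Node are the two keys to pull, and the C2 host:port is what to search for in DNS and proxy logs.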
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid    process
  2024   D8D4A25DD484E96413FF9530E93621AF5C53E96CF2B04.exe   (listed 64 times; the sample enumerated processes repeatedly)
Suspicious use of SetWindowsHookEx (2 IoCs)
  pid    process
  2024   D8D4A25DD484E96413FF9530E93621AF5C53E96CF2B04.exe
  620    Host.exe
  Both the original and the installed copy set a Windows hook, consistent with the keylogger enabled in the extracted config (offline_keylogger = true, keylogger_dir = %AppData%\Logs\).
Suspicious use of WriteProcessMemory (4 IoCs)
  description                        pid    process                                             target process
  PID 2024 wrote to memory of 620    2024   D8D4A25DD484E96413FF9530E93621AF5C53E96CF2B04.exe   Host.exe   (4 writes recorded)
Processes
C:\Users\Admin\AppData\Local\Temp\D8D4A25DD484E96413FF9530E93621AF5C53E96CF2B04.exe   (PID 2024)
  command line: "C:\Users\Admin\AppData\Local\Temp\D8D4A25DD484E96413FF9530E93621AF5C53E96CF2B04.exe"
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  └─ C:\Users\Admin\AppData\Roaming\Install\Host.exe   (PID 620, child of 2024)
       command line: "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
       - Modifies Installed Components in the registry
       - Executes dropped EXE
       - Adds Run key to start application
       - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Roaming\Install\Host.exe
  (reported three times, once as \Users\Admin\AppData\Roaming\Install\Host.exe without the drive letter; all entries identical)
  Filesize: 432KB
  MD5:      9b07a0fdaa64049e857b3982eeb3a575
  SHA1:     63d7d2eefd78ee4736243c8e32c305366603c579
  SHA256:   d8d4a25dd484e96413ff9530e93621af5c53e96cf2b0435968f5fc72dad85d9b
  SHA512:   49db3c66ee829534937ba0cc8f62f568cc04891b141e402d5c2c7961335efbd453f33bc57b218f9cf609b4a665df4b31810d4215d6e994c03934264b184c770a
  Size and every hash are the same as the submitted sample: Host.exe is a byte-for-byte self-copy at the config's install_path, as copy_executable = true predicts. Hunting for the file hash therefore finds both the dropped copy and the original, which delete_original = false leaves in place.

Memory dumps
  memory/620-63-0x0000000000400000-0x0000000000470000-memory.dmp    448KB
  memory/620-66-0x0000000000400000-0x0000000000470000-memory.dmp    448KB
  memory/620-68-0x0000000000400000-0x0000000000470000-memory.dmp    448KB
  memory/620-71-0x0000000000400000-0x0000000000470000-memory.dmp    448KB
  memory/2024-54-0x0000000000400000-0x0000000000470000-memory.dmp   448KB
  memory/2024-61-0x00000000003A0000-0x00000000003DA000-memory.dmp   232KB
  memory/2024-60-0x0000000000400000-0x0000000000470000-memory.dmp   448KB