Analysis

max time kernel: 100s
max time network: 103s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 14-06-2023 01:21

Static task: static1
Behavioral task: behavioral1
Sample: 2b5eca0c8dcfd123b1790a137feb4146.exe
Resource: win7-20230220-en
General

Target: 2b5eca0c8dcfd123b1790a137feb4146.exe
Size: 2.9MB
MD5: 2b5eca0c8dcfd123b1790a137feb4146
SHA1: 57ba47e17ab6de85a6cefa26b3b80a0efa72d4e5
SHA256: 1f64ef3c5f7690033cf54608c3f4ba61a99c1494a2a2d5aa06f8b6634d8e305b
SHA512: 94058f6b34f3820130571aec3f82fc89a3ba4198b65fe80e705f82ee7187ac2027ffe054ddabf945c7fff4db36224c74c95e1756ed755de7ea13dfb142c40a94
SSDEEP: 49152:Qmd9Cf3Vvwxrb/T2vO90d7HjmAFd4A64nsfJdVfZgXKRQHfDTJz1jStov0hlZ0Az:+3qH8qo8V0A
Malware Config

Extracted family: netwire
C2: 127.0.0.1:3360
C2: needforrat.hopto.org:3360
activex_autorun: false
copy_executable: false
delete_original: false
host_id: HostId-%Rand%
keylogger_dir: TestLink.lnk
lock_executable: false
mutex: JjkhHVmd
offline_keylogger: false
password: Password
registry_autorun: false
use_mutex: false
Signatures

NetWire RAT payload (3 IoCs)
resource | yara_rule
behavioral1/files/0x000b00000001230b-57.dat | netwire
behavioral1/files/0x000b00000001230b-59.dat | netwire
behavioral1/files/0x000b00000001230b-58.dat | netwire

Drops startup file (1 IoC)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TestLink.lnk | go-memexec-4007945008.exe

Executes dropped EXE (1 IoC)
pid | Process
1704 | go-memexec-4007945008.exe

Loads dropped DLL (1 IoC)
pid | Process
1704 | go-memexec-4007945008.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (4 IoCs)
description | pid | Process | procid_target
PID 1680 wrote to memory of 1704 | 1680 | 2b5eca0c8dcfd123b1790a137feb4146.exe | 29
PID 1680 wrote to memory of 1704 | 1680 | 2b5eca0c8dcfd123b1790a137feb4146.exe | 29
PID 1680 wrote to memory of 1704 | 1680 | 2b5eca0c8dcfd123b1790a137feb4146.exe | 29
PID 1680 wrote to memory of 1704 | 1680 | 2b5eca0c8dcfd123b1790a137feb4146.exe | 29
Processes

1. C:\Users\Admin\AppData\Local\Temp\2b5eca0c8dcfd123b1790a137feb4146.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2b5eca0c8dcfd123b1790a137feb4146.exe"
   PID: 1680
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\go-memexec-4007945008.exe (child of PID 1680)
      Command line: C:\Users\Admin\AppData\Local\Temp\go-memexec-4007945008.exe
      PID: 1704
      - Drops startup file
      - Executes dropped EXE
      - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 273KB
MD5: 8d832a17a7134571f228bc0da586a541
SHA1: 274f83a8874d16ff937d3e8c231bcf4916d18fe8
SHA256: 36b9e2e48e5f7ab4543df7f80d299bb72e65c5f343d8bb1d8bff39764a829c8f
SHA512: 0b5e00c88a35eb72b0f06d82fe3cd5a84c0520480f3d631ca42c7d3bc04bf33001f84943c6d4e9c8e1abb00414669a978de45b72b6bb8a002cc5c53d86d88bcb