Analysis
-
max time kernel
135s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20230221-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
submitted
14-06-2023 01:21
Static task
static1
Behavioral task
behavioral1
Sample
2b5eca0c8dcfd123b1790a137feb4146.exe
Resource
win7-20230220-en
General
-
Target
2b5eca0c8dcfd123b1790a137feb4146.exe
-
Size
2.9MB
-
MD5
2b5eca0c8dcfd123b1790a137feb4146
-
SHA1
57ba47e17ab6de85a6cefa26b3b80a0efa72d4e5
-
SHA256
1f64ef3c5f7690033cf54608c3f4ba61a99c1494a2a2d5aa06f8b6634d8e305b
-
SHA512
94058f6b34f3820130571aec3f82fc89a3ba4198b65fe80e705f82ee7187ac2027ffe054ddabf945c7fff4db36224c74c95e1756ed755de7ea13dfb142c40a94
-
SSDEEP
49152:Qmd9Cf3Vvwxrb/T2vO90d7HjmAFd4A64nsfJdVfZgXKRQHfDTJz1jStov0hlZ0Az:+3qH8qo8V0A
Malware Config
Extracted
netwire
127.0.0.1:3360
needforrat.hopto.org:3360
-
activex_autorun
false
-
copy_executable
false
-
delete_original
false
-
host_id
HostId-%Rand%
-
keylogger_dir
TestLink.lnk
-
lock_executable
false
-
mutex
JjkhHVmd
-
offline_keylogger
false
-
password
Password
-
registry_autorun
false
-
use_mutex
false
Signatures
-
NetWire RAT payload 2 IoCs
resource | yara_rule
behavioral2/files/0x0007000000023165-135.dat | netwire
behavioral2/files/0x0007000000023165-136.dat | netwire
-
Drops startup file 1 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TestLink.lnk | go-memexec-4057215992.exe
-
Executes dropped EXE 1 IoCs
pid | Process
3088 | go-memexec-4057215992.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 3 IoCs
description | pid | Process | procid_target
PID 4980 wrote to memory of 3088 | 4980 | 2b5eca0c8dcfd123b1790a137feb4146.exe | 84
PID 4980 wrote to memory of 3088 | 4980 | 2b5eca0c8dcfd123b1790a137feb4146.exe | 84
PID 4980 wrote to memory of 3088 | 4980 | 2b5eca0c8dcfd123b1790a137feb4146.exe | 84
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\2b5eca0c8dcfd123b1790a137feb4146.exe
   "C:\Users\Admin\AppData\Local\Temp\2b5eca0c8dcfd123b1790a137feb4146.exe"
   - Suspicious use of WriteProcessMemory
   PID: 4980
   2. C:\Users\Admin\AppData\Local\Temp\go-memexec-4057215992.exe
      C:\Users\Admin\AppData\Local\Temp\go-memexec-4057215992.exe
      - Drops startup file
      - Executes dropped EXE
      PID: 3088
-
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
273KB
MD5
8d832a17a7134571f228bc0da586a541
SHA1
274f83a8874d16ff937d3e8c231bcf4916d18fe8
SHA256
36b9e2e48e5f7ab4543df7f80d299bb72e65c5f343d8bb1d8bff39764a829c8f
SHA512
0b5e00c88a35eb72b0f06d82fe3cd5a84c0520480f3d631ca42c7d3bc04bf33001f84943c6d4e9c8e1abb00414669a978de45b72b6bb8a002cc5c53d86d88bcb