Malware Analysis Report

2025-01-18 16:52

Sample ID 230618-j6pjhsec66
Target HEUR-Backdoor.Win32.Generic-d25e23199a7c7f97e.exe
SHA256 d25e23199a7c7f97e3e21ff927d53002353f22f299c41dca7cd3cdc3cae6531d
Tags
netwire botnet rat stealer
score
10/10

Analysis Overview

score
10/10

SHA256

d25e23199a7c7f97e3e21ff927d53002353f22f299c41dca7cd3cdc3cae6531d

Threat Level: Known bad

The file HEUR-Backdoor.Win32.Generic-d25e23199a7c7f97e.exe was found to be: Known bad.

Malicious Activity Summary

netwire botnet rat stealer

NetWire RAT payload

Netwire

Executes dropped EXE

Loads dropped DLL

Drops startup file

Checks computer location settings

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

NTFS ADS

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Delays execution with timeout.exe

Analysis: static1

Detonation Overview

Reported

2023-06-18 08:17

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-06-18 08:17

Reported

2023-06-18 08:19

Platform

win7-20230220-en

Max time kernel

149s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\HEUR-Backdoor.Win32.Generic-d25e23199a7c7f97e.exe"

Signatures

NetWire RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Netwire

botnet stealer netwire

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.exe.lnk C:\Users\Admin\AppData\Local\Temp\HEUR-Backdoor.Win32.Generic-d25e23199a7c7f97e.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1292 set thread context of 1732 N/A C:\Users\Admin\AppData\Local\Temp\HEUR-Backdoor.Win32.Generic-d25e23199a7c7f97e.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

NTFS ADS

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\FolderN\name.exe:Zone.Identifier C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\HEUR-Backdoor.Win32.Generic-d25e23199a7c7f97e.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1292 wrote to memory of 960 N/A C:\Users\Admin\AppData\Local\Temp\HEUR-Backdoor.Win32.Generic-d25e23199a7c7f97e.exe C:\Windows\SysWOW64\cmd.exe
PID 960 wrote to memory of 1940 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1292 wrote to memory of 592 N/A C:\Users\Admin\AppData\Local\Temp\HEUR-Backdoor.Win32.Generic-d25e23199a7c7f97e.exe C:\Users\Admin\AppData\Roaming\tmp.exe
PID 1292 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\HEUR-Backdoor.Win32.Generic-d25e23199a7c7f97e.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 1292 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\HEUR-Backdoor.Win32.Generic-d25e23199a7c7f97e.exe C:\Windows\SysWOW64\cmd.exe
PID 1816 wrote to memory of 1772 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe

Processes

C:\Users\Admin\AppData\Local\Temp\HEUR-Backdoor.Win32.Generic-d25e23199a7c7f97e.exe

"C:\Users\Admin\AppData\Local\Temp\HEUR-Backdoor.Win32.Generic-d25e23199a7c7f97e.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe"

C:\Windows\SysWOW64\reg.exe

reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\FolderN\name.exe.lnk" /f

C:\Users\Admin\AppData\Roaming\tmp.exe

"C:\Users\Admin\AppData\Roaming\tmp.exe"

C:\Users\Admin\AppData\Local\Temp\svhost.exe

"C:\Users\Admin\AppData\Local\Temp\svhost.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Roaming\FolderN\name.exe.bat

C:\Windows\SysWOW64\timeout.exe

timeout /t 300

Network

Country Destination Domain Proto
US 8.8.8.8:53 william1979.ddns.net udp
US 184.105.237.196:4416 william1979.ddns.net tcp

Files

memory/1292-54-0x0000000000240000-0x0000000000280000-memory.dmp

C:\Users\Admin\AppData\Roaming\FolderN\name.exe

MD5 da276444d26b555c6c794248df8019c7
SHA1 13bcf9ee210e4130a45dbde394b5e242e34af2e3
SHA256 d25e23199a7c7f97e3e21ff927d53002353f22f299c41dca7cd3cdc3cae6531d
SHA512 4574da66f92cbae2e4b81558a93c28af5ad716dbab9ca6758744ec2a821c9aef36347f3f1418e4d84940bc3baaac5b59377ab224598a2fecc6b3197b8daa8cd6

C:\Users\Admin\AppData\Roaming\tmp.exe

MD5 9c393cac6ef1c3282e3daf6ec50b79de
SHA1 34afa77f3d276191c278d56fa870d11c5069f48e
SHA256 7231c7a76d9c4d0a307197522a2aec968f31865a4b2c4b962b64b01e9229315b
SHA512 82543c3b43d10616ff9687e468ab75f3e96d0f0fdc795df2ef341b91c4ef915b0bad5bfbf6916939d40596d9bcd3190a1371bced3be16513768cc096c9c9b66e

memory/1732-78-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1732-79-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1732-80-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1732-81-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1732-82-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\svhost.exe

MD5 2e5f1cf69f92392f8829fc9c9263ae9b
SHA1 97b9ca766bbbdaa8c9ec960dc41b598f7fad82a5
SHA256 51985a57e085d8b17042f0cdc1f905380b792854733eb3275fd8fce4e3bb886b
SHA512 f7e096dd9d0fa3a3c04c01bf229c4b344798a4c8b7b848588c1d78cb9fadfa9b1d0fd53c1fe74d191d5561e9eb551a4a3fc918363f119ea60024dd3d67c83883

C:\Users\Admin\AppData\Roaming\FolderN\name.exe.bat

MD5 dca86f6bec779bba1b58d992319e88db
SHA1 844e656d3603d15ae56f36298f8031ad52935829
SHA256 413b4ee68f5400fcd30ae5df957d723989b400637dbc7f5d158fa050bdc20743
SHA512 4b9d532a777921543b3243020ea4b655a8b956c400b237ce714b5bd8e9a3ad7fdbcb11410e84e2e0ecc45e87dcd107385a487f5bb5b359aabd1322314ef2d24c

memory/592-98-0x0000000000400000-0x0000000000420000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-06-18 08:17

Reported

2023-06-18 08:19

Platform

win10v2004-20230220-en

Max time kernel

148s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\HEUR-Backdoor.Win32.Generic-d25e23199a7c7f97e.exe"

Signatures

NetWire RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Netwire

botnet stealer netwire

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\HEUR-Backdoor.Win32.Generic-d25e23199a7c7f97e.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.exe.lnk C:\Users\Admin\AppData\Local\Temp\HEUR-Backdoor.Win32.Generic-d25e23199a7c7f97e.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1124 set thread context of 4520 N/A C:\Users\Admin\AppData\Local\Temp\HEUR-Backdoor.Win32.Generic-d25e23199a7c7f97e.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

NTFS ADS

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\FolderN\name.exe:Zone.Identifier C:\Windows\SysWOW64\cmd.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\HEUR-Backdoor.Win32.Generic-d25e23199a7c7f97e.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\HEUR-Backdoor.Win32.Generic-d25e23199a7c7f97e.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1124 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\HEUR-Backdoor.Win32.Generic-d25e23199a7c7f97e.exe C:\Windows\SysWOW64\cmd.exe
PID 1400 wrote to memory of 896 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1124 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\HEUR-Backdoor.Win32.Generic-d25e23199a7c7f97e.exe C:\Users\Admin\AppData\Roaming\tmp.exe
PID 1124 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Temp\HEUR-Backdoor.Win32.Generic-d25e23199a7c7f97e.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 1124 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\HEUR-Backdoor.Win32.Generic-d25e23199a7c7f97e.exe C:\Windows\SysWOW64\cmd.exe
PID 4136 wrote to memory of 1364 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe

Processes

C:\Users\Admin\AppData\Local\Temp\HEUR-Backdoor.Win32.Generic-d25e23199a7c7f97e.exe

"C:\Users\Admin\AppData\Local\Temp\HEUR-Backdoor.Win32.Generic-d25e23199a7c7f97e.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe"

C:\Windows\SysWOW64\reg.exe

reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\FolderN\name.exe.lnk" /f

C:\Users\Admin\AppData\Roaming\tmp.exe

"C:\Users\Admin\AppData\Roaming\tmp.exe"

C:\Users\Admin\AppData\Local\Temp\svhost.exe

"C:\Users\Admin\AppData\Local\Temp\svhost.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FolderN\name.exe.bat

C:\Windows\SysWOW64\timeout.exe

timeout /t 300

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 william1979.ddns.net udp
US 184.105.237.196:4416 william1979.ddns.net tcp
US 8.8.8.8:53 196.237.105.184.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 20.42.65.90:443 tcp
US 184.105.237.196:4416 william1979.ddns.net tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 13.107.4.50:80 tcp
US 184.105.237.196:4416 william1979.ddns.net tcp
US 8.8.8.8:53 64.13.109.52.in-addr.arpa udp
NL 178.79.208.1:80 tcp
US 184.105.237.196:4416 william1979.ddns.net tcp

Files

memory/1124-133-0x00000000012F0000-0x0000000001300000-memory.dmp

C:\Users\Admin\AppData\Roaming\FolderN\name.exe

MD5 da276444d26b555c6c794248df8019c7
SHA1 13bcf9ee210e4130a45dbde394b5e242e34af2e3
SHA256 d25e23199a7c7f97e3e21ff927d53002353f22f299c41dca7cd3cdc3cae6531d
SHA512 4574da66f92cbae2e4b81558a93c28af5ad716dbab9ca6758744ec2a821c9aef36347f3f1418e4d84940bc3baaac5b59377ab224598a2fecc6b3197b8daa8cd6

C:\Users\Admin\AppData\Roaming\tmp.exe

MD5 9c393cac6ef1c3282e3daf6ec50b79de
SHA1 34afa77f3d276191c278d56fa870d11c5069f48e
SHA256 7231c7a76d9c4d0a307197522a2aec968f31865a4b2c4b962b64b01e9229315b
SHA512 82543c3b43d10616ff9687e468ab75f3e96d0f0fdc795df2ef341b91c4ef915b0bad5bfbf6916939d40596d9bcd3190a1371bced3be16513768cc096c9c9b66e

memory/4520-150-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\svhost.exe

MD5 84c42d0f2c1ae761bef884638bc1eacd
SHA1 4353881e7f4e9c7610f4e0489183b55bb58bb574
SHA256 331487446653875bf1e628b797a5283e40056654f7ff328eafbe39b0304480d3
SHA512 43c307a38faa3a4b311597034cf75035a4434a1024d2a54e867e6a94b53b677898d71a858438d119000e872a7a6e92c5b31d277a8c207a94375ed4fd3c7beb87

C:\Users\Admin\AppData\Roaming\FolderN\name.exe.bat

MD5 dca86f6bec779bba1b58d992319e88db
SHA1 844e656d3603d15ae56f36298f8031ad52935829
SHA256 413b4ee68f5400fcd30ae5df957d723989b400637dbc7f5d158fa050bdc20743
SHA512 4b9d532a777921543b3243020ea4b655a8b956c400b237ce714b5bd8e9a3ad7fdbcb11410e84e2e0ecc45e87dcd107385a487f5bb5b359aabd1322314ef2d24c

memory/3040-166-0x0000000000400000-0x0000000000420000-memory.dmp
