Analysis
- max time kernel: 149s
- max time network: 152s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 18-06-2023 08:18
- Static task: static1
- Behavioral task: behavioral1
  - Sample: HEUR-Backdoor.Win32.Generic-d25e23199a7c7f97e.exe
  - Resource: win7-20230220-en
General
- Target: HEUR-Backdoor.Win32.Generic-d25e23199a7c7f97e.exe
- Size: 389KB
- MD5: da276444d26b555c6c794248df8019c7
- SHA1: 13bcf9ee210e4130a45dbde394b5e242e34af2e3
- SHA256: d25e23199a7c7f97e3e21ff927d53002353f22f299c41dca7cd3cdc3cae6531d
- SHA512: 4574da66f92cbae2e4b81558a93c28af5ad716dbab9ca6758744ec2a821c9aef36347f3f1418e4d84940bc3baaac5b59377ab224598a2fecc6b3197b8daa8cd6
- SSDEEP: 6144:93PyM/PNbjuSR81Uwzqs52CEhuA0Xop90V/az3Ws2of1Q:RPyCV/o/qUWDAopyV/rZof1Q
Malware Config
Extracted family: netwire
- C2 hosts: william1979.ddns.net:4416, mathkros79.ddns.net:4416, engine79.ddns.net:4416, chrisle79.ddns.net:4416, jacknop79.ddns.net:4416, smath79.ddns.net:4416, whatis79.ddns.net:4416, goodgt79.ddns.net:4416, bonding79.ddns.net:4416
- activex_autorun: false
- copy_executable: false
- delete_original: false
- host_id: Jan 2018
- keylogger_dir: %AppData%\Logs\
- lock_executable: false
- offline_keylogger: true
- password: Password2$
- registry_autorun: false
- use_mutex: false
Signatures
- NetWire RAT payload (11 IoCs, yara_rule: netwire)
  - Matching resources: behavioral1/files/0x00080000000122ee-{65,67,69,71}.dat; behavioral1/memory/1352-{81,83,86,89}-0x0000000000400000-0x0000000000420000-memory.dmp; behavioral1/memory/588-{98,101,111}-0x0000000000400000-0x0000000000420000-memory.dmp
- Drops startup file (1 IoC)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.exe.lnk (process: HEUR-Backdoor.Win32.Generic-d25e23199a7c7f97e.exe)
- Executes dropped EXE (2 IoCs)
  - PID 588: tmp.exe
  - PID 1352: svhost.exe
- Loads dropped DLL (5 IoCs)
  - PID 1060: HEUR-Backdoor.Win32.Generic-d25e23199a7c7f97e.exe (5 events)
- Suspicious use of SetThreadContext (1 IoC)
  - PID 1060 (HEUR-Backdoor.Win32.Generic-d25e23199a7c7f97e.exe) set thread context of PID 1352 (procid_target 32)
- Enumerates physical storage devices (1 TTP)
  - Attempts to interact with connected storage/optical drive(s).
- Delays execution with timeout.exe (1 IoC)
  - PID 908: timeout.exe
- NTFS ADS (1 IoC)
  - File created: C:\Users\Admin\AppData\Roaming\FolderN\name.exe:Zone.Identifier (process: cmd.exe)
- Suspicious behavior: EnumeratesProcesses (13 IoCs)
  - PID 1060: HEUR-Backdoor.Win32.Generic-d25e23199a7c7f97e.exe (13 events)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  - Token: SeDebugPrivilege, PID 1060 (HEUR-Backdoor.Win32.Generic-d25e23199a7c7f97e.exe)
- Suspicious use of WriteProcessMemory (29 IoCs)
  - PID 1060 (HEUR-Backdoor.Win32.Generic-d25e23199a7c7f97e.exe) wrote to memory of PID 1100 (procid_target 28): 4 events
  - PID 1100 (cmd.exe) wrote to memory of PID 1168 (procid_target 30): 4 events
  - PID 1060 (HEUR-Backdoor.Win32.Generic-d25e23199a7c7f97e.exe) wrote to memory of PID 588 (procid_target 31): 4 events
  - PID 1060 (HEUR-Backdoor.Win32.Generic-d25e23199a7c7f97e.exe) wrote to memory of PID 1352 (procid_target 32): 9 events
  - PID 1060 (HEUR-Backdoor.Win32.Generic-d25e23199a7c7f97e.exe) wrote to memory of PID 308 (procid_target 34): 4 events
  - PID 308 (cmd.exe) wrote to memory of PID 908 (procid_target 35): 4 events
Processes
- C:\Users\Admin\AppData\Local\Temp\HEUR-Backdoor.Win32.Generic-d25e23199a7c7f97e.exe (PID 1060)
  Command line: "C:\Users\Admin\AppData\Local\Temp\HEUR-Backdoor.Win32.Generic-d25e23199a7c7f97e.exe"
  Signatures: Drops startup file; Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 1100)
    Command line: "cmd.exe"
    Signatures: NTFS ADS; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe (PID 1168)
      Command line: reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\FolderN\name.exe.lnk" /f
  - C:\Users\Admin\AppData\Roaming\tmp.exe (PID 588)
    Command line: "C:\Users\Admin\AppData\Roaming\tmp.exe"
    Signatures: Executes dropped EXE
  - C:\Users\Admin\AppData\Local\Temp\svhost.exe (PID 1352)
    Command line: "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
    Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 308)
    Command line: cmd /c C:\Users\Admin\AppData\Roaming\FolderN\name.exe.bat
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\timeout.exe (PID 908)
      Command line: timeout /t 300
      Signatures: Delays execution with timeout.exe
Network
MITRE ATT&CK Enterprise v6
Downloads