Malware Analysis Report

2025-01-18 16:52

Sample ID 230625-1fwnkseg52
Target HEUR-Trojan.MSIL.Generic-d15f99dbd30bae6e896c.exe
SHA256 d15f99dbd30bae6e896c52a810fbcba080ae3ba76f3fc0d9a7761c5736ec7c81
Tags
netwire botnet persistence rat stealer
score
10/10

Analysis Overview

score
10/10

SHA256

d15f99dbd30bae6e896c52a810fbcba080ae3ba76f3fc0d9a7761c5736ec7c81

Threat Level: Known bad

The file HEUR-Trojan.MSIL.Generic-d15f99dbd30bae6e896c.exe was found to be: Known bad.

Malicious Activity Summary

netwire botnet persistence rat stealer

Netwire

NetWire RAT payload

Modifies Installed Components in the registry

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Drops startup file

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-06-25 21:36

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-06-25 21:36

Reported

2023-06-25 21:38

Platform

win7-20230621-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Generic-d15f99dbd30bae6e896c.exe"

Signatures

NetWire RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Netwire

botnet stealer netwire

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{OTGC73Q0-N4WA-4861-311L-BE075477ANH7} C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{OTGC73Q0-N4WA-4861-311L-BE075477ANH7}\StubPath = "\"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\AppLaunch.exe\"" C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundlll32.exe C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Generic-d15f99dbd30bae6e896c.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundlll32.exe C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Generic-d15f99dbd30bae6e896c.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundlll32.kst1onho.lnk C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Generic-d15f99dbd30bae6e896c.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows defender = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\AppLaunch.exe" C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1328 set thread context of 1636 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundlll32.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\Settings.ini C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\Settings.ini C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe N/A

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Generic-d15f99dbd30bae6e896c.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Generic-d15f99dbd30bae6e896c.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1624 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Generic-d15f99dbd30bae6e896c.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundlll32.exe
PID 1328 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundlll32.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundlll32.exe
PID 1328 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundlll32.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe

Processes

C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Generic-d15f99dbd30bae6e896c.exe

"C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Generic-d15f99dbd30bae6e896c.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundlll32.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundlll32.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundlll32.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundlll32.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 sosclient.duckdns.org udp
US 192.169.69.26:9002 sosclient.duckdns.org tcp
US 192.169.69.26:9002 tcp

Files

memory/1624-54-0x0000000000D70000-0x0000000000DB0000-memory.dmp

\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundlll32.exe

MD5 7a6a6b35d4bc575897a1420134afc96a
SHA1 9c5e87ce87b70a52f57097172c2babde2021454b
SHA256 d15f99dbd30bae6e896c52a810fbcba080ae3ba76f3fc0d9a7761c5736ec7c81
SHA512 b879c2bf81017f8f97d4db3b458d6f3ff6eb1acb6e28394d9a292d58e83194857c6c5981378170e81d383340eb3eff42d2d64ce54ebd7a3e7357988428da5d2e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundlll32.exe

MD5 7a6a6b35d4bc575897a1420134afc96a
SHA1 9c5e87ce87b70a52f57097172c2babde2021454b
SHA256 d15f99dbd30bae6e896c52a810fbcba080ae3ba76f3fc0d9a7761c5736ec7c81
SHA512 b879c2bf81017f8f97d4db3b458d6f3ff6eb1acb6e28394d9a292d58e83194857c6c5981378170e81d383340eb3eff42d2d64ce54ebd7a3e7357988428da5d2e

memory/1328-64-0x00000000020E0000-0x0000000002120000-memory.dmp

memory/1456-66-0x0000000001F60000-0x0000000001FA0000-memory.dmp

memory/1328-67-0x00000000020E0000-0x0000000002120000-memory.dmp

memory/1456-68-0x0000000001F60000-0x0000000001FA0000-memory.dmp

memory/1636-69-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1636-71-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1636-75-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1636-76-0x0000000000400000-0x0000000000420000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-06-25 21:36

Reported

2023-06-25 21:38

Platform

win10v2004-20230621-en

Max time kernel

161s

Max time network

163s

Command Line

"C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Generic-d15f99dbd30bae6e896c.exe"

Signatures

NetWire RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Netwire

botnet stealer netwire

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{OTGC73Q0-N4WA-4861-311L-BE075477ANH7} C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{OTGC73Q0-N4WA-4861-311L-BE075477ANH7}\StubPath = "\"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\AppLaunch.exe\"" C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Generic-d15f99dbd30bae6e896c.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundlll32.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundlll32.exe C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Generic-d15f99dbd30bae6e896c.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundlll32.0o0qtkon.lnk C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Generic-d15f99dbd30bae6e896c.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundlll32.exe C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Generic-d15f99dbd30bae6e896c.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows defender = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\AppLaunch.exe" C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 228 set thread context of 2704 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundlll32.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\Settings.ini C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\Settings.ini C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe N/A

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Generic-d15f99dbd30bae6e896c.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Generic-d15f99dbd30bae6e896c.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5068 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Generic-d15f99dbd30bae6e896c.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundlll32.exe
PID 228 wrote to memory of 752 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundlll32.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundlll32.exe
PID 228 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundlll32.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe

Processes

C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Generic-d15f99dbd30bae6e896c.exe

"C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Generic-d15f99dbd30bae6e896c.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundlll32.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundlll32.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundlll32.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundlll32.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 229.78.74.40.in-addr.arpa udp
US 8.8.8.8:53 58.104.205.20.in-addr.arpa udp
US 192.229.221.95:80 tcp
US 8.8.8.8:53 sosclient.duckdns.org udp
US 192.169.69.26:9002 sosclient.duckdns.org tcp
US 8.8.8.8:53 26.69.169.192.in-addr.arpa udp
JP 13.78.111.199:443 tcp
GB 23.44.233.195:443 tcp
US 93.184.221.240:80 tcp
US 8.8.8.8:53 62.13.109.52.in-addr.arpa udp
US 8.8.8.8:53 16.42.107.13.in-addr.arpa udp

Files

memory/5068-133-0x0000000001920000-0x0000000001930000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundlll32.exe

MD5 7a6a6b35d4bc575897a1420134afc96a
SHA1 9c5e87ce87b70a52f57097172c2babde2021454b
SHA256 d15f99dbd30bae6e896c52a810fbcba080ae3ba76f3fc0d9a7761c5736ec7c81
SHA512 b879c2bf81017f8f97d4db3b458d6f3ff6eb1acb6e28394d9a292d58e83194857c6c5981378170e81d383340eb3eff42d2d64ce54ebd7a3e7357988428da5d2e

memory/228-145-0x0000000000C80000-0x0000000000C90000-memory.dmp

memory/752-149-0x0000000000F10000-0x0000000000F20000-memory.dmp

memory/752-150-0x0000000000F10000-0x0000000000F20000-memory.dmp

memory/2704-151-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2704-153-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2704-156-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2704-157-0x0000000000400000-0x0000000000420000-memory.dmp