Analysis

max time kernel: 144s
max time network: 33s
platform: windows7_x64
resource: win7-20230621-en
resource tags: arch:x64, arch:x86, image:win7-20230621-en, locale:en-us, os:windows7-x64, system
submitted: 25-06-2023 12:01

Static task: static1
Behavioral task: behavioral1
Sample: 91bfa2445d998425c81f30d293235429ca6a8c6c8f326536478952a2a6754aac.exe
Resource: win7-20230621-en
General

Target: 91bfa2445d998425c81f30d293235429ca6a8c6c8f326536478952a2a6754aac.exe
Size: 420KB
MD5: 1517814c4d44cc632abb52d2d6307f15
SHA1: 9ee0404b76fe5bda2692f049bb9fc78e17240708
SHA256: 91bfa2445d998425c81f30d293235429ca6a8c6c8f326536478952a2a6754aac
SHA512: 34e0804548803b4ece092061dc287078f5853b9d73d7759b403fdc5bbc4141ddad2b146c06edf8dbaa5ce055c62e1106e91df05a7866402f47be6f28acddaf7a
SSDEEP: 6144:QjbeiyDBJNEeHfZEW6GH5W288L5ABAYRb+m112Mppeaibjz90645wZUS+:Qu1PzgGH5W28oANn112tLOE+
Malware Config

Extracted family: netwire
C2: qualitytrade12.hopto.org:3194

activex_autorun: true
activex_key: {KEW5251T-4080-L0OG-0866-B1E0A86Y18A5}
copy_executable: true
delete_original: false
host_id: NEWCLIENT
install_path: %AppData%\Install\excel.exe
keylogger_dir: %AppData%\Logs\
lock_executable: true
mutex: RPlPfmOq
offline_keylogger: true
password: master45
registry_autorun: true
startup_name: Adobe
use_mutex: true
Signatures

NetWire RAT payload (8 IoCs, yara rule: netwire)
- behavioral1/memory/1168-80-0x0000000000400000-0x0000000001080000-memory.dmp
- behavioral1/memory/1168-81-0x0000000000400000-0x0000000001080000-memory.dmp
- behavioral1/memory/1168-82-0x0000000000400000-0x0000000001080000-memory.dmp
- behavioral1/memory/1168-83-0x0000000000400000-0x0000000001080000-memory.dmp
- behavioral1/memory/1168-85-0x0000000000400000-0x0000000001080000-memory.dmp
- behavioral1/memory/1168-88-0x0000000000400000-0x0000000001080000-memory.dmp
- behavioral1/memory/1168-97-0x0000000000400000-0x0000000001080000-memory.dmp
- behavioral1/memory/1168-100-0x0000000000400000-0x0000000000420000-memory.dmp

Drops startup file (1 IoC)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs (process: cmd.exe)

Executes dropped EXE (2 IoCs)
- PID 608: 1.xyz
- PID 1168: 1.xyz

Loads dropped DLL (10 IoCs)
- PID 1724: 91bfa2445d998425c81f30d293235429ca6a8c6c8f326536478952a2a6754aac.exe (2 hits)
- PID 608: 1.xyz (1 hit)
- PID 1672: WerFault.exe (7 hits)

UPX packed file (15 IoCs, yara rule: upx)
- behavioral1/files/0x000b0000000122f5-58.dat
- behavioral1/files/0x000b0000000122f5-62.dat
- behavioral1/files/0x000b0000000122f5-64.dat
- behavioral1/files/0x000b0000000122f5-60.dat
- behavioral1/files/0x000b0000000122f5-65.dat
- behavioral1/files/0x000b0000000122f5-75.dat
- behavioral1/files/0x000b0000000122f5-86.dat
- behavioral1/files/0x000b0000000122f5-93.dat
- behavioral1/files/0x000b0000000122f5-96.dat
- behavioral1/files/0x000b0000000122f5-95.dat
- behavioral1/files/0x000b0000000122f5-94.dat
- behavioral1/files/0x000b0000000122f5-92.dat
- behavioral1/files/0x000b0000000122f5-91.dat
- behavioral1/files/0x000b0000000122f5-98.dat
- behavioral1/memory/608-99-0x0000000000400000-0x0000000001400000-memory.dmp

Adds Run key to start application (2 TTPs, 2 IoCs)
- Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce (process: 91bfa2445d998425c81f30d293235429ca6a8c6c8f326536478952a2a6754aac.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (process: 91bfa2445d998425c81f30d293235429ca6a8c6c8f326536478952a2a6754aac.exe). This wextract_cleanup0 value is the standard self-cleanup entry written by a wextract/IExpress self-extracting package, which is also what the IXP000.TMP extraction directory indicates.

Suspicious use of SetThreadContext (1 IoC)
- PID 608 (1.xyz) set thread context of PID 1168 (1.xyz, process index 31)

Program crash (1 IoC)
- PID 1672 (WerFault.exe) reported a crash of PID 1168 (process index 31)

Runs net.exe
- No IoC rows in the report; the process tree shows net stop MpsSvc (the Windows Firewall service) launched from cmd.exe.

Suspicious behavior: EnumeratesProcesses (1 IoC)
- PID 608: 1.xyz

Suspicious use of SetWindowsHookEx (2 IoCs)
- PID 608: 1.xyz (2 hits)

Suspicious use of WriteProcessMemory (59 IoCs, grouped by writer and target)
- PID 1724 (91bfa2445d998425c81f30d293235429ca6a8c6c8f326536478952a2a6754aac.exe) wrote to memory of PID 608 (process index 27): 7 hits
- PID 608 (1.xyz) wrote to memory of PID 588 (process index 28): 7 hits
- PID 608 (1.xyz) wrote to memory of PID 268 (process index 30): 7 hits
- PID 608 (1.xyz) wrote to memory of PID 1168 (process index 31): 17 hits
- PID 268 (cmd.exe) wrote to memory of PID 1096 (process index 33): 7 hits
- PID 1096 (net.exe) wrote to memory of PID 1500 (process index 34): 7 hits
- PID 1168 (1.xyz) wrote to memory of PID 1672 (process index 35): 7 hits
Processes

1. C:\Users\Admin\AppData\Local\Temp\91bfa2445d998425c81f30d293235429ca6a8c6c8f326536478952a2a6754aac.exe (PID 1724)
   command line: "C:\Users\Admin\AppData\Local\Temp\91bfa2445d998425c81f30d293235429ca6a8c6c8f326536478952a2a6754aac.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz (PID 608)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\cmd.exe (PID 588)
         command line: C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
         - Drops startup file

      3. C:\Windows\SysWOW64\cmd.exe (PID 268)
         command line: /c net stop MpsSvc
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\net.exe (PID 1096)
            command line: net stop MpsSvc
            - Suspicious use of WriteProcessMemory

            5. C:\Windows\SysWOW64\net1.exe (PID 1500)
               command line: C:\Windows\system32\net1 stop MpsSvc

      3. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz (PID 1168)
         command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
         - Executes dropped EXE
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\WerFault.exe (PID 1672)
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1168 -s 292
            - Loads dropped DLL
            - Program crash
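The tree above records one chain: a wextract/IExpress self-extractor (the IXP000.TMP directory and the wextract_cleanup0 RunOnce value are its standard artifacts) unpacks and runs 1.xyz; 1.xyz writes a Startup-folder x.vbs that relaunches it, stops the Windows Firewall service (MpsSvc) through cmd.exe and net.exe, and starts a second copy of itself whose thread context it then sets, which is the copy (PID 1168) whose memory matches the netwire YARA rule before it crashes into WerFault. The script below is an added example and is not part of the report or of the sandbox's own rules: it turns those three host behaviours into detection logic over process-creation events. The events are constructed from the tree above (plus one benign cmd.exe event as a control); the ProcEvent type, the field names and the rule names are this example's own assumptions, not a Sysmon or sandbox schema.

```python
"""Process-tree detections modelled on the NetWire sandbox report above.

Constructed input: the pid/ppid/image/command-line tuples in SAMPLE_EVENTS are
copied from the report's process tree (plus one benign control event). The
ProcEvent type and field names are this example's own assumptions.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# wextract/IExpress self-extractors unpack into %TEMP%\IXPnnn.TMP before running
# their payload, so a binary living there is the extracted payload, not the dropper.
SFX_TEMP_DIR = re.compile(r"\\Temp\\IXP\d{3}\.TMP\\", re.IGNORECASE)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
# "net stop MpsSvc" / "net1 stop MpsSvc": MpsSvc is the Windows Firewall service.
FIREWALL_STOP = re.compile(r"\bnet1?(?:\.exe)?\s+stop\s+MpsSvc\b", re.IGNORECASE)


def parse_startup_vbs_drop(cmdline: str):
    """Pull (written .vbs path, executable the .vbs launches) out of a
    'cmd /c echo ...CreateObject("WScript.Shell").Run "<exe>"... >"<file>.vbs"'
    command line. Returns None when the line is not of that shape."""
    dest = re.search(r'>\s*"([^"]+\.vbs)"', cmdline, re.IGNORECASE)
    target = re.search(r'\.Run\s+"([^"]+)"', cmdline, re.IGNORECASE)
    if not dest or not target:
        return None
    return dest.group(1), target.group(1)


def detect(events):
    """Run three rules over a flat list of process-creation events and return
    (rule, pid, detail, detail) tuples. Parents are resolved by ppid in the list."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        image = e.image.lower()
        # Rule 1: cmd.exe writing a .vbs into the per-user Startup folder.
        if image.endswith("\\cmd.exe") and STARTUP_DIR.search(e.cmdline):
            parsed = parse_startup_vbs_drop(e.cmdline)
            if parsed:
                findings.append(("startup_vbs_persistence", e.pid, parsed[0], parsed[1]))
        # Rule 2: the firewall service stopped through net.exe (net1.exe is its
        # helper and would double-count the same action, so match net.exe only).
        if image.endswith("\\net.exe") and FIREWALL_STOP.search(e.cmdline):
            findings.append(("firewall_service_stop", e.pid, e.cmdline,
                             parent.image if parent else None))
        # Rule 3: a payload inside an SFX temp dir re-executing its own image. In
        # the report the parent then sets the child's thread context and the
        # NetWire YARA rule fires on the child's memory.
        if parent and SFX_TEMP_DIR.search(e.image) and image == parent.image.lower():
            findings.append(("self_reexec_from_sfx_temp", e.pid, e.image, parent.pid))
    return findings


SFX = r"C:\Users\Admin\AppData\Local\Temp\91bfa2445d998425c81f30d293235429ca6a8c6c8f326536478952a2a6754aac.exe"
PAYLOAD = r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz"
VBS_DROP_CMD = (r'C:\Windows\system32\cmd.exe /c echo on error resume next:'
                r'CreateObject("WScript.Shell").Run "' + PAYLOAD + r'",1: '
                r'>"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"')

SAMPLE_EVENTS = [  # constructed from the report's process tree
    ProcEvent(1724, 0, SFX, f'"{SFX}"'),
    ProcEvent(608, 1724, PAYLOAD, PAYLOAD),
    ProcEvent(588, 608, r"C:\Windows\SysWOW64\cmd.exe", VBS_DROP_CMD),
    ProcEvent(268, 608, r"C:\Windows\SysWOW64\cmd.exe", "/c net stop MpsSvc"),
    ProcEvent(1096, 268, r"C:\Windows\SysWOW64\net.exe", "net stop MpsSvc"),
    ProcEvent(1500, 1096, r"C:\Windows\SysWOW64\net1.exe", r"C:\Windows\system32\net1 stop MpsSvc"),
    ProcEvent(1168, 608, PAYLOAD, PAYLOAD),
    ProcEvent(1672, 1168, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -u -p 1168 -s 292"),
    # benign control: a shell redirect that does not target the Startup folder
    ProcEvent(2000, 1, r"C:\Windows\System32\cmd.exe",
              r'/c echo done >"C:\Users\Admin\Documents\notes.txt"'),
]


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(*finding)
```

Run against the constructed events the script reports exactly three findings, one per rule: the x.vbs write by PID 588 (with the .vbs path and the 1.xyz path it relaunches pulled out of the command line), the MpsSvc stop by PID 1096 with cmd.exe as its parent, and PID 1168 as a self re-execution of 1.xyz from IXP000.TMP by PID 608. Rule 3 deliberately keys on the SFX temp directory rather than on self-spawning alone, since legitimate software re-launches itself routinely; pair it with the SetThreadContext and WriteProcessMemory signatures above when the telemetry has them.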
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 132KB
MD5: 4b28fc60df0738257092268a36fe321e
SHA1: f3440893908f4e59099664ce0abd323ada87e05c
SHA256: 7b7170132465e0f87bf9a411324a07c27dd49268f4e9fd8f9d2b61e703b4bd29
SHA512: 9335d367203da5d9cb452ca12eda00aa26ce451b0ed5d4fea3fbe1cee258b35b983ce96f25745855063fd35f065ed865cce9e9053c5bb29f1b97db6e31e5cb3e

Filesize: 212KB
MD5: b2af3b332d92fc09b79c4bf85263fd22
SHA1: cbb3c3a4b17ba2888cfd0b96f59a5bc454d4ef32
SHA256: b9dd8dfdb9a3fd61b2acffe0018cdf99b02c97025ae0d41a7aac7c9d76647b58
SHA512: b6d7271b1b0e7285bff25b8edb0f31cc7076bbbf611a4bfa9a457463c38ba7d0f5694f89b18a5b26b0f793e76dc0a0e5279dbf4cf976a6b52787157523e17932