Analysis
max time kernel: 100s
max time network: 127s
platform: windows10-2004_x64
resource: win10v2004-20230621-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230621-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-06-2023 12:01

Tasks
Static task: static1
Behavioral task: behavioral1
    Sample: 91bfa2445d998425c81f30d293235429ca6a8c6c8f326536478952a2a6754aac.exe
    Resource: win7-20230621-en
Note: the task row shown on the page is behavioral1 (win7-20230621-en), but every signature hit and memory dump below is labelled behavioral2 and the platform line says windows10-2004_x64, so the analysis reproduced here is the Windows 10 run.
General
Target: 91bfa2445d998425c81f30d293235429ca6a8c6c8f326536478952a2a6754aac.exe
Size: 420KB
MD5: 1517814c4d44cc632abb52d2d6307f15
SHA1: 9ee0404b76fe5bda2692f049bb9fc78e17240708
SHA256: 91bfa2445d998425c81f30d293235429ca6a8c6c8f326536478952a2a6754aac
SHA512: 34e0804548803b4ece092061dc287078f5853b9d73d7759b403fdc5bbc4141ddad2b146c06edf8dbaa5ce055c62e1106e91df05a7866402f47be6f28acddaf7a
SSDEEP: 6144:QjbeiyDBJNEeHfZEW6GH5W288L5ABAYRb+m112Mppeaibjz90645wZUS+:Qu1PzgGH5W28oANn112tLOE+
Malware Config
Extracted family: netwire
C2: qualitytrade12.hopto.org:3194
activex_autorun: true
activex_key: {KEW5251T-4080-L0OG-0866-B1E0A86Y18A5}
copy_executable: true
delete_original: false
host_id: NEWCLIENT
install_path: %AppData%\Install\excel.exe
keylogger_dir: %AppData%\Logs\
lock_executable: true
mutex: RPlPfmOq
offline_keylogger: true
password: master45
registry_autorun: true
startup_name: Adobe
use_mutex: true

Reading the config: the payload copies itself to %AppData%\Install\excel.exe (copy_executable, install_path) and leaves the original in place (delete_original false); it persists through a Run value named "Adobe" (registry_autorun, startup_name) and through an Active Setup\Installed Components entry keyed by activex_key, which is what NetWire's "ActiveX" autorun is commonly documented as; it guards against double infection with the mutex RPlPfmOq; and it logs keystrokes locally under %AppData%\Logs\ even when the C2 is unreachable (offline_keylogger). The password is the operator secret NetWire uses to key its C2 session encryption, and host_id is the label the victim shows up under in the operator's panel. Two hunting caveats: hopto.org is a No-IP dynamic DNS domain, so the resolved IP can change while the hostname stays a stable indicator; and activex_key is not a syntactically valid GUID (it contains letters outside 0-9A-F), which on its own is a cheap pivot when sweeping Active Setup\Installed Components keys.
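As an added example (not part of the Triage report and not NetWire's or the extractor's code), the following Python turns the configuration above into concrete host and network indicators and checks a set of constructed host observations against them. The mapping of registry_autorun/startup_name to a Run value and of activex_key to an Active Setup\Installed Components subkey, the choice of checking both HKCU and HKLM, and the sandbox user name Admin are assumptions; the observation list is constructed for the example, not exported by the sandbox.

```python
import re

# Values copied from the "Malware Config" section of this report.
NETWIRE_CFG = {
    "c2": ["qualitytrade12.hopto.org:3194"],
    "activex_autorun": True,
    "activex_key": "{KEW5251T-4080-L0OG-0866-B1E0A86Y18A5}",
    "copy_executable": True,
    "delete_original": False,
    "host_id": "NEWCLIENT",
    "install_path": "%AppData%\\Install\\excel.exe",
    "keylogger_dir": "%AppData%\\Logs\\",
    "lock_executable": True,
    "mutex": "RPlPfmOq",
    "offline_keylogger": True,
    "password": "master45",
    "registry_autorun": True,
    "startup_name": "Adobe",
    "use_mutex": True,
}

# A genuine Active Setup component name is a GUID: 8-4-4-4-12 hex digits in braces.
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")


def looks_like_guid(key: str) -> bool:
    return GUID_RE.fullmatch(key) is not None


def expand_appdata(path: str, user: str = "Admin") -> str:
    # Assumption: the sandbox user is "Admin" (as in the process tree); %AppData% is the Roaming profile.
    return path.replace("%AppData%", f"C:\\Users\\{user}\\AppData\\Roaming")


def iocs_from_config(cfg: dict, user: str = "Admin") -> dict:
    iocs = {"files": [], "registry": [], "mutex": [], "network": [], "notes": []}
    if cfg.get("copy_executable"):
        iocs["files"].append(expand_appdata(cfg["install_path"], user))
    if cfg.get("offline_keylogger"):
        iocs["files"].append(expand_appdata(cfg["keylogger_dir"], user))
    if cfg.get("registry_autorun"):
        # Assumption: the registry autorun is a Run value named after startup_name (HKCU or HKLM).
        for hive in ("HKCU", "HKLM"):
            iocs["registry"].append(
                f"{hive}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\{cfg['startup_name']}")
    if cfg.get("activex_autorun"):
        # Assumption: activex_key names an Active Setup Installed Components subkey (StubPath persistence).
        for hive in ("HKCU", "HKLM"):
            iocs["registry"].append(
                f"{hive}\\Software\\Microsoft\\Active Setup\\Installed Components\\{cfg['activex_key']}")
        if not looks_like_guid(cfg["activex_key"]):
            iocs["notes"].append("activex_key is not a well-formed GUID; hunt for it as a bare string")
    if cfg.get("use_mutex"):
        iocs["mutex"].append(cfg["mutex"])
    for hostport in cfg.get("c2", []):
        host, _, port = hostport.rpartition(":")
        iocs["network"].append((host, int(port)))
        if host.endswith(".hopto.org"):
            iocs["notes"].append(f"{host} is a No-IP dynamic DNS name; match on the name, not a resolved IP")
    return iocs


def match_observations(iocs: dict, observations: list) -> list:
    """observations: (kind, value) tuples as a host agent might report them."""
    hits = []
    for kind, value in observations:
        if kind == "file" and any(value.lower().startswith(f.lower()) for f in iocs["files"]):
            hits.append((kind, value))
        elif kind == "registry" and value in iocs["registry"]:
            hits.append((kind, value))
        elif kind == "mutex" and value in iocs["mutex"]:
            hits.append((kind, value))
        elif kind == "netconn" and (value[0], value[1]) in iocs["network"]:
            hits.append((kind, value))
    return hits


# Constructed observations (not from the report): five should match, two are benign decoys.
SAMPLE_OBSERVATIONS = [
    ("file", r"C:\Users\Admin\AppData\Roaming\Install\excel.exe"),
    ("file", r"C:\Users\Admin\AppData\Roaming\Logs\2023-06-25.log"),
    ("registry", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Adobe"),
    ("mutex", "RPlPfmOq"),
    ("netconn", ("qualitytrade12.hopto.org", 3194)),
    ("netconn", ("update.microsoft.com", 443)),                                # benign
    ("file", r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"),    # benign, same file name
]

if __name__ == "__main__":
    iocs = iocs_from_config(NETWIRE_CFG)
    for kind, value in match_observations(iocs, SAMPLE_OBSERVATIONS):
        print("hit:", kind, value)
    for note in iocs["notes"]:
        print("note:", note)
```

The file check is a prefix match so that anything written under the keylogger directory counts, while the registry and mutex checks are exact; the legitimate Office EXCEL.EXE is deliberately in the sample to show that the install path, not the file name, is the indicator.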
Signatures

NetWire RAT payload (5 IoCs)
resource | yara_rule
behavioral2/memory/320-152-0x0000000000400000-0x0000000001080000-memory.dmp | netwire
behavioral2/memory/320-155-0x0000000000400000-0x0000000001080000-memory.dmp | netwire
behavioral2/memory/320-156-0x0000000000400000-0x0000000001080000-memory.dmp | netwire
behavioral2/memory/320-157-0x0000000000400000-0x0000000001080000-memory.dmp | netwire
behavioral2/memory/320-158-0x0000000000400000-0x0000000000420000-memory.dmp | netwire
All five hits are memory dumps of PID 320, the second 1.xyz instance. The NetWire rule fires nowhere on disk, only in that process's image region, so the payload exists unpacked only after injection.

Drops startup file (1 IoC)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs | cmd.exe
This is the persistence that survives a reboot: the command line in the process tree writes a one-line VBScript that relaunches 1.xyz from IXP000.TMP at every logon.

Executes dropped EXE (2 IoCs)
pid | Process
2096 | 1.xyz
320 | 1.xyz

(signature name not shown on the page; yara rule: upx) (4 IoCs)
resource | yara_rule
behavioral2/files/0x000e000000023231-141.dat | upx
behavioral2/files/0x000e000000023231-142.dat | upx
behavioral2/files/0x000e000000023231-153.dat | upx
behavioral2/memory/2096-159-0x0000000000400000-0x0000000001400000-memory.dmp | upx
Three on-disk copies of one file resource and PID 2096's image region match the UPX rule, consistent with 1.xyz being a UPX-packed stage.

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 91bfa2445d998425c81f30d293235429ca6a8c6c8f326536478952a2a6754aac.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 91bfa2445d998425c81f30d293235429ca6a8c6c8f326536478952a2a6754aac.exe
Caveat: a wextract_cleanupN RunOnce value pointing advpack.dll's DelNodeRunDLL32 at an IXP000.TMP directory is the standard footprint of the Windows IExpress self-extractor (wextract.exe); the value only deletes the extraction directory at the next logon. It identifies the outer sample as an IExpress package and is not the malware's persistence, which is the Startup-folder x.vbs above.

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 2096 set thread context of 320 | 2096 | 1.xyz | 89
Taken with the 14 WriteProcessMemory events from 2096 into 320 and the netwire rule matching only PID 320's memory, this is the pattern of a packer stub hollowing a second, freshly started instance of itself with the decoded payload.

Program crash (1 IoC)
pid | pid_target | Process | procid_target
4112 | 320 | WerFault.exe | 89
The hollowed instance crashed (WerFault -p 320), a likely reason the report records no traffic to the configured C2.

Runs net.exe
(no IoC rows on the page; the invocation is net stop MpsSvc, see the process tree)

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
2096 | 1.xyz
2096 | 1.xyz

Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
2096 | 1.xyz
2096 | 1.xyz
Windows hooks installed with SetWindowsHookEx are the usual keylogging primitive; the config enables an offline keylogger writing to %AppData%\Logs\.

Suspicious use of WriteProcessMemory (29 IoCs)
description | pid | Process | procid_target
PID 3824 wrote to memory of 2096 (3 events) | 3824 | 91bfa2445d998425c81f30d293235429ca6a8c6c8f326536478952a2a6754aac.exe | 84
PID 2096 wrote to memory of 1812 (3 events) | 2096 | 1.xyz | 85
PID 2096 wrote to memory of 212 (3 events) | 2096 | 1.xyz | 87
PID 2096 wrote to memory of 320 (14 events) | 2096 | 1.xyz | 89
PID 212 wrote to memory of 1824 (3 events) | 212 | cmd.exe | 90
PID 1824 wrote to memory of 1836 (3 events) | 1824 | net.exe | 91
The uniform three writes per spawned child (cmd.exe, net.exe and net1.exe included) are the baseline this sandbox records for ordinary process creation; the 14 writes into PID 320 are the injection.
Processes
(indentation shows parent and child; each entry gives the image path, the PID, the command line and the signatures raised by that process)

C:\Users\Admin\AppData\Local\Temp\91bfa2445d998425c81f30d293235429ca6a8c6c8f326536478952a2a6754aac.exe  PID:3824
    cmdline: "C:\Users\Admin\AppData\Local\Temp\91bfa2445d998425c81f30d293235429ca6a8c6c8f326536478952a2a6754aac.exe"
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz  PID:2096
        cmdline: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe  PID:1812
            cmdline: C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
            - Drops startup file

        C:\Windows\SysWOW64\cmd.exe  PID:212
            cmdline: /c net stop MpsSvc
            - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\net.exe  PID:1824
                cmdline: net stop MpsSvc
                - Suspicious use of WriteProcessMemory

                C:\Windows\SysWOW64\net1.exe  PID:1836
                    cmdline: C:\Windows\system32\net1 stop MpsSvc

        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz  PID:320
            cmdline: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
            - Executes dropped EXE

            C:\Windows\SysWOW64\WerFault.exe  PID:4112
                cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 320 -s 576
                - Program crash

C:\Windows\SysWOW64\WerFault.exe  PID:820
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 320 -ip 320

What the tree shows: the IExpress package (3824) extracts 1.xyz into IXP000.TMP and runs it. 1.xyz (2096) writes a one-line VBScript into the user's Startup folder that relaunches it at logon, stops MpsSvc (the Windows Defender Firewall service; stopping a service needs administrative rights, which the sandbox's Admin user has) through cmd.exe, net.exe and net1.exe, and then starts a second copy of itself (320), which it hollows in a way consistent with the NetWire memory hits above; that copy crashed and was handled by WerFault. The SysWOW64 and WOW6432Node paths show a 32-bit binary running on the x64 image.
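As an added example (not part of the report), the detection logic below runs the behaviours visible in this tree over process-creation events reconstructed from it, with fields laid out like a Sysmon Event ID 1 record. The rules generalise past this sample: any cmd.exe redirecting echo output into a script in a Startup folder, any net, net1 or sc stop of MpsSvc, any program that starts an identical image from the user's Temp directory, any image with a non-executable extension, and a WerFault report for a process already flagged. The event list and the PPID of 0 for the two root processes are constructed from the tree, not exported by the sandbox.

```python
import re

# Process-creation events reconstructed from the process tree in this report
# (PIDs, images and command lines as shown there). The parents of PID 3824 and
# PID 820 are not shown on the page and are set to 0 here.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\91bfa2445d998425c81f30d293235429ca6a8c6c8f326536478952a2a6754aac.exe"
STAGE2 = r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz"
EVENTS = [
    {"pid": 3824, "ppid": 0,    "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 2096, "ppid": 3824, "image": STAGE2, "cmdline": STAGE2},
    {"pid": 1812, "ppid": 2096, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"'},
    {"pid": 212,  "ppid": 2096, "image": r"C:\Windows\SysWOW64\cmd.exe", "cmdline": "/c net stop MpsSvc"},
    {"pid": 1824, "ppid": 212,  "image": r"C:\Windows\SysWOW64\net.exe", "cmdline": "net stop MpsSvc"},
    {"pid": 1836, "ppid": 1824, "image": r"C:\Windows\SysWOW64\net1.exe", "cmdline": r"C:\Windows\system32\net1 stop MpsSvc"},
    {"pid": 320,  "ppid": 2096, "image": STAGE2, "cmdline": STAGE2},
    {"pid": 4112, "ppid": 320,  "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 320 -s 576"},
    {"pid": 820,  "ppid": 0,    "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 320 -ip 320"},
]

STARTUP_DIR = "\\start menu\\programs\\startup\\"
SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".bat", ".cmd", ".ps1", ".hta")
EXEC_EXT = (".exe", ".com", ".scr")
REDIRECT_RE = re.compile(r'>\s*"?([^">]+?)"?\s*$')          # target of a trailing > redirect
FIREWALL_STOP_RE = re.compile(r"\b(?:net1?|sc)(?:\.exe)?\s+stop\s+mpssvc\b", re.IGNORECASE)
WERFAULT_PID_RE = re.compile(r"(?:^|\s)-p\s+(\d+)")         # "-p <pid>", not "-pss" or "-ip"


def startup_script_drop(ev, parent):
    """cmd.exe redirecting output into a script inside a Startup folder."""
    if not ev["image"].lower().endswith("\\cmd.exe"):
        return False
    m = REDIRECT_RE.search(ev["cmdline"])
    if not m:
        return False
    target = m.group(1).lower()
    return STARTUP_DIR in target and target.endswith(SCRIPT_EXT)


def firewall_service_stop(ev, parent):
    """net/net1/sc stopping the Windows Defender Firewall service."""
    return FIREWALL_STOP_RE.search(ev["cmdline"]) is not None


def self_spawn_from_temp(ev, parent):
    """A Temp-resident program starting a second instance of its own image (hollowing precursor)."""
    return (parent is not None
            and ev["image"].lower() == parent["image"].lower()
            and "\\appdata\\local\\temp\\" in ev["image"].lower())


def nonstandard_extension(ev, parent):
    """CreateProcess does not care about the extension; defenders should."""
    return not ev["image"].lower().endswith(EXEC_EXT)


RULES = [startup_script_drop, firewall_service_stop, self_spawn_from_temp, nonstandard_extension]


def analyze(events):
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for ev in events:
        parent = by_pid.get(ev["ppid"])
        for rule in RULES:
            if rule(ev, parent):
                findings.append((rule.__name__, ev["pid"]))
    # Second pass: a crash report for an already-flagged process corroborates the injection.
    flagged = {pid for _, pid in findings}
    for ev in events:
        if ev["image"].lower().endswith("\\werfault.exe"):
            m = WERFAULT_PID_RE.search(ev["cmdline"])
            if m and int(m.group(1)) in flagged:
                findings.append(("werfault_for_flagged_pid", ev["pid"]))
    return findings


if __name__ == "__main__":
    for rule_name, pid in analyze(EVENTS):
        print(f"{rule_name:28s} PID {pid}")
```

The self-spawn rule keys on image equality plus a Temp path rather than on SetThreadContext, because process-creation telemetry is available everywhere while thread-context events are not; pairing it with the WerFault rule gives a second signal without any API-level hooking.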
Downloads
(dropped-file records; the page does not show their paths, so entries with identical hashes are merged here and the number of times each was listed is kept)

File 1 (listed 2 times)
Filesize: 132KB
MD5: 4b28fc60df0738257092268a36fe321e
SHA1: f3440893908f4e59099664ce0abd323ada87e05c
SHA256: 7b7170132465e0f87bf9a411324a07c27dd49268f4e9fd8f9d2b61e703b4bd29
SHA512: 9335d367203da5d9cb452ca12eda00aa26ce451b0ed5d4fea3fbe1cee258b35b983ce96f25745855063fd35f065ed865cce9e9053c5bb29f1b97db6e31e5cb3e

File 2 (listed 3 times)
Filesize: 212KB
MD5: b2af3b332d92fc09b79c4bf85263fd22
SHA1: cbb3c3a4b17ba2888cfd0b96f59a5bc454d4ef32
SHA256: b9dd8dfdb9a3fd61b2acffe0018cdf99b02c97025ae0d41a7aac7c9d76647b58
SHA512: b6d7271b1b0e7285bff25b8edb0f31cc7076bbbf611a4bfa9a457463c38ba7d0f5694f89b18a5b26b0f793e76dc0a0e5279dbf4cf976a6b52787157523e17932