Analysis Overview
SHA256
1f64ef3c5f7690033cf54608c3f4ba61a99c1494a2a2d5aa06f8b6634d8e305b
Threat Level: Known bad
The file outputmalware.exe was found to be: Known bad.
Malicious Activity Summary
NetWire RAT payload
Netwire
Loads dropped DLL
Drops startup file
Executes dropped EXE
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-07-09 12:26
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2023-07-09 12:26
Reported
2023-07-09 12:29
Platform
win10v2004-20230703-en
Max time kernel
142s
Max time network
149s
Command Line
Signatures
NetWire RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Netwire
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TestLink.lnk | C:\Users\Admin\AppData\Local\Temp\go-memexec-169167430.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\go-memexec-169167430.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2080 wrote to memory of 1504 | N/A | C:\Users\Admin\AppData\Local\Temp\outputmalware.exe | C:\Users\Admin\AppData\Local\Temp\go-memexec-169167430.exe |
| PID 2080 wrote to memory of 1504 | N/A | C:\Users\Admin\AppData\Local\Temp\outputmalware.exe | C:\Users\Admin\AppData\Local\Temp\go-memexec-169167430.exe |
| PID 2080 wrote to memory of 1504 | N/A | C:\Users\Admin\AppData\Local\Temp\outputmalware.exe | C:\Users\Admin\AppData\Local\Temp\go-memexec-169167430.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\outputmalware.exe
"C:\Users\Admin\AppData\Local\Temp\outputmalware.exe"
C:\Users\Admin\AppData\Local\Temp\go-memexec-169167430.exe
C:\Users\Admin\AppData\Local\Temp\go-memexec-169167430.exe
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:3360 | tcp | |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.23.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.233.44.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | needforrat.hopto.org | udp |
| PK | 182.180.49.15:3360 | needforrat.hopto.org | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.112.168.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\go-memexec-169167430.exe
| MD5 | 8d832a17a7134571f228bc0da586a541 |
| SHA1 | 274f83a8874d16ff937d3e8c231bcf4916d18fe8 |
| SHA256 | 36b9e2e48e5f7ab4543df7f80d299bb72e65c5f343d8bb1d8bff39764a829c8f |
| SHA512 | 0b5e00c88a35eb72b0f06d82fe3cd5a84c0520480f3d631ca42c7d3bc04bf33001f84943c6d4e9c8e1abb00414669a978de45b72b6bb8a002cc5c53d86d88bcb |
C:\Users\Admin\AppData\Local\Temp\go-memexec-169167430.exe
| MD5 | 8d832a17a7134571f228bc0da586a541 |
| SHA1 | 274f83a8874d16ff937d3e8c231bcf4916d18fe8 |
| SHA256 | 36b9e2e48e5f7ab4543df7f80d299bb72e65c5f343d8bb1d8bff39764a829c8f |
| SHA512 | 0b5e00c88a35eb72b0f06d82fe3cd5a84c0520480f3d631ca42c7d3bc04bf33001f84943c6d4e9c8e1abb00414669a978de45b72b6bb8a002cc5c53d86d88bcb |
Analysis: behavioral1
Detonation Overview
Submitted
2023-07-09 12:26
Reported
2023-07-09 12:29
Platform
win7-20230703-en
Max time kernel
78s
Max time network
92s
Command Line
Signatures
NetWire RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Netwire
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TestLink.lnk | C:\Users\Admin\AppData\Local\Temp\go-memexec-2909003178.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\go-memexec-2909003178.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\go-memexec-2909003178.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2204 wrote to memory of 3032 | N/A | C:\Users\Admin\AppData\Local\Temp\outputmalware.exe | C:\Users\Admin\AppData\Local\Temp\go-memexec-2909003178.exe |
| PID 2204 wrote to memory of 3032 | N/A | C:\Users\Admin\AppData\Local\Temp\outputmalware.exe | C:\Users\Admin\AppData\Local\Temp\go-memexec-2909003178.exe |
| PID 2204 wrote to memory of 3032 | N/A | C:\Users\Admin\AppData\Local\Temp\outputmalware.exe | C:\Users\Admin\AppData\Local\Temp\go-memexec-2909003178.exe |
| PID 2204 wrote to memory of 3032 | N/A | C:\Users\Admin\AppData\Local\Temp\outputmalware.exe | C:\Users\Admin\AppData\Local\Temp\go-memexec-2909003178.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\outputmalware.exe
"C:\Users\Admin\AppData\Local\Temp\outputmalware.exe"
C:\Users\Admin\AppData\Local\Temp\go-memexec-2909003178.exe
C:\Users\Admin\AppData\Local\Temp\go-memexec-2909003178.exe
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:3360 | tcp | |
| US | 8.8.8.8:53 | needforrat.hopto.org | udp |
| PK | 182.180.49.15:3360 | needforrat.hopto.org | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\go-memexec-2909003178.exe
| MD5 | 8d832a17a7134571f228bc0da586a541 |
| SHA1 | 274f83a8874d16ff937d3e8c231bcf4916d18fe8 |
| SHA256 | 36b9e2e48e5f7ab4543df7f80d299bb72e65c5f343d8bb1d8bff39764a829c8f |
| SHA512 | 0b5e00c88a35eb72b0f06d82fe3cd5a84c0520480f3d631ca42c7d3bc04bf33001f84943c6d4e9c8e1abb00414669a978de45b72b6bb8a002cc5c53d86d88bcb |
C:\Users\Admin\AppData\Local\Temp\go-memexec-2909003178.exe
| MD5 | 8d832a17a7134571f228bc0da586a541 |
| SHA1 | 274f83a8874d16ff937d3e8c231bcf4916d18fe8 |
| SHA256 | 36b9e2e48e5f7ab4543df7f80d299bb72e65c5f343d8bb1d8bff39764a829c8f |
| SHA512 | 0b5e00c88a35eb72b0f06d82fe3cd5a84c0520480f3d631ca42c7d3bc04bf33001f84943c6d4e9c8e1abb00414669a978de45b72b6bb8a002cc5c53d86d88bcb |
\Users\Admin\AppData\Local\Temp\go-memexec-2909003178.exe
| MD5 | 8d832a17a7134571f228bc0da586a541 |
| SHA1 | 274f83a8874d16ff937d3e8c231bcf4916d18fe8 |
| SHA256 | 36b9e2e48e5f7ab4543df7f80d299bb72e65c5f343d8bb1d8bff39764a829c8f |
| SHA512 | 0b5e00c88a35eb72b0f06d82fe3cd5a84c0520480f3d631ca42c7d3bc04bf33001f84943c6d4e9c8e1abb00414669a978de45b72b6bb8a002cc5c53d86d88bcb |