Analysis
max time kernel: 78s
max time network: 84s
platform: windows7_x64
resource: win7-20230703-en
resource tags: arch:x64, arch:x86, image:win7-20230703-en, locale:en-us, os:windows7-x64, system
submitted: 10-07-2023 14:03
Behavioral task: behavioral1
Sample: c3c4ef008ea6903b3aa5eae43.exe
Resource: win7-20230703-en
General
Target: c3c4ef008ea6903b3aa5eae43.exe
Size: 272KB
MD5: c3a93f50ff8e4ef3d904133fffd7aced
SHA1: e97d588174035ef205041e431e305477991b7d56
SHA256: c3c4ef008ea6903b3aa5eae43e7fe959de4438d195979a9fa8e1ae59ce56f1ac
SHA512: fcafd024c5036eeab4f5d91a176f5ac1a264796c13f2935bad5a05ca492e7637ca6a229a8818ad27ec3647135c44d25ceaeb417474b62fcfc04ebbcaef77a781
SSDEEP: 6144:wcCmiQfipBKWzkeHrb08rTj6aBpSYdS1wjzco7qqD9DqIx:wcXiQfipPrb08rTj6+pGHqNhx
Malware Config
Extracted family: netwire
C2: 212.193.30.230:6826
activex_autorun: false
copy_executable: false
delete_original: false
host_id: HostId-%Rand%
install_path: %AppData%\Install\Host.exe
lock_executable: false
offline_keylogger: false
password: kolabo123
registry_autorun: false
use_mutex: false
Signatures

NetWire RAT payload (2 IoCs)
resource                                       yara_rule
behavioral1/files/0x000900000001424a-56.dat    netwire
behavioral1/files/0x000900000001424a-59.dat    netwire

Executes dropped EXE (1 IoC)
pid    Process
2316   Host.exe

Loads dropped DLL (1 IoC)
pid    Process
2224   c3c4ef008ea6903b3aa5eae43.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (4 IoCs)
description                          pid    Process                          procid_target
PID 2224 wrote to memory of 2316     2224   c3c4ef008ea6903b3aa5eae43.exe    29
PID 2224 wrote to memory of 2316     2224   c3c4ef008ea6903b3aa5eae43.exe    29
PID 2224 wrote to memory of 2316     2224   c3c4ef008ea6903b3aa5eae43.exe    29
PID 2224 wrote to memory of 2316     2224   c3c4ef008ea6903b3aa5eae43.exe    29
Processes

1. C:\Users\Admin\AppData\Local\Temp\c3c4ef008ea6903b3aa5eae43.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\c3c4ef008ea6903b3aa5eae43.exe"
   PID: 2224
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\Install\Host.exe (child of PID 2224)
      Command line: "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
      PID: 2316
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 272KB
MD5: c3a93f50ff8e4ef3d904133fffd7aced
SHA1: e97d588174035ef205041e431e305477991b7d56
SHA256: c3c4ef008ea6903b3aa5eae43e7fe959de4438d195979a9fa8e1ae59ce56f1ac
SHA512: fcafd024c5036eeab4f5d91a176f5ac1a264796c13f2935bad5a05ca492e7637ca6a229a8818ad27ec3647135c44d25ceaeb417474b62fcfc04ebbcaef77a781