Analysis
- max time kernel: 143s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20230703-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-07-2023 14:03
Behavioral task: behavioral1
- Sample: c3c4ef008ea6903b3aa5eae43.exe
- Resource: win7-20230703-en
General
- Target: c3c4ef008ea6903b3aa5eae43.exe
- Size: 272KB
- MD5: c3a93f50ff8e4ef3d904133fffd7aced
- SHA1: e97d588174035ef205041e431e305477991b7d56
- SHA256: c3c4ef008ea6903b3aa5eae43e7fe959de4438d195979a9fa8e1ae59ce56f1ac
- SHA512: fcafd024c5036eeab4f5d91a176f5ac1a264796c13f2935bad5a05ca492e7637ca6a229a8818ad27ec3647135c44d25ceaeb417474b62fcfc04ebbcaef77a781
- SSDEEP: 6144:wcCmiQfipBKWzkeHrb08rTj6aBpSYdS1wjzco7qqD9DqIx:wcXiQfipPrb08rTj6+pGHqNhx
Malware Config
Extracted: netwire
- C2: 212.193.30.230:6826
- activex_autorun: false
- copy_executable: false
- delete_original: false
- host_id: HostId-%Rand%
- install_path: %AppData%\Install\Host.exe
- lock_executable: false
- offline_keylogger: false
- password: kolabo123
- registry_autorun: false
- use_mutex: false
Signatures
- NetWire RAT payload (3 IoCs)
  resource / yara_rule:
  behavioral2/files/0x000800000002320d-137.dat / netwire
  behavioral2/files/0x000800000002320d-139.dat / netwire
  behavioral2/files/0x000800000002320d-140.dat / netwire
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Control Panel\International\Geo\Nation
  Process: c3c4ef008ea6903b3aa5eae43.exe
- Executes dropped EXE (1 IoC)
  pid: 4740
  Process: Host.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (3 IoCs)
  description / pid / Process / procid_target:
  PID 3412 wrote to memory of 4740 / 3412 / c3c4ef008ea6903b3aa5eae43.exe / 83
  PID 3412 wrote to memory of 4740 / 3412 / c3c4ef008ea6903b3aa5eae43.exe / 83
  PID 3412 wrote to memory of 4740 / 3412 / c3c4ef008ea6903b3aa5eae43.exe / 83
Processes
- C:\Users\Admin\AppData\Local\Temp\c3c4ef008ea6903b3aa5eae43.exe (PID 3412)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c3c4ef008ea6903b3aa5eae43.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Install\Host.exe (PID 4740)
    Command line: "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 272KB
  MD5: c3a93f50ff8e4ef3d904133fffd7aced
  SHA1: e97d588174035ef205041e431e305477991b7d56
  SHA256: c3c4ef008ea6903b3aa5eae43e7fe959de4438d195979a9fa8e1ae59ce56f1ac
  SHA512: fcafd024c5036eeab4f5d91a176f5ac1a264796c13f2935bad5a05ca492e7637ca6a229a8818ad27ec3647135c44d25ceaeb417474b62fcfc04ebbcaef77a781