Analysis

- max time kernel: 117s
- max time network: 127s
- platform: windows7_x64
- resource: win7-20230831-en
- resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
- submitted: 11-10-2023 11:08
- Static task: static1
- Behavioral task: behavioral1
- Sample: 3a216b9390f1c46b8e49d43c63211a76e236510ef545eda83ddd8084f605f956 (1).exe
- Resource: win7-20230831-en
General

- Target: 3a216b9390f1c46b8e49d43c63211a76e236510ef545eda83ddd8084f605f956 (1).exe
- Size: 15.2MB
- MD5: 38be94769e4f59d9a90e551e505c2e07
- SHA1: cac71ca2dd32cbe99614870ef01851e0d54bff84
- SHA256: 3a216b9390f1c46b8e49d43c63211a76e236510ef545eda83ddd8084f605f956
- SHA512: 47ef669a5be744235e10ba65d7deb8bdd46544cd6dc4532fa4b43fdc3b5d9b6b49febbef8906870b321281c47ca45f9b679e65eabfeffbf6deffc96fa27e24a5
- SSDEEP: 393216:J8/uxLqG0/kfQslis6SAVDfINRPcji3Zhtnh0:Bv0/kr8s6SA5QUji3ZhtnK
Malware Config

Extracted: netwire

- C2: qayshaija.ddns.net:1515
- activex_autorun: false
- copy_executable: false
- delete_original: false
- host_id: HostId-%Rand%
- keylogger_dir: %AppData%\Logs\
- lock_executable: false
- offline_keylogger: true
- password: Password
- registry_autorun: false
- use_mutex: false
Signatures
NetWire RAT payload 3 IoCs

| resource | yara_rule |
|---|---|
| behavioral1/memory/600-56-0x0000000000400000-0x000000000042B000-memory.dmp | netwire |
| behavioral1/memory/600-58-0x0000000000400000-0x000000000042B000-memory.dmp | netwire |
| behavioral1/memory/600-60-0x0000000000400000-0x000000000042B000-memory.dmp | netwire |
Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

| description | ioc | Process |
|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | install.exe |
Executes dropped EXE 3 IoCs

| pid | Process |
|---|---|
| 2576 | OInstall.exe |
| 2700 | install.exe |
| 2500 | files.dat |
Loads dropped DLL 11 IoCs

| pid | Process | events |
|---|---|---|
| 2216 | 3a216b9390f1c46b8e49d43c63211a76e236510ef545eda83ddd8084f605f956 (1).exe | 8 |
| 2700 | install.exe | 3 |

UPX-packed resources (yara_rule upx):

| resource | yara_rule |
|---|---|
| behavioral1/files/0x000e000000012268-2.dat | upx |
| behavioral1/files/0x000e000000012268-5.dat | upx |
| behavioral1/files/0x000e000000012268-11.dat | upx |
| behavioral1/files/0x000e000000012268-9.dat | upx |
| behavioral1/files/0x000e000000012268-6.dat | upx |
| behavioral1/files/0x000e000000012268-13.dat | upx |
| behavioral1/memory/2216-29-0x0000000008E60000-0x000000000A161000-memory.dmp | upx |
| behavioral1/memory/2576-33-0x0000000000400000-0x0000000001701000-memory.dmp | upx |
| behavioral1/files/0x000e000000012268-34.dat | upx |
| behavioral1/memory/2576-53-0x0000000000400000-0x0000000001701000-memory.dmp | upx |
| behavioral1/memory/2576-67-0x0000000000400000-0x0000000001701000-memory.dmp | upx |
Suspicious use of SetThreadContext 1 IoCs

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 2700 set thread context of 600 | 2700 | install.exe | 36 |
Enumerates physical storage devices 1 TTPs

Attempts to interact with connected storage/optical drive(s).
Program crash 1 IoCs

| pid | pid_target | Process | procid_target |
|---|---|---|---|
| 740 | 600 | WerFault.exe | 36 |
Enumerates system info in registry 2 TTPs 3 IoCs

| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | install.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | install.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | install.exe |
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

| pid | Process |
|---|---|
| 2500 | files.dat |
Suspicious behavior: MapViewOfSection 2 IoCs

| pid | Process | events |
|---|---|---|
| 2700 | install.exe | 2 |
Suspicious use of FindShellTrayWindow 4 IoCs

| pid | Process | events |
|---|---|---|
| 2216 | 3a216b9390f1c46b8e49d43c63211a76e236510ef545eda83ddd8084f605f956 (1).exe | 4 |
Suspicious use of SendNotifyMessage 4 IoCs

| pid | Process | events |
|---|---|---|
| 2216 | 3a216b9390f1c46b8e49d43c63211a76e236510ef545eda83ddd8084f605f956 (1).exe | 4 |
Suspicious use of WriteProcessMemory 48 IoCs

Identical events are grouped; the events column sums to the 48 IoCs.

| description | pid | Process | procid_target | events |
|---|---|---|---|---|
| PID 2216 wrote to memory of 2576 | 2216 | 3a216b9390f1c46b8e49d43c63211a76e236510ef545eda83ddd8084f605f956 (1).exe | 28 | 7 |
| PID 2216 wrote to memory of 2700 | 2216 | 3a216b9390f1c46b8e49d43c63211a76e236510ef545eda83ddd8084f605f956 (1).exe | 29 | 7 |
| PID 2576 wrote to memory of 2968 | 2576 | OInstall.exe | 30 | 4 |
| PID 2576 wrote to memory of 2600 | 2576 | OInstall.exe | 32 | 4 |
| PID 2600 wrote to memory of 2500 | 2600 | cmd.exe | 34 | 4 |
| PID 2700 wrote to memory of 564 | 2700 | install.exe | 35 | 7 |
| PID 2700 wrote to memory of 600 | 2700 | install.exe | 36 | 8 |
| PID 600 wrote to memory of 740 | 600 | RegAsm.exe | 37 | 7 |
Processes

Process tree (indentation shows parent/child relationships; the path is followed by the recorded command line, PID and triggered signatures):

- C:\Users\Admin\AppData\Local\Temp\3a216b9390f1c46b8e49d43c63211a76e236510ef545eda83ddd8084f605f956 (1).exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3a216b9390f1c46b8e49d43c63211a76e236510ef545eda83ddd8084f605f956 (1).exe"
  PID: 2216
  Signatures: Loads dropped DLL; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\OInstall.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
    PID: 2576
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\Sysnative\cmd.exe" /D /c copy C:\Windows\system32\Tasks\OInstall "C:\Windows\Temp\OInstall.tmp" /Y
      PID: 2968
    - C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\Sysnative\cmd.exe" /D /c files.dat -y -pkmsauto
      PID: 2600
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\files\files.dat
        Command line: files.dat -y -pkmsauto
        PID: 2500
        Signatures: Executes dropped EXE; Suspicious behavior: CmdExeWriteProcessMemorySpam
  - C:\Users\Admin\AppData\Local\Temp\install.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\install.exe"
    PID: 2700
    Signatures: Checks BIOS information in registry; Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; Enumerates system info in registry; Suspicious behavior: MapViewOfSection; Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      Command line: "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
      PID: 564
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      Command line: "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
      PID: 600
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 600 -s 280
        PID: 740
        Signatures: Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 9.8MB
  MD5: 78ffd4acc57558d2b0e6b89fff8930f4
  SHA1: 4513925109addb215d1004399302fb076fefdd43
  SHA256: 0c0a89c18afc28ffaf49d10153e4b81178c511cfb5594d893c9510c24c193e7e
  SHA512: 76685f2cf94bd8d15288696205a38033942f21def78c1d6fe503b94764fcbf46bfb01f7d9cf3d9adfe4136fc0b1eb395e071a3691bce0762038975eec259d566
- Filesize: 707KB
  MD5: 55d21b2c272a5d6b9f54fa9ed82bf9eb
  SHA1: 32464cba823cd9b7e94e4fa1a32a8f2344b0f33b
  SHA256: 7a1c82e264258470d14ca345ea1a9b6fc34fa19b393a92077a01be5f1ad08f47
  SHA512: 1b68d0c61367717529be4a3aa347bb69d3e21de7a89b10e8b0aa54d40af988cc0cc8e63298ba595a93c3372aca3770ace1eee2780a59238d0948499dbb4be725
- Filesize: 304KB
  MD5: 6037361243f8c390326debbea5b85ac2
  SHA1: 654fca850890949bbbd41a7e4c481ab89e10839a
  SHA256: b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5
  SHA512: 434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929