Analysis
-
max time kernel
141s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system -
submitted
25-01-2024 16:33
Behavioral task
behavioral1
Sample
74fa65bdc2b30888cd6732f8ccf9c438.exe
Resource
win7-20231215-en
General
-
Target
74fa65bdc2b30888cd6732f8ccf9c438.exe
-
Size
397KB
-
MD5
74fa65bdc2b30888cd6732f8ccf9c438
-
SHA1
a2aa0495113e0f9db4153fc087048b53fdb1e18d
-
SHA256
8c3515df37a219842450dd3fb91bbade7cf8d8ec7fe17427f37cb4b83a3a237a
-
SHA512
95048ef938c046348cf420cf9da70c30a21a1bb4bb56b507a856a224c552e4eb08acd463e574b79eeef3e9bcc374cc11fd6f7331cac239f16b84bc856ab8b4d3
-
SSDEEP
6144:mZFV6YJoVLIW91ILonX9buxDNae0rMAZZV8mS2vS+44kgQj1nKh/AY6PuqjDobEH:0T6eoVH91nnX84vS+4qQNUhqjDoIYof
Malware Config
Extracted
netwire
155.94.198.169:9112
-
activex_autorun
false
-
copy_executable
true
-
delete_original
false
-
host_id
Corona-Virus
-
install_path
%AppData%\Install\offiice365.exe
-
keylogger_dir
%AppData%\Logs\
-
lock_executable
false
-
offline_keylogger
true
-
password
Pounds
-
registry_autorun
true
-
startup_name
officeii365
-
use_mutex
false
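The extracted configuration above is directly actionable: registry_autorun with startup_name gives the Run value name, install_path gives the on-disk copy, keylogger_dir the offline keylog location, and the netwire line the C2 endpoint (the Run-key signature further down shows %AppData% resolving to the user's Roaming directory). The following is an added example, not part of this report or of any sandbox's code, that turns those fields into matching logic and runs it over a handful of constructed Sysmon-style events (the field names, the benign events and the keylog file name are assumptions made for the example):

```python
import re

# Constructed from the "Malware Config" section of this report: the NetWire
# fields that yield host- and network-observable indicators.
NETWIRE_CFG = {
    "c2": "155.94.198.169:9112",
    "install_path": r"%AppData%\Install\offiice365.exe",
    "keylogger_dir": "%AppData%\\Logs\\",
    "startup_name": "officeii365",
}

# NetWire's %AppData% is the per-user Roaming directory; the Run-key value on
# this report (C:\Users\Admin\AppData\Roaming\Install\offiice365.exe) confirms
# it. Any drive letter and user name are accepted so the pattern is reusable
# outside the sandbox.
APPDATA_RE = r"[A-Za-z]:\\Users\\[^\\]+\\AppData\\Roaming"

def expand_appdata(template):
    """Turn a config path template into an anchored, case-insensitive regex."""
    parts = [re.escape(p) for p in template.split("%AppData%")]
    return re.compile("^" + APPDATA_RE.join(parts), re.IGNORECASE)

def iocs_from_config(cfg):
    """Derive the indicators a detection needs from the extracted config."""
    host, port = cfg["c2"].rsplit(":", 1)
    return {
        "c2": (host, int(port)),
        "install_re": expand_appdata(cfg["install_path"]),
        "keylog_re": expand_appdata(cfg["keylogger_dir"]),
        "run_name_re": re.compile(
            r"\\CurrentVersion\\Run\\" + re.escape(cfg["startup_name"]) + r"$",
            re.IGNORECASE,
        ),
    }

def match_events(events, cfg):
    """Return [(event id, [reasons])] for every event that matches an indicator."""
    iocs = iocs_from_config(cfg)
    hits = []
    for ev in events:
        reasons = []
        if ev["type"] == "registry_set":
            if iocs["run_name_re"].search(ev["key"]):
                reasons.append("run_key_name")
            if iocs["install_re"].match(ev["data"].strip('"')):
                reasons.append("run_key_points_to_install_path")
        elif ev["type"] == "process_create":
            if iocs["install_re"].match(ev["image"]):
                reasons.append("install_path_executed")
        elif ev["type"] == "network_connect":
            if (ev["dst"], ev["dport"]) == iocs["c2"]:
                reasons.append("c2_connect")
        elif ev["type"] == "file_create":
            if iocs["keylog_re"].match(ev["path"]):
                reasons.append("keylogger_dir_write")
        if reasons:
            hits.append((ev["id"], reasons))
    return hits

# Constructed sample telemetry (Sysmon-style, reduced to the fields used):
# events 1-4 reproduce what this sample does per the report, 5-6 are benign noise.
SAMPLE_EVENTS = [
    {"id": 1, "type": "registry_set",
     "key": r"HKU\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\officeii365",
     "data": r"C:\Users\Admin\AppData\Roaming\Install\offiice365.exe"},
    {"id": 2, "type": "process_create",
     "image": r"C:\Users\Admin\AppData\Roaming\Install\offiice365.exe"},
    {"id": 3, "type": "network_connect",
     "image": r"C:\Users\Admin\AppData\Roaming\Install\offiice365.exe",
     "dst": "155.94.198.169", "dport": 9112},
    {"id": 4, "type": "file_create",
     "path": r"C:\Users\Admin\AppData\Roaming\Logs\keys.log"},  # file name is constructed
    {"id": 5, "type": "registry_set",
     "key": r"HKU\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"id": 6, "type": "network_connect", "image": r"C:\Windows\System32\svchost.exe",
     "dst": "8.8.8.8", "dport": 53},
]

if __name__ == "__main__":
    for event_id, reasons in match_events(SAMPLE_EVENTS, NETWIRE_CFG):
        print(event_id, ", ".join(reasons))
```

The Run-value check fires on either the value name or the data pointing into the install path, so a rebuilt sample that changes only startup_name still matches on the path, and vice versa; the C2 match requires both host and port because the extracted config binds them together.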
Signatures
-
NetWire RAT payload 3 IoCs
Processes:
resource                                                                    yara_rule
behavioral1/memory/1460-16-0x0000000000400000-0x0000000000434000-memory.dmp  netwire
behavioral1/memory/2844-18-0x0000000000400000-0x0000000000434000-memory.dmp  netwire
behavioral1/memory/2844-20-0x0000000000400000-0x0000000000434000-memory.dmp  netwire
-
Executes dropped EXE 2 IoCs
Processes:
pid   process
1460  test.exe
2844  offiice365.exe
-
Loads dropped DLL 4 IoCs
Processes:
pid   process
1776  cmd.exe
1776  cmd.exe
1460  test.exe
1460  test.exe
-
UPX packed file 7 IoCs
Processes:
resource                                                                    yara_rule
behavioral1/memory/2236-0-0x0000000000400000-0x00000000004E9000-memory.dmp   upx
\Users\Admin\AppData\Local\Temp\test.exe                                    upx
behavioral1/memory/1460-7-0x0000000000400000-0x0000000000434000-memory.dmp   upx
behavioral1/memory/1460-16-0x0000000000400000-0x0000000000434000-memory.dmp  upx
behavioral1/memory/2844-18-0x0000000000400000-0x0000000000434000-memory.dmp  upx
behavioral1/memory/2236-19-0x0000000000400000-0x00000000004E9000-memory.dmp  upx
behavioral1/memory/2844-20-0x0000000000400000-0x0000000000434000-memory.dmp  upx
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description      ioc                                                                                                                                                                   process
Set value (str)  \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\officeii365 = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\offiice365.exe"  offiice365.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
description                       pid   process                               target process
PID 2236 wrote to memory of 1776  2236  74fa65bdc2b30888cd6732f8ccf9c438.exe  cmd.exe         (4 events)
PID 1776 wrote to memory of 1460  1776  cmd.exe                               test.exe        (4 events)
PID 1460 wrote to memory of 2844  1460  test.exe                              offiice365.exe  (4 events)
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\74fa65bdc2b30888cd6732f8ccf9c438.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\74fa65bdc2b30888cd6732f8ccf9c438.exe"
    - Suspicious use of WriteProcessMemory
    PID:2236
    -
  [2] C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c test.exe
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      PID:1776
      -
    [3] C:\Users\Admin\AppData\Local\Temp\test.exe
        command line: test.exe
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        PID:1460
        -
      [4] C:\Users\Admin\AppData\Roaming\Install\offiice365.exe
          command line: "C:\Users\Admin\AppData\Roaming\Install\offiice365.exe"
          - Executes dropped EXE
          - Adds Run key to start application
          PID:2844
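The WriteProcessMemory signature and the process tree above describe the same chain: each write goes from a parent into the child it has just created (2236 into 1776, 1776 into 1460, 1460 into 2844), which is what process creation looks like to a user-mode monitor, whereas a write into a process that is not the writer's own child would be the injection case worth triaging. The following is an added example, not part of this report or of any sandbox's code, that parses the report's flattened "wrote to memory of" records and the process tree's nesting levels, rebuilds the tree, and separates parent-to-child writes from cross-process ones; the input strings and rows are constructed from this page, and the row tuple format is an assumption of the example:

```python
import re
from collections import Counter

# Constructed from this report: the twelve "wrote to memory of" records under
# "Suspicious use of WriteProcessMemory", each parent/child pair repeated four
# times exactly as the sandbox listed them, flattened onto one line.
WPM_RECORDS = " ".join(
    rec
    for rec, repeats in [
        ("PID 2236 wrote to memory of 1776 2236 74fa65bdc2b30888cd6732f8ccf9c438.exe cmd.exe", 4),
        ("PID 1776 wrote to memory of 1460 1776 cmd.exe test.exe", 4),
        ("PID 1460 wrote to memory of 2844 1460 test.exe offiice365.exe", 4),
    ]
    for _ in range(repeats)
)

# Constructed from the "Processes" section: (nesting level, pid, image), where
# level n corresponds to the page's "n⤵" marker.
PROCESS_ROWS = [
    (1, 2236, "74fa65bdc2b30888cd6732f8ccf9c438.exe"),
    (2, 1776, "cmd.exe"),
    (3, 1460, "test.exe"),
    (4, 2844, "offiice365.exe"),
]

RECORD_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<src_img>\S+) (?P<dst_img>\S+)"
)

def parse_wpm(text):
    """Count writes per (writer pid, target pid) and remember each pid's image name."""
    edges, images = Counter(), {}
    for m in RECORD_RE.finditer(text):
        src, dst = int(m["src"]), int(m["dst"])
        edges[(src, dst)] += 1
        images.setdefault(src, m["src_img"])
        images.setdefault(dst, m["dst_img"])
    return edges, images

def parents_from_levels(rows):
    """Map pid -> parent pid; a level-n row's parent is the latest level-(n-1) row."""
    parent_of, stack = {}, []
    for level, pid, _ in rows:
        del stack[level - 1:]          # unwind the stack to this row's depth
        if stack:
            parent_of[pid] = stack[-1]
        stack.append(pid)
    return parent_of

def classify_writes(edges, parent_of):
    """Split writes into parent -> own child (process creation as seen by a
    user-mode monitor) and writes into any other process (candidate injection)."""
    creation, cross_process = {}, {}
    for (src, dst), n in edges.items():
        bucket = creation if parent_of.get(dst) == src else cross_process
        bucket[(src, dst)] = n
    return creation, cross_process

def render_tree(rows, edges):
    """Indented process tree annotated with the write count from each parent."""
    parent_of = parents_from_levels(rows)
    return [
        f"{'  ' * (level - 1)}{image} (PID {pid}, "
        f"{edges.get((parent_of.get(pid), pid), 0)} writes from parent)"
        for level, pid, image in rows
    ]

if __name__ == "__main__":
    edges, images = parse_wpm(WPM_RECORDS)
    creation, cross_process = classify_writes(edges, parents_from_levels(PROCESS_ROWS))
    print("\n".join(render_tree(PROCESS_ROWS, edges)))
    print("cross-process writes:", cross_process or "none")
```

On this report every write lands in the classification's creation bucket and the cross-process bucket is empty; the same two functions applied to a report where a dropped executable writes into, say, an already running browser would place that pair in the cross-process bucket, which is the line to read first.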
Network
MITRE ATT&CK Enterprise v15
Downloads
-
\Users\Admin\AppData\Local\Temp\test.exe
Filesize 70KB
MD5 eacc8434d9ddd4c93ea0cb0283db90a6
SHA1 f60e1dc07f5238d688b22d8e46d9924b7a9d2872
SHA256 696063cab6b63873c298a5033e5be6b3b8213cc06df33221238d37cddd3c7187
SHA512 d96ba53db82185f00b787014fa12e45bb62f614f395b55354266499b9175a6710bcd312774cce41b6d7c4eab1361a4730b50ca5880cf82895be445821a0b5817
-
memory/1460-7-0x0000000000400000-0x0000000000434000-memory.dmp
Filesize 208KB
-
memory/1460-16-0x0000000000400000-0x0000000000434000-memory.dmp
Filesize 208KB
-
memory/1776-4-0x0000000000120000-0x0000000000154000-memory.dmp
Filesize 208KB
-
memory/2236-0-0x0000000000400000-0x00000000004E9000-memory.dmp
Filesize 932KB
-
memory/2236-19-0x0000000000400000-0x00000000004E9000-memory.dmp
Filesize 932KB
-
memory/2844-18-0x0000000000400000-0x0000000000434000-memory.dmp
Filesize 208KB
-
memory/2844-20-0x0000000000400000-0x0000000000434000-memory.dmp
Filesize 208KB