Analysis
-
max time kernel
40s -
max time network
37s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
03-04-2024 10:26
General
-
Target
73a730cc05e127b85ff61ee79abe22e97c3bd8e607e410e8537896fd414bc748.exe
-
Size
990KB
-
MD5
fbb147938c449be95316ff77906d3ecc
-
SHA1
06c46e8176c2ed1731a4a9644a15ee3404c21ce6
-
SHA256
73a730cc05e127b85ff61ee79abe22e97c3bd8e607e410e8537896fd414bc748
-
SHA512
aae86b03cc809772ac97d6992df21b19f9c33de082f478e682a97a23acd078573ea95b1eef90c19575b43f7985e077236d6f651690c82c0995d035303fe74e35
-
SSDEEP
24576:rfd8z4byilBdlfYB9GfxVAk+r8sYi/bhA:rf8IN19zfxWHA
Malware Config
Extracted
netwire
43.226.229.43:2030
-
activex_autorun
false
-
copy_executable
true
-
delete_original
false
-
host_id
Bo Tango
-
install_path
%AppData%\Install\Host.exe
-
keylogger_dir
%AppData%\Logs\
-
lock_executable
false
-
offline_keylogger
true
-
password
Password
-
registry_autorun
true
-
startup_name
NetWire
-
use_mutex
false
Extracted
nanocore
1.2.2.0
79.134.225.12:1414
c6a98da5-e0f9-45b5-be57-98059178c440
-
activate_away_mode
true
-
backup_connection_host
79.134.225.12
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2020-04-20T13:14:05.944029236Z
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
1414
-
default_group
Directdeposit
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
c6a98da5-e0f9-45b5-be57-98059178c440
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
79.134.225.12
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
true
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Signatures
-
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
-
NetWire RAT payload 8 IoCs
-
Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 4 IoCs
-
UPX packed file 5 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\73a730cc05e127b85ff61ee79abe22e97c3bd8e607e410e8537896fd414bc748.exe"C:\Users\Admin\AppData\Local\Temp\73a730cc05e127b85ff61ee79abe22e97c3bd8e607e410e8537896fd414bc748.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\bob.exe"C:\Users\Admin\AppData\Local\Temp\bob.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Install\Host.exe"C:\Users\Admin\AppData\Roaming\Install\Host.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
-
-
-
C:\Users\Admin\AppData\Local\Temp\73a730cc05e127b85ff61ee79abe22e97c3bd8e607e410e8537896fd414bc748.exe"C:\Users\Admin\AppData\Local\Temp\73a730cc05e127b85ff61ee79abe22e97c3bd8e607e410e8537896fd414bc748.exe"2⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\73a730cc05e127b85ff61ee79abe22e97c3bd8e607e410e8537896fd414bc748.exe"C:\Users\Admin\AppData\Local\Temp\73a730cc05e127b85ff61ee79abe22e97c3bd8e607e410e8537896fd414bc748.exe" 2 2476 2594001782⤵
- Suspicious behavior: EnumeratesProcesses
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
160KB
MD57bdc150a1a6b6dd0e2f700a4fa6bde6b
SHA15b196643432be8a2ce3b1816420a20a8bad4fa65
SHA256529ce287a09dfac4d212f2871c0ed7a0f9580b1c55cf4afe0853b8ff3b1fdc1c
SHA5127ec7f213cb8fefbfb1288f40e339c4ebefcce56866b9eaa2b8f4bb7dbdffdc7fc691f1d9f7575cdf82f952e7d096a00141d74b712685d8f0070c0933bc70b3e2
-
Filesize
1016KB
-
Filesize
76KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
5.7MB
-
Filesize
508KB
-
Filesize
224KB
-
Filesize
224KB
-
Filesize
1.1MB
-
Filesize
508KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
1.1MB
-
Filesize
64KB
-
Filesize
1.1MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
256KB
-
Filesize
508KB
-
Filesize
1.1MB
-
Filesize
508KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
5.7MB
-
Filesize
1.1MB
-
Filesize
64KB
-
Filesize
508KB
-
Filesize
64KB
-
Filesize
1.1MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
1016KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
204KB
-
Filesize
204KB