Analysis
max time kernel: 150s
max time network: 123s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 10-04-2024 11:39
Static task: static1
Behavioral task: behavioral1
Sample: 6905b9a6b31ab4fee60d50165318d52e49e0883e1ec1e93133b4a0722cbb7686.exe
Resource: win7-20240221-en

General
Target: 6905b9a6b31ab4fee60d50165318d52e49e0883e1ec1e93133b4a0722cbb7686.exe
Size: 232KB
MD5: e6714e3bd83b4a349ab48cc203b91813
SHA1: 5f691a8f917a30129dfba99513648b884521caba
SHA256: 6905b9a6b31ab4fee60d50165318d52e49e0883e1ec1e93133b4a0722cbb7686
SHA512: 903bb279293d8d9f99dd1fd5eb1c98d1e0379c06677d97e3f7dbab3790f2fa90c582c55a73b32117c627ded1c6dfd8fb6e7502757d8725882b6c1bbab5de96e3
SSDEEP: 6144:fqqDLuH5Qq1BpPrWCFb26J7XUsf32v8ysFsi:CqnuZxfFb9Oncsi

Malware Config
Extracted
Family: netwire
C2: atlaswebportal.zapto.org:4000
activex_autorun: false
copy_executable: false
delete_original: false
host_id: R5_04.08.16_02
keylogger_dir: C:\NVIDIA\profile\
lock_executable: false
offline_keylogger: true
password: Micr0s0ft4456877
registry_autorun: false
use_mutex: false

Signatures

NetWire RAT payload (28 IoCs)
Drops startup file (1 IoC)
description: File created; ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AudioWizard.lnk; Process: 6905b9a6b31ab4fee60d50165318d52e49e0883e1ec1e93133b4a0722cbb7686.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid: 2372; Process: 6905b9a6b31ab4fee60d50165318d52e49e0883e1ec1e93133b4a0722cbb7686.exe (identical entry listed four times)

Suspicious behavior: RenamesItself (1 IoC)
pid: 2372; Process: 6905b9a6b31ab4fee60d50165318d52e49e0883e1ec1e93133b4a0722cbb7686.exe

Suspicious use of WriteProcessMemory (64 IoCs)
description: PID 2372 wrote to memory of 2444; pid: 2372; Process: 6905b9a6b31ab4fee60d50165318d52e49e0883e1ec1e93133b4a0722cbb7686.exe; procid_target: 30 (identical entry listed 64 times)

Processes
- C:\Users\Admin\AppData\Local\Temp\6905b9a6b31ab4fee60d50165318d52e49e0883e1ec1e93133b4a0722cbb7686.exe (command line: "C:\Users\Admin\AppData\Local\Temp\6905b9a6b31ab4fee60d50165318d52e49e0883e1ec1e93133b4a0722cbb7686.exe"), PID: 2372
  - Drops startup file
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\explorer.exe (command line: explorer.exe), PID: 2444