Analysis
-
max time kernel
154s -
max time network
127s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
10-04-2024 12:23
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe
Resource
win7-20240221-en
windows7-x64
4 signatures
150 seconds
Behavioral task
behavioral2
Sample
87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
3 signatures
150 seconds
General
-
Target
87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe
-
Size
628KB
-
MD5
afe6d7985388013e32ae388a29600ae2
-
SHA1
f8082260e1591b439fdaf2ccfe3c80ccfe9d8ea6
-
SHA256
87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329
-
SHA512
98b7d345a39c755c16ff17f167de868d7b5ab9acba40f9bb9afe34056698809a5591924c9197689fb05062ed8ea68d61a91404c8e879bad4d24e5bb544782c1c
-
SSDEEP
6144:9qqDLuK1hG/uo0luLBjUX3DPg5trMON1JIIAFwp1I40zL75grM5IEu7h95Pp3qI:AqnuKTo0YSXbg5twsoEa375Z5VgfP
Malware Config
Extracted
Family
netwire
C2
atlaswebportal.zapto.org:4000
Attributes
-
activex_autorun
false
-
copy_executable
false
-
delete_original
false
-
host_id
R4_UPD_24.10.16
-
keylogger_dir
C:\NVIDIA\profile\
-
lock_executable
false
-
offline_keylogger
true
-
password
Micr0s0ft4456877
-
registry_autorun
false
-
use_mutex
false
Signatures
-
NetWire RAT payload 28 IoCs
resource yara_rule behavioral1/memory/2600-2-0x0000000000400000-0x000000000041E000-memory.dmp netwire behavioral1/memory/2600-4-0x0000000000400000-0x000000000041E000-memory.dmp netwire behavioral1/memory/2600-6-0x0000000000400000-0x000000000041E000-memory.dmp netwire behavioral1/memory/2600-8-0x0000000000400000-0x000000000041E000-memory.dmp netwire behavioral1/memory/2600-10-0x0000000000400000-0x000000000041E000-memory.dmp netwire behavioral1/memory/2600-12-0x0000000000400000-0x000000000041E000-memory.dmp netwire behavioral1/memory/2600-14-0x0000000000400000-0x000000000041E000-memory.dmp netwire behavioral1/memory/2600-16-0x0000000000400000-0x000000000041E000-memory.dmp netwire behavioral1/memory/2600-18-0x0000000000400000-0x000000000041E000-memory.dmp netwire behavioral1/memory/2600-20-0x0000000000400000-0x000000000041E000-memory.dmp netwire behavioral1/memory/2600-22-0x0000000000400000-0x000000000041E000-memory.dmp netwire behavioral1/memory/2600-24-0x0000000000400000-0x000000000041E000-memory.dmp netwire behavioral1/memory/2600-26-0x0000000000400000-0x000000000041E000-memory.dmp netwire behavioral1/memory/2600-28-0x0000000000400000-0x000000000041E000-memory.dmp netwire behavioral1/memory/2600-30-0x0000000000400000-0x000000000041E000-memory.dmp netwire behavioral1/memory/2600-32-0x0000000000400000-0x000000000041E000-memory.dmp netwire behavioral1/memory/2600-34-0x0000000000400000-0x000000000041E000-memory.dmp netwire behavioral1/memory/2600-40-0x0000000000400000-0x000000000041E000-memory.dmp netwire behavioral1/memory/2600-42-0x0000000000400000-0x000000000041E000-memory.dmp netwire behavioral1/memory/2600-44-0x0000000000400000-0x000000000041E000-memory.dmp netwire behavioral1/memory/2600-46-0x0000000000400000-0x000000000041E000-memory.dmp netwire behavioral1/memory/2600-48-0x0000000000400000-0x000000000041E000-memory.dmp netwire behavioral1/memory/2600-50-0x0000000000400000-0x000000000041E000-memory.dmp netwire behavioral1/memory/2600-56-0x0000000000400000-0x000000000041E000-memory.dmp netwire behavioral1/memory/2600-58-0x0000000000400000-0x000000000041E000-memory.dmp netwire behavioral1/memory/2600-60-0x0000000000400000-0x000000000041E000-memory.dmp netwire behavioral1/memory/2600-62-0x0000000000400000-0x000000000041E000-memory.dmp netwire behavioral1/memory/2600-64-0x0000000000400000-0x000000000041E000-memory.dmp netwire -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 2180 87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe 2180 87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe 2180 87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe 2180 87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2180 wrote to memory of 2600 2180 87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe 28 PID 2180 wrote to memory of 2600 2180 87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe 28 PID 2180 wrote to memory of 2600 2180 87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe 28 PID 2180 wrote to memory of 2600 2180 87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe 28 PID 2180 wrote to memory of 2600 2180 87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe 28 PID 2180 wrote to memory of 2600 2180 87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe 28 PID 2180 wrote to memory of 2600 2180 87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe 28 PID 2180 wrote to memory of 2600 2180 87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe 28 PID 2180 wrote to memory of 2600 2180 87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe 28 PID 2180 wrote to memory of 2600 2180 87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe 28 PID 2180 wrote to memory of 2600 2180 87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe 28 PID 2180 wrote to memory of 2600 2180 87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe 28 PID 2180 wrote to memory of 2600 2180 87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe 28 PID 2180 wrote to memory of 2600 2180 87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe 28 PID 2180 wrote to memory of 2600 2180 87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe 28 PID 2180 wrote to memory of 2600 2180 87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe 28 PID 2180 wrote to memory of 2600 2180 87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe 28 PID 2180 wrote to memory of 2600 2180 87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe 28 PID 2180 wrote to memory of 2600 2180 87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe 28 PID 2180 wrote to memory of 2600 2180 87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe 28 PID 2180 wrote to memory of 2600 2180 87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe 28 PID 2180 wrote to memory of 2600 2180 87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe 28 PID 2180 wrote to memory of 2600 2180 87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe 28 PID 2180 wrote to memory of 2600 2180 87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe 28 PID 2180 wrote to memory of 2600 2180 87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe 28 PID 2180 wrote to memory of 2600 2180 87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe 28 PID 2180 wrote to memory of 2600 2180 87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe 28 PID 2180 wrote to memory of 2600 2180 87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe 28 PID 2180 wrote to memory of 2600 2180 87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe 28 PID 2180 wrote to memory of 2600 2180 87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe 28 PID 2180 wrote to memory of 2600 2180 87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe 28 PID 2180 wrote to memory of 2600 2180 87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe 28 PID 2180 wrote to memory of 2600 2180 87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe 28 PID 2180 wrote to memory of 2600 2180 87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe 28 PID 2180 wrote to memory of 2600 2180 87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe 28 PID 2180 wrote to memory of 2600 2180 87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe 28 PID 2180 wrote to memory of 2600 2180 87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe 28 PID 2180 wrote to memory of 2600 2180 87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe 28 PID 2180 wrote to memory of 2600 2180 87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe 28 PID 2180 wrote to memory of 2600 2180 87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe 28 PID 2180 wrote to memory of 2600 2180 87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe 28 PID 2180 wrote to memory of 2600 2180 87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe 28 PID 2180 wrote to memory of 2600 2180 87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe 28 PID 2180 wrote to memory of 2600 2180 87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe 28 PID 2180 wrote to memory of 2600 2180 87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe 28 PID 2180 wrote to memory of 2600 2180 87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe 28 PID 2180 wrote to memory of 2600 2180 87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe 28 PID 2180 wrote to memory of 2600 2180 87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe 28 PID 2180 wrote to memory of 2600 2180 87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe 28 PID 2180 wrote to memory of 2600 2180 87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe 28 PID 2180 wrote to memory of 2600 2180 87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe 28 PID 2180 wrote to memory of 2600 2180 87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe 28 PID 2180 wrote to memory of 2600 2180 87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe 28 PID 2180 wrote to memory of 2600 2180 87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe 28 PID 2180 wrote to memory of 2600 2180 87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe 28 PID 2180 wrote to memory of 2600 2180 87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe 28 PID 2180 wrote to memory of 2600 2180 87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe 28 PID 2180 wrote to memory of 2600 2180 87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe 28 PID 2180 wrote to memory of 2600 2180 87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe 28 PID 2180 wrote to memory of 2600 2180 87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe 28 PID 2180 wrote to memory of 2600 2180 87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe 28 PID 2180 wrote to memory of 2600 2180 87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe 28 PID 2180 wrote to memory of 2600 2180 87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe 28 PID 2180 wrote to memory of 2600 2180 87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe"C:\Users\Admin\AppData\Local\Temp\87ea2dbafe7338c46b8ff3e83d14e03bfcd8cb71a0b29b54dfd8a8691ffa2329.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Windows\SysWOW64\explorer.exeexplorer.exe2⤵PID:2600
-