Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system -
submitted
17-04-2024 12:58
Static task
static1
Behavioral task
behavioral1
Sample
d15f99dbd30bae6e896c52a810fbcba080ae3ba76f3fc0d9a7761c5736ec7c81.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
d15f99dbd30bae6e896c52a810fbcba080ae3ba76f3fc0d9a7761c5736ec7c81.exe
Resource
win10v2004-20240412-en
General
-
Target
d15f99dbd30bae6e896c52a810fbcba080ae3ba76f3fc0d9a7761c5736ec7c81.exe
-
Size
171KB
-
MD5
7a6a6b35d4bc575897a1420134afc96a
-
SHA1
9c5e87ce87b70a52f57097172c2babde2021454b
-
SHA256
d15f99dbd30bae6e896c52a810fbcba080ae3ba76f3fc0d9a7761c5736ec7c81
-
SHA512
b879c2bf81017f8f97d4db3b458d6f3ff6eb1acb6e28394d9a292d58e83194857c6c5981378170e81d383340eb3eff42d2d64ce54ebd7a3e7357988428da5d2e
-
SSDEEP
3072:k/0CVy40hsbOeOyupBfOP8S6Uj9Av0fEdiFxFXwElgdEA/fLpujDqTrk3mjcqfZ:kswhwyJLjzfiib53W/fLpsDq/k7qf
Malware Config
Extracted
netwire
sosclient.duckdns.org:9002
-
activex_autorun
true
-
activex_key
{OTGC73Q0-N4WA-4861-311L-BE075477ANH7}
-
copy_executable
false
-
delete_original
false
-
host_id
08-%Rand%
-
lock_executable
true
-
mutex
stostmDW
-
offline_keylogger
false
-
password
10203010Aa
-
registry_autorun
true
-
startup_name
Windows defender
-
use_mutex
true
Signatures
-
NetWire RAT payload 4 IoCs
Processes:
resource  yara_rule
behavioral2/memory/2752-24-0x0000000000400000-0x0000000000420000-memory.dmp  netwire
behavioral2/memory/2752-27-0x0000000000400000-0x0000000000420000-memory.dmp  netwire
behavioral2/memory/2752-31-0x0000000000400000-0x0000000000420000-memory.dmp  netwire
behavioral2/memory/2752-34-0x0000000000400000-0x0000000000420000-memory.dmp  netwire
-
Modifies Installed Components in the registry 2 TTPs 2 IoCs
Processes:
description  ioc  process
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{OTGC73Q0-N4WA-4861-311L-BE075477ANH7}  AppLaunch.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{OTGC73Q0-N4WA-4861-311L-BE075477ANH7}\StubPath = "\"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\AppLaunch.exe\""  AppLaunch.exe
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description  ioc  process
Key value queried  \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation  d15f99dbd30bae6e896c52a810fbcba080ae3ba76f3fc0d9a7761c5736ec7c81.exe
Key value queried  \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation  rundlll32.exe
-
Drops startup file 3 IoCs
Processes:
description  ioc  process
File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundlll32.exe  d15f99dbd30bae6e896c52a810fbcba080ae3ba76f3fc0d9a7761c5736ec7c81.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundlll32.exe  d15f99dbd30bae6e896c52a810fbcba080ae3ba76f3fc0d9a7761c5736ec7c81.exe
File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundlll32.tbgljov2.lnk  d15f99dbd30bae6e896c52a810fbcba080ae3ba76f3fc0d9a7761c5736ec7c81.exe
-
Executes dropped EXE 2 IoCs
Processes:
pid  process
2024  rundlll32.exe
456  rundlll32.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description  ioc  process
Set value (str)  \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows defender = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\AppLaunch.exe"  AppLaunch.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description  pid  process  target process
PID 2024 set thread context of 2752  2024  rundlll32.exe  AppLaunch.exe
-
Drops file in Windows directory 3 IoCs
Processes:
description  ioc  process
File opened for modification  C:\Windows\Microsoft.NET\Framework\v2.0.50727\Settings.ini  AppLaunch.exe
File opened for modification  C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe  AppLaunch.exe
File created  C:\Windows\Microsoft.NET\Framework\v2.0.50727\Settings.ini  AppLaunch.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
description  pid  process
Token: SeDebugPrivilege  1600  d15f99dbd30bae6e896c52a810fbcba080ae3ba76f3fc0d9a7761c5736ec7c81.exe
Token: SeDebugPrivilege  2024  rundlll32.exe
Token: SeDebugPrivilege  456  rundlll32.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
pid  process
1600  d15f99dbd30bae6e896c52a810fbcba080ae3ba76f3fc0d9a7761c5736ec7c81.exe
-
Suspicious use of SendNotifyMessage 1 IoCs
Processes:
pid  process
1600  d15f99dbd30bae6e896c52a810fbcba080ae3ba76f3fc0d9a7761c5736ec7c81.exe
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
description  pid  process  target process
PID 1600 wrote to memory of 2024 (3 events)  1600  d15f99dbd30bae6e896c52a810fbcba080ae3ba76f3fc0d9a7761c5736ec7c81.exe  rundlll32.exe
PID 2024 wrote to memory of 456 (3 events)  2024  rundlll32.exe  rundlll32.exe
PID 2024 wrote to memory of 2752 (8 events)  2024  rundlll32.exe  AppLaunch.exe
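The extracted config and the signatures above describe the same persistence from two sides: activex_autorun plus activex_key predicts the Active Setup StubPath write, registry_autorun plus startup_name predicts the Run value named "Windows defender", and both point at the signed .NET host AppLaunch.exe, which PID 2024 then hollows (SetThreadContext followed by the WriteProcessMemory burst, with the netwire YARA hits landing in AppLaunch.exe's 0x400000-0x420000 region). The Python below is an added example written for this report, not sandbox or vendor code: it derives the expected registry artifacts from the config, matches them against events constructed from the report's IoC tables (the event field names proc/pid/op/path/value/target are my own), flags autorun values that point at an injected Microsoft host binary, and flags dropped files whose name is one character off a Windows binary (the dropped rundlll32.exe has an extra "l"). The lists of host binaries and system binary names beyond AppLaunch.exe and rundll32.exe are assumptions.

```python
"""Correlate a NetWire config with host events (added example, not report code)."""
import re

# Config fields as extracted in the report above.
NETWIRE_CFG = {
    "c2": "sosclient.duckdns.org:9002",
    "activex_autorun": True,
    "activex_key": "{OTGC73Q0-N4WA-4861-311L-BE075477ANH7}",
    "registry_autorun": True,
    "startup_name": "Windows defender",
    "mutex": "stostmDW",
}

# Registry locations (hive and SID stripped, lower-cased) used by the two autorun flags.
ACTIVE_SETUP = r"software\wow6432node\microsoft\active setup\installed components"
RUN_KEY = r"software\microsoft\windows\currentversion\run"

# Signed .NET host binaries commonly hollowed to carry a payload (assumed list).
MS_HOSTS = {"applaunch.exe", "regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe"}
# Windows binary names that droppers imitate (assumed list).
SYSTEM_BINS = {"rundll32.exe", "svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe"}

SAMPLE = "d15f99dbd30bae6e896c52a810fbcba080ae3ba76f3fc0d9a7761c5736ec7c81.exe"
NET_DIR = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

# Constructed events mirroring the report's signature tables (field names are my own).
EVENTS = [
    {"proc": "AppLaunch.exe", "pid": 2752, "op": "Set value",
     "path": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components"
             r"\{OTGC73Q0-N4WA-4861-311L-BE075477ANH7}\StubPath",
     "value": '"' + NET_DIR + r"\AppLaunch.exe" + '"'},
    {"proc": "AppLaunch.exe", "pid": 2752, "op": "Set value",
     "path": r"\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000"
             r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows defender",
     "value": NET_DIR + r"\AppLaunch.exe"},
    {"proc": "rundlll32.exe", "pid": 2024, "op": "SetThreadContext",
     "target": "AppLaunch.exe", "target_pid": 2752},
    {"proc": SAMPLE, "pid": 1600, "op": "File created",
     "path": STARTUP + r"\rundlll32.exe"},
]


def _norm(path):
    """Lower-case a registry path and drop the hive prefix and the user SID."""
    return re.sub(r"^\\REGISTRY\\(MACHINE|USER\\S-1-5-[0-9-]+)\\", "", path, flags=re.I).lower()


def expected_persistence(cfg):
    """Predict the registry values a NetWire build with this config will write."""
    exp = {}
    if cfg["activex_autorun"]:
        exp["active_setup"] = ACTIVE_SETUP + "\\" + cfg["activex_key"].lower() + "\\stubpath"
    if cfg["registry_autorun"]:
        exp["run_key"] = RUN_KEY + "\\" + cfg["startup_name"].lower()
    return exp


def match_persistence(cfg, events):
    """Return {rule: event} for every predicted registry write actually observed."""
    exp = expected_persistence(cfg)
    hits = {}
    for ev in events:
        if ev["op"] != "Set value":
            continue
        for rule, path in exp.items():
            if _norm(ev["path"]) == path:
                hits[rule] = ev
    return hits


def hollowed_autoruns(events):
    """Autorun values whose target is a Microsoft .NET host that was itself the
    target of SetThreadContext: the persisted file is clean, the payload is injected."""
    injected = {ev["target_pid"] for ev in events if ev["op"] == "SetThreadContext"}
    out = []
    for ev in events:
        if ev["op"] != "Set value":
            continue
        exe = ev["value"].strip('"').rsplit("\\", 1)[-1].lower()
        if exe in MS_HOSTS and ev["pid"] in injected:
            out.append(ev["path"])
    return out


def _edit1(a, b):
    """True if a and b are equal or differ by one insertion, deletion or substitution."""
    if abs(len(a) - len(b)) > 1:
        return False
    i = j = diff = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i += 1
            j += 1
            continue
        diff += 1
        if diff > 1:
            return False
        if len(a) > len(b):
            i += 1
        elif len(b) > len(a):
            j += 1
        else:
            i += 1
            j += 1
    return diff + (len(a) - i) + (len(b) - j) <= 1


def lookalike_drops(events):
    """Files created outside System32 whose name imitates a Windows binary."""
    out = []
    for ev in events:
        if ev["op"] != "File created" or "\\windows\\system32\\" in ev["path"].lower():
            continue
        name = ev["path"].rsplit("\\", 1)[-1].lower()
        if any(_edit1(name, s) for s in SYSTEM_BINS):
            out.append(ev["path"])
    return out


if __name__ == "__main__":
    for rule, ev in match_persistence(NETWIRE_CFG, EVENTS).items():
        print(f"[persistence:{rule}] pid {ev['pid']} {ev['proc']} -> {ev['path']}")
    for p in hollowed_autoruns(EVENTS):
        print(f"[autorun via hollowed host] {p}")
    for p in lookalike_drops(EVENTS):
        print(f"[lookalike drop] {p}")
```

The config-to-artifact mapping is the part worth reusing: when a new NetWire config is extracted, the StubPath and Run value names are known before the sample is detonated, so they can be fed to a registry hunt directly. Note that the report shows the HKLM Active Setup write under WOW6432Node because the 32-bit AppLaunch.exe is redirected there; the normaliser above deliberately keeps that component so a 64-bit write would not match by accident.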
Processes
-
C:\Users\Admin\AppData\Local\Temp\d15f99dbd30bae6e896c52a810fbcba080ae3ba76f3fc0d9a7761c5736ec7c81.exe (PID 1600, depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\d15f99dbd30bae6e896c52a810fbcba080ae3ba76f3fc0d9a7761c5736ec7c81.exe"
- Checks computer location settings
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundlll32.exe (PID 2024, depth 2)
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundlll32.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
-
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundlll32.exe (PID 456, depth 3)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundlll32.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
-
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe (PID 2752, depth 3)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
    - Modifies Installed Components in the registry
    - Adds Run key to start application
    - Drops file in Windows directory
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundlll32.exe
Filesize  171KB
MD5  7a6a6b35d4bc575897a1420134afc96a
SHA1  9c5e87ce87b70a52f57097172c2babde2021454b
SHA256  d15f99dbd30bae6e896c52a810fbcba080ae3ba76f3fc0d9a7761c5736ec7c81
SHA512  b879c2bf81017f8f97d4db3b458d6f3ff6eb1acb6e28394d9a292d58e83194857c6c5981378170e81d383340eb3eff42d2d64ce54ebd7a3e7357988428da5d2e
(all hashes identical to the submitted sample)
-
memory/456-22-0x0000000074B90000-0x0000000075141000-memory.dmp  Filesize 5.7MB
-
memory/456-33-0x0000000001300000-0x0000000001310000-memory.dmp  Filesize 64KB
-
memory/456-32-0x0000000074B90000-0x0000000075141000-memory.dmp  Filesize 5.7MB
-
memory/456-21-0x0000000074B90000-0x0000000075141000-memory.dmp  Filesize 5.7MB
-
memory/456-23-0x0000000001300000-0x0000000001310000-memory.dmp  Filesize 64KB
-
memory/1600-1-0x0000000001420000-0x0000000001430000-memory.dmp  Filesize 64KB
-
memory/1600-2-0x0000000074B90000-0x0000000075141000-memory.dmp  Filesize 5.7MB
-
memory/1600-0-0x0000000074B90000-0x0000000075141000-memory.dmp  Filesize 5.7MB
-
memory/1600-19-0x0000000074B90000-0x0000000075141000-memory.dmp  Filesize 5.7MB
-
memory/2024-14-0x0000000074B90000-0x0000000075141000-memory.dmp  Filesize 5.7MB
-
memory/2024-25-0x0000000074B90000-0x0000000075141000-memory.dmp  Filesize 5.7MB
-
memory/2024-30-0x0000000001410000-0x0000000001420000-memory.dmp  Filesize 64KB
-
memory/2024-17-0x0000000074B90000-0x0000000075141000-memory.dmp  Filesize 5.7MB
-
memory/2024-15-0x0000000001410000-0x0000000001420000-memory.dmp  Filesize 64KB
-
memory/2752-24-0x0000000000400000-0x0000000000420000-memory.dmp  Filesize 128KB
-
memory/2752-27-0x0000000000400000-0x0000000000420000-memory.dmp  Filesize 128KB
-
memory/2752-31-0x0000000000400000-0x0000000000420000-memory.dmp  Filesize 128KB
-
memory/2752-34-0x0000000000400000-0x0000000000420000-memory.dmp  Filesize 128KB