Analysis
  max time kernel: 150s
  max time network: 145s
  platform: windows7_x64
  resource: win7-20231129-en
  resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  submitted: 15/06/2024, 15:56
Static task: static1
Behavioral task: behavioral1
  Sample: أمر الشراء 90037-2020.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: أمر الشراء 90037-2020.exe
  Resource: win10v2004-20240508-en
General
  Target: أمر الشراء 90037-2020.exe
  Size: 762KB
  MD5: 598b0e23c0eb2baffc02fd05ce1b41e9
  SHA1: 4129fe98ba4e3580b3b05b61a06e301ae9c4b958
  SHA256: a9a8374950d68997b782dca8ae2464aa81709c2f51bcc8fdb1abdcfb5b40c521
  SHA512: e0b9a407e34ec24dbb76b84899f2d8665a87e02f1d278007357f1cb9680a712cd91d222e57340caed8337be1c7e66cf91d9586f7403ca31412920b1b8633c619
  SSDEEP: 12288:1CbpcLhilrm7G8oclWEAroCo3DQmTccdAAo3ZNytUAV:auLhi80Jro7JATZ0
Malware Config
  Extracted: netwire
  C2: 43.226.229.43:2030
  activex_autorun: false
  copy_executable: true
  delete_original: false
  host_id: ALPHA
  install_path: %AppData%\Install\Host.exe
  keylogger_dir: %AppData%\Logs\
  lock_executable: false
  offline_keylogger: true
  password: Password
  registry_autorun: true
  startup_name: NetWire
  use_mutex: false
Signatures
NetWire RAT payload (6 IoCs)
  resource | yara_rule
  behavioral1/memory/2192-3-0x0000000000400000-0x0000000000433000-memory.dmp | netwire
  behavioral1/memory/2192-6-0x0000000000400000-0x0000000000433000-memory.dmp | netwire
  behavioral1/memory/2192-8-0x0000000000400000-0x0000000000433000-memory.dmp | netwire
  behavioral1/memory/2600-28-0x0000000000400000-0x0000000000433000-memory.dmp | netwire
  behavioral1/memory/2600-33-0x0000000000400000-0x0000000000433000-memory.dmp | netwire
  behavioral1/memory/2632-34-0x0000000000400000-0x0000000000433000-memory.dmp | netwire
Executes dropped EXE (3 IoCs)
  pid | Process
  2024 | Host.exe
  2632 | Host.exe
  2588 | Host.exe
Loads dropped DLL (4 IoCs)
  pid | Process
  2192 | أمر الشراء 90037-2020.exe
  2192 | أمر الشراء 90037-2020.exe
  2024 | Host.exe
  2024 | Host.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\NetWire = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe" | Host.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\NetWire = "C:\\Users\\Admin\\AppData\\Local\\Temp\\أمر الشراء 90037-2020.exe" | أمر الشراء 90037-2020.exe
Suspicious use of SetThreadContext (3 IoCs)
  description | pid | Process | procid_target
  PID 2360 set thread context of 2192 | 2360 | أمر الشراء 90037-2020.exe | 28
  PID 2548 set thread context of 2600 | 2548 | أمر الشراء 90037-2020.exe | 32
  PID 2024 set thread context of 2632 | 2024 | Host.exe | 33
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  2360 | أمر الشراء 90037-2020.exe
  2936 | أمر الشراء 90037-2020.exe
  2936 | أمر الشراء 90037-2020.exe
  2936 | أمر الشراء 90037-2020.exe
  2936 | أمر الشراء 90037-2020.exe
  2548 | أمر الشراء 90037-2020.exe
  2024 | Host.exe
  2720 | أمر الشراء 90037-2020.exe
  2720 | أمر الشراء 90037-2020.exe
  2720 | أمر الشراء 90037-2020.exe
  2588 | Host.exe
  2588 | Host.exe
  2720 | أمر الشراء 90037-2020.exe
  2588 | Host.exe
  2720 | أمر الشراء 90037-2020.exe
  2588 | Host.exe
  2720 | أمر الشراء 90037-2020.exe
  2588 | Host.exe
  2720 | أمر الشراء 90037-2020.exe
  2588 | Host.exe
  2720 | أمر الشراء 90037-2020.exe
  2588 | Host.exe
  2720 | أمر الشراء 90037-2020.exe
  2588 | Host.exe
  2720 | أمر الشراء 90037-2020.exe
  2588 | Host.exe
  2720 | أمر الشراء 90037-2020.exe
  2588 | Host.exe
  2720 | أمر الشراء 90037-2020.exe
  2588 | Host.exe
  2720 | أمر الشراء 90037-2020.exe
  2588 | Host.exe
  2720 | أمر الشراء 90037-2020.exe
  2588 | Host.exe
  2720 | أمر الشراء 90037-2020.exe
  2588 | Host.exe
  2720 | أمر الشراء 90037-2020.exe
  2588 | Host.exe
  2720 | أمر الشراء 90037-2020.exe
  2588 | Host.exe
  2720 | أمر الشراء 90037-2020.exe
  2588 | Host.exe
  2720 | أمر الشراء 90037-2020.exe
  2588 | Host.exe
  2720 | أمر الشراء 90037-2020.exe
  2588 | Host.exe
  2720 | أمر الشراء 90037-2020.exe
  2588 | Host.exe
  2720 | أمر الشراء 90037-2020.exe
  2588 | Host.exe
  2720 | أمر الشراء 90037-2020.exe
  2588 | Host.exe
  2720 | أمر الشراء 90037-2020.exe
  2588 | Host.exe
  2720 | أمر الشراء 90037-2020.exe
  2588 | Host.exe
  2720 | أمر الشراء 90037-2020.exe
  2588 | Host.exe
  2720 | أمر الشراء 90037-2020.exe
  2588 | Host.exe
  2720 | أمر الشراء 90037-2020.exe
  2588 | Host.exe
  2720 | أمر الشراء 90037-2020.exe
  2588 | Host.exe
Suspicious behavior: MapViewOfSection (3 IoCs)
  pid | Process
  2360 | أمر الشراء 90037-2020.exe
  2548 | أمر الشراء 90037-2020.exe
  2024 | Host.exe
Suspicious use of WriteProcessMemory (32 IoCs)
  description | pid | Process | procid_target
  PID 2360 wrote to memory of 2192 | 2360 | أمر الشراء 90037-2020.exe | 28
  PID 2360 wrote to memory of 2192 | 2360 | أمر الشراء 90037-2020.exe | 28
  PID 2360 wrote to memory of 2192 | 2360 | أمر الشراء 90037-2020.exe | 28
  PID 2360 wrote to memory of 2192 | 2360 | أمر الشراء 90037-2020.exe | 28
  PID 2360 wrote to memory of 2936 | 2360 | أمر الشراء 90037-2020.exe | 29
  PID 2360 wrote to memory of 2936 | 2360 | أمر الشراء 90037-2020.exe | 29
  PID 2360 wrote to memory of 2936 | 2360 | أمر الشراء 90037-2020.exe | 29
  PID 2360 wrote to memory of 2936 | 2360 | أمر الشراء 90037-2020.exe | 29
  PID 2192 wrote to memory of 2024 | 2192 | أمر الشراء 90037-2020.exe | 30
  PID 2192 wrote to memory of 2024 | 2192 | أمر الشراء 90037-2020.exe | 30
  PID 2192 wrote to memory of 2024 | 2192 | أمر الشراء 90037-2020.exe | 30
  PID 2192 wrote to memory of 2024 | 2192 | أمر الشراء 90037-2020.exe | 30
  PID 2936 wrote to memory of 2548 | 2936 | أمر الشراء 90037-2020.exe | 31
  PID 2936 wrote to memory of 2548 | 2936 | أمر الشراء 90037-2020.exe | 31
  PID 2936 wrote to memory of 2548 | 2936 | أمر الشراء 90037-2020.exe | 31
  PID 2936 wrote to memory of 2548 | 2936 | أمر الشراء 90037-2020.exe | 31
  PID 2548 wrote to memory of 2600 | 2548 | أمر الشراء 90037-2020.exe | 32
  PID 2548 wrote to memory of 2600 | 2548 | أمر الشراء 90037-2020.exe | 32
  PID 2548 wrote to memory of 2600 | 2548 | أمر الشراء 90037-2020.exe | 32
  PID 2548 wrote to memory of 2600 | 2548 | أمر الشراء 90037-2020.exe | 32
  PID 2024 wrote to memory of 2632 | 2024 | Host.exe | 33
  PID 2024 wrote to memory of 2632 | 2024 | Host.exe | 33
  PID 2024 wrote to memory of 2632 | 2024 | Host.exe | 33
  PID 2024 wrote to memory of 2632 | 2024 | Host.exe | 33
  PID 2548 wrote to memory of 2720 | 2548 | أمر الشراء 90037-2020.exe | 34
  PID 2548 wrote to memory of 2720 | 2548 | أمر الشراء 90037-2020.exe | 34
  PID 2548 wrote to memory of 2720 | 2548 | أمر الشراء 90037-2020.exe | 34
  PID 2548 wrote to memory of 2720 | 2548 | أمر الشراء 90037-2020.exe | 34
  PID 2024 wrote to memory of 2588 | 2024 | Host.exe | 35
  PID 2024 wrote to memory of 2588 | 2024 | Host.exe | 35
  PID 2024 wrote to memory of 2588 | 2024 | Host.exe | 35
  PID 2024 wrote to memory of 2588 | 2024 | Host.exe | 35
Processes
  depth 1: C:\Users\Admin\AppData\Local\Temp\أمر الشراء 90037-2020.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\أمر الشراء 90037-2020.exe"
    PID: 2360
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    depth 2: C:\Users\Admin\AppData\Local\Temp\أمر الشراء 90037-2020.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\أمر الشراء 90037-2020.exe"
      PID: 2192
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      depth 3: C:\Users\Admin\AppData\Roaming\Install\Host.exe
        command line: "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        PID: 2024
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of WriteProcessMemory
        depth 4: C:\Users\Admin\AppData\Roaming\Install\Host.exe
          command line: "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
          PID: 2632
          - Executes dropped EXE
          - Adds Run key to start application
        depth 4: C:\Users\Admin\AppData\Roaming\Install\Host.exe
          command line: "C:\Users\Admin\AppData\Roaming\Install\Host.exe" 2 2632 259393798
          PID: 2588
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
    depth 2: C:\Users\Admin\AppData\Local\Temp\أمر الشراء 90037-2020.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\أمر الشراء 90037-2020.exe" 2 2192 259393486
      PID: 2936
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      depth 3: C:\Users\Admin\AppData\Local\Temp\أمر الشراء 90037-2020.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\أمر الشراء 90037-2020.exe"
        PID: 2548
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of WriteProcessMemory
        depth 4: C:\Users\Admin\AppData\Local\Temp\أمر الشراء 90037-2020.exe
          command line: "C:\Users\Admin\AppData\Local\Temp\أمر الشراء 90037-2020.exe"
          PID: 2600
          - Adds Run key to start application
        depth 4: C:\Users\Admin\AppData\Local\Temp\أمر الشراء 90037-2020.exe
          command line: "C:\Users\Admin\AppData\Local\Temp\أمر الشراء 90037-2020.exe" 2 2600 259393798
          PID: 2720
          - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize: 762KB
  MD5: 598b0e23c0eb2baffc02fd05ce1b41e9
  SHA1: 4129fe98ba4e3580b3b05b61a06e301ae9c4b958
  SHA256: a9a8374950d68997b782dca8ae2464aa81709c2f51bcc8fdb1abdcfb5b40c521
  SHA512: e0b9a407e34ec24dbb76b84899f2d8665a87e02f1d278007357f1cb9680a712cd91d222e57340caed8337be1c7e66cf91d9586f7403ca31412920b1b8633c619