Analysis Overview
SHA256
4bc227156273b500f6aa709f0c412fac5cc797aef3edbc8a1ed6c0e6b6a65444
Threat Level: Known bad
The file 89088633f3855626d861016cbfbde070N.exe was found to be: Known bad.
Malicious Activity Summary
Netwire
NetWire RAT payload
Executes dropped EXE
Drops startup file
Loads dropped DLL
Suspicious use of SetThreadContext
AutoIT Executable
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-03 07:50
Signatures
AutoIT Executable
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-03 07:50
Reported
2024-09-03 07:52
Platform
win7-20240903-en
Max time kernel
119s
Max time network
21s
Signatures
NetWire RAT payload
Netwire
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AdaptiveCards.url | C:\Users\Admin\AppData\Local\Temp\89088633f3855626d861016cbfbde070N.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AdaptiveCards.url | C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\89088633f3855626d861016cbfbde070N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe | N/A |
AutoIT Executable
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1960 set thread context of 2920 | N/A | C:\Users\Admin\AppData\Local\Temp\89088633f3855626d861016cbfbde070N.exe | C:\Users\Admin\AppData\Local\Temp\89088633f3855626d861016cbfbde070N.exe |
| PID 2128 set thread context of 2168 | N/A | C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe | C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe |
| PID 1960 set thread context of 2760 | N/A | C:\Users\Admin\AppData\Local\Temp\89088633f3855626d861016cbfbde070N.exe | C:\Users\Admin\AppData\Local\Temp\89088633f3855626d861016cbfbde070N.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\89088633f3855626d861016cbfbde070N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\89088633f3855626d861016cbfbde070N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\89088633f3855626d861016cbfbde070N.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\89088633f3855626d861016cbfbde070N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\89088633f3855626d861016cbfbde070N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\89088633f3855626d861016cbfbde070N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\89088633f3855626d861016cbfbde070N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\89088633f3855626d861016cbfbde070N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\89088633f3855626d861016cbfbde070N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\89088633f3855626d861016cbfbde070N.exe
"C:\Users\Admin\AppData\Local\Temp\89088633f3855626d861016cbfbde070N.exe"
C:\Users\Admin\AppData\Local\Temp\89088633f3855626d861016cbfbde070N.exe
"C:\Users\Admin\AppData\Local\Temp\89088633f3855626d861016cbfbde070N.exe"
C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
"C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"
C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
"C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"
C:\Users\Admin\AppData\Local\Temp\89088633f3855626d861016cbfbde070N.exe
"C:\Users\Admin\AppData\Local\Temp\89088633f3855626d861016cbfbde070N.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | billions.ddns.net | udp |
| US | 8.8.8.8:53 | makebillionaires.warzonedns.com | udp |
Files
memory/1960-3-0x0000000000270000-0x0000000000271000-memory.dmp
memory/2920-4-0x00000000000C0000-0x00000000000EC000-memory.dmp
memory/2920-13-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/2920-17-0x00000000000C0000-0x00000000000EC000-memory.dmp
memory/2920-6-0x00000000000C0000-0x00000000000EC000-memory.dmp
\Users\Admin\AppData\Roaming\Imgburn\Host.exe
| MD5 | 89088633f3855626d861016cbfbde070 |
| SHA1 | 9f7125cd883dcb02b09cc0b4600f94df394ea29a |
| SHA256 | 4bc227156273b500f6aa709f0c412fac5cc797aef3edbc8a1ed6c0e6b6a65444 |
| SHA512 | 7db5fc691805f06b89312a34323e6ea581fcc94214236e673643708a5a5cb540a958e98abad00ef7c9ca288427b116bc1d4e78ce162bbbb51fa8bd401128b9d2 |
C:\Users\Admin\AppData\Roaming\AdaptiveCards.vbs
| MD5 | 1a30f7e64f76757801d6e0743b872ebf |
| SHA1 | ec073012ffb93c2afba93d6685ba88e4b53641f9 |
| SHA256 | 2d79aa349400eb07cae4f308f995d63f6ce3324f891bbf0ceadbbf38169111ea |
| SHA512 | 31364e7799014007c4f4e38de595e76bf1ea1ce79ff99ff1f3507851e6de68965a375525537b4badc2be9791b571a5ea7b4b933dbcc065414e31de35878d719f |
C:\Users\Admin\AppData\Roaming\onedrive
| MD5 | 78a73a1e7a58e11da337e04295cf7dfb |
| SHA1 | c6fd3ea13ae2d890f23e6d7faef76a8502345270 |
| SHA256 | eabd70aa808d45fb0ca4d761f5b4be9cfce3f215deec38d9bd322f6e6e484898 |
| SHA512 | 21aa7b6aa4af943a1bb4269fb0d4e93a33740e4802d7ee7780b066e52ae49cc2192a91fe49a0fd0a3d3a9c8ec226b1b38cd629a2fecac9fdcae22edfcfa8026a |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AdaptiveCards.url
| MD5 | 1b9bff5c698f8c6cc127bbc89050cbc8 |
| SHA1 | dd5b1b066b49108de36f2899d598b8de9bb906c9 |
| SHA256 | 48de24b95d45475d19ec853376a002498ca380dd2e31f5be4b497eb24a88ea00 |
| SHA512 | 76de2715113498f889ca451c057d951764234d8ebe65ce5878dc63574fc15c34f8641496eabc9e9a4536be20e78a251523910f9c6bb89503c7481c085554f36e |
memory/2168-43-0x0000000000080000-0x00000000000AC000-memory.dmp
memory/2168-38-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/2168-31-0x0000000000080000-0x00000000000AC000-memory.dmp
memory/2760-53-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-03 07:50
Reported
2024-09-03 07:52
Platform
win10v2004-20240802-en
Max time kernel
117s
Max time network
117s
Signatures
NetWire RAT payload
Netwire
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AdaptiveCards.url | C:\Users\Admin\AppData\Local\Temp\89088633f3855626d861016cbfbde070N.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AdaptiveCards.url | C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe | N/A |
AutoIT Executable
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 956 set thread context of 1560 | N/A | C:\Users\Admin\AppData\Local\Temp\89088633f3855626d861016cbfbde070N.exe | C:\Users\Admin\AppData\Local\Temp\89088633f3855626d861016cbfbde070N.exe |
| PID 3340 set thread context of 1352 | N/A | C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe | C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe |
| PID 956 set thread context of 3684 | N/A | C:\Users\Admin\AppData\Local\Temp\89088633f3855626d861016cbfbde070N.exe | C:\Users\Admin\AppData\Local\Temp\89088633f3855626d861016cbfbde070N.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\89088633f3855626d861016cbfbde070N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\89088633f3855626d861016cbfbde070N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\89088633f3855626d861016cbfbde070N.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\89088633f3855626d861016cbfbde070N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\89088633f3855626d861016cbfbde070N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\89088633f3855626d861016cbfbde070N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\89088633f3855626d861016cbfbde070N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\89088633f3855626d861016cbfbde070N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\89088633f3855626d861016cbfbde070N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\89088633f3855626d861016cbfbde070N.exe
"C:\Users\Admin\AppData\Local\Temp\89088633f3855626d861016cbfbde070N.exe"
C:\Users\Admin\AppData\Local\Temp\89088633f3855626d861016cbfbde070N.exe
"C:\Users\Admin\AppData\Local\Temp\89088633f3855626d861016cbfbde070N.exe"
C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
"C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"
C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
"C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"
C:\Users\Admin\AppData\Local\Temp\89088633f3855626d861016cbfbde070N.exe
"C:\Users\Admin\AppData\Local\Temp\89088633f3855626d861016cbfbde070N.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | billions.ddns.net | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | makebillionaires.warzonedns.com | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
Files
memory/956-3-0x0000000002950000-0x0000000002951000-memory.dmp
memory/1560-5-0x0000000000400000-0x000000000042C000-memory.dmp
memory/1560-13-0x0000000000400000-0x000000000042C000-memory.dmp
C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
| MD5 | 89088633f3855626d861016cbfbde070 |
| SHA1 | 9f7125cd883dcb02b09cc0b4600f94df394ea29a |
| SHA256 | 4bc227156273b500f6aa709f0c412fac5cc797aef3edbc8a1ed6c0e6b6a65444 |
| SHA512 | 7db5fc691805f06b89312a34323e6ea581fcc94214236e673643708a5a5cb540a958e98abad00ef7c9ca288427b116bc1d4e78ce162bbbb51fa8bd401128b9d2 |
C:\Users\Admin\AppData\Roaming\AdaptiveCards.vbs
| MD5 | 1a30f7e64f76757801d6e0743b872ebf |
| SHA1 | ec073012ffb93c2afba93d6685ba88e4b53641f9 |
| SHA256 | 2d79aa349400eb07cae4f308f995d63f6ce3324f891bbf0ceadbbf38169111ea |
| SHA512 | 31364e7799014007c4f4e38de595e76bf1ea1ce79ff99ff1f3507851e6de68965a375525537b4badc2be9791b571a5ea7b4b933dbcc065414e31de35878d719f |
C:\Users\Admin\AppData\Roaming\onedrive
| MD5 | 78a73a1e7a58e11da337e04295cf7dfb |
| SHA1 | c6fd3ea13ae2d890f23e6d7faef76a8502345270 |
| SHA256 | eabd70aa808d45fb0ca4d761f5b4be9cfce3f215deec38d9bd322f6e6e484898 |
| SHA512 | 21aa7b6aa4af943a1bb4269fb0d4e93a33740e4802d7ee7780b066e52ae49cc2192a91fe49a0fd0a3d3a9c8ec226b1b38cd629a2fecac9fdcae22edfcfa8026a |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AdaptiveCards.url
| MD5 | 1b9bff5c698f8c6cc127bbc89050cbc8 |
| SHA1 | dd5b1b066b49108de36f2899d598b8de9bb906c9 |
| SHA256 | 48de24b95d45475d19ec853376a002498ca380dd2e31f5be4b497eb24a88ea00 |
| SHA512 | 76de2715113498f889ca451c057d951764234d8ebe65ce5878dc63574fc15c34f8641496eabc9e9a4536be20e78a251523910f9c6bb89503c7481c085554f36e |