Analysis Overview
SHA256
e6ccbe41f2855cb0789c917f7faaf132d8d2a9ecd103f3c2aaf0f87fca1f8f96
Threat Level: Known bad
The file e6ccbe41f2855cb0789c917f7faaf132d8d2a9ecd103f3c2aaf0f87fca1f8f96 was found to be: Known bad.
Malicious Activity Summary
Netwire
NetWire RAT payload
Netwire family
Executes dropped EXE
Loads dropped DLL
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-03-12 06:49
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2025-03-12 06:49
Reported
2025-03-12 06:52
Platform
win7-20240903-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Netwire
Netwire family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\aliyunssl\run.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e6ccbe41f2855cb0789c917f7faaf132d8d2a9ecd103f3c2aaf0f87fca1f8f96.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\aliyunssl\run.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\e6ccbe41f2855cb0789c917f7faaf132d8d2a9ecd103f3c2aaf0f87fca1f8f96.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\aliyunssl\run.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e6ccbe41f2855cb0789c917f7faaf132d8d2a9ecd103f3c2aaf0f87fca1f8f96.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2720 wrote to memory of 2592 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\e6ccbe41f2855cb0789c917f7faaf132d8d2a9ecd103f3c2aaf0f87fca1f8f96.exe | C:\Users\Admin\AppData\Local\aliyunssl\run.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\e6ccbe41f2855cb0789c917f7faaf132d8d2a9ecd103f3c2aaf0f87fca1f8f96.exe
"C:\Users\Admin\AppData\Local\Temp\e6ccbe41f2855cb0789c917f7faaf132d8d2a9ecd103f3c2aaf0f87fca1f8f96.exe"
C:\Users\Admin\AppData\Local\aliyunssl\run.exe
"C:\Users\Admin\AppData\Local\\aliyunssl\run.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | s3awscloud.com | udp |
Files
\Users\Admin\AppData\Local\aliyunssl\run.exe
| MD5 | 3aaf53b44ff6dff13d94890c821bb11d |
| SHA1 | 86555030855bb4aa5a92bcc1887b60943f430457 |
| SHA256 | 09c47ba1ad13aa82404753ef69fb573a1804be31dca825acfc9ad25de2bc4274 |
| SHA512 | 5027ec4960d4b5d7f599a1001b1471dfb24f1a644c244ee91db6a54f5c1a63c5faf64b7a217c9757da9a9adea204a27707aed15ad60bb39819ff54ebd8053282 |
C:\Users\Admin\AppData\Local\aliyunssl\qasgh.enc
| MD5 | ee78aded588b826f57366b4b2923189a |
| SHA1 | 25d77080b22e6f05a5b77c5cf723dde6e03f7066 |
| SHA256 | d6a6b99ec598d04f5e70aad4f31cce80f6ebea4e2877fe4a84c4f382a4f135a9 |
| SHA512 | 189e971061cbe73c3f0ab3e8ff8ca4a38c1274f280a3c889d72f986c982d7270ed50a034d30f7577500631cd4f22e89a39c648a19b4655148d746eb57853144f |
\Users\Admin\AppData\Local\aliyunssl\artists.dll
| MD5 | 83b9716b1680484d224f2f20150670bd |
| SHA1 | f993e8bfb9a68c7c227b223c37427ab11ebb7155 |
| SHA256 | 091cf05e363b1e0621e50b20797bf816742dc07f422d23ab5443be223d1d2581 |
| SHA512 | 4ab0a94a3decc8ade7921cb85b80ab3b44655fa2de56df17a20bdbfa0bc88c24d80b35397d4c6c191bffd4938cacc36107c1049f862940b88f36280f70ddf192 |
Analysis: behavioral2
Detonation Overview
Submitted
2025-03-12 06:49
Reported
2025-03-12 06:52
Platform
win10v2004-20250217-en
Max time kernel
133s
Max time network
138s
Command Line
Signatures
NetWire RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Netwire
Netwire family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\aliyunssl\run.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\aliyunssl\run.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\aliyunssl\run.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\e6ccbe41f2855cb0789c917f7faaf132d8d2a9ecd103f3c2aaf0f87fca1f8f96.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e6ccbe41f2855cb0789c917f7faaf132d8d2a9ecd103f3c2aaf0f87fca1f8f96.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3612 wrote to memory of 1276 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\e6ccbe41f2855cb0789c917f7faaf132d8d2a9ecd103f3c2aaf0f87fca1f8f96.exe | C:\Users\Admin\AppData\Local\aliyunssl\run.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\e6ccbe41f2855cb0789c917f7faaf132d8d2a9ecd103f3c2aaf0f87fca1f8f96.exe
"C:\Users\Admin\AppData\Local\Temp\e6ccbe41f2855cb0789c917f7faaf132d8d2a9ecd103f3c2aaf0f87fca1f8f96.exe"
C:\Users\Admin\AppData\Local\aliyunssl\run.exe
"C:\Users\Admin\AppData\Local\\aliyunssl\run.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| GB | 88.221.135.18:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | s3awscloud.com | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp (4 connections) |
| US | 8.8.8.8:53 | s3awscloud.com | udp |
Files
C:\Users\Admin\AppData\Local\aliyunssl\run.exe
| MD5 | 3aaf53b44ff6dff13d94890c821bb11d |
| SHA1 | 86555030855bb4aa5a92bcc1887b60943f430457 |
| SHA256 | 09c47ba1ad13aa82404753ef69fb573a1804be31dca825acfc9ad25de2bc4274 |
| SHA512 | 5027ec4960d4b5d7f599a1001b1471dfb24f1a644c244ee91db6a54f5c1a63c5faf64b7a217c9757da9a9adea204a27707aed15ad60bb39819ff54ebd8053282 |
C:\Users\Admin\AppData\Local\aliyunssl\artists.dll
| MD5 | 83b9716b1680484d224f2f20150670bd |
| SHA1 | f993e8bfb9a68c7c227b223c37427ab11ebb7155 |
| SHA256 | 091cf05e363b1e0621e50b20797bf816742dc07f422d23ab5443be223d1d2581 |
| SHA512 | 4ab0a94a3decc8ade7921cb85b80ab3b44655fa2de56df17a20bdbfa0bc88c24d80b35397d4c6c191bffd4938cacc36107c1049f862940b88f36280f70ddf192 |
C:\Users\Admin\AppData\Local\aliyunssl\qasgh.enc
| MD5 | ee78aded588b826f57366b4b2923189a |
| SHA1 | 25d77080b22e6f05a5b77c5cf723dde6e03f7066 |
| SHA256 | d6a6b99ec598d04f5e70aad4f31cce80f6ebea4e2877fe4a84c4f382a4f135a9 |
| SHA512 | 189e971061cbe73c3f0ab3e8ff8ca4a38c1274f280a3c889d72f986c982d7270ed50a034d30f7577500631cd4f22e89a39c648a19b4655148d746eb57853144f |
memory/1276-24-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1276-39-0x0000000000400000-0x0000000000433000-memory.dmp
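The behaviours that both detonations record (files dropped into %LOCALAPPDATA%\aliyunssl, the original sample writing into the memory of the run.exe child it spawned, the NLS\Language lookup, and the DNS query for s3awscloud.com) translate directly into host detection logic. The block below is an added example written for this page; it is not part of the sandbox report or of any vendor tooling. The hashes, paths, domain, registry key and the pids 2720/2592 are the report's; the Sysmon-like Event schema, the severity labels, pid 1000, pid 4242, explorer.exe and the benign www.bing.com lookup (background traffic in the Windows 10 run) are constructed for illustration.

```python
"""Run the indicators from the two behavioural analyses above over event logs.

Added example, not part of the sandbox report: the indicator values (dropped
file hashes, the aliyunssl drop directory, the s3awscloud.com lookup, the
NLS\\Language key and the parent->child WriteProcessMemory relationship) are
taken from the report; the Event schema and the sample events below are
constructed to resemble Sysmon-style telemetry and are assumptions.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

# Indicators copied from the report's Files and Network sections.
DROPPED_SHA256 = {
    "09c47ba1ad13aa82404753ef69fb573a1804be31dca825acfc9ad25de2bc4274": "aliyunssl\\run.exe",
    "091cf05e363b1e0621e50b20797bf816742dc07f422d23ab5443be223d1d2581": "aliyunssl\\artists.dll",
    "d6a6b99ec598d04f5e70aad4f31cce80f6ebea4e2877fe4a84c4f382a4f135a9": "aliyunssl\\qasgh.enc",
}
C2_DOMAINS = {"s3awscloud.com"}
LANG_KEY = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"
# '\\+' tolerates the doubled backslash in the recorded run.exe command line
# ("...\Local\\aliyunssl\run.exe"), which an exact path match would miss.
DROP_DIR_RE = re.compile(r"\\AppData\\Local\\+aliyunssl\\", re.IGNORECASE)
SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\e6ccbe41f2855cb0789c917f7faaf132d8d2a9ecd103f3c2aaf0f87fca1f8f96.exe"
RUN_EXE = r"C:\Users\Admin\AppData\Local\aliyunssl\run.exe"
DROP = r"C:\Users\Admin\AppData\Local\aliyunssl"


@dataclass
class Event:
    kind: str               # process | file | dns | registry | memwrite
    pid: int                # acting process
    image: str              # image path of the acting process
    data: dict = field(default_factory=dict)


def match_events(events):
    """Return (severity, pid, reason) hits for the report's behaviours.

    The WriteProcessMemory check is correlated: it fires only when the writer
    is the parent that spawned the target from the drop directory, which is
    the shape the report records (2720 -> 2592, 3612 -> 1276).
    """
    hits = []
    parent_of_dropped = {}  # child pid -> parent pid, for children started from aliyunssl
    for ev in events:
        if ev.kind == "process" and DROP_DIR_RE.search(ev.data.get("cmdline", ev.image)):
            parent_of_dropped[ev.pid] = ev.data.get("parent_pid")
            hits.append(("high", ev.pid, "dropped EXE executed from aliyunssl directory"))
        elif ev.kind == "file":
            sha = ev.data.get("sha256", "").lower()
            if sha in DROPPED_SHA256:
                hits.append(("high", ev.pid, f"known NetWire artefact written: {DROPPED_SHA256[sha]}"))
            elif DROP_DIR_RE.search(ev.data.get("path", "")):
                hits.append(("medium", ev.pid, "unknown file written to aliyunssl directory"))
        elif ev.kind == "dns" and ev.data.get("query", "").lower().rstrip(".") in C2_DOMAINS:
            hits.append(("high", ev.pid, f"DNS lookup of {ev.data['query']}"))
        elif ev.kind == "registry" and ev.data.get("key") == LANG_KEY:
            hits.append(("low", ev.pid, "system language discovery via NLS\\Language"))
        elif ev.kind == "memwrite":
            target = ev.data.get("target_pid")
            if parent_of_dropped.get(target) == ev.pid:
                hits.append(("high", ev.pid, f"parent wrote into memory of dropped child pid {target}"))
    return hits


def summarize(hits):
    """Count hits per severity."""
    return dict(Counter(sev for sev, _, _ in hits))


# Constructed events modelled on behavioral1 (pids 2720 and 2592 are the
# report's; pid 1000, pid 4242, explorer.exe and notes.txt are invented noise).
SAMPLE_EVENTS = [
    Event("process", 2720, SAMPLE_EXE, {"cmdline": f'"{SAMPLE_EXE}"', "parent_pid": 1000}),
    Event("file", 2720, SAMPLE_EXE, {"path": DROP + r"\run.exe", "sha256": "09c47ba1ad13aa82404753ef69fb573a1804be31dca825acfc9ad25de2bc4274"}),
    Event("file", 2720, SAMPLE_EXE, {"path": DROP + r"\artists.dll", "sha256": "091cf05e363b1e0621e50b20797bf816742dc07f422d23ab5443be223d1d2581"}),
    Event("file", 2720, SAMPLE_EXE, {"path": DROP + r"\qasgh.enc", "sha256": "d6a6b99ec598d04f5e70aad4f31cce80f6ebea4e2877fe4a84c4f382a4f135a9"}),
    Event("registry", 2720, SAMPLE_EXE, {"key": LANG_KEY}),
    Event("process", 2592, RUN_EXE, {"cmdline": r'"C:\Users\Admin\AppData\Local\\aliyunssl\run.exe"', "parent_pid": 2720}),
    Event("memwrite", 2720, SAMPLE_EXE, {"target_pid": 2592}),
    Event("registry", 2592, RUN_EXE, {"key": LANG_KEY}),
    Event("dns", 2592, RUN_EXE, {"query": "s3awscloud.com"}),
    Event("dns", 4242, r"C:\Windows\explorer.exe", {"query": "www.bing.com"}),        # benign noise, no hit
    Event("memwrite", 4242, r"C:\Windows\explorer.exe", {"target_pid": 2592}),       # not the parent, no hit
    Event("file", 4242, r"C:\Windows\explorer.exe", {"path": DROP + r"\notes.txt", "sha256": "00" * 32}),  # medium
]


def demo():
    """Run the matcher over the constructed events and return the hits."""
    return match_events(SAMPLE_EVENTS)


if __name__ == "__main__":
    for sev, pid, reason in demo():
        print(f"[{sev:6}] pid {pid}: {reason}")
    print(summarize(demo()))
```

Running it yields nine hits. The explorer.exe write into pid 2592 is deliberately not flagged: the rule requires the writer to be the parent that started the dropped executable, which is exactly the relationship both detonations record, and dropping that correlation would turn every legitimate WriteProcessMemory caller into an alert. The `\\+` in the drop-directory pattern exists because the command line the sandbox captured contains a doubled backslash (`Local\\aliyunssl`), so an exact-path indicator for run.exe would silently miss the process-creation event.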