Analysis
-
max time kernel
47s -
max time network
98s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
21/04/2021, 06:02
Static task
static1
Behavioral task
behavioral1
Sample
KR033172A562700243.PDF.exe
Resource
win7v20210408
0 signatures
0 seconds
General
-
Target
KR033172A562700243.PDF.exe
-
Size
789KB
-
MD5
5ca9ea11f89e982fc93ad12e656648a8
-
SHA1
0d0bd9cb9549638218db8c3442a3047e25ffc9a9
-
SHA256
9a0550bcf1c770a3febe17adb59aa91717654e4d660fca29bd7ccff14da6256f
-
SHA512
cd4f2d1ba153dea1d28a12d9566fdf5bb183ba795584b7e6dc049cb5e4fb1c007fa6581c1cec77f0c0917b9050300dc54213fdc877ab5c69905237dd8dff8262
Malware Config
Extracted
Family
netwire
C2
194.156.90.31:5008
Attributes
-
activex_autorun
false
- activex_key
-
copy_executable
false
-
delete_original
false
-
host_id
APRL-WORK
- install_path
-
keylogger_dir
%AppData%\Logs\
-
lock_executable
false
- mutex
-
offline_keylogger
true
-
password
Password
-
registry_autorun
false
- startup_name
-
use_mutex
false
Signatures
-
NetWire RAT payload 3 IoCs
resource yara_rule behavioral1/memory/1840-68-0x0000000000400000-0x0000000000433000-memory.dmp netwire behavioral1/memory/1840-69-0x000000000040242D-mapping.dmp netwire behavioral1/memory/1840-71-0x0000000000400000-0x0000000000433000-memory.dmp netwire -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1684 set thread context of 1840 1684 KR033172A562700243.PDF.exe 35 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 852 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 9 IoCs
pid Process 1684 KR033172A562700243.PDF.exe 1684 KR033172A562700243.PDF.exe 1684 KR033172A562700243.PDF.exe 1684 KR033172A562700243.PDF.exe 1684 KR033172A562700243.PDF.exe 1684 KR033172A562700243.PDF.exe 1684 KR033172A562700243.PDF.exe 1684 KR033172A562700243.PDF.exe 1684 KR033172A562700243.PDF.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1684 KR033172A562700243.PDF.exe -
Suspicious use of WriteProcessMemory 32 IoCs
description pid Process procid_target PID 1684 wrote to memory of 852 1684 KR033172A562700243.PDF.exe 29 PID 1684 wrote to memory of 852 1684 KR033172A562700243.PDF.exe 29 PID 1684 wrote to memory of 852 1684 KR033172A562700243.PDF.exe 29 PID 1684 wrote to memory of 852 1684 KR033172A562700243.PDF.exe 29 PID 1684 wrote to memory of 1504 1684 KR033172A562700243.PDF.exe 31 PID 1684 wrote to memory of 1504 1684 KR033172A562700243.PDF.exe 31 PID 1684 wrote to memory of 1504 1684 KR033172A562700243.PDF.exe 31 PID 1684 wrote to memory of 1504 1684 KR033172A562700243.PDF.exe 31 PID 1684 wrote to memory of 1564 1684 KR033172A562700243.PDF.exe 32 PID 1684 wrote to memory of 1564 1684 KR033172A562700243.PDF.exe 32 PID 1684 wrote to memory of 1564 1684 KR033172A562700243.PDF.exe 32 PID 1684 wrote to memory of 1564 1684 KR033172A562700243.PDF.exe 32 PID 1684 wrote to memory of 1708 1684 KR033172A562700243.PDF.exe 33 PID 1684 wrote to memory of 1708 1684 KR033172A562700243.PDF.exe 33 PID 1684 wrote to memory of 1708 1684 KR033172A562700243.PDF.exe 33 PID 1684 wrote to memory of 1708 1684 KR033172A562700243.PDF.exe 33 PID 1684 wrote to memory of 1616 1684 KR033172A562700243.PDF.exe 34 PID 1684 wrote to memory of 1616 1684 KR033172A562700243.PDF.exe 34 PID 1684 wrote to memory of 1616 1684 KR033172A562700243.PDF.exe 34 PID 1684 wrote to memory of 1616 1684 KR033172A562700243.PDF.exe 34 PID 1684 wrote to memory of 1840 1684 KR033172A562700243.PDF.exe 35 PID 1684 wrote to memory of 1840 1684 KR033172A562700243.PDF.exe 35 PID 1684 wrote to memory of 1840 1684 KR033172A562700243.PDF.exe 35 PID 1684 wrote to memory of 1840 1684 KR033172A562700243.PDF.exe 35 PID 1684 wrote to memory of 1840 1684 KR033172A562700243.PDF.exe 35 PID 1684 wrote to memory of 1840 1684 KR033172A562700243.PDF.exe 35 PID 1684 wrote to memory of 1840 1684 KR033172A562700243.PDF.exe 35 PID 1684 wrote to memory of 1840 1684 KR033172A562700243.PDF.exe 35 PID 1684 wrote to memory of 1840 1684 KR033172A562700243.PDF.exe 35 PID 1684 wrote to memory of 1840 1684 KR033172A562700243.PDF.exe 35 PID 1684 wrote to memory of 1840 1684 KR033172A562700243.PDF.exe 35 PID 1684 wrote to memory of 1840 1684 KR033172A562700243.PDF.exe 35
Processes
-
C:\Users\Admin\AppData\Local\Temp\KR033172A562700243.PDF.exe"C:\Users\Admin\AppData\Local\Temp\KR033172A562700243.PDF.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1684 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qZYahesl" /XML "C:\Users\Admin\AppData\Local\Temp\tmp25F8.tmp"2⤵
- Creates scheduled task(s)
PID:852
-
-
C:\Users\Admin\AppData\Local\Temp\KR033172A562700243.PDF.exe"{path}"2⤵PID:1504
-
-
C:\Users\Admin\AppData\Local\Temp\KR033172A562700243.PDF.exe"{path}"2⤵PID:1564
-
-
C:\Users\Admin\AppData\Local\Temp\KR033172A562700243.PDF.exe"{path}"2⤵PID:1708
-
-
C:\Users\Admin\AppData\Local\Temp\KR033172A562700243.PDF.exe"{path}"2⤵PID:1616
-
-
C:\Users\Admin\AppData\Local\Temp\KR033172A562700243.PDF.exe"{path}"2⤵PID:1840
-