Analysis
- max time kernel: 69s
- max time network: 129s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 24-06-2021 12:17
- Static task: static1
- Behavioral task: behavioral1
- Sample: Nizi International S.A. #New Order.exe
- Resource: win7v20210410
General
- Target: Nizi International S.A. #New Order.exe
- Size: 468KB
- MD5: 4697f45d7a2c5e60372f8d9548d4b75a
- SHA1: ee7ba79d497b776b301a7a233e1b84a325ba07b9
- SHA256: 42949a2f912c87695ebffdd714eae9ae470935a2323f75a937fa3521155b3701
- SHA512: 78b32bf01891c31307221223ad91f3a57c99766d80ba39b1d53fd454ff029542d5d094650e31fe7e440e5b99474e778730d131877cd8e8131c25ecbff922cb42
Malware Config
Extracted
- Family: netwire
- C2: sipex2021.ddns.net:8753
Attributes
- activex_autorun: false
- activex_key:
- copy_executable: false
- delete_original: false
- host_id: HostId-%Rand%
- install_path:
- keylogger_dir: %AppData%\Logs\
- lock_executable: false
- mutex:
- offline_keylogger: true
- password: Password
- registry_autorun: false
- startup_name:
- use_mutex: false
Signatures
- NetWire RAT payload (3 IoCs)
  Processes:
  resource | yara_rule
  behavioral2/memory/2176-128-0x0000000000400000-0x0000000000433000-memory.dmp | netwire
  behavioral2/memory/2176-129-0x000000000040242D-mapping.dmp | netwire
  behavioral2/memory/2176-132-0x0000000000400000-0x0000000000433000-memory.dmp | netwire
- Executes dropped EXE (2 IoCs)
  Processes:
  pid | process
  3620 | MSBuild.exe
  2176 | MSBuild.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
  description | pid | process | target process
  PID 800 set thread context of 2176 | 800 | Nizi International S.A. #New Order.exe | MSBuild.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (1 IoCs)
  Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings | Nizi International S.A. #New Order.exe
- Suspicious behavior: EnumeratesProcesses (9 IoCs)
  Processes:
  pid | process
  800 | Nizi International S.A. #New Order.exe (6 entries)
  1112 | powershell.exe (3 entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 800 | Nizi International S.A. #New Order.exe
  Token: SeDebugPrivilege | 1112 | powershell.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes:
  description | pid | process | target process
  PID 800 wrote to memory of 2640 | 800 | Nizi International S.A. #New Order.exe | WScript.exe (3 entries)
  PID 800 wrote to memory of 3620 | 800 | Nizi International S.A. #New Order.exe | MSBuild.exe (3 entries)
  PID 800 wrote to memory of 2176 | 800 | Nizi International S.A. #New Order.exe | MSBuild.exe (11 entries)
  PID 2640 wrote to memory of 1112 | 2640 | WScript.exe | powershell.exe (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\Nizi International S.A. #New Order.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Nizi International S.A. #New Order.exe"
  - Suspicious use of SetThreadContext
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Xpivccxvyw.vbs"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\chrome\Google\chrome.exe'
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\MSBuild.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MSBuild.exe
    - Executes dropped EXE
  - C:\Users\Admin\AppData\Local\Temp\MSBuild.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MSBuild.exe
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MSBuild.exe
  MD5: 9af17c8393f0970ee5136bd3ffa27001
  SHA1: 4b285b72c1a11285a25f31f2597e090da6bbc049
  SHA256: 71d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019
  SHA512: b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3
- C:\Users\Admin\AppData\Local\Temp\_Xpivccxvyw.vbs
  MD5: dd324fe7f7eb1af18e2f0c011669c28d
  SHA1: f1c148fe260963d257eaba866de68ffc09b5ef32
  SHA256: 192db1efb34c22fc3e03aab1f7c74bcfb263d57a75b25d90e1ea5e078207bb6f
  SHA512: 57bc4417a7b458833b1a08c9e949102f336725669b970758bc23720257cb33decd95e42b65bcf259997b5c53ab60912433ac91cd9df674bf52a85e9b6cb3ad59
Memory dumps
- memory/800-116-0x0000000005470000-0x0000000005471000-memory.dmp (Filesize 4KB)
- memory/800-117-0x0000000005010000-0x0000000005011000-memory.dmp (Filesize 4KB)
- memory/800-118-0x0000000004FA0000-0x0000000004FA1000-memory.dmp (Filesize 4KB)
- memory/800-119-0x0000000004F70000-0x000000000546E000-memory.dmp (Filesize 5.0MB)
- memory/800-120-0x0000000007340000-0x0000000007393000-memory.dmp (Filesize 332KB)
- memory/800-125-0x0000000007620000-0x0000000007681000-memory.dmp (Filesize 388KB)
- memory/800-114-0x00000000006F0000-0x00000000006F1000-memory.dmp (Filesize 4KB)
- memory/1112-137-0x0000000007730000-0x0000000007731000-memory.dmp (Filesize 4KB)
- memory/1112-154-0x0000000009490000-0x00000000094C3000-memory.dmp (Filesize 204KB)
- memory/1112-169-0x0000000004C93000-0x0000000004C94000-memory.dmp (Filesize 4KB)
- memory/1112-133-0x0000000000000000-mapping.dmp
- memory/1112-168-0x000000007EEF0000-0x000000007EEF1000-memory.dmp (Filesize 4KB)
- memory/1112-136-0x0000000004C00000-0x0000000004C01000-memory.dmp (Filesize 4KB)
- memory/1112-167-0x00000000099F0000-0x00000000099F1000-memory.dmp (Filesize 4KB)
- memory/1112-138-0x0000000007630000-0x0000000007631000-memory.dmp (Filesize 4KB)
- memory/1112-139-0x0000000007E40000-0x0000000007E41000-memory.dmp (Filesize 4KB)
- memory/1112-140-0x0000000007D60000-0x0000000007D61000-memory.dmp (Filesize 4KB)
- memory/1112-142-0x0000000007FE0000-0x0000000007FE1000-memory.dmp (Filesize 4KB)
- memory/1112-141-0x0000000004C90000-0x0000000004C91000-memory.dmp (Filesize 4KB)
- memory/1112-143-0x0000000004C92000-0x0000000004C93000-memory.dmp (Filesize 4KB)
- memory/1112-144-0x0000000007DF0000-0x0000000007DF1000-memory.dmp (Filesize 4KB)
- memory/1112-145-0x0000000008430000-0x0000000008431000-memory.dmp (Filesize 4KB)
- memory/1112-146-0x0000000008710000-0x0000000008711000-memory.dmp (Filesize 4KB)
- memory/1112-166-0x00000000097D0000-0x00000000097D1000-memory.dmp (Filesize 4KB)
- memory/1112-161-0x0000000009470000-0x0000000009471000-memory.dmp (Filesize 4KB)
- memory/2176-129-0x000000000040242D-mapping.dmp
- memory/2176-132-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize 204KB)
- memory/2176-128-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize 204KB)
- memory/2640-126-0x0000000000000000-mapping.dmp