Analysis
- max time kernel: 88s
- max time network: 136s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 12-07-2021 16:06

Static task: static1
Behavioral task: behavioral1
- Sample: P_Order.scr
- Resource: win7v20210410
General
- Target: P_Order.scr
- Size: 950KB
- MD5: b26006b1b87f94cae399ace4ed2881a5
- SHA1: 6326aa07419cec008653284ca9aabe158edb9ce7
- SHA256: a163607a059886c8fb885f9054c9afa3103c25cca976ea7ac082e1baf02fcd7c
- SHA512: ae92c14038ecb323b97e70e4474881fdb804262dee8f63c8e6c353560d4c8ca3ae69ca3d2dcdd3122171e2223f5e49a56d3621695fb9dd6762da733e47a8c685
Malware Config
Extracted
- family: netwire
- C2: harold.ns01.info:3606
- activex_autorun: false
- activex_key:
- copy_executable: true
- delete_original: false
- host_id: Ojoko
- install_path: %AppData%\Install\Host.exe
- keylogger_dir: %AppData%\Logs\
- lock_executable: false
- mutex: enbSUNvD
- offline_keylogger: true
- password: master12
- registry_autorun: false
- startup_name:
- use_mutex: true

Both registry_autorun and activex_autorun are false, so persistence does not come from a Run key or an ActiveX installed-components entry; the process tree shows a scheduled task registered with schtasks instead. copy_executable = true matches the drop to %AppData%\Install\Host.exe, and offline_keylogger = true with keylogger_dir set means keystroke logs are written to %AppData%\Logs\ even while the C2 is unreachable.
Signatures

NetWire RAT payload (5 IoCs)
resource                                                                      yara_rule
behavioral2/memory/2920-126-0x0000000000400000-0x0000000000433000-memory.dmp  netwire
behavioral2/memory/2920-127-0x000000000040242D-mapping.dmp                    netwire
behavioral2/memory/2920-135-0x0000000000400000-0x0000000000433000-memory.dmp  netwire
behavioral2/memory/1300-137-0x0000000004C10000-0x000000000510E000-memory.dmp  netwire
behavioral2/memory/2892-146-0x000000000040242D-mapping.dmp                    netwire
The 0x400000-0x433000 image in PID 2920 and the 0x4C10000-0x510E000 region in PID 1300 are the dumps that match the netwire rule; 2920 and 2892, the two processes with a 0x40242D mapping dump, are exactly the SetThreadContext targets listed below.

Executes dropped EXE (3 IoCs)
pid   process
1300  Host.exe
2420  Host.exe
2892  Host.exe

Suspicious use of SetThreadContext (2 IoCs)
description                          pid   process      target process
PID 4060 set thread context of 2920  4060  P_Order.scr  P_Order.scr
PID 1300 set thread context of 2892  1300  Host.exe     Host.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
This is the sandbox's generic description for the signature. Nothing else in this report (no bulk file writes, no ransom note, no encryption artefacts) points to ransomware; enumerating drives is ordinary behaviour for a RAT with a file-browsing and keylogging feature set.

Creates scheduled task(s) (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   process
1320  schtasks.exe
4008  schtasks.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid   process
4060  P_Order.scr
4060  P_Order.scr
1300  Host.exe
1300  Host.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description              pid   process
Token: SeDebugPrivilege  4060  P_Order.scr
Token: SeDebugPrivilege  1300  Host.exe

Suspicious use of WriteProcessMemory (37 IoCs)
Collapsed by source/target pair; count is the number of identical rows in the report.
source pid  source process  target pid  target process  count
4060        P_Order.scr     1320        schtasks.exe    3
4060        P_Order.scr     3084        P_Order.scr     3
4060        P_Order.scr     2920        P_Order.scr     11
2920        P_Order.scr     1300        Host.exe        3
1300        Host.exe        4008        schtasks.exe    3
1300        Host.exe        2420        Host.exe        3
1300        Host.exe        2892        Host.exe        11
Read together with the SetThreadContext rows: 4060 writes into a child of its own image (2920) and replaces that child's thread context, 2920 launches the dropped Host.exe (1300), and 1300 repeats the same hollowing into 2892. The three-row entries occur for every child, including schtasks.exe, so they are process-creation writes rather than injection; the eleven-row entries are the two that pair with a SetThreadContext call.
Processes
Indentation shows the parent/child depth; "{path}" is the command line as the report records it.

C:\Users\Admin\AppData\Local\Temp\P_Order.scr
  command line: "C:\Users\Admin\AppData\Local\Temp\P_Order.scr" /S
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\schtasks.exe
    command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DqhNCJcG" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA30C.tmp"
    - Creates scheduled task(s)

  C:\Users\Admin\AppData\Local\Temp\P_Order.scr
    command line: "{path}"

  C:\Users\Admin\AppData\Local\Temp\P_Order.scr
    command line: "{path}"
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Install\Host.exe
      command line: "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\schtasks.exe
        command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DqhNCJcG" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2684.tmp"
        - Creates scheduled task(s)

      C:\Users\Admin\AppData\Roaming\Install\Host.exe
        command line: "{path}"
        - Executes dropped EXE

      C:\Users\Admin\AppData\Roaming\Install\Host.exe
        command line: "{path}"
        - Executes dropped EXE

Two details worth noting. The schtasks image path is C:\Windows\SysWOW64 although the command line names System32: the parent is a 32-bit process, so WOW64 file-system redirection resolved the path. The task name Updates\DqhNCJcG and the task definition staged in a %Temp%\tmp*.tmp XML file are identical in both runs, so the task is registered once by the original sample and again by the dropped copy; a hunt for this sample can key on the task name, on schtasks /Create with /XML pointing into AppData\Local\Temp, and on Host.exe executing from AppData\Roaming\Install.
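The injection chain and persistence artefacts above can be checked mechanically. The following is an added example and not part of the sandbox report: it parses event rows in the wording the Signatures section uses (the rows are constructed here from the report's own PIDs and image names) together with the process tree's command lines, flags the WriteProcessMemory + SetThreadContext pairs into a same-image child that mark process hollowing, walks the chain from the original sample to the second hollowed Host.exe, and matches the schtasks /XML-from-Temp persistence and the expanded install_path from the Malware Config. The user name Admin is the sandbox VM's; on any other host it is an assumption.

```python
"""Rebuild the injection chain and persistence IoCs from sandbox event rows.
Added example, not the sandbox's code. EVENTS and PROCESSES are constructed
from the report's own rows; the user name "Admin" is the sandbox VM's and is
an assumption for any other host."""
import re
from collections import defaultdict

# Constructed from the SetThreadContext / WriteProcessMemory signature rows.
EVENTS = [
    "PID 4060 set thread context of 2920 4060 P_Order.scr P_Order.scr",
    "PID 1300 set thread context of 2892 1300 Host.exe Host.exe",
    "PID 4060 wrote to memory of 1320 4060 P_Order.scr schtasks.exe",
    "PID 4060 wrote to memory of 3084 4060 P_Order.scr P_Order.scr",
    "PID 4060 wrote to memory of 2920 4060 P_Order.scr P_Order.scr",
    "PID 2920 wrote to memory of 1300 2920 P_Order.scr Host.exe",
    "PID 1300 wrote to memory of 4008 1300 Host.exe schtasks.exe",
    "PID 1300 wrote to memory of 2420 1300 Host.exe Host.exe",
    "PID 1300 wrote to memory of 2892 1300 Host.exe Host.exe",
]
# Constructed from the process tree: (pid, image path, command line).
PROCESSES = [
    (4060, r"C:\Users\Admin\AppData\Local\Temp\P_Order.scr",
     r'"C:\Users\Admin\AppData\Local\Temp\P_Order.scr" /S'),
    (1320, r"C:\Windows\SysWOW64\schtasks.exe",
     r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DqhNCJcG" '
     r'/XML "C:\Users\Admin\AppData\Local\Temp\tmpA30C.tmp"'),
    (1300, r"C:\Users\Admin\AppData\Roaming\Install\Host.exe",
     r'"C:\Users\Admin\AppData\Roaming\Install\Host.exe"'),
    (4008, r"C:\Windows\SysWOW64\schtasks.exe",
     r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DqhNCJcG" '
     r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp2684.tmp"'),
]
INSTALL_PATH = r"%AppData%\Install\Host.exe"  # install_path from the extracted config

EVENT_RE = re.compile(
    r"PID (?P<src>\d+) (?P<action>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) (?P=src) (?P<src_img>\S+) (?P<dst_img>\S+)$")
SCHTASKS_RE = re.compile(r'/Create\b.*?/TN "(?P<tn>[^"]+)".*?/XML "(?P<xml>[^"]+)"', re.I)


def parse_events(lines):
    """Map (src_pid, dst_pid) -> {src/dst image names, set of actions seen}."""
    edges = defaultdict(lambda: {"actions": set()})
    for line in lines:
        m = EVENT_RE.match(line)
        if not m:
            continue
        edge = edges[(int(m["src"]), int(m["dst"]))]
        edge["src"], edge["dst"] = m["src_img"], m["dst_img"]
        edge["actions"].add("ctx" if m["action"].startswith("set") else "write")
    return edges


def hollowing_candidates(edges):
    """Parent wrote into a child of its own image AND replaced the child's thread
    context: the process-hollowing sequence (WriteProcessMemory + SetThreadContext)."""
    return sorted(k for k, e in edges.items()
                  if e["actions"] == {"write", "ctx"} and e["src"] == e["dst"])


def path_between(edges, start, goal):
    """BFS over write/ctx edges: the PID path by which execution reached `goal`."""
    parents, queue = {start: None}, [start]
    while queue:
        pid = queue.pop(0)
        if pid == goal:
            path = []
            while pid is not None:
                path.append(pid)
                pid = parents[pid]
            return path[::-1]
        for src, dst in edges:
            if src == pid and dst not in parents:
                parents[dst] = pid
                queue.append(dst)
    return []


def suspicious_schtasks(processes):
    """schtasks /Create whose task-definition XML is staged in the user's Temp dir."""
    hits = []
    for pid, image, cmd in processes:
        m = SCHTASKS_RE.search(cmd) if image.lower().endswith("schtasks.exe") else None
        if m and "\\appdata\\local\\temp\\" in m["xml"].lower():
            hits.append((pid, m["tn"], m["xml"]))
    return hits


def expand_install_path(template, user="Admin"):
    """Expand NetWire's %AppData% template to the user's Roaming profile path."""
    return template.replace("%AppData%", "C:\\Users\\" + user + "\\AppData\\Roaming")


def processes_at_install_path(processes, template=INSTALL_PATH, user="Admin"):
    """PIDs whose image path equals the config's install_path once expanded."""
    target = expand_install_path(template, user).lower()
    return sorted(pid for pid, image, _ in processes if image.lower() == target)


if __name__ == "__main__":
    edges = parse_events(EVENTS)
    print("hollowing:", hollowing_candidates(edges))       # [(1300, 2892), (4060, 2920)]
    print("chain:", path_between(edges, 4060, 2892))       # [4060, 2920, 1300, 2892]
    print("schtasks from Temp:", suspicious_schtasks(PROCESSES))
    print("at install_path:", processes_at_install_path(PROCESSES))
```

The same-image check is what separates hollowing from the process-creation writes in the report: 4060 also writes into schtasks.exe and into 3084, but only the edges that carry both a write and a thread-context change into a child of the same image are flagged. Feeding the script Sysmon event 8/10 records instead of the report's rows only requires swapping the EVENT_RE parser.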
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\tmp2684.tmp
- MD5: 917a68b7fa35efa017b48258e944ab07
- SHA1: edefd3c85d8d5b2503af03c60ec357e5d3431fb0
- SHA256: b081fe9fd074a6d26a3117ceff5483615615d405c66b024576788b2eb8004e7b
- SHA512: 360b3da4cb0f17b771117ce31e969b3eb622aaeb834f082eecdc8b02a6cf704c411881aaa1fb125000e51772e5f4c1cb39be8bdd1632eefada4dc0f55dc49f54

C:\Users\Admin\AppData\Local\Temp\tmpA30C.tmp
- MD5: 917a68b7fa35efa017b48258e944ab07
- SHA1: edefd3c85d8d5b2503af03c60ec357e5d3431fb0
- SHA256: b081fe9fd074a6d26a3117ceff5483615615d405c66b024576788b2eb8004e7b
- SHA512: 360b3da4cb0f17b771117ce31e969b3eb622aaeb834f082eecdc8b02a6cf704c411881aaa1fb125000e51772e5f4c1cb39be8bdd1632eefada4dc0f55dc49f54

C:\Users\Admin\AppData\Roaming\Install\Host.exe (listed four times in the report, all with the same hashes)
- MD5: b26006b1b87f94cae399ace4ed2881a5
- SHA1: 6326aa07419cec008653284ca9aabe158edb9ce7
- SHA256: a163607a059886c8fb885f9054c9afa3103c25cca976ea7ac082e1baf02fcd7c
- SHA512: ae92c14038ecb323b97e70e4474881fdb804262dee8f63c8e6c353560d4c8ca3ae69ca3d2dcdd3122171e2223f5e49a56d3621695fb9dd6762da733e47a8c685

Host.exe carries the same MD5/SHA1/SHA256/SHA512 as the submitted P_Order.scr: the sample copies itself unchanged to the install path, as copy_executable = true in the extracted config indicates. The two scheduled-task XML files (tmp2684.tmp and tmpA30C.tmp) are likewise identical to each other, so a file hash of either one identifies the task definition regardless of the random temp name.
Memory dumps
dump                                                              filesize
memory/1300-128-0x0000000000000000-mapping.dmp
memory/1300-137-0x0000000004C10000-0x000000000510E000-memory.dmp  5.0MB
memory/1320-124-0x0000000000000000-mapping.dmp
memory/2892-146-0x000000000040242D-mapping.dmp
memory/2920-126-0x0000000000400000-0x0000000000433000-memory.dmp  204KB
memory/2920-127-0x000000000040242D-mapping.dmp
memory/2920-135-0x0000000000400000-0x0000000000433000-memory.dmp  204KB
memory/4008-142-0x0000000000000000-mapping.dmp
memory/4060-114-0x0000000000370000-0x0000000000371000-memory.dmp  4KB
memory/4060-116-0x0000000005220000-0x0000000005221000-memory.dmp  4KB
memory/4060-117-0x0000000004D20000-0x0000000004D21000-memory.dmp  4KB
memory/4060-118-0x0000000004CA0000-0x0000000004CA1000-memory.dmp  4KB
memory/4060-119-0x0000000004D20000-0x000000000521E000-memory.dmp  5.0MB
memory/4060-120-0x00000000083F0000-0x00000000083F1000-memory.dmp  4KB
memory/4060-121-0x0000000008360000-0x0000000008362000-memory.dmp  8KB
memory/4060-122-0x0000000006830000-0x00000000068DD000-memory.dmp  692KB
memory/4060-123-0x000000000ADD0000-0x000000000AE39000-memory.dmp  420KB