Analysis
- max time kernel: 78s
- max time network: 124s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 12-07-2021 15:03

Static task: static1
Behavioral task: behavioral1
Sample: P_Order.scr
Resource: win7v20210410
General
- Target: P_Order.scr
- Size: 950KB
- MD5: b26006b1b87f94cae399ace4ed2881a5
- SHA1: 6326aa07419cec008653284ca9aabe158edb9ce7
- SHA256: a163607a059886c8fb885f9054c9afa3103c25cca976ea7ac082e1baf02fcd7c
- SHA512: ae92c14038ecb323b97e70e4474881fdb804262dee8f63c8e6c353560d4c8ca3ae69ca3d2dcdd3122171e2223f5e49a56d3621695fb9dd6762da733e47a8c685
Malware Config
Extracted
- Family: netwire
- C2: harold.ns01.info:3606

Attributes:
- activex_autorun: false
- activex_key: (empty)
- copy_executable: true
- delete_original: false
- host_id: Ojoko
- install_path: %AppData%\Install\Host.exe
- keylogger_dir: %AppData%\Logs\
- lock_executable: false
- mutex: enbSUNvD
- offline_keylogger: true
- password: master12
- registry_autorun: false
- startup_name: (empty)
- use_mutex: true
Signatures
- Contains code to disable Windows Defender (1 IoC)
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
  Processes (resource / yara_rule):
    behavioral2/memory/2100-139-0x0000000005250000-0x000000000574E000-memory.dmp / disable_win_def

- NetWire RAT payload (5 IoCs)
  Processes (resource / yara_rule):
    behavioral2/memory/4060-126-0x0000000000400000-0x0000000000433000-memory.dmp / netwire
    behavioral2/memory/4060-127-0x000000000040242D-mapping.dmp / netwire
    behavioral2/memory/4060-131-0x0000000000400000-0x0000000000433000-memory.dmp / netwire
    behavioral2/memory/2100-139-0x0000000005250000-0x000000000574E000-memory.dmp / netwire
    behavioral2/memory/1928-145-0x000000000040242D-mapping.dmp / netwire

- Executes dropped EXE (2 IoCs)
  Processes (pid / process):
    2100 / Host.exe
    1928 / Host.exe

- Suspicious use of SetThreadContext (2 IoCs)
  Processes (description / pid / process / target process):
    PID 1852 set thread context of 4060 / 1852 / P_Order.scr / P_Order.scr
    PID 2100 set thread context of 1928 / 2100 / Host.exe / Host.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes (pid / process):
    1272 / schtasks.exe
    3800 / schtasks.exe

- Suspicious use of WriteProcessMemory (31 IoCs)
  Processes (description / pid / process / target process), identical events grouped with their count:
    PID 1852 wrote to memory of 1272 / 1852 / P_Order.scr / schtasks.exe (x3)
    PID 1852 wrote to memory of 4060 / 1852 / P_Order.scr / P_Order.scr (x11)
    PID 4060 wrote to memory of 2100 / 4060 / P_Order.scr / Host.exe (x3)
    PID 2100 wrote to memory of 3800 / 2100 / Host.exe / schtasks.exe (x3)
    PID 2100 wrote to memory of 1928 / 2100 / Host.exe / Host.exe (x11)
Processes (process tree; indentation shows parent/child depth)
- C:\Users\Admin\AppData\Local\Temp\P_Order.scr
  Command line: "C:\Users\Admin\AppData\Local\Temp\P_Order.scr" /S
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DqhNCJcG" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDC1D.tmp"
      - Creates scheduled task(s)
    - C:\Users\Admin\AppData\Local\Temp\P_Order.scr
      Command line: "{path}"
      - Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Roaming\Install\Host.exe
          Command line: "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory
            - C:\Windows\SysWOW64\schtasks.exe
              Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DqhNCJcG" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5D92.tmp"
              - Creates scheduled task(s)
            - C:\Users\Admin\AppData\Roaming\Install\Host.exe
              Command line: "{path}"
              - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp5D92.tmp
  MD5: 917a68b7fa35efa017b48258e944ab07
  SHA1: edefd3c85d8d5b2503af03c60ec357e5d3431fb0
  SHA256: b081fe9fd074a6d26a3117ceff5483615615d405c66b024576788b2eb8004e7b
  SHA512: 360b3da4cb0f17b771117ce31e969b3eb622aaeb834f082eecdc8b02a6cf704c411881aaa1fb125000e51772e5f4c1cb39be8bdd1632eefada4dc0f55dc49f54

- C:\Users\Admin\AppData\Local\Temp\tmpDC1D.tmp
  MD5: 917a68b7fa35efa017b48258e944ab07
  SHA1: edefd3c85d8d5b2503af03c60ec357e5d3431fb0
  SHA256: b081fe9fd074a6d26a3117ceff5483615615d405c66b024576788b2eb8004e7b
  SHA512: 360b3da4cb0f17b771117ce31e969b3eb622aaeb834f082eecdc8b02a6cf704c411881aaa1fb125000e51772e5f4c1cb39be8bdd1632eefada4dc0f55dc49f54

- C:\Users\Admin\AppData\Roaming\Install\Host.exe (3 identical entries)
  MD5: b26006b1b87f94cae399ace4ed2881a5
  SHA1: 6326aa07419cec008653284ca9aabe158edb9ce7
  SHA256: a163607a059886c8fb885f9054c9afa3103c25cca976ea7ac082e1baf02fcd7c
  SHA512: ae92c14038ecb323b97e70e4474881fdb804262dee8f63c8e6c353560d4c8ca3ae69ca3d2dcdd3122171e2223f5e49a56d3621695fb9dd6762da733e47a8c685

Memory dumps (resource / filesize):
- memory/1272-124-0x0000000000000000-mapping.dmp
- memory/1852-118-0x00000000054D0000-0x0000000005562000-memory.dmp / 584KB
- memory/1852-122-0x0000000008D80000-0x0000000008E2D000-memory.dmp / 692KB
- memory/1852-123-0x0000000008E70000-0x0000000008ED9000-memory.dmp / 420KB
- memory/1852-121-0x0000000005B50000-0x0000000005B52000-memory.dmp / 8KB
- memory/1852-116-0x0000000005B70000-0x0000000005B71000-memory.dmp / 4KB
- memory/1852-120-0x0000000007110000-0x0000000007111000-memory.dmp / 4KB
- memory/1852-119-0x0000000002FB0000-0x0000000002FB1000-memory.dmp / 4KB
- memory/1852-117-0x0000000005570000-0x0000000005571000-memory.dmp / 4KB
- memory/1852-114-0x0000000000B80000-0x0000000000B81000-memory.dmp / 4KB
- memory/1928-145-0x000000000040242D-mapping.dmp
- memory/2100-128-0x0000000000000000-mapping.dmp
- memory/2100-139-0x0000000005250000-0x000000000574E000-memory.dmp / 5.0MB
- memory/3800-142-0x0000000000000000-mapping.dmp
- memory/4060-127-0x000000000040242D-mapping.dmp
- memory/4060-131-0x0000000000400000-0x0000000000433000-memory.dmp / 204KB
- memory/4060-126-0x0000000000400000-0x0000000000433000-memory.dmp / 204KB