Analysis
- max time kernel: 98s
- max time network: 152s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 21-07-2021 07:09

Tasks
- Static task: static1
- Behavioral task: behavioral1, sample Order.exe, resource win7v20210410

The signature hits and memory dumps below are prefixed behavioral2 and belong to the windows10_x64 / win10v20210410 run listed above.
General
- Target: Order.exe
- Size: 853KB
- MD5: 103362e59d9fd456e9ce47da23e14e4f
- SHA1: 5f557d79f1085f1e05da881204d341f2c82b20b9
- SHA256: f1079cf4bfcc93d98a75ee56bac5fc02f9e8bbb2bf255f7c3d0b25504c539e40
- SHA512: b20e271dfebd76f3353374026eb5b9633f75c3fe359d7c2e17af40b8470b91ff059b757148c11f0287e3d833db3523695035c3313230d8e6662456f928eead6e
Malware Config
Extracted family: netwire
- C2: 37.120.234.120:19792
- activex_autorun: false
- activex_key: (not set)
- copy_executable: true
- delete_original: false
- host_id: HostId-%Rand%
- install_path: %AppData%\Install\Host.exe
- keylogger_dir: %AppData%\Logs\
- lock_executable: false
- mutex: FvEKqKqS
- offline_keylogger: true
- password: Password
- registry_autorun: false
- startup_name: (not set)
- use_mutex: true

Reading the config against the run: both autorun flags are false and startup_name is empty, so the NetWire payload is not configured to install a Run key or ActiveX autorun of its own; the only persistence observed in this run is the scheduled task registered by the outer loader process (see Signatures and Processes). copy_executable is true with install_path %AppData%\Install\Host.exe, which matches the dropped C:\Users\Admin\AppData\Roaming\Install\Host.exe; that file's hashes are identical to the submitted Order.exe, i.e. the sample copies itself unchanged. The mutex FvEKqKqS, the keylogger directory %AppData%\Logs\ and the C2 socket are the host and network indicators to hunt for.
Signatures

Contains code to disable Windows Defender (1 IoC)
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
  resource                                                                      yara_rule
  behavioral2/memory/3908-139-0x00000000057C0000-0x0000000005CBE000-memory.dmp  disable_win_def

NetWire RAT payload (4 IoCs)
  resource                                                                      yara_rule
  behavioral2/memory/1092-126-0x0000000000400000-0x0000000000433000-memory.dmp  netwire
  behavioral2/memory/1092-127-0x000000000040242D-mapping.dmp                    netwire
  behavioral2/memory/1092-138-0x0000000000400000-0x0000000000433000-memory.dmp  netwire
  behavioral2/memory/2176-145-0x000000000040242D-mapping.dmp                    netwire

Executes dropped EXE (2 IoCs)
  pid   process
  3908  Host.exe
  2176  Host.exe

Suspicious use of SetThreadContext (2 IoCs)
  description                          pid   process    target process
  PID 3948 set thread context of 1092  3948  Order.exe  Order.exe
  PID 3908 set thread context of 2176  3908  Host.exe   Host.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. (This is the sandbox's generic description for the signature; no encryption or file-destruction activity is reported for this sample.)

Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   process
  2684  schtasks.exe
  1908  schtasks.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   process
  3948  Order.exe
  3908  Host.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   process
  Token: SeDebugPrivilege  3948  Order.exe
  Token: SeDebugPrivilege  3908  Host.exe

Suspicious use of WriteProcessMemory (31 IoCs)
The report lists one row per WriteProcessMemory call; identical rows are collapsed here with a call count.
  description                       pid   process    target process  calls
  PID 3948 wrote to memory of 1908  3948  Order.exe  schtasks.exe    3
  PID 3948 wrote to memory of 1092  3948  Order.exe  Order.exe       11
  PID 1092 wrote to memory of 3908  1092  Order.exe  Host.exe        3
  PID 3908 wrote to memory of 2684  3908  Host.exe   schtasks.exe    3
  PID 3908 wrote to memory of 2176  3908  Host.exe   Host.exe        11

Taken together, the SetThreadContext and WriteProcessMemory rows describe the loader starting a second instance of its own image (Order.exe 3948 -> Order.exe 1092, later Host.exe 3908 -> Host.exe 2176), writing into it 11 times and then resetting its thread context: the process-hollowing (RunPE) pattern. The netwire YARA hits land on exactly those children's 0x400000-0x433000 image regions, while the disable_win_def hit is in the parent loader's memory (PID 3908), so the Defender-tampering code belongs to the .NET loader stage, not to the NetWire payload. The children that are merely launched (schtasks.exe 1908 and 2684, Host.exe 3908) receive only 3 writes each and no thread-context reset.
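Added example, not part of the sandbox report: the Python below turns the reading of the two cross-process tables into a check. It parses the rows in the form the report renders them, aggregates WriteProcessMemory counts per (source, target) pair, and flags pairs that combine above-baseline writes with a SetThreadContext call, which is what separates hollowing from the handful of writes every launched child receives. The row text is copied from the report; the regular expressions, the 3-write baseline (taken from the schtasks.exe rows, children the loader only launches) and the function names are my own assumptions.

```python
import re

# Cross-process rows copied from the report's "Suspicious use of
# WriteProcessMemory" table (identical rows collapsed with a call count) and
# its "Suspicious use of SetThreadContext" table.
WRITE_ROWS = [
    ("PID 3948 wrote to memory of 1908 3948 Order.exe schtasks.exe", 3),
    ("PID 3948 wrote to memory of 1092 3948 Order.exe Order.exe", 11),
    ("PID 1092 wrote to memory of 3908 1092 Order.exe Host.exe", 3),
    ("PID 3908 wrote to memory of 2684 3908 Host.exe schtasks.exe", 3),
    ("PID 3908 wrote to memory of 2176 3908 Host.exe Host.exe", 11),
]
CONTEXT_ROWS = [
    "PID 3948 set thread context of 1092 3948 Order.exe Order.exe",
    "PID 3908 set thread context of 2176 3908 Host.exe Host.exe",
]

# Row layout as rendered: "<description> <pid> <process> <target process>".
# These patterns are an assumption about that layout, not a published format.
_WRITE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)$")
_CTX = re.compile(r"PID (\d+) set thread context of (\d+) \d+ (\S+) (\S+)$")


def parse_writes(rows):
    """Aggregate write rows into {(src_pid, dst_pid): {"src", "dst", "calls"}}."""
    writes = {}
    for text, count in rows:
        m = _WRITE.match(text)
        if not m:
            raise ValueError("unrecognised row: " + text)
        src, dst, src_img, dst_img = m.groups()
        entry = writes.setdefault(
            (int(src), int(dst)), {"src": src_img, "dst": dst_img, "calls": 0})
        entry["calls"] += count
    return writes


def parse_thread_context(rows):
    """Return the set of (src_pid, dst_pid) pairs where src reset dst's thread context."""
    pairs = set()
    for text in rows:
        m = _CTX.match(text)
        if not m:
            raise ValueError("unrecognised row: " + text)
        pairs.add((int(m.group(1)), int(m.group(2))))
    return pairs


def hollowing_candidates(writes, context_pairs, baseline_writes=3):
    """Flag (src, dst) pairs that look like process hollowing.

    Two conditions must hold: the source wrote into the target more often
    than a plain process launch does (assumed baseline: the 3 writes each
    schtasks.exe child receives in this report), and the source also reset
    the target's thread context. Writes alone are not enough; a context
    reset alone would miss the payload copy.
    """
    hits = []
    for (src, dst), info in sorted(writes.items()):
        if (src, dst) not in context_pairs or info["calls"] <= baseline_writes:
            continue
        hits.append({
            "src": src, "dst": dst,
            "src_image": info["src"], "dst_image": info["dst"],
            "writes": info["calls"],
            "same_image": info["src"] == info["dst"],  # self-hollowing, as here
        })
    return hits


if __name__ == "__main__":
    found = hollowing_candidates(parse_writes(WRITE_ROWS),
                                 parse_thread_context(CONTEXT_ROWS))
    for h in found:
        print(f"{h['src_image']}({h['src']}) -> {h['dst_image']}({h['dst']}): "
              f"{h['writes']} writes + SetThreadContext, same image={h['same_image']}")
```

Run against the report's rows this yields the two self-hollowing pairs, 3948 -> 1092 and 3908 -> 2176, and nothing for the three launched-only children. The same_image flag is informational: the hollowed image here is the loader's own file, but the check does not require that, so a loader hollowing a system binary would still be reported.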
Processes
(PIDs in brackets are taken from the signature tables above; the tree itself does not print them.)

[1] C:\Users\Admin\AppData\Local\Temp\Order.exe (PID 3948)
    command line: "C:\Users\Admin\AppData\Local\Temp\Order.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\schtasks.exe (PID 1908)
        command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vabtzuyh" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD7C8.tmp"
        - Creates scheduled task(s)

    [2] C:\Users\Admin\AppData\Local\Temp\Order.exe (PID 1092, hollowed NetWire instance)
        command line: "{path}"
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Roaming\Install\Host.exe (PID 3908)
            command line: "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\schtasks.exe (PID 2684)
                command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vabtzuyh" /XML "C:\Users\Admin\AppData\Local\Temp\tmp93D4.tmp"
                - Creates scheduled task(s)

            [4] C:\Users\Admin\AppData\Roaming\Install\Host.exe (PID 2176, hollowed NetWire instance)
                command line: "{path}"
                - Executes dropped EXE

Two details worth noting. The command lines name C:\Windows\System32\schtasks.exe but the image that runs is C:\Windows\SysWOW64\schtasks.exe: the loader is a 32-bit process (the payload regions sit at 0x400000), so WOW64 file system redirection maps its System32 reference to SysWOW64. And the chain repeats itself once: the hollowed Order.exe copies the sample to the configured install path, and the copy (Host.exe) registers the same task name, Updates\vabtzuyh, from a second temporary XML and hollows itself again.
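The schtasks command lines in the tree carry the persistence details: task name Updates\vabtzuyh and a task definition XML read from the user's Temp directory. As an added example (not code from the report or from the sandbox vendor), the Python below extracts the /TN and /XML arguments from a schtasks /Create command line and scores the cues a hunter would look for: definition supplied from a user-writable path, a .tmp file name, and a creating binary that itself lives under AppData. The two malicious command lines and creator paths are copied from the process tree; the benign comparison line, the marker list, the regular expressions and the function names are constructed assumptions.

```python
import re
import ntpath

# Command lines and creating images copied from the report's process tree
# (raw strings keep the backslashes literal).
REPORT_CMDLINES = [
    (r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vabtzuyh" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD7C8.tmp"',
     r"C:\Users\Admin\AppData\Local\Temp\Order.exe"),
    (r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vabtzuyh" /XML "C:\Users\Admin\AppData\Local\Temp\tmp93D4.tmp"',
     r"C:\Users\Admin\AppData\Roaming\Install\Host.exe"),
]
# Constructed benign comparison; not from the report.
BENIGN_CMDLINE = (
    r'"C:\Windows\System32\schtasks.exe" /Create /TN "Vendor\Updater" /XML "C:\Program Files\Vendor\updater.xml"',
    r"C:\Program Files\Vendor\setup.exe",
)

# schtasks switches are case-insensitive; values may be quoted or bare.
_SWITCH = re.compile(r'/(TN|XML|TR|SC|RU)\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)
_CREATE = re.compile(r"/create(?:\s|$)", re.IGNORECASE)

# Path fragments a standard user can write to (assumed list; extend per estate).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def parse_schtasks(cmdline):
    """Return the switches of a schtasks command line, e.g. {"CREATE": True, "TN": ..., "XML": ...}."""
    switches = {"CREATE": bool(_CREATE.search(cmdline))}
    for m in _SWITCH.finditer(cmdline):
        switches[m.group(1).upper()] = m.group(2) if m.group(2) is not None else m.group(3)
    return switches


def _user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def assess_schtasks(cmdline, creator_image=None):
    """Score one schtasks invocation: (score, reasons). 0 means nothing notable.

    Only /Create is scored; queries, deletions and runs are ignored here.
    """
    s = parse_schtasks(cmdline)
    if not s["CREATE"]:
        return 0, []
    reasons = []
    xml = s.get("XML")
    if xml:
        if _user_writable(xml):
            reasons.append("task definition XML read from a user-writable path: " + xml)
        if ntpath.splitext(xml)[1].lower() == ".tmp":
            reasons.append("task definition is a .tmp file, i.e. a throwaway: " + ntpath.basename(xml))
    if creator_image and _user_writable(creator_image):
        reasons.append("schtasks launched by a binary under a user-writable path: " + creator_image)
    return len(reasons), reasons


def assess_all(entries):
    """Convenience wrapper: [(score, task name), ...] for (cmdline, creator) pairs."""
    return [(assess_schtasks(cmd, creator)[0], parse_schtasks(cmd).get("TN"))
            for cmd, creator in entries]


if __name__ == "__main__":
    for cmd, creator in REPORT_CMDLINES + [BENIGN_CMDLINE]:
        score, reasons = assess_schtasks(cmd, creator)
        print(f"{parse_schtasks(cmd).get('TN')}: score {score}")
        for r in reasons:
            print("  -", r)
```

Both report command lines score 3 (Temp-resident XML, .tmp name, creator under AppData) while the constructed vendor task scores 0. On a live host the same function can be fed Sysmon process-creation events for schtasks.exe, with the parent image as creator_image; the task name Updates\vabtzuyh and the .tmp definition path are then the concrete strings to search for.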
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

Dropped files

C:\Users\Admin\AppData\Local\Temp\tmp93D4.tmp
- MD5: 67180dc7300556e57f7896c0706b426b
- SHA1: 95291f6b8b7e7b0658259e304111847b4b355344
- SHA256: b4909a6679d9ead1ac51fbc7fff2ac8fef67eaf31057091645c08fdd51cff596
- SHA512: 6b70ad1f2d8b270ce1a85c948b05b9fa73351c7ed260b374a8aa82e9ba77f8d729f4470c1c91c648756e351f2c9d0afff84e66ac8f063f6f09d4a648f3dfcfa9

C:\Users\Admin\AppData\Local\Temp\tmpD7C8.tmp
- MD5: 67180dc7300556e57f7896c0706b426b
- SHA1: 95291f6b8b7e7b0658259e304111847b4b355344
- SHA256: b4909a6679d9ead1ac51fbc7fff2ac8fef67eaf31057091645c08fdd51cff596
- SHA512: 6b70ad1f2d8b270ce1a85c948b05b9fa73351c7ed260b374a8aa82e9ba77f8d729f4470c1c91c648756e351f2c9d0afff84e66ac8f063f6f09d4a648f3dfcfa9

C:\Users\Admin\AppData\Roaming\Install\Host.exe (the report lists this path three times with identical hashes; one entry kept)
- MD5: 103362e59d9fd456e9ce47da23e14e4f
- SHA1: 5f557d79f1085f1e05da881204d341f2c82b20b9
- SHA256: f1079cf4bfcc93d98a75ee56bac5fc02f9e8bbb2bf255f7c3d0b25504c539e40
- SHA512: b20e271dfebd76f3353374026eb5b9633f75c3fe359d7c2e17af40b8470b91ff059b757148c11f0287e3d833db3523695035c3313230d8e6662456f928eead6e

The two .tmp files are the scheduled-task XML definitions passed to schtasks.exe and are byte-identical (same hashes), one written by each loader instance. Host.exe carries the same hashes as the submitted Order.exe, confirming the copy_executable / install_path settings in the extracted config.

Memory dumps

- memory/1092-126-0x0000000000400000-0x0000000000433000-memory.dmp: 204KB
- memory/1092-138-0x0000000000400000-0x0000000000433000-memory.dmp: 204KB
- memory/1092-127-0x000000000040242D-mapping.dmp
- memory/1908-124-0x0000000000000000-mapping.dmp
- memory/2176-145-0x000000000040242D-mapping.dmp
- memory/2684-142-0x0000000000000000-mapping.dmp
- memory/3908-139-0x00000000057C0000-0x0000000005CBE000-memory.dmp: 5.0MB
- memory/3908-128-0x0000000000000000-mapping.dmp
- memory/3948-118-0x00000000052A0000-0x00000000052A1000-memory.dmp: 4KB
- memory/3948-117-0x0000000005200000-0x0000000005201000-memory.dmp: 4KB
- memory/3948-114-0x0000000000900000-0x0000000000901000-memory.dmp: 4KB
- memory/3948-119-0x0000000005310000-0x000000000580E000-memory.dmp: 5.0MB
- memory/3948-123-0x00000000089B0000-0x0000000008A1B000-memory.dmp: 428KB
- memory/3948-122-0x00000000088B0000-0x0000000008967000-memory.dmp: 732KB
- memory/3948-116-0x0000000005810000-0x0000000005811000-memory.dmp: 4KB
- memory/3948-121-0x0000000007380000-0x0000000007381000-memory.dmp: 4KB
- memory/3948-120-0x0000000005390000-0x0000000005392000-memory.dmp: 8KB

The 204KB dumps of PID 1092 at 0x400000-0x433000 are the unpacked NetWire image written into the hollowed child (the netwire YARA hits). The 0x40242D mapping dumps for PIDs 1092 and 2176 fall inside that image region, consistent with the thread context having been redirected there; for the children created normally (1908, 2684, 3908) the mapping offset is 0.