Analysis
max time kernel: 103s
max time network: 121s
platform: windows10_x64
resource: win10v20210408
submitted: 21-07-2021 07:33

Static task: static1
Behavioral task: behavioral1
Sample: order.exe
Resource: win7v20210410

General
Target: order.exe
Size: 838KB
MD5: 587f6655380282c9fb7997fa2225438e
SHA1: 5b45eb58ef1d1cd93df0ecfc7b4124644515e93c
SHA256: 9add495b9373ca17ea4f158da84a200f3d5a52ce81bc535a575a5eac31bd76bb
SHA512: 1b97c465d355d8fa6355c7b856ba7eebac8b8c4bdd9c482b1a8fa6c558309356cfb80ac3373737b269c1ca9c4df03294daee918a34500e45874c1b6fc32ce488
Malware Config
Extracted
Family: netwire
C2: 84.38.129.130:19891
activex_autorun: false
activex_key: (empty)
copy_executable: true
delete_original: false
host_id: HostId-%Rand%
install_path: %AppData%\Install\Host.exe
keylogger_dir: %AppData%\Logs\
lock_executable: false
mutex: iFwvrEFs
offline_keylogger: true
password: Password
registry_autorun: false
startup_name: (empty)
use_mutex: true
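The extracted configuration above, parsed from the flattened key/value layout the report page uses and turned into concrete host indicators. This is an added example, not part of the sandbox report or of any NetWire tooling: the parser, the function names and the "Admin" profile name (taken from the paths in the process tree on this page) are the example's own choices; the expansion of %AppData% to the roaming profile directory is standard Windows behaviour, and %Rand% is kept as a wildcard because the config does not fix it.

```python
import re

# Constructed input: the "Malware Config / Extracted" block copied from this
# report page in its flattened form (one token per line, "-" between entries;
# a "- key" line is a separator followed by a key that has no value).
RAW_CONFIG = """netwire
84.38.129.130:19891
-
activex_autorun
false
- activex_key
-
copy_executable
true
-
delete_original
false
-
host_id
HostId-%Rand%
-
install_path
%AppData%\\Install\\Host.exe
-
keylogger_dir
%AppData%\\Logs\\
-
lock_executable
false
-
mutex
iFwvrEFs
-
offline_keylogger
true
-
password
Password
-
registry_autorun
false
- startup_name
-
use_mutex
true
"""


def parse_netwire_config(raw):
    """Parse the flattened config into a dict; true/false become bool, valueless keys become ''."""
    text = re.sub(r"^-[ \t]+(\S)", r"-\n\1", raw, flags=re.M)  # turn "- key" into "-" + "key"
    entries = []
    for chunk in re.split(r"^-[ \t]*$", text, flags=re.M):
        lines = [ln.strip() for ln in chunk.splitlines() if ln.strip()]
        if lines:
            entries.append(lines)
    family, c2 = entries[0]            # first entry: family name, then C2 host:port
    host, port = c2.rsplit(":", 1)
    cfg = {"family": family, "c2_host": host, "c2_port": int(port)}
    for key, *rest in entries[1:]:
        value = rest[0] if rest else ""
        cfg[key] = (value == "true") if value in ("true", "false") else value
    return cfg


def autorun_mechanisms(cfg):
    """Autorun flags the config itself switches on (empty list: no Run key / ActiveX autorun)."""
    return [k for k in ("activex_autorun", "registry_autorun") if cfg.get(k)]


def host_artifacts(cfg, user):
    """Concrete indicators for one Windows profile. %AppData% is the roaming profile
    directory; %Rand% is a per-host random token, kept as '*' for matching."""
    appdata = f"C:\\Users\\{user}\\AppData\\Roaming"
    expand = lambda p: p.replace("%AppData%", appdata)
    return {
        "install_path": expand(cfg["install_path"]) if cfg["copy_executable"] else None,
        "keylogger_dir": expand(cfg["keylogger_dir"]) if cfg["offline_keylogger"] else None,
        "mutex": cfg["mutex"] if cfg["use_mutex"] else None,
        "c2": f"{cfg['c2_host']}:{cfg['c2_port']}",
        "host_id_pattern": cfg["host_id"].replace("%Rand%", "*"),
    }


if __name__ == "__main__":
    cfg = parse_netwire_config(RAW_CONFIG)
    for k, v in host_artifacts(cfg, "Admin").items():
        print(f"{k:16} {v}")
    print("autorun flags on:", autorun_mechanisms(cfg) or "none")
```

Two things worth checking against the rest of the report: the expanded install_path is exactly the dropped Host.exe path that appears in the process tree, and both autorun flags are off, so the scheduled-task persistence the process tree shows is not something this config encodes; it comes from the loader, not from the NetWire settings.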
Signatures

NetWire RAT payload (4 IoCs)
Resources matching YARA rule "netwire":
  behavioral2/memory/3148-126-0x0000000000400000-0x0000000000433000-memory.dmp
  behavioral2/memory/3148-127-0x000000000040242D-mapping.dmp
  behavioral2/memory/3148-138-0x0000000000400000-0x0000000000433000-memory.dmp
  behavioral2/memory/3576-145-0x000000000040242D-mapping.dmp

Executes dropped EXE (2 IoCs)
Processes:
  PID 3176  Host.exe
  PID 3576  Host.exe

Suspicious use of SetThreadContext (2 IoCs)
Processes:
  PID 3728 order.exe set thread context of PID 3148 order.exe
  PID 3176 Host.exe set thread context of PID 3576 Host.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). The sandbox attaches a generic "likely ransomware behaviour" note to this signature; for a NetWire sample the drive enumeration is better read as the RAT's file-management capability, and nothing else in this report (no file writes beyond the dropped copy and the task XML, no encryption activity) supports a ransomware reading.
Creates scheduled task(s) (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
  PID 2984  schtasks.exe
  PID 1724  schtasks.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  PID 3728  order.exe
  PID 3176  Host.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  PID 3728  order.exe  Token: SeDebugPrivilege
  PID 3176  Host.exe   Token: SeDebugPrivilege

Suspicious use of WriteProcessMemory (31 IoCs)
Processes (source -> target, number of recorded writes):
  PID 3728 order.exe -> PID 2984 schtasks.exe  (3)
  PID 3728 order.exe -> PID 3148 order.exe     (11)
  PID 3148 order.exe -> PID 3176 Host.exe      (3)
  PID 3176 Host.exe  -> PID 1724 schtasks.exe  (3)
  PID 3176 Host.exe  -> PID 3576 Host.exe      (11)
Processes
(Indented by process depth. "{path}" is the sandbox's placeholder for a command line that is just the process's own image path, i.e. a child started from the same executable as its parent. The schtasks.exe image is under SysWOW64 although the command line says System32: the parent is a 32-bit process and WoW64 file-system redirection maps System32 to SysWOW64.)

C:\Users\Admin\AppData\Local\Temp\order.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\order.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\schtasks.exe
    command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BFzyfsQWtX" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2C7F.tmp"
    - Creates scheduled task(s)

  C:\Users\Admin\AppData\Local\Temp\order.exe
    command line: "{path}"
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Install\Host.exe
      command line: "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\schtasks.exe
        command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BFzyfsQWtX" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEA41.tmp"
        - Creates scheduled task(s)

      C:\Users\Admin\AppData\Roaming\Install\Host.exe
        command line: "{path}"
        - Executes dropped EXE
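The injection chain and the persistence step recorded in the signature tables and the process tree above, as an added example that is not part of the sandbox report or of the sandbox's own tooling: a parser for the report's "wrote to memory" / "set thread context" lines that flags the process-hollowing pattern (a parent writes into a child that runs the same image and then replaces the child's thread context) and a check for schtasks task creation driven by an XML file in the user's Temp directory. The input strings are excerpts copied from this page (the full WriteProcessMemory table repeats each pair several times; only a few repeats are kept), and the regexes and function names are the example's own.

```python
import re
from collections import Counter

# Constructed input: excerpt of the "Suspicious use of WriteProcessMemory" table
# on this page. Field order is: source PID, target PID, source PID again,
# source image, target image.
WRITE_EVENTS = (
    "PID 3728 wrote to memory of 2984 3728 order.exe schtasks.exe "
    "PID 3728 wrote to memory of 3148 3728 order.exe order.exe "
    "PID 3728 wrote to memory of 3148 3728 order.exe order.exe "
    "PID 3148 wrote to memory of 3176 3148 order.exe Host.exe "
    "PID 3176 wrote to memory of 1724 3176 Host.exe schtasks.exe "
    "PID 3176 wrote to memory of 3576 3176 Host.exe Host.exe "
    "PID 3176 wrote to memory of 3576 3176 Host.exe Host.exe"
)
# Constructed input: the "Suspicious use of SetThreadContext" table, same layout.
THREAD_CONTEXT_EVENTS = (
    "PID 3728 set thread context of 3148 3728 order.exe order.exe "
    "PID 3176 set thread context of 3576 3176 Host.exe Host.exe"
)
# Constructed input: child command lines copied from the process tree.
CHILD_COMMAND_LINES = [
    r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BFzyfsQWtX" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2C7F.tmp"',
    r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BFzyfsQWtX" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEA41.tmp"',
    r'"C:\Users\Admin\AppData\Roaming\Install\Host.exe"',
]

EVENT_RE = re.compile(
    r"PID (\d+) (wrote to memory of|set thread context of) (\d+) \d+ (\S+) (\S+)"
)


def parse_events(text):
    """Counter keyed by (src_pid, src_image, dst_pid, dst_image), value = repeat count."""
    counts = Counter()
    for m in EVENT_RE.finditer(text):
        src, _, dst, src_img, dst_img = m.groups()
        counts[(int(src), src_img, int(dst), dst_img)] += 1
    return counts


def injection_chain(writes):
    """Edges in first-seen order with repeat counts, for reading the chain top to bottom."""
    return [f"{si} (PID {s}) -> {di} (PID {d}) x{n}" for (s, si, d, di), n in writes.items()]


def find_hollowed_children(writes, thread_ctx):
    """Hollowing pattern: parent writes into a child that shares its image name and
    also replaces that child's thread context. Returns sorted (parent_pid, child_pid, image)."""
    hits = set()
    for key in writes:
        src, src_img, dst, dst_img = key
        if src_img == dst_img and key in thread_ctx:
            hits.add((src, dst, src_img))
    return sorted(hits)


def find_task_creation_from_temp(cmdlines):
    """schtasks /Create whose /XML definition lives under the user's Temp directory.
    Returns (task name, xml path) pairs."""
    create_re = re.compile(r'/Create .*?/TN\s+"([^"]+)".*?/XML\s+"([^"]+)"', re.I)
    temp_re = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
    found = []
    for cl in cmdlines:
        m = create_re.search(cl)
        if m and temp_re.search(m.group(2)):
            found.append((m.group(1), m.group(2)))
    return found


if __name__ == "__main__":
    writes = parse_events(WRITE_EVENTS)
    ctx = parse_events(THREAD_CONTEXT_EVENTS)
    print("\n".join(injection_chain(writes)))
    print("hollowed children:", find_hollowed_children(writes, ctx))
    print("tasks from Temp XML:", find_task_creation_from_temp(CHILD_COMMAND_LINES))
```

Reading the result against the rest of the report: the two hollowed children are PIDs 3148 and 3576, and those are exactly the processes whose 0x400000-0x433000 region and 0x40242D mapping hit the netwire YARA rule in the Signatures section, so the RAT body never exists on disk as a distinct file; only the loader (order.exe, copied verbatim to Host.exe) does. The two task-creation hits share one task name and one XML hash, which is the loader re-registering the same task from its dropped location.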
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\tmp2C7F.tmp
  MD5:    8f4b327e97258a599564cd2ad518ac56
  SHA1:   3a72b232fce4b3d80ce27175408ae70d5cf6d1e7
  SHA256: 112517429d8cf336b27742478319bf3bfd4cc4ff141a60982bb7fbe09c7667a3
  SHA512: fc152ba8d86fd274b1fbd117a9efe8971e1e9ebf75a2d3a6fef1adb86b8d12f67d9c6051d02771121bc01daf985cbd3261c53602bbc52791ca5c1ad0f5c42823

C:\Users\Admin\AppData\Local\Temp\tmpEA41.tmp
  (same content as tmp2C7F.tmp: the scheduled-task XML is written once by order.exe and again by the dropped Host.exe)
  MD5:    8f4b327e97258a599564cd2ad518ac56
  SHA1:   3a72b232fce4b3d80ce27175408ae70d5cf6d1e7
  SHA256: 112517429d8cf336b27742478319bf3bfd4cc4ff141a60982bb7fbe09c7667a3
  SHA512: fc152ba8d86fd274b1fbd117a9efe8971e1e9ebf75a2d3a6fef1adb86b8d12f67d9c6051d02771121bc01daf985cbd3261c53602bbc52791ca5c1ad0f5c42823

C:\Users\Admin\AppData\Roaming\Install\Host.exe
  (byte-identical to the submitted order.exe, as expected from copy_executable: true in the extracted config)
  MD5:    587f6655380282c9fb7997fa2225438e
  SHA1:   5b45eb58ef1d1cd93df0ecfc7b4124644515e93c
  SHA256: 9add495b9373ca17ea4f158da84a200f3d5a52ce81bc535a575a5eac31bd76bb
  SHA512: 1b97c465d355d8fa6355c7b856ba7eebac8b8c4bdd9c482b1a8fa6c558309356cfb80ac3373737b269c1ca9c4df03294daee918a34500e45874c1b6fc32ce488
memory/1724-142-0x0000000000000000-mapping.dmp
memory/2984-124-0x0000000000000000-mapping.dmp
memory/3148-126-0x0000000000400000-0x0000000000433000-memory.dmp  (204KB)
memory/3148-138-0x0000000000400000-0x0000000000433000-memory.dmp  (204KB)
memory/3148-127-0x000000000040242D-mapping.dmp
memory/3176-139-0x0000000005790000-0x0000000005C8E000-memory.dmp  (5.0MB)
memory/3176-128-0x0000000000000000-mapping.dmp
memory/3576-145-0x000000000040242D-mapping.dmp
memory/3728-118-0x0000000004DA0000-0x0000000004DA1000-memory.dmp  (4KB)
memory/3728-123-0x00000000069C0000-0x0000000006A2F000-memory.dmp  (444KB)
memory/3728-117-0x0000000004DD0000-0x0000000004DD1000-memory.dmp  (4KB)
memory/3728-114-0x0000000000430000-0x0000000000431000-memory.dmp  (4KB)
memory/3728-119-0x0000000004EB0000-0x0000000004EB1000-memory.dmp  (4KB)
memory/3728-122-0x00000000068C0000-0x0000000006973000-memory.dmp  (716KB)
memory/3728-121-0x0000000008270000-0x0000000008271000-memory.dmp  (4KB)
memory/3728-116-0x00000000052D0000-0x00000000052D1000-memory.dmp  (4KB)
memory/3728-120-0x00000000050A0000-0x00000000050A2000-memory.dmp  (8KB)