Analysis

- max time kernel: 104s
- max time network: 123s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 21-07-2021 08:03

Static task: static1
Behavioral task: behavioral1
- Sample: order.exe
- Resource: win7v20210410
General

- Target: order.exe
- Size: 838KB
- MD5: 587f6655380282c9fb7997fa2225438e
- SHA1: 5b45eb58ef1d1cd93df0ecfc7b4124644515e93c
- SHA256: 9add495b9373ca17ea4f158da84a200f3d5a52ce81bc535a575a5eac31bd76bb
- SHA512: 1b97c465d355d8fa6355c7b856ba7eebac8b8c4bdd9c482b1a8fa6c558309356cfb80ac3373737b269c1ca9c4df03294daee918a34500e45874c1b6fc32ce488
Malware Config

Extracted: netwire
- C2: 84.38.129.130:19891
- activex_autorun: false
- activex_key: (empty)
- copy_executable: true
- delete_original: false
- host_id: HostId-%Rand%
- install_path: %AppData%\Install\Host.exe
- keylogger_dir: %AppData%\Logs\
- lock_executable: false
- mutex: iFwvrEFs
- offline_keylogger: true
- password: Password
- registry_autorun: false
- startup_name: (empty)
- use_mutex: true
Signatures

NetWire RAT payload (5 IoCs)
YARA rule "netwire" matched in the following memory dumps:
- behavioral2/memory/4024-126-0x0000000000400000-0x0000000000433000-memory.dmp
- behavioral2/memory/4024-127-0x000000000040242D-mapping.dmp
- behavioral2/memory/4024-133-0x0000000000400000-0x0000000000433000-memory.dmp
- behavioral2/memory/2116-139-0x0000000004FF0000-0x00000000054EE000-memory.dmp
- behavioral2/memory/3868-145-0x000000000040242D-mapping.dmp

Executes dropped EXE (2 IoCs)
- PID 2116 Host.exe
- PID 3868 Host.exe

Suspicious use of SetThreadContext (2 IoCs)
- PID 664 (order.exe) set thread context of PID 4024 (order.exe)
- PID 2116 (Host.exe) set thread context of PID 3868 (Host.exe)
Each parent starts a second copy of its own image, writes to it repeatedly (see the WriteProcessMemory events below) and then replaces a thread context. That is the process-hollowing / RunPE pattern, and it explains why the YARA hits land in the child processes 4024 and 3868 rather than in the parents that spawned them.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature reads "Likely ransomware behaviour"; nothing else in this report (a NetWire RAT with an offline keylogger configuration) shows encryption activity, so treat the signature as generic drive enumeration here.

Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- PID 2940 schtasks.exe
- PID 1192 schtasks.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 664 order.exe
- PID 2116 Host.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
- PID 664 order.exe: Token: SeDebugPrivilege
- PID 2116 Host.exe: Token: SeDebugPrivilege

Suspicious use of WriteProcessMemory (31 IoCs)
Source -> target, with the number of recorded write events:
- PID 664 order.exe -> PID 2940 schtasks.exe (3)
- PID 664 order.exe -> PID 4024 order.exe (11)
- PID 4024 order.exe -> PID 2116 Host.exe (3)
- PID 2116 Host.exe -> PID 1192 schtasks.exe (3)
- PID 2116 Host.exe -> PID 3868 Host.exe (11)
Processes

PIDs are taken from the signature tables above. Note that the schtasks image path is C:\Windows\SysWOW64\schtasks.exe although the command line names System32: the sample is a 32-bit process, so file-system redirection maps System32 to SysWOW64 for it.

C:\Users\Admin\AppData\Local\Temp\order.exe (PID 664)
  command line: "C:\Users\Admin\AppData\Local\Temp\order.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\schtasks.exe (PID 2940)
    command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BFzyfsQWtX" /XML "C:\Users\Admin\AppData\Local\Temp\tmp858C.tmp"
    - Creates scheduled task(s)

  C:\Users\Admin\AppData\Local\Temp\order.exe (PID 4024)
    command line: "{path}"
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Install\Host.exe (PID 2116)
      command line: "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\schtasks.exe (PID 1192)
        command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BFzyfsQWtX" /XML "C:\Users\Admin\AppData\Local\Temp\tmp45BF.tmp"
        - Creates scheduled task(s)

      C:\Users\Admin\AppData\Roaming\Install\Host.exe (PID 3868)
        command line: "{path}"
        - Executes dropped EXE
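The two behaviours that matter in this tree, a same-image child that is written to and has its thread context replaced, and schtasks /Create fed an XML from the temp directory, can be detected mechanically. The Python below is an added example, not part of the sandbox report: the process records, WriteProcessMemory counts and SetThreadContext pairs are constructed by hand from the tables above (PIDs, images and command lines as the report shows them), and the function names are the example's own.

```python
"""Detection logic over the process/memory events in this report.

Added example, not part of the sandbox report. The records below are
constructed by hand from the process tree and signature tables; PIDs,
image paths and command lines are the ones the report shows.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Proc:
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str


# Constructed from the process tree; parent links follow the
# WriteProcessMemory source/target pairs in the signature table.
PROCS: List[Proc] = [
    Proc(664, None, r"C:\Users\Admin\AppData\Local\Temp\order.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\order.exe"'),
    Proc(2940, 664, r"C:\Windows\SysWOW64\schtasks.exe",
         r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BFzyfsQWtX" '
         r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp858C.tmp"'),
    Proc(4024, 664, r"C:\Users\Admin\AppData\Local\Temp\order.exe", '"{path}"'),
    Proc(2116, 4024, r"C:\Users\Admin\AppData\Roaming\Install\Host.exe",
         r'"C:\Users\Admin\AppData\Roaming\Install\Host.exe"'),
    Proc(1192, 2116, r"C:\Windows\SysWOW64\schtasks.exe",
         r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BFzyfsQWtX" '
         r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp45BF.tmp"'),
    Proc(3868, 2116, r"C:\Users\Admin\AppData\Roaming\Install\Host.exe", '"{path}"'),
]

# One (source pid, target pid) tuple per recorded event, 31 in total as reported.
WRITES: List[Tuple[int, int]] = ([(664, 2940)] * 3 + [(664, 4024)] * 11 +
                                 [(4024, 2116)] * 3 + [(2116, 1192)] * 3 +
                                 [(2116, 3868)] * 11)
SET_THREAD_CONTEXT: List[Tuple[int, int]] = [(664, 4024), (2116, 3868)]


def find_hollowing(procs: List[Proc], writes, set_ctx) -> List[Dict]:
    """Flag a child whose parent runs the same image, wrote into the child's
    memory and replaced a thread context: the RunPE / process-hollowing pattern.
    The "{path}" placeholder command line is a side effect, not a requirement."""
    by_pid = {p.pid: p for p in procs}
    write_count: Dict[Tuple[int, int], int] = {}
    for src, dst in writes:
        write_count[(src, dst)] = write_count.get((src, dst), 0) + 1
    ctx = set(set_ctx)
    hits = []
    for p in procs:
        parent = by_pid.get(p.ppid) if p.ppid is not None else None
        if parent is None or parent.image.lower() != p.image.lower():
            continue
        key = (parent.pid, p.pid)
        if key in ctx and write_count.get(key, 0) > 0:
            hits.append({"parent": parent.pid, "child": p.pid,
                         "image": p.image, "writes": write_count[key]})
    return hits


def dropped_payload_children(procs: List[Proc], hollow_hits: List[Dict]) -> Dict[int, List[int]]:
    """For each hollowed process, list children running a different image:
    that is where the dropped copy (Host.exe here) enters the tree."""
    out: Dict[int, List[int]] = {}
    for h in hollow_hits:
        out[h["child"]] = [p.pid for p in procs
                           if p.ppid == h["child"] and p.image.lower() != h["image"].lower()]
    return out


SCHTASKS_CREATE = re.compile(r'/Create\s+/TN\s+"([^"]+)"\s+/XML\s+"([^"]+)"', re.IGNORECASE)


def find_schtasks_persistence(procs: List[Proc]) -> List[Dict]:
    """schtasks /Create driven by a .tmp XML file in a Temp directory is the
    persistence this sample uses instead of a Run key (registry_autorun=false)."""
    hits = []
    for p in procs:
        if not p.image.lower().endswith("\\schtasks.exe"):
            continue
        m = SCHTASKS_CREATE.search(p.cmdline)
        if not m:
            continue
        task_name, xml_path = m.group(1), m.group(2)
        low = xml_path.lower()
        hits.append({"pid": p.pid, "parent": p.ppid, "task": task_name, "xml": xml_path,
                     "xml_in_temp": "\\temp\\" in low and low.endswith(".tmp")})
    return hits


if __name__ == "__main__":
    hollow = find_hollowing(PROCS, WRITES, SET_THREAD_CONTEXT)
    for h in hollow:
        print(f"hollowing: {h['parent']} -> {h['child']} ({h['image']}), {h['writes']} writes")
    print("dropped payload launched from hollowed process:", dropped_payload_children(PROCS, hollow))
    for s in find_schtasks_persistence(PROCS):
        print(f"schtasks persistence: pid {s['pid']} task {s['task']} xml {s['xml']} temp={s['xml_in_temp']}")
```

Run as a script it reports both hollowing pairs (664 -> 4024 and 2116 -> 3868, eleven writes each), that Host.exe (PID 2116) is launched from the first hollowed process, and both schtasks creations of Updates\BFzyfsQWtX from a Temp .tmp file. The same logic applies to EDR telemetry with parent/child PIDs and cross-process write events; the constructed records only stand in for that feed.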
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads (dropped files)

C:\Users\Admin\AppData\Local\Temp\tmp45BF.tmp
- MD5: 8f4b327e97258a599564cd2ad518ac56
- SHA1: 3a72b232fce4b3d80ce27175408ae70d5cf6d1e7
- SHA256: 112517429d8cf336b27742478319bf3bfd4cc4ff141a60982bb7fbe09c7667a3
- SHA512: fc152ba8d86fd274b1fbd117a9efe8971e1e9ebf75a2d3a6fef1adb86b8d12f67d9c6051d02771121bc01daf985cbd3261c53602bbc52791ca5c1ad0f5c42823

C:\Users\Admin\AppData\Local\Temp\tmp858C.tmp
- MD5: 8f4b327e97258a599564cd2ad518ac56
- SHA1: 3a72b232fce4b3d80ce27175408ae70d5cf6d1e7
- SHA256: 112517429d8cf336b27742478319bf3bfd4cc4ff141a60982bb7fbe09c7667a3
- SHA512: fc152ba8d86fd274b1fbd117a9efe8971e1e9ebf75a2d3a6fef1adb86b8d12f67d9c6051d02771121bc01daf985cbd3261c53602bbc52791ca5c1ad0f5c42823
The two task XML files have identical hashes: order.exe and the dropped Host.exe register the same scheduled task from the same embedded XML.

C:\Users\Admin\AppData\Roaming\Install\Host.exe (listed three times in the report, all with the same hashes)
- MD5: 587f6655380282c9fb7997fa2225438e
- SHA1: 5b45eb58ef1d1cd93df0ecfc7b4124644515e93c
- SHA256: 9add495b9373ca17ea4f158da84a200f3d5a52ce81bc535a575a5eac31bd76bb
- SHA512: 1b97c465d355d8fa6355c7b856ba7eebac8b8c4bdd9c482b1a8fa6c558309356cfb80ac3373737b269c1ca9c4df03294daee918a34500e45874c1b6fc32ce488
These hashes match the submitted order.exe exactly, so Host.exe is an unmodified self-copy at the configured install_path (%AppData%\Install\Host.exe, copy_executable: true), and the same file hashes identify both the initial sample and the persistent copy.
-
memory/664-118-0x0000000005100000-0x0000000005192000-memory.dmpFilesize
584KB
-
memory/664-114-0x0000000000850000-0x0000000000851000-memory.dmpFilesize
4KB
-
memory/664-122-0x0000000006D80000-0x0000000006E33000-memory.dmpFilesize
716KB
-
memory/664-123-0x0000000006E80000-0x0000000006EEF000-memory.dmpFilesize
444KB
-
memory/664-121-0x0000000008700000-0x0000000008701000-memory.dmpFilesize
4KB
-
memory/664-116-0x0000000005790000-0x0000000005791000-memory.dmpFilesize
4KB
-
memory/664-120-0x00000000053B0000-0x00000000053B2000-memory.dmpFilesize
8KB
-
memory/664-119-0x0000000005150000-0x0000000005151000-memory.dmpFilesize
4KB
-
memory/664-117-0x00000000051A0000-0x00000000051A1000-memory.dmpFilesize
4KB
-
memory/1192-142-0x0000000000000000-mapping.dmp
-
memory/2116-128-0x0000000000000000-mapping.dmp
-
memory/2116-139-0x0000000004FF0000-0x00000000054EE000-memory.dmpFilesize
5.0MB
-
memory/2940-124-0x0000000000000000-mapping.dmp
-
memory/3868-145-0x000000000040242D-mapping.dmp
-
memory/4024-127-0x000000000040242D-mapping.dmp
-
memory/4024-133-0x0000000000400000-0x0000000000433000-memory.dmpFilesize
204KB
-
memory/4024-126-0x0000000000400000-0x0000000000433000-memory.dmpFilesize
204KB