Analysis
- max time kernel: 145s
- max time network: 154s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 27-07-2021 17:59
- Static task: static1
General
- Target: b536b2e629251420a9cd824acd7e955540258c78ae7a14b10a787caee251dd40.exe
- Size: 523KB
- MD5: ff050a24b54251f10bbe17f6890856d7
- SHA1: 31edaa2a4f2774f172ec9fd928e2e5277cfeaa04
- SHA256: b536b2e629251420a9cd824acd7e955540258c78ae7a14b10a787caee251dd40
- SHA512: ebf331b397b4eb643b8aad509b433d41e37dc31f3b4050eddc5c4b003b65b2c04538a280c6fee3d227bed13007aac23b88265fdbb6b8f348b044dc09d41d1e3f
Malware Config
Signatures
- NetWire RAT payload (3 IoCs)
  Processes (resource / yara_rule):
  - behavioral1/memory/4260-119-0x0000000000400000-0x000000000041F000-memory.dmp / netwire
  - behavioral1/memory/4260-120-0x00000000004021DA-mapping.dmp / netwire
  - behavioral1/memory/4260-121-0x0000000000400000-0x000000000041F000-memory.dmp / netwire
- Looks for VirtualBox Guest Additions in registry (2 TTPs)
- Looks for VMWare Tools registry key (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes (description / ioc / process):
  - Key value queried / \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion / installutil.exe
  - Key value queried / \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion / installutil.exe
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes (description / ioc / process):
  - Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum / installutil.exe
  - Key value queried / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 / installutil.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description / pid / process / target process):
  - PID 5076 set thread context of 4260 / 5076 / installutil.exe / installutil.exe
- Drops file in Windows directory (2 IoCs)
  Processes (description / ioc / process):
  - File created / C:\Windows\Microsoft.NET\Framework\v2.0.50727\.Identifier / installutil.exe
  - File opened for modification / C:\Windows\Microsoft.NET\Framework\v2.0.50727\.Identifier / installutil.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid / process):
  - 5076 / installutil.exe
  - 5076 / installutil.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
  - Token: SeDebugPrivilege / 5076 / installutil.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes (description / pid / process / target process):
  - PID 4440 wrote to memory of 5076 / 4440 / b536b2e629251420a9cd824acd7e955540258c78ae7a14b10a787caee251dd40.exe / installutil.exe (3 events)
  - PID 5076 wrote to memory of 4204 / 5076 / installutil.exe / schtasks.exe (3 events)
  - PID 5076 wrote to memory of 4260 / 5076 / installutil.exe / installutil.exe (8 events)
Processes (tree; PIDs taken from the WriteProcessMemory and SetThreadContext IoCs above)
- C:\Users\Admin\AppData\Local\Temp\b536b2e629251420a9cd824acd7e955540258c78ae7a14b10a787caee251dd40.exe (PID 4440)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b536b2e629251420a9cd824acd7e955540258c78ae7a14b10a787caee251dd40.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe (PID 5076)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe" /logtoconsole=false /logfile= /u "C:\Users\Admin\AppData\Local\Temp\b536b2e629251420a9cd824acd7e955540258c78ae7a14b10a787caee251dd40.exe"
    - Checks BIOS information in registry
    - Maps connected drives based on registry
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe (PID 4204)
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KlrDZKeUs" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA87A.tmp"
      - Creates scheduled task(s)
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe (PID 4260)
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe"
      - Drops file in Windows directory
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpA87A.tmp
  MD5: ca5c95448ed53ff17568bb87d88409cf
  SHA1: 2b5363ab1daaa710c5264884da88473338e7ea4c
  SHA256: 69e3c4db4b91c6d986007b092d4f5ca04f566a24a11bb6c192c7aa75e2ddbd46
  SHA512: 4daf3d1703a9d5e4d06bb3315e479f6d400067fcff7cac5df8b83741bc76a48402f2365c7523d5c1b05732a2b863f3bd4ebc7b4973c0fc95b779b41cffa00a1c
- memory/4204-117-0x0000000000000000-mapping.dmp
- memory/4260-119-0x0000000000400000-0x000000000041F000-memory.dmp (Filesize: 124KB)
- memory/4260-120-0x00000000004021DA-mapping.dmp
- memory/4260-121-0x0000000000400000-0x000000000041F000-memory.dmp (Filesize: 124KB)
- memory/4440-114-0x0000000000960000-0x0000000000961000-memory.dmp (Filesize: 4KB)
- memory/5076-115-0x0000000000000000-mapping.dmp
- memory/5076-116-0x0000000002E90000-0x0000000002E91000-memory.dmp (Filesize: 4KB)