Analysis
-
max time kernel
133s -
max time network
167s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
17/02/2022, 00:10
Behavioral task
behavioral1
Sample
8077ab4eb763f47987ff28098272fc86a364cca3acf5831d0a3aac450dcba1f8.exe
Resource
win7-en-20211208
General
-
Target
8077ab4eb763f47987ff28098272fc86a364cca3acf5831d0a3aac450dcba1f8.exe
-
Size
160KB
-
MD5
63ac5ce1a0da946394ef90e06492927c
-
SHA1
9553cddd84dd3e9db5b22594ec9f50bb18cb14b0
-
SHA256
8077ab4eb763f47987ff28098272fc86a364cca3acf5831d0a3aac450dcba1f8
-
SHA512
16cc8fb53e8a23dcca49187c847b90b5fc8a63958d83337a1ce45e30da448935405c456b3390003322d389bea6022d762650cb5083f348df7556dc0e9b8548d6
Malware Config
Extracted
netwire
uploadp2p.publicvm.com:3362
-
activex_autorun
false
- activex_key
-
copy_executable
true
-
delete_original
false
-
host_id
HostId-%Rand%
-
install_path
%AppData%\Install\Hostes.exe
-
keylogger_dir
%AppData%\Logs\
-
lock_executable
false
-
mutex
ViERmjPT
-
offline_keylogger
true
-
password
Password
-
registry_autorun
false
- startup_name
-
use_mutex
true
Signatures
-
NetWire RAT payload 2 IoCs
resource yara_rule behavioral2/files/0x000400000001e7b6-130.dat netwire behavioral2/files/0x000400000001e7b6-131.dat netwire -
Executes dropped EXE 1 IoCs
pid Process 2336 Hostes.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation 8077ab4eb763f47987ff28098272fc86a364cca3acf5831d0a3aac450dcba1f8.exe -
Drops file in Windows directory 8 IoCs
description ioc Process File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm svchost.exe File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log svchost.exe File opened for modification C:\Windows\Logs\CBS\CBS.log TiWorker.exe File opened for modification C:\Windows\WinSxS\pending.xml TiWorker.exe File opened for modification C:\Windows\WindowsUpdate.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 3124 svchost.exe Token: SeCreatePagefilePrivilege 3124 svchost.exe Token: SeShutdownPrivilege 3124 svchost.exe Token: SeCreatePagefilePrivilege 3124 svchost.exe Token: SeShutdownPrivilege 3124 svchost.exe Token: SeCreatePagefilePrivilege 3124 svchost.exe Token: SeSecurityPrivilege 3488 TiWorker.exe Token: SeRestorePrivilege 3488 TiWorker.exe Token: SeBackupPrivilege 3488 TiWorker.exe Token: SeBackupPrivilege 3488 TiWorker.exe Token: SeRestorePrivilege 3488 TiWorker.exe Token: SeSecurityPrivilege 3488 TiWorker.exe Token: SeBackupPrivilege 3488 TiWorker.exe Token: SeRestorePrivilege 3488 TiWorker.exe Token: SeSecurityPrivilege 3488 TiWorker.exe Token: SeBackupPrivilege 3488 TiWorker.exe Token: SeRestorePrivilege 3488 TiWorker.exe Token: SeSecurityPrivilege 3488 TiWorker.exe Token: SeBackupPrivilege 3488 TiWorker.exe Token: SeRestorePrivilege 3488 TiWorker.exe Token: SeSecurityPrivilege 3488 TiWorker.exe Token: SeBackupPrivilege 3488 TiWorker.exe Token: SeRestorePrivilege 3488 TiWorker.exe Token: SeSecurityPrivilege 3488 TiWorker.exe Token: SeBackupPrivilege 3488 TiWorker.exe Token: SeRestorePrivilege 3488 TiWorker.exe Token: SeSecurityPrivilege 3488 TiWorker.exe Token: SeBackupPrivilege 3488 TiWorker.exe Token: SeRestorePrivilege 3488 TiWorker.exe Token: SeSecurityPrivilege 3488 TiWorker.exe Token: SeBackupPrivilege 3488 TiWorker.exe Token: SeRestorePrivilege 3488 TiWorker.exe Token: SeSecurityPrivilege 3488 TiWorker.exe Token: SeBackupPrivilege 3488 TiWorker.exe Token: SeRestorePrivilege 3488 TiWorker.exe Token: SeSecurityPrivilege 3488 TiWorker.exe Token: SeBackupPrivilege 3488 TiWorker.exe Token: SeRestorePrivilege 3488 TiWorker.exe Token: SeSecurityPrivilege 3488 TiWorker.exe Token: SeBackupPrivilege 3488 TiWorker.exe Token: SeRestorePrivilege 3488 TiWorker.exe Token: SeSecurityPrivilege 3488 TiWorker.exe Token: SeBackupPrivilege 3488 TiWorker.exe Token: SeRestorePrivilege 3488 TiWorker.exe Token: SeSecurityPrivilege 3488 TiWorker.exe Token: SeBackupPrivilege 3488 TiWorker.exe Token: SeRestorePrivilege 3488 TiWorker.exe Token: SeSecurityPrivilege 3488 TiWorker.exe Token: SeBackupPrivilege 3488 TiWorker.exe Token: SeRestorePrivilege 3488 TiWorker.exe Token: SeSecurityPrivilege 3488 TiWorker.exe Token: SeBackupPrivilege 3488 TiWorker.exe Token: SeRestorePrivilege 3488 TiWorker.exe Token: SeSecurityPrivilege 3488 TiWorker.exe Token: SeBackupPrivilege 3488 TiWorker.exe Token: SeRestorePrivilege 3488 TiWorker.exe Token: SeSecurityPrivilege 3488 TiWorker.exe Token: SeBackupPrivilege 3488 TiWorker.exe Token: SeRestorePrivilege 3488 TiWorker.exe Token: SeSecurityPrivilege 3488 TiWorker.exe Token: SeBackupPrivilege 3488 TiWorker.exe Token: SeRestorePrivilege 3488 TiWorker.exe Token: SeSecurityPrivilege 3488 TiWorker.exe Token: SeBackupPrivilege 3488 TiWorker.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 4852 wrote to memory of 2336 4852 8077ab4eb763f47987ff28098272fc86a364cca3acf5831d0a3aac450dcba1f8.exe 82 PID 4852 wrote to memory of 2336 4852 8077ab4eb763f47987ff28098272fc86a364cca3acf5831d0a3aac450dcba1f8.exe 82 PID 4852 wrote to memory of 2336 4852 8077ab4eb763f47987ff28098272fc86a364cca3acf5831d0a3aac450dcba1f8.exe 82
Processes
-
C:\Users\Admin\AppData\Local\Temp\8077ab4eb763f47987ff28098272fc86a364cca3acf5831d0a3aac450dcba1f8.exe"C:\Users\Admin\AppData\Local\Temp\8077ab4eb763f47987ff28098272fc86a364cca3acf5831d0a3aac450dcba1f8.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4852 -
C:\Users\Admin\AppData\Roaming\Install\Hostes.exe"C:\Users\Admin\AppData\Roaming\Install\Hostes.exe"2⤵
- Executes dropped EXE
PID:2336
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3124
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3488