Analysis
-
max time kernel
126s -
max time network
152s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
17/02/2022, 02:45
Behavioral task
behavioral1
Sample
5f88b8a047553a717d2674304233b5f3fce063f46b22b33b272a4296af2b6f20.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
5f88b8a047553a717d2674304233b5f3fce063f46b22b33b272a4296af2b6f20.exe
Resource
win10v2004-en-20220113
General
-
Target
5f88b8a047553a717d2674304233b5f3fce063f46b22b33b272a4296af2b6f20.exe
-
Size
160KB
-
MD5
ea930dacbcdccf4d29416392cdab6a36
-
SHA1
b9f7505a3b100d524edae9488e3818080d338dfa
-
SHA256
5f88b8a047553a717d2674304233b5f3fce063f46b22b33b272a4296af2b6f20
-
SHA512
fea4ff24f3090be851113a98915d418d489184c1b421a38ebe8252f4905be2edf77018a4062351c0cbf27404feb1d25bc72fdc0478e09336e6c244b7d146094f
Malware Config
Extracted
netwire
kingshakes.linkpc.net:2017
-
activex_autorun
false
- activex_key
-
copy_executable
true
-
delete_original
false
-
host_id
Anjolaoluwa
-
install_path
%AppData%\Windows\windowsupdate.exe
-
keylogger_dir
%AppData%\Logs\
-
lock_executable
true
-
mutex
CSeLVtDF
-
offline_keylogger
true
-
password
Password
-
registry_autorun
true
-
startup_name
NetWire
-
use_mutex
true
Signatures
-
NetWire RAT payload 6 IoCs
resource yara_rule behavioral1/files/0x0007000000013327-55.dat netwire behavioral1/files/0x0007000000013327-56.dat netwire behavioral1/files/0x0007000000013327-58.dat netwire behavioral1/files/0x0007000000013327-59.dat netwire behavioral1/files/0x0007000000013327-60.dat netwire behavioral1/files/0x0007000000013327-61.dat netwire -
Executes dropped EXE 1 IoCs
pid Process 1472 windowsupdate.exe -
Loads dropped DLL 4 IoCs
pid Process 1588 5f88b8a047553a717d2674304233b5f3fce063f46b22b33b272a4296af2b6f20.exe 1472 windowsupdate.exe 1472 windowsupdate.exe 1472 windowsupdate.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ windowsupdate.exe Set value (str) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\NetWire = "C:\\Users\\Admin\\AppData\\Roaming\\Windows\\windowsupdate.exe" windowsupdate.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 1588 wrote to memory of 1472 1588 5f88b8a047553a717d2674304233b5f3fce063f46b22b33b272a4296af2b6f20.exe 27 PID 1588 wrote to memory of 1472 1588 5f88b8a047553a717d2674304233b5f3fce063f46b22b33b272a4296af2b6f20.exe 27 PID 1588 wrote to memory of 1472 1588 5f88b8a047553a717d2674304233b5f3fce063f46b22b33b272a4296af2b6f20.exe 27 PID 1588 wrote to memory of 1472 1588 5f88b8a047553a717d2674304233b5f3fce063f46b22b33b272a4296af2b6f20.exe 27 PID 1588 wrote to memory of 1472 1588 5f88b8a047553a717d2674304233b5f3fce063f46b22b33b272a4296af2b6f20.exe 27 PID 1588 wrote to memory of 1472 1588 5f88b8a047553a717d2674304233b5f3fce063f46b22b33b272a4296af2b6f20.exe 27 PID 1588 wrote to memory of 1472 1588 5f88b8a047553a717d2674304233b5f3fce063f46b22b33b272a4296af2b6f20.exe 27
Processes
-
C:\Users\Admin\AppData\Local\Temp\5f88b8a047553a717d2674304233b5f3fce063f46b22b33b272a4296af2b6f20.exe"C:\Users\Admin\AppData\Local\Temp\5f88b8a047553a717d2674304233b5f3fce063f46b22b33b272a4296af2b6f20.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1588 -
C:\Users\Admin\AppData\Roaming\Windows\windowsupdate.exe"C:\Users\Admin\AppData\Roaming\Windows\windowsupdate.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:1472
-