Analysis
-
max time kernel
139s -
max time network
168s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
17/02/2022, 02:45
Behavioral task
behavioral1
Sample
5f88b8a047553a717d2674304233b5f3fce063f46b22b33b272a4296af2b6f20.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
5f88b8a047553a717d2674304233b5f3fce063f46b22b33b272a4296af2b6f20.exe
Resource
win10v2004-en-20220113
General
-
Target
5f88b8a047553a717d2674304233b5f3fce063f46b22b33b272a4296af2b6f20.exe
-
Size
160KB
-
MD5
ea930dacbcdccf4d29416392cdab6a36
-
SHA1
b9f7505a3b100d524edae9488e3818080d338dfa
-
SHA256
5f88b8a047553a717d2674304233b5f3fce063f46b22b33b272a4296af2b6f20
-
SHA512
fea4ff24f3090be851113a98915d418d489184c1b421a38ebe8252f4905be2edf77018a4062351c0cbf27404feb1d25bc72fdc0478e09336e6c244b7d146094f
Malware Config
Extracted
netwire
kingshakes.linkpc.net:2017
-
activex_autorun
false
- activex_key
-
copy_executable
true
-
delete_original
false
-
host_id
Anjolaoluwa
-
install_path
%AppData%\Windows\windowsupdate.exe
-
keylogger_dir
%AppData%\Logs\
-
lock_executable
true
-
mutex
CSeLVtDF
-
offline_keylogger
true
-
password
Password
-
registry_autorun
true
-
startup_name
NetWire
-
use_mutex
true
Signatures
-
NetWire RAT payload 2 IoCs
resource yara_rule behavioral2/files/0x000400000001e7b5-130.dat netwire behavioral2/files/0x000400000001e7b5-131.dat netwire -
Executes dropped EXE 1 IoCs
pid Process 2068 windowsupdate.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation 5f88b8a047553a717d2674304233b5f3fce063f46b22b33b272a4296af2b6f20.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ windowsupdate.exe Set value (str) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NetWire = "C:\\Users\\Admin\\AppData\\Roaming\\Windows\\windowsupdate.exe" windowsupdate.exe -
Drops file in Windows directory 8 IoCs
description ioc Process File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm svchost.exe File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log svchost.exe File opened for modification C:\Windows\Logs\CBS\CBS.log TiWorker.exe File opened for modification C:\Windows\WinSxS\pending.xml TiWorker.exe File opened for modification C:\Windows\WindowsUpdate.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 2008 svchost.exe Token: SeCreatePagefilePrivilege 2008 svchost.exe Token: SeShutdownPrivilege 2008 svchost.exe Token: SeCreatePagefilePrivilege 2008 svchost.exe Token: SeShutdownPrivilege 2008 svchost.exe Token: SeCreatePagefilePrivilege 2008 svchost.exe Token: SeSecurityPrivilege 1840 TiWorker.exe Token: SeRestorePrivilege 1840 TiWorker.exe Token: SeBackupPrivilege 1840 TiWorker.exe Token: SeBackupPrivilege 1840 TiWorker.exe Token: SeRestorePrivilege 1840 TiWorker.exe Token: SeSecurityPrivilege 1840 TiWorker.exe Token: SeBackupPrivilege 1840 TiWorker.exe Token: SeRestorePrivilege 1840 TiWorker.exe Token: SeSecurityPrivilege 1840 TiWorker.exe Token: SeBackupPrivilege 1840 TiWorker.exe Token: SeRestorePrivilege 1840 TiWorker.exe Token: SeSecurityPrivilege 1840 TiWorker.exe Token: SeBackupPrivilege 1840 TiWorker.exe Token: SeRestorePrivilege 1840 TiWorker.exe Token: SeSecurityPrivilege 1840 TiWorker.exe Token: SeBackupPrivilege 1840 TiWorker.exe Token: SeRestorePrivilege 1840 TiWorker.exe Token: SeSecurityPrivilege 1840 TiWorker.exe Token: SeBackupPrivilege 1840 TiWorker.exe Token: SeRestorePrivilege 1840 TiWorker.exe Token: SeSecurityPrivilege 1840 TiWorker.exe Token: SeBackupPrivilege 1840 TiWorker.exe Token: SeRestorePrivilege 1840 TiWorker.exe Token: SeSecurityPrivilege 1840 TiWorker.exe Token: SeBackupPrivilege 1840 TiWorker.exe Token: SeRestorePrivilege 1840 TiWorker.exe Token: SeSecurityPrivilege 1840 TiWorker.exe Token: SeBackupPrivilege 1840 TiWorker.exe Token: SeRestorePrivilege 1840 TiWorker.exe Token: SeSecurityPrivilege 1840 TiWorker.exe Token: SeBackupPrivilege 1840 TiWorker.exe Token: SeRestorePrivilege 1840 TiWorker.exe Token: SeSecurityPrivilege 1840 TiWorker.exe Token: SeBackupPrivilege 1840 TiWorker.exe Token: SeRestorePrivilege 1840 TiWorker.exe Token: SeSecurityPrivilege 1840 TiWorker.exe Token: SeBackupPrivilege 1840 TiWorker.exe Token: SeRestorePrivilege 1840 TiWorker.exe Token: SeSecurityPrivilege 1840 TiWorker.exe Token: SeBackupPrivilege 1840 TiWorker.exe Token: SeRestorePrivilege 1840 TiWorker.exe Token: SeSecurityPrivilege 1840 TiWorker.exe Token: SeBackupPrivilege 1840 TiWorker.exe Token: SeRestorePrivilege 1840 TiWorker.exe Token: SeSecurityPrivilege 1840 TiWorker.exe Token: SeBackupPrivilege 1840 TiWorker.exe Token: SeRestorePrivilege 1840 TiWorker.exe Token: SeSecurityPrivilege 1840 TiWorker.exe Token: SeBackupPrivilege 1840 TiWorker.exe Token: SeRestorePrivilege 1840 TiWorker.exe Token: SeSecurityPrivilege 1840 TiWorker.exe Token: SeBackupPrivilege 1840 TiWorker.exe Token: SeRestorePrivilege 1840 TiWorker.exe Token: SeSecurityPrivilege 1840 TiWorker.exe Token: SeBackupPrivilege 1840 TiWorker.exe Token: SeRestorePrivilege 1840 TiWorker.exe Token: SeSecurityPrivilege 1840 TiWorker.exe Token: SeBackupPrivilege 1840 TiWorker.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2696 wrote to memory of 2068 2696 5f88b8a047553a717d2674304233b5f3fce063f46b22b33b272a4296af2b6f20.exe 82 PID 2696 wrote to memory of 2068 2696 5f88b8a047553a717d2674304233b5f3fce063f46b22b33b272a4296af2b6f20.exe 82 PID 2696 wrote to memory of 2068 2696 5f88b8a047553a717d2674304233b5f3fce063f46b22b33b272a4296af2b6f20.exe 82
Processes
-
C:\Users\Admin\AppData\Local\Temp\5f88b8a047553a717d2674304233b5f3fce063f46b22b33b272a4296af2b6f20.exe"C:\Users\Admin\AppData\Local\Temp\5f88b8a047553a717d2674304233b5f3fce063f46b22b33b272a4296af2b6f20.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2696 -
C:\Users\Admin\AppData\Roaming\Windows\windowsupdate.exe"C:\Users\Admin\AppData\Roaming\Windows\windowsupdate.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2068
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2008
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1840