Analysis
-
max time kernel
166s -
max time network
177s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220112 -
submitted
17/02/2022, 02:54
Behavioral task
behavioral1
Sample
5e3bdf77c3b1b40c7e2219aa82fe6b0f30989bd58a27978a8a352a7ba5934860.exe
Resource
win7-en-20211208
0 signatures
0 seconds
General
-
Target
5e3bdf77c3b1b40c7e2219aa82fe6b0f30989bd58a27978a8a352a7ba5934860.exe
-
Size
89KB
-
MD5
3c5b1f0eb1444a37bf8a7f21d9d7f985
-
SHA1
b3f5ba2fc4e02f6ab79fb2fa719901eec29ee7bc
-
SHA256
5e3bdf77c3b1b40c7e2219aa82fe6b0f30989bd58a27978a8a352a7ba5934860
-
SHA512
06b8b05d7e5dcc4d44a10fd56a2c1280390b0c646bd550baad901499cb675cbf17b2d340c02954057c422059642f9447ac2cce72a52cd31afc1d5971278382bb
Malware Config
Extracted
Family
netwire
C2
sgteyor.ddns.net:39888
Attributes
-
activex_autorun
false
- activex_key
-
copy_executable
true
-
delete_original
false
-
host_id
Eyor
-
install_path
%AppData%\Install\Host.exe
-
keylogger_dir
%AppData%\Logs\
-
lock_executable
false
- mutex
-
offline_keylogger
true
-
password
Master0147
-
registry_autorun
false
- startup_name
-
use_mutex
false
Signatures
-
NetWire RAT payload 2 IoCs
resource yara_rule behavioral2/files/0x000300000001ed13-130.dat netwire behavioral2/files/0x000300000001ed13-131.dat netwire -
Executes dropped EXE 1 IoCs
pid Process 1204 Host.exe -
Drops file in Windows directory 3 IoCs
description ioc Process File opened for modification C:\Windows\Logs\CBS\CBS.log TiWorker.exe File opened for modification C:\Windows\WinSxS\pending.xml TiWorker.exe File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat svchost.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 MusNotifyIcon.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz MusNotifyIcon.exe -
Modifies data under HKEY_USERS 50 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "2.215144" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0" svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "0" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "2.040982" svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132897173148193999" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4200" svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4068" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4368" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "6.250430" svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0" svchost.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeSecurityPrivilege 2596 TiWorker.exe Token: SeRestorePrivilege 2596 TiWorker.exe Token: SeBackupPrivilege 2596 TiWorker.exe Token: SeBackupPrivilege 2596 TiWorker.exe Token: SeRestorePrivilege 2596 TiWorker.exe Token: SeSecurityPrivilege 2596 TiWorker.exe Token: SeBackupPrivilege 2596 TiWorker.exe Token: SeRestorePrivilege 2596 TiWorker.exe Token: SeSecurityPrivilege 2596 TiWorker.exe Token: SeBackupPrivilege 2596 TiWorker.exe Token: SeRestorePrivilege 2596 TiWorker.exe Token: SeSecurityPrivilege 2596 TiWorker.exe Token: SeBackupPrivilege 2596 TiWorker.exe Token: SeRestorePrivilege 2596 TiWorker.exe Token: SeSecurityPrivilege 2596 TiWorker.exe Token: SeBackupPrivilege 2596 TiWorker.exe Token: SeRestorePrivilege 2596 TiWorker.exe Token: SeSecurityPrivilege 2596 TiWorker.exe Token: SeBackupPrivilege 2596 TiWorker.exe Token: SeRestorePrivilege 2596 TiWorker.exe Token: SeSecurityPrivilege 2596 TiWorker.exe Token: SeBackupPrivilege 2596 TiWorker.exe Token: SeRestorePrivilege 2596 TiWorker.exe Token: SeSecurityPrivilege 2596 TiWorker.exe Token: SeBackupPrivilege 2596 TiWorker.exe Token: SeRestorePrivilege 2596 TiWorker.exe Token: SeSecurityPrivilege 2596 TiWorker.exe Token: SeBackupPrivilege 2596 TiWorker.exe Token: SeRestorePrivilege 2596 TiWorker.exe Token: SeSecurityPrivilege 2596 TiWorker.exe Token: SeBackupPrivilege 2596 TiWorker.exe Token: SeRestorePrivilege 2596 TiWorker.exe Token: SeSecurityPrivilege 2596 TiWorker.exe Token: SeBackupPrivilege 2596 TiWorker.exe Token: SeRestorePrivilege 2596 TiWorker.exe Token: SeSecurityPrivilege 2596 TiWorker.exe Token: SeBackupPrivilege 2596 TiWorker.exe Token: SeRestorePrivilege 2596 TiWorker.exe Token: SeSecurityPrivilege 2596 TiWorker.exe Token: SeBackupPrivilege 2596 TiWorker.exe Token: SeRestorePrivilege 2596 TiWorker.exe Token: SeSecurityPrivilege 2596 TiWorker.exe Token: SeBackupPrivilege 2596 TiWorker.exe Token: SeRestorePrivilege 2596 TiWorker.exe Token: SeSecurityPrivilege 2596 TiWorker.exe Token: SeBackupPrivilege 2596 TiWorker.exe Token: SeRestorePrivilege 2596 TiWorker.exe Token: SeSecurityPrivilege 2596 TiWorker.exe Token: SeBackupPrivilege 2596 TiWorker.exe Token: SeRestorePrivilege 2596 TiWorker.exe Token: SeSecurityPrivilege 2596 TiWorker.exe Token: SeBackupPrivilege 2596 TiWorker.exe Token: SeRestorePrivilege 2596 TiWorker.exe Token: SeSecurityPrivilege 2596 TiWorker.exe Token: SeBackupPrivilege 2596 TiWorker.exe Token: SeRestorePrivilege 2596 TiWorker.exe Token: SeSecurityPrivilege 2596 TiWorker.exe Token: SeBackupPrivilege 2596 TiWorker.exe Token: SeRestorePrivilege 2596 TiWorker.exe Token: SeSecurityPrivilege 2596 TiWorker.exe Token: SeBackupPrivilege 2596 TiWorker.exe Token: SeRestorePrivilege 2596 TiWorker.exe Token: SeSecurityPrivilege 2596 TiWorker.exe Token: SeBackupPrivilege 2596 TiWorker.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 1676 wrote to memory of 1204 1676 5e3bdf77c3b1b40c7e2219aa82fe6b0f30989bd58a27978a8a352a7ba5934860.exe 59 PID 1676 wrote to memory of 1204 1676 5e3bdf77c3b1b40c7e2219aa82fe6b0f30989bd58a27978a8a352a7ba5934860.exe 59 PID 1676 wrote to memory of 1204 1676 5e3bdf77c3b1b40c7e2219aa82fe6b0f30989bd58a27978a8a352a7ba5934860.exe 59
Processes
-
C:\Users\Admin\AppData\Local\Temp\5e3bdf77c3b1b40c7e2219aa82fe6b0f30989bd58a27978a8a352a7ba5934860.exe"C:\Users\Admin\AppData\Local\Temp\5e3bdf77c3b1b40c7e2219aa82fe6b0f30989bd58a27978a8a352a7ba5934860.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1676 -
C:\Users\Admin\AppData\Roaming\Install\Host.exe"C:\Users\Admin\AppData\Roaming\Install\Host.exe"2⤵
- Executes dropped EXE
PID:1204
-
-
C:\Windows\system32\MusNotifyIcon.exe%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 131⤵
- Checks processor information in registry
PID:3260
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1676
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2596