Analysis
- max time kernel: 171s
- max time network: 163s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 17-02-2022 05:49
Behavioral task: behavioral1
- Sample: 2a73e8f413acfcd05a38ac515320430dbb7c99aaa7d4fdf8ae3dd1f59050074c.exe
- Resource: win7-en-20211208
General
- Target: 2a73e8f413acfcd05a38ac515320430dbb7c99aaa7d4fdf8ae3dd1f59050074c.exe
- Size: 202KB
- MD5: af0a1ec77e72432f8bf74ecb21a384a8
- SHA1: c0831ccc145a8c3e7a361faf9a573b9773ca5354
- SHA256: 2a73e8f413acfcd05a38ac515320430dbb7c99aaa7d4fdf8ae3dd1f59050074c
- SHA512: 29ef37b7e7332eb7536f346c88a602bd71fae382914710886e85d496f33ad6466be0bc9b7a71b5215cd51a3cefdfea17592fe8bb5eadc103bc7c43ad676724ab
Malware Config
Extracted
- Family: netwire
- C2: 23.105.131.142:3368
- activex_autorun: false
- activex_key:
- copy_executable: false
- delete_original: false
- host_id: HostId-%Rand%
- install_path:
- keylogger_dir: %AppData%\Logs\
- lock_executable: false
- mutex:
- offline_keylogger: true
- password: Love1234
- registry_autorun: false
- startup_name:
- use_mutex: false
Signatures
- Modifies system executable filetype association (2 TTPs, 1 IoC)
  Processes: 2a73e8f413acfcd05a38ac515320430dbb7c99aaa7d4fdf8ae3dd1f59050074c.exe
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"
  process: 2a73e8f413acfcd05a38ac515320430dbb7c99aaa7d4fdf8ae3dd1f59050074c.exe
- Neshta
  Malware from the Neshta family infects other executable files in order to spread and cause damage.
- NetWire RAT payload (2 IoCs)
  resource: C:\Users\Admin\AppData\Local\Temp\3582-490\2a73e8f413acfcd05a38ac515320430dbb7c99aaa7d4fdf8ae3dd1f59050074c.exe, yara_rule: netwire
  resource: C:\Users\Admin\AppData\Local\Temp\3582-490\2a73e8f413acfcd05a38ac515320430dbb7c99aaa7d4fdf8ae3dd1f59050074c.exe, yara_rule: netwire
- Executes dropped EXE (1 IoC)
  Processes: 2a73e8f413acfcd05a38ac515320430dbb7c99aaa7d4fdf8ae3dd1f59050074c.exe
  pid: 3796
  process: 2a73e8f413acfcd05a38ac515320430dbb7c99aaa7d4fdf8ae3dd1f59050074c.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  Processes: 2a73e8f413acfcd05a38ac515320430dbb7c99aaa7d4fdf8ae3dd1f59050074c.exe
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation
  process: 2a73e8f413acfcd05a38ac515320430dbb7c99aaa7d4fdf8ae3dd1f59050074c.exe
- Drops file in Program Files directory (4 IoCs)
  Processes: 2a73e8f413acfcd05a38ac515320430dbb7c99aaa7d4fdf8ae3dd1f59050074c.exe
  description: File opened for modification, ioc: C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE, process: 2a73e8f413acfcd05a38ac515320430dbb7c99aaa7d4fdf8ae3dd1f59050074c.exe
  description: File opened for modification, ioc: C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe, process: 2a73e8f413acfcd05a38ac515320430dbb7c99aaa7d4fdf8ae3dd1f59050074c.exe
  description: File opened for modification, ioc: C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe, process: 2a73e8f413acfcd05a38ac515320430dbb7c99aaa7d4fdf8ae3dd1f59050074c.exe
  description: File opened for modification, ioc: C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE, process: 2a73e8f413acfcd05a38ac515320430dbb7c99aaa7d4fdf8ae3dd1f59050074c.exe
- Drops file in Windows directory (1 IoC)
  Processes: 2a73e8f413acfcd05a38ac515320430dbb7c99aaa7d4fdf8ae3dd1f59050074c.exe
  description: File opened for modification, ioc: C:\Windows\svchost.com, process: 2a73e8f413acfcd05a38ac515320430dbb7c99aaa7d4fdf8ae3dd1f59050074c.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: MusNotifyIcon.exe
  description: Key value queried, ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz, process: MusNotifyIcon.exe
  description: Key opened, ioc: \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0, process: MusNotifyIcon.exe
- Modifies registry class (1 IoC)
  Processes: 2a73e8f413acfcd05a38ac515320430dbb7c99aaa7d4fdf8ae3dd1f59050074c.exe
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"
  process: 2a73e8f413acfcd05a38ac515320430dbb7c99aaa7d4fdf8ae3dd1f59050074c.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: 2a73e8f413acfcd05a38ac515320430dbb7c99aaa7d4fdf8ae3dd1f59050074c.exe
  description: PID 3720 wrote to memory of 3796, pid: 3720, process: 2a73e8f413acfcd05a38ac515320430dbb7c99aaa7d4fdf8ae3dd1f59050074c.exe, target process: 2a73e8f413acfcd05a38ac515320430dbb7c99aaa7d4fdf8ae3dd1f59050074c.exe
  description: PID 3720 wrote to memory of 3796, pid: 3720, process: 2a73e8f413acfcd05a38ac515320430dbb7c99aaa7d4fdf8ae3dd1f59050074c.exe, target process: 2a73e8f413acfcd05a38ac515320430dbb7c99aaa7d4fdf8ae3dd1f59050074c.exe
  description: PID 3720 wrote to memory of 3796, pid: 3720, process: 2a73e8f413acfcd05a38ac515320430dbb7c99aaa7d4fdf8ae3dd1f59050074c.exe, target process: 2a73e8f413acfcd05a38ac515320430dbb7c99aaa7d4fdf8ae3dd1f59050074c.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\2a73e8f413acfcd05a38ac515320430dbb7c99aaa7d4fdf8ae3dd1f59050074c.exe (PID: 3720)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2a73e8f413acfcd05a38ac515320430dbb7c99aaa7d4fdf8ae3dd1f59050074c.exe"
  - Modifies system executable filetype association
  - Checks computer location settings
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Users\Admin\AppData\Local\Temp\3582-490\2a73e8f413acfcd05a38ac515320430dbb7c99aaa7d4fdf8ae3dd1f59050074c.exe (PID: 3796)
    Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\2a73e8f413acfcd05a38ac515320430dbb7c99aaa7d4fdf8ae3dd1f59050074c.exe"
    - Executes dropped EXE
- C:\Windows\system32\MusNotifyIcon.exe (PID: 3500)
  Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  - Checks processor information in registry
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\3582-490\2a73e8f413acfcd05a38ac515320430dbb7c99aaa7d4fdf8ae3dd1f59050074c.exe
  MD5: 555961790f886ccf3ca7e5cc0e5e272e
  SHA1: ec83807bef3c759f0b5a54e417a2d1c236557fdc
  SHA256: 9e13d17fd5367f2168efd8c0c95773ba91509a3ae503242566c8f0a73c74285d
  SHA512: 079e6e3d6f63c209a01c3cc457745e973e1ec80224d7e41fef9069ce5566052d99b81328b1d77be5fee3cb99c0d8206cf4953acfbfa569e2ec87a826f2f0fff7