Analysis
- max time kernel: 79s
- max time network: 86s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 20-05-2022 22:29
- Static task: static1
- Behavioral task: behavioral1
- Sample: 0w1XziesiBaxbYs.exe
- Resource: win7-20220414-en
General
- Target: 0w1XziesiBaxbYs.exe
- Size: 520KB
- MD5: f0cac1110e145d3b260ad6be1566dc10
- SHA1: f0cf3f3d9ff962752dbf993ac5b75f1d574e0450
- SHA256: 506445199001be9096b17efc9f3e2a8025d0b167b1ce581831366b4d00e875dc
- SHA512: b93c8925b7bb992debd30a374ad3c0e7a2eecfc5ff7a6972b02753e9e04f0a7886034f40fd20979734c49c1cdb3ff05d41486c4ffbcbfe07141ace3250ae80a2
Malware Config
Extracted family: netwire
- sepp.myq-see.com:2001
- activex_autorun: true
- activex_key: {50L4QLIK-5N0E-1U7P-5W65-RDN0R6N72FF0}
- copy_executable: true
- delete_original: false
- host_id: HostId-%Rand%
- install_path: %AppData%\Install\Host.exe
- keylogger_dir: %AppData%\Logs\
- lock_executable: false
- mutex: XdWObmml
- offline_keylogger: true
- password: Password
- registry_autorun: false
- startup_name:
- use_mutex: true
Signatures
-
NetWire RAT payload (11 IoCs)
Processes:
  resource                                                                      yara_rule
  behavioral1/memory/1748-67-0x0000000000400000-0x0000000000433000-memory.dmp   netwire
  behavioral1/memory/1748-68-0x0000000000400000-0x0000000000433000-memory.dmp   netwire
  behavioral1/memory/1748-66-0x0000000000400000-0x0000000000433000-memory.dmp   netwire
  behavioral1/memory/1748-70-0x0000000000400000-0x0000000000433000-memory.dmp   netwire
  behavioral1/memory/1748-71-0x0000000000400000-0x0000000000433000-memory.dmp   netwire
  behavioral1/memory/1748-72-0x000000000040242D-mapping.dmp                     netwire
  behavioral1/memory/1748-75-0x0000000000400000-0x0000000000433000-memory.dmp   netwire
  behavioral1/memory/1748-79-0x0000000000400000-0x0000000000433000-memory.dmp   netwire
  behavioral1/memory/1072-96-0x000000000040242D-mapping.dmp                     netwire
  behavioral1/memory/1072-100-0x0000000000400000-0x0000000000433000-memory.dmp  netwire
  behavioral1/memory/1072-101-0x0000000000400000-0x0000000000433000-memory.dmp  netwire
-
Looks for VirtualBox Guest Additions in registry (2 TTPs)
-
Executes dropped EXE (2 IoCs)
Processes:
  pid   process
  1720  Host.exe
  1072  Host.exe
-
Looks for VMWare Tools registry key (2 TTPs)
-
Modifies Installed Components in the registry (2 TTPs)
-
Checks BIOS information in registry (2 TTPs, 4 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
  description        ioc                                                              process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  0w1XziesiBaxbYs.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   0w1XziesiBaxbYs.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  Host.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   Host.exe
-
Loads dropped DLL (1 IoC)
Processes:
  pid   process
  1748  0w1XziesiBaxbYs.exe
-
Maps connected drives based on registry (3 TTPs, 4 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes:
  description        ioc                                                         process
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum   0w1XziesiBaxbYs.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 0w1XziesiBaxbYs.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum   Host.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 Host.exe
-
Suspicious use of SetThreadContext (2 IoCs)
Processes:
  description                          pid   process              target process
  PID 1836 set thread context of 1748  1836  0w1XziesiBaxbYs.exe  0w1XziesiBaxbYs.exe
  PID 1720 set thread context of 1072  1720  Host.exe             Host.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes:
  pid   process
  1836  0w1XziesiBaxbYs.exe
  1836  0w1XziesiBaxbYs.exe
  1836  0w1XziesiBaxbYs.exe
  1720  Host.exe
  1720  Host.exe
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description               pid   process
  Token: SeDebugPrivilege   1836  0w1XziesiBaxbYs.exe
  Token: SeDebugPrivilege   1720  Host.exe
-
Suspicious use of WriteProcessMemory (36 IoCs)
Processes (identical entries are counted in the last column; 36 entries in total):
  description                       pid   process              target process       entries
  PID 1836 wrote to memory of 1776  1836  0w1XziesiBaxbYs.exe  schtasks.exe         4
  PID 1836 wrote to memory of 1748  1836  0w1XziesiBaxbYs.exe  0w1XziesiBaxbYs.exe  12
  PID 1748 wrote to memory of 1720  1748  0w1XziesiBaxbYs.exe  Host.exe             4
  PID 1720 wrote to memory of 952   1720  Host.exe             schtasks.exe         4
  PID 1720 wrote to memory of 1072  1720  Host.exe             Host.exe             12
Processes (process tree; indentation shows parent/child, the number is the depth reported by the sandbox)
- [1] C:\Users\Admin\AppData\Local\Temp\0w1XziesiBaxbYs.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\0w1XziesiBaxbYs.exe"
  - Checks BIOS information in registry
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\schtasks.exe
    command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IKzePvXcZPlcKe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC7F2.tmp"
    - Creates scheduled task(s)
  - [2] C:\Users\Admin\AppData\Local\Temp\0w1XziesiBaxbYs.exe
    command line: "{path}"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Roaming\Install\Host.exe
      command line: "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
      - Executes dropped EXE
      - Checks BIOS information in registry
      - Maps connected drives based on registry
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\schtasks.exe
        command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IKzePvXcZPlcKe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5590.tmp"
        - Creates scheduled task(s)
      - [4] C:\Users\Admin\AppData\Roaming\Install\Host.exe
        command line: "{path}"
        - Executes dropped EXE
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp5590.tmp
  Filesize: 1KB
  MD5: 9591b88c972bde3b944a76086daa332f
  SHA1: b51193523166482343f8929f45466c1950cbb4db
  SHA256: efbcd98173aff5ae302acb80f3c3e3b0874bc3c5720949ad32701ffdb2215c4d
  SHA512: f8ce873b1cadbf0133fa31e5b0198ef063031a561c18152d9867ae4f825474be0cf11ec3262705b8561df174f90231e5694232ed6d8412f892b54deccf0b1f72
- C:\Users\Admin\AppData\Local\Temp\tmpC7F2.tmp
  Filesize: 1KB
  MD5: 9591b88c972bde3b944a76086daa332f
  SHA1: b51193523166482343f8929f45466c1950cbb4db
  SHA256: efbcd98173aff5ae302acb80f3c3e3b0874bc3c5720949ad32701ffdb2215c4d
  SHA512: f8ce873b1cadbf0133fa31e5b0198ef063031a561c18152d9867ae4f825474be0cf11ec3262705b8561df174f90231e5694232ed6d8412f892b54deccf0b1f72
- C:\Users\Admin\AppData\Roaming\Install\Host.exe (the report lists this entry three times with identical values; the hashes match the submitted sample)
  Filesize: 520KB
  MD5: f0cac1110e145d3b260ad6be1566dc10
  SHA1: f0cf3f3d9ff962752dbf993ac5b75f1d574e0450
  SHA256: 506445199001be9096b17efc9f3e2a8025d0b167b1ce581831366b4d00e875dc
  SHA512: b93c8925b7bb992debd30a374ad3c0e7a2eecfc5ff7a6972b02753e9e04f0a7886034f40fd20979734c49c1cdb3ff05d41486c4ffbcbfe07141ace3250ae80a2
- \Users\Admin\AppData\Roaming\Install\Host.exe
  Filesize: 520KB
  MD5: f0cac1110e145d3b260ad6be1566dc10
  SHA1: f0cf3f3d9ff962752dbf993ac5b75f1d574e0450
  SHA256: 506445199001be9096b17efc9f3e2a8025d0b167b1ce581831366b4d00e875dc
  SHA512: b93c8925b7bb992debd30a374ad3c0e7a2eecfc5ff7a6972b02753e9e04f0a7886034f40fd20979734c49c1cdb3ff05d41486c4ffbcbfe07141ace3250ae80a2
- memory/952-83-0x0000000000000000-mapping.dmp
- memory/1072-101-0x0000000000400000-0x0000000000433000-memory.dmp  Filesize: 204KB
- memory/1072-100-0x0000000000400000-0x0000000000433000-memory.dmp  Filesize: 204KB
- memory/1072-96-0x000000000040242D-mapping.dmp
- memory/1720-81-0x00000000012B0000-0x0000000001338000-memory.dmp  Filesize: 544KB
- memory/1720-77-0x0000000000000000-mapping.dmp
- memory/1748-62-0x0000000000400000-0x0000000000433000-memory.dmp  Filesize: 204KB
- memory/1748-67-0x0000000000400000-0x0000000000433000-memory.dmp  Filesize: 204KB
- memory/1748-71-0x0000000000400000-0x0000000000433000-memory.dmp  Filesize: 204KB
- memory/1748-72-0x000000000040242D-mapping.dmp
- memory/1748-75-0x0000000000400000-0x0000000000433000-memory.dmp  Filesize: 204KB
- memory/1748-70-0x0000000000400000-0x0000000000433000-memory.dmp  Filesize: 204KB
- memory/1748-64-0x0000000000400000-0x0000000000433000-memory.dmp  Filesize: 204KB
- memory/1748-66-0x0000000000400000-0x0000000000433000-memory.dmp  Filesize: 204KB
- memory/1748-68-0x0000000000400000-0x0000000000433000-memory.dmp  Filesize: 204KB
- memory/1748-61-0x0000000000400000-0x0000000000433000-memory.dmp  Filesize: 204KB
- memory/1748-79-0x0000000000400000-0x0000000000433000-memory.dmp  Filesize: 204KB
- memory/1776-59-0x0000000000000000-mapping.dmp
- memory/1836-54-0x0000000000BD0000-0x0000000000C58000-memory.dmp  Filesize: 544KB
- memory/1836-58-0x0000000000600000-0x000000000065E000-memory.dmp  Filesize: 376KB
- memory/1836-57-0x0000000004FF0000-0x000000000506E000-memory.dmp  Filesize: 504KB
- memory/1836-56-0x00000000002D0000-0x00000000002DA000-memory.dmp  Filesize: 40KB
- memory/1836-55-0x0000000075741000-0x0000000075743000-memory.dmp  Filesize: 8KB