General

Target: 0w1XziesiBaxbYs.exe
Filesize: 520KB
Completed: 20-05-2022 22:34
Task: behavioral1
Score: 10/10
MD5: f0cac1110e145d3b260ad6be1566dc10
SHA1: f0cf3f3d9ff962752dbf993ac5b75f1d574e0450
SHA256: 506445199001be9096b17efc9f3e2a8025d0b167b1ce581831366b4d00e875dc
SHA512: b93c8925b7bb992debd30a374ad3c0e7a2eecfc5ff7a6972b02753e9e04f0a7886034f40fd20979734c49c1cdb3ff05d41486c4ffbcbfe07141ace3250ae80a2

Malware Config

Extracted

Family: netwire
C2: sepp.myq-see.com:2001

Attributes
activex_autorun: true
activex_key: {50L4QLIK-5N0E-1U7P-5W65-RDN0R6N72FF0}
copy_executable: true
delete_original: false
host_id: HostId-%Rand%
install_path: %AppData%\Install\Host.exe
keylogger_dir: %AppData%\Logs\
lock_executable: false
mutex: XdWObmml
offline_keylogger: true
password: Password
registry_autorun: false
startup_name:
use_mutex: true
Signatures 15

Tactics: Defense Evasion, Discovery, Persistence
  • NetWire RAT payload

    Reported IOCs

    resource | yara_rule
    behavioral1/memory/1748-67-0x0000000000400000-0x0000000000433000-memory.dmp | netwire
    behavioral1/memory/1748-68-0x0000000000400000-0x0000000000433000-memory.dmp | netwire
    behavioral1/memory/1748-66-0x0000000000400000-0x0000000000433000-memory.dmp | netwire
    behavioral1/memory/1748-70-0x0000000000400000-0x0000000000433000-memory.dmp | netwire
    behavioral1/memory/1748-71-0x0000000000400000-0x0000000000433000-memory.dmp | netwire
    behavioral1/memory/1748-72-0x000000000040242D-mapping.dmp | netwire
    behavioral1/memory/1748-75-0x0000000000400000-0x0000000000433000-memory.dmp | netwire
    behavioral1/memory/1748-79-0x0000000000400000-0x0000000000433000-memory.dmp | netwire
    behavioral1/memory/1072-96-0x000000000040242D-mapping.dmp | netwire
    behavioral1/memory/1072-100-0x0000000000400000-0x0000000000433000-memory.dmp | netwire
    behavioral1/memory/1072-101-0x0000000000400000-0x0000000000433000-memory.dmp | netwire
  • Netwire

    Description

    Netwire is a RAT whose main functionality is focused on password stealing and keylogging, but it also includes remote control capabilities.

  • Looks for VirtualBox Guest Additions in registry

    TTPs

    Query Registry, Virtualization/Sandbox Evasion
  • Executes dropped EXE
    Host.exe, Host.exe

    Reported IOCs

    pid | process
    1720 | Host.exe
    1072 | Host.exe
  • Looks for VMWare Tools registry key

    TTPs

    Query Registry, Virtualization/Sandbox Evasion
  • Modifies Installed Components in the registry

    TTPs

    Registry Run Keys / Startup Folder, Modify Registry
  • Checks BIOS information in registry
    0w1XziesiBaxbYs.exe, Host.exe

    Description

    BIOS information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 0w1XziesiBaxbYs.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 0w1XziesiBaxbYs.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Host.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Host.exe
  • Loads dropped DLL
    0w1XziesiBaxbYs.exe

    Reported IOCs

    pid | process
    1748 | 0w1XziesiBaxbYs.exe
  • Maps connected drives based on registry
    0w1XziesiBaxbYs.exe, Host.exe

    Description

    Disk information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry, Peripheral Device Discovery, System Information Discovery

    Reported IOCs

    description | ioc | process
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | 0w1XziesiBaxbYs.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | 0w1XziesiBaxbYs.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | Host.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | Host.exe
  • Suspicious use of SetThreadContext
    0w1XziesiBaxbYs.exe, Host.exe

    Reported IOCs

    description | pid | process | target process
    PID 1836 set thread context of 1748 | 1836 | 0w1XziesiBaxbYs.exe | 0w1XziesiBaxbYs.exe
    PID 1720 set thread context of 1072 | 1720 | Host.exe | Host.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Creates scheduled task(s)
    schtasks.exe, schtasks.exe

    Description

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    TTPs

    Scheduled Task

    Reported IOCs

    pid | process
    1776 | schtasks.exe
    952 | schtasks.exe
  • Suspicious behavior: EnumeratesProcesses
    0w1XziesiBaxbYs.exe, Host.exe

    Reported IOCs

    pid | process
    1836 | 0w1XziesiBaxbYs.exe
    1836 | 0w1XziesiBaxbYs.exe
    1836 | 0w1XziesiBaxbYs.exe
    1720 | Host.exe
    1720 | Host.exe
  • Suspicious use of AdjustPrivilegeToken
    0w1XziesiBaxbYs.exe, Host.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 1836 | 0w1XziesiBaxbYs.exe
    Token: SeDebugPrivilege | 1720 | Host.exe
  • Suspicious use of WriteProcessMemory
    0w1XziesiBaxbYs.exe, 0w1XziesiBaxbYs.exe, Host.exe

    Reported IOCs

    description | pid | process | target process
    PID 1836 wrote to memory of 1776 | 1836 | 0w1XziesiBaxbYs.exe | schtasks.exe
    PID 1836 wrote to memory of 1776 | 1836 | 0w1XziesiBaxbYs.exe | schtasks.exe
    PID 1836 wrote to memory of 1776 | 1836 | 0w1XziesiBaxbYs.exe | schtasks.exe
    PID 1836 wrote to memory of 1776 | 1836 | 0w1XziesiBaxbYs.exe | schtasks.exe
    PID 1836 wrote to memory of 1748 | 1836 | 0w1XziesiBaxbYs.exe | 0w1XziesiBaxbYs.exe
    PID 1836 wrote to memory of 1748 | 1836 | 0w1XziesiBaxbYs.exe | 0w1XziesiBaxbYs.exe
    PID 1836 wrote to memory of 1748 | 1836 | 0w1XziesiBaxbYs.exe | 0w1XziesiBaxbYs.exe
    PID 1836 wrote to memory of 1748 | 1836 | 0w1XziesiBaxbYs.exe | 0w1XziesiBaxbYs.exe
    PID 1836 wrote to memory of 1748 | 1836 | 0w1XziesiBaxbYs.exe | 0w1XziesiBaxbYs.exe
    PID 1836 wrote to memory of 1748 | 1836 | 0w1XziesiBaxbYs.exe | 0w1XziesiBaxbYs.exe
    PID 1836 wrote to memory of 1748 | 1836 | 0w1XziesiBaxbYs.exe | 0w1XziesiBaxbYs.exe
    PID 1836 wrote to memory of 1748 | 1836 | 0w1XziesiBaxbYs.exe | 0w1XziesiBaxbYs.exe
    PID 1836 wrote to memory of 1748 | 1836 | 0w1XziesiBaxbYs.exe | 0w1XziesiBaxbYs.exe
    PID 1836 wrote to memory of 1748 | 1836 | 0w1XziesiBaxbYs.exe | 0w1XziesiBaxbYs.exe
    PID 1836 wrote to memory of 1748 | 1836 | 0w1XziesiBaxbYs.exe | 0w1XziesiBaxbYs.exe
    PID 1836 wrote to memory of 1748 | 1836 | 0w1XziesiBaxbYs.exe | 0w1XziesiBaxbYs.exe
    PID 1748 wrote to memory of 1720 | 1748 | 0w1XziesiBaxbYs.exe | Host.exe
    PID 1748 wrote to memory of 1720 | 1748 | 0w1XziesiBaxbYs.exe | Host.exe
    PID 1748 wrote to memory of 1720 | 1748 | 0w1XziesiBaxbYs.exe | Host.exe
    PID 1748 wrote to memory of 1720 | 1748 | 0w1XziesiBaxbYs.exe | Host.exe
    PID 1720 wrote to memory of 952 | 1720 | Host.exe | schtasks.exe
    PID 1720 wrote to memory of 952 | 1720 | Host.exe | schtasks.exe
    PID 1720 wrote to memory of 952 | 1720 | Host.exe | schtasks.exe
    PID 1720 wrote to memory of 952 | 1720 | Host.exe | schtasks.exe
    PID 1720 wrote to memory of 1072 | 1720 | Host.exe | Host.exe
    PID 1720 wrote to memory of 1072 | 1720 | Host.exe | Host.exe
    PID 1720 wrote to memory of 1072 | 1720 | Host.exe | Host.exe
    PID 1720 wrote to memory of 1072 | 1720 | Host.exe | Host.exe
    PID 1720 wrote to memory of 1072 | 1720 | Host.exe | Host.exe
    PID 1720 wrote to memory of 1072 | 1720 | Host.exe | Host.exe
    PID 1720 wrote to memory of 1072 | 1720 | Host.exe | Host.exe
    PID 1720 wrote to memory of 1072 | 1720 | Host.exe | Host.exe
    PID 1720 wrote to memory of 1072 | 1720 | Host.exe | Host.exe
    PID 1720 wrote to memory of 1072 | 1720 | Host.exe | Host.exe
    PID 1720 wrote to memory of 1072 | 1720 | Host.exe | Host.exe
    PID 1720 wrote to memory of 1072 | 1720 | Host.exe | Host.exe
Processes 6
  • C:\Users\Admin\AppData\Local\Temp\0w1XziesiBaxbYs.exe
    "C:\Users\Admin\AppData\Local\Temp\0w1XziesiBaxbYs.exe"
    Checks BIOS information in registry
    Maps connected drives based on registry
    Suspicious use of SetThreadContext
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:1836
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IKzePvXcZPlcKe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC7F2.tmp"
      Creates scheduled task(s)
      PID:1776
    • C:\Users\Admin\AppData\Local\Temp\0w1XziesiBaxbYs.exe
      "{path}"
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1748
      • C:\Users\Admin\AppData\Roaming\Install\Host.exe
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        Executes dropped EXE
        Checks BIOS information in registry
        Maps connected drives based on registry
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        PID:1720
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IKzePvXcZPlcKe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5590.tmp"
          Creates scheduled task(s)
          PID:952
        • C:\Users\Admin\AppData\Roaming\Install\Host.exe
          "{path}"
          Executes dropped EXE
          PID:1072
Network
MITRE ATT&CK Matrix

Collection, Command and Control, Credential Access, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Privilege Escalation
Downloads
  • C:\Users\Admin\AppData\Local\Temp\tmp5590.tmp
    MD5: 9591b88c972bde3b944a76086daa332f
    SHA1: b51193523166482343f8929f45466c1950cbb4db
    SHA256: efbcd98173aff5ae302acb80f3c3e3b0874bc3c5720949ad32701ffdb2215c4d
    SHA512: f8ce873b1cadbf0133fa31e5b0198ef063031a561c18152d9867ae4f825474be0cf11ec3262705b8561df174f90231e5694232ed6d8412f892b54deccf0b1f72

  • C:\Users\Admin\AppData\Local\Temp\tmpC7F2.tmp
    MD5: 9591b88c972bde3b944a76086daa332f
    SHA1: b51193523166482343f8929f45466c1950cbb4db
    SHA256: efbcd98173aff5ae302acb80f3c3e3b0874bc3c5720949ad32701ffdb2215c4d
    SHA512: f8ce873b1cadbf0133fa31e5b0198ef063031a561c18152d9867ae4f825474be0cf11ec3262705b8561df174f90231e5694232ed6d8412f892b54deccf0b1f72

  • C:\Users\Admin\AppData\Roaming\Install\Host.exe
    MD5: f0cac1110e145d3b260ad6be1566dc10
    SHA1: f0cf3f3d9ff962752dbf993ac5b75f1d574e0450
    SHA256: 506445199001be9096b17efc9f3e2a8025d0b167b1ce581831366b4d00e875dc
    SHA512: b93c8925b7bb992debd30a374ad3c0e7a2eecfc5ff7a6972b02753e9e04f0a7886034f40fd20979734c49c1cdb3ff05d41486c4ffbcbfe07141ace3250ae80a2

  • C:\Users\Admin\AppData\Roaming\Install\Host.exe
    MD5: f0cac1110e145d3b260ad6be1566dc10
    SHA1: f0cf3f3d9ff962752dbf993ac5b75f1d574e0450
    SHA256: 506445199001be9096b17efc9f3e2a8025d0b167b1ce581831366b4d00e875dc
    SHA512: b93c8925b7bb992debd30a374ad3c0e7a2eecfc5ff7a6972b02753e9e04f0a7886034f40fd20979734c49c1cdb3ff05d41486c4ffbcbfe07141ace3250ae80a2

  • C:\Users\Admin\AppData\Roaming\Install\Host.exe
    MD5: f0cac1110e145d3b260ad6be1566dc10
    SHA1: f0cf3f3d9ff962752dbf993ac5b75f1d574e0450
    SHA256: 506445199001be9096b17efc9f3e2a8025d0b167b1ce581831366b4d00e875dc
    SHA512: b93c8925b7bb992debd30a374ad3c0e7a2eecfc5ff7a6972b02753e9e04f0a7886034f40fd20979734c49c1cdb3ff05d41486c4ffbcbfe07141ace3250ae80a2

  • \Users\Admin\AppData\Roaming\Install\Host.exe
    MD5: f0cac1110e145d3b260ad6be1566dc10
    SHA1: f0cf3f3d9ff962752dbf993ac5b75f1d574e0450
    SHA256: 506445199001be9096b17efc9f3e2a8025d0b167b1ce581831366b4d00e875dc
    SHA512: b93c8925b7bb992debd30a374ad3c0e7a2eecfc5ff7a6972b02753e9e04f0a7886034f40fd20979734c49c1cdb3ff05d41486c4ffbcbfe07141ace3250ae80a2

  • memory/952-83-0x0000000000000000-mapping.dmp
  • memory/1072-100-0x0000000000400000-0x0000000000433000-memory.dmp
  • memory/1072-101-0x0000000000400000-0x0000000000433000-memory.dmp
  • memory/1072-96-0x000000000040242D-mapping.dmp
  • memory/1720-77-0x0000000000000000-mapping.dmp
  • memory/1720-81-0x00000000012B0000-0x0000000001338000-memory.dmp
  • memory/1748-70-0x0000000000400000-0x0000000000433000-memory.dmp
  • memory/1748-61-0x0000000000400000-0x0000000000433000-memory.dmp
  • memory/1748-64-0x0000000000400000-0x0000000000433000-memory.dmp
  • memory/1748-72-0x000000000040242D-mapping.dmp
  • memory/1748-75-0x0000000000400000-0x0000000000433000-memory.dmp
  • memory/1748-68-0x0000000000400000-0x0000000000433000-memory.dmp
  • memory/1748-67-0x0000000000400000-0x0000000000433000-memory.dmp
  • memory/1748-62-0x0000000000400000-0x0000000000433000-memory.dmp
  • memory/1748-66-0x0000000000400000-0x0000000000433000-memory.dmp
  • memory/1748-71-0x0000000000400000-0x0000000000433000-memory.dmp
  • memory/1748-79-0x0000000000400000-0x0000000000433000-memory.dmp
  • memory/1776-59-0x0000000000000000-mapping.dmp
  • memory/1836-58-0x0000000000600000-0x000000000065E000-memory.dmp
  • memory/1836-57-0x0000000004FF0000-0x000000000506E000-memory.dmp
  • memory/1836-56-0x00000000002D0000-0x00000000002DA000-memory.dmp
  • memory/1836-55-0x0000000075741000-0x0000000075743000-memory.dmp
  • memory/1836-54-0x0000000000BD0000-0x0000000000C58000-memory.dmp