Analysis

max time kernel: 151s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 20-05-2022 22:29

Static task: static1
Behavioral task: behavioral1
Sample: 0w1XziesiBaxbYs.exe
Resource: win7-20220414-en
General

Target: 0w1XziesiBaxbYs.exe
Size: 520KB
MD5: f0cac1110e145d3b260ad6be1566dc10
SHA1: f0cf3f3d9ff962752dbf993ac5b75f1d574e0450
SHA256: 506445199001be9096b17efc9f3e2a8025d0b167b1ce581831366b4d00e875dc
SHA512: b93c8925b7bb992debd30a374ad3c0e7a2eecfc5ff7a6972b02753e9e04f0a7886034f40fd20979734c49c1cdb3ff05d41486c4ffbcbfe07141ace3250ae80a2
Malware Config

Extracted
Family: netwire
C2 host: sepp.myq-see.com:2001

activex_autorun: true
activex_key: {50L4QLIK-5N0E-1U7P-5W65-RDN0R6N72FF0}
copy_executable: true
delete_original: false
host_id: HostId-%Rand%
install_path: %AppData%\Install\Host.exe
keylogger_dir: %AppData%\Logs\
lock_executable: false
mutex: XdWObmml
offline_keylogger: true
password: Password
registry_autorun: false
startup_name:
use_mutex: true
Signatures

NetWire RAT payload (5 IoCs)
  resource                                                                      yara_rule
  behavioral2/memory/1000-141-0x0000000000400000-0x0000000000433000-memory.dmp  netwire
  behavioral2/memory/1000-143-0x0000000000400000-0x0000000000433000-memory.dmp  netwire
  behavioral2/memory/1000-144-0x0000000000400000-0x0000000000433000-memory.dmp  netwire
  behavioral2/memory/2996-154-0x0000000000400000-0x0000000000433000-memory.dmp  netwire
  behavioral2/memory/2996-155-0x0000000000400000-0x0000000000433000-memory.dmp  netwire

Looks for VirtualBox Guest Additions in registry (2 TTPs)

Executes dropped EXE (2 IoCs)
Processes: Host.exe, Host.exe
  pid   process
  3468  Host.exe
  2996  Host.exe

Looks for VMWare Tools registry key (2 TTPs)

Modifies Installed Components in the registry (2 TTPs)

Checks BIOS information in registry (2 TTPs, 4 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes: 0w1XziesiBaxbYs.exe, Host.exe
  description        ioc                                                              process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  0w1XziesiBaxbYs.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   0w1XziesiBaxbYs.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  Host.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   Host.exe

Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: 0w1XziesiBaxbYs.exe, 0w1XziesiBaxbYs.exe, Host.exe
  description        ioc                                                                                          process
  Key value queried  \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation  0w1XziesiBaxbYs.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation  0w1XziesiBaxbYs.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation  Host.exe

Maps connected drives based on registry (3 TTPs, 4 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes: Host.exe, 0w1XziesiBaxbYs.exe
  description        ioc                                                        process
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0  Host.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum    0w1XziesiBaxbYs.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0  0w1XziesiBaxbYs.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum    Host.exe

Suspicious use of SetThreadContext (2 IoCs)
Processes: 0w1XziesiBaxbYs.exe, Host.exe
  description                        pid   process              target pid  target process
  PID 2840 set thread context of 1000  2840  0w1XziesiBaxbYs.exe  1000        0w1XziesiBaxbYs.exe
  PID 3468 set thread context of 2996  3468  Host.exe             2996        Host.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe, schtasks.exe
  pid   process
  4472  schtasks.exe
  2476  schtasks.exe

Suspicious behavior: EnumeratesProcesses (9 IoCs)
Processes: 0w1XziesiBaxbYs.exe, Host.exe
  pid   process              events
  2840  0w1XziesiBaxbYs.exe  6
  3468  Host.exe             3

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: 0w1XziesiBaxbYs.exe, Host.exe
  description               pid   process
  Token: SeDebugPrivilege   2840  0w1XziesiBaxbYs.exe
  Token: SeDebugPrivilege   3468  Host.exe

Suspicious use of WriteProcessMemory (34 IoCs)
Processes: 0w1XziesiBaxbYs.exe, 0w1XziesiBaxbYs.exe, Host.exe
Each row is one "wrote to memory of" pair; the events column is how many times that pair appears in the report (34 in total).
  pid   process              target pid  target process       events
  2840  0w1XziesiBaxbYs.exe  4472        schtasks.exe         3
  2840  0w1XziesiBaxbYs.exe  2752        0w1XziesiBaxbYs.exe  3
  2840  0w1XziesiBaxbYs.exe  1000        0w1XziesiBaxbYs.exe  11
  1000  0w1XziesiBaxbYs.exe  3468        Host.exe             3
  3468  Host.exe             2476        schtasks.exe         3
  3468  Host.exe             2996        Host.exe             11
Processes

C:\Users\Admin\AppData\Local\Temp\0w1XziesiBaxbYs.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\0w1XziesiBaxbYs.exe"
- Checks BIOS information in registry
- Checks computer location settings
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\schtasks.exe (depth 2)
  Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IKzePvXcZPlcKe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp418D.tmp"
  - Creates scheduled task(s)

  C:\Users\Admin\AppData\Local\Temp\0w1XziesiBaxbYs.exe (depth 2)
  Command line: "{path}"

  C:\Users\Admin\AppData\Local\Temp\0w1XziesiBaxbYs.exe (depth 2)
  Command line: "{path}"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Install\Host.exe (depth 3)
    Command line: "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks computer location settings
    - Maps connected drives based on registry
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\schtasks.exe (depth 4)
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IKzePvXcZPlcKe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCC68.tmp"
      - Creates scheduled task(s)

      C:\Users\Admin\AppData\Roaming\Install\Host.exe (depth 4)
      Command line: "{path}"
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\tmp418D.tmp
  Filesize: 1KB
  MD5: 971939f6731738020f0bf0ce1d70b01f
  SHA1: 7a167ea6509a95afb06e15efaa45cd3628c58c9f
  SHA256: a811cb4eb012a9f62b96f782d6edecbac2f79dc2da7226c1817404fa778eb4e8
  SHA512: c329becba0818a3d5e09d69f023ede6bfaf514ac17036e45e9c22a8991515193fbcf687927a62c488c8ff9bfba2b29bde3159e9df91438d433c760c1225a44db

C:\Users\Admin\AppData\Local\Temp\tmpCC68.tmp
  Filesize: 1KB
  MD5: 971939f6731738020f0bf0ce1d70b01f
  SHA1: 7a167ea6509a95afb06e15efaa45cd3628c58c9f
  SHA256: a811cb4eb012a9f62b96f782d6edecbac2f79dc2da7226c1817404fa778eb4e8
  SHA512: c329becba0818a3d5e09d69f023ede6bfaf514ac17036e45e9c22a8991515193fbcf687927a62c488c8ff9bfba2b29bde3159e9df91438d433c760c1225a44db

C:\Users\Admin\AppData\Roaming\Install\Host.exe
  Filesize: 520KB
  MD5: f0cac1110e145d3b260ad6be1566dc10
  SHA1: f0cf3f3d9ff962752dbf993ac5b75f1d574e0450
  SHA256: 506445199001be9096b17efc9f3e2a8025d0b167b1ce581831366b4d00e875dc
  SHA512: b93c8925b7bb992debd30a374ad3c0e7a2eecfc5ff7a6972b02753e9e04f0a7886034f40fd20979734c49c1cdb3ff05d41486c4ffbcbfe07141ace3250ae80a2

C:\Users\Admin\AppData\Roaming\Install\Host.exe
  Filesize: 520KB
  MD5: f0cac1110e145d3b260ad6be1566dc10
  SHA1: f0cf3f3d9ff962752dbf993ac5b75f1d574e0450
  SHA256: 506445199001be9096b17efc9f3e2a8025d0b167b1ce581831366b4d00e875dc
  SHA512: b93c8925b7bb992debd30a374ad3c0e7a2eecfc5ff7a6972b02753e9e04f0a7886034f40fd20979734c49c1cdb3ff05d41486c4ffbcbfe07141ace3250ae80a2

C:\Users\Admin\AppData\Roaming\Install\Host.exe
  Filesize: 520KB
  MD5: f0cac1110e145d3b260ad6be1566dc10
  SHA1: f0cf3f3d9ff962752dbf993ac5b75f1d574e0450
  SHA256: 506445199001be9096b17efc9f3e2a8025d0b167b1ce581831366b4d00e875dc
  SHA512: b93c8925b7bb992debd30a374ad3c0e7a2eecfc5ff7a6972b02753e9e04f0a7886034f40fd20979734c49c1cdb3ff05d41486c4ffbcbfe07141ace3250ae80a2

memory/1000-140-0x0000000000000000-mapping.dmp

memory/1000-141-0x0000000000400000-0x0000000000433000-memory.dmp
  Filesize: 204KB

memory/1000-144-0x0000000000400000-0x0000000000433000-memory.dmp
  Filesize: 204KB

memory/1000-143-0x0000000000400000-0x0000000000433000-memory.dmp
  Filesize: 204KB

memory/2476-148-0x0000000000000000-mapping.dmp

memory/2752-139-0x0000000000000000-mapping.dmp

memory/2840-132-0x0000000004E10000-0x0000000004EA2000-memory.dmp
  Filesize: 584KB

memory/2840-130-0x00000000003A0000-0x0000000000428000-memory.dmp
  Filesize: 544KB

memory/2840-135-0x0000000007AF0000-0x0000000007B8C000-memory.dmp
  Filesize: 624KB

memory/2840-134-0x0000000005080000-0x00000000050E6000-memory.dmp
  Filesize: 408KB

memory/2840-133-0x0000000004DE0000-0x0000000004DEA000-memory.dmp
  Filesize: 40KB

memory/2840-136-0x000000000E4D0000-0x000000000E536000-memory.dmp
  Filesize: 408KB

memory/2840-131-0x0000000005320000-0x00000000058C4000-memory.dmp
  Filesize: 5.6MB

memory/2996-150-0x0000000000000000-mapping.dmp

memory/2996-154-0x0000000000400000-0x0000000000433000-memory.dmp
  Filesize: 204KB

memory/2996-155-0x0000000000400000-0x0000000000433000-memory.dmp
  Filesize: 204KB

memory/3468-145-0x0000000000000000-mapping.dmp

memory/4472-137-0x0000000000000000-mapping.dmp