Analysis
-
max time kernel
151s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
20-05-2022 22:29
General
-
Target
0w1XziesiBaxbYs.exe
-
Size
520KB
-
MD5
f0cac1110e145d3b260ad6be1566dc10
-
SHA1
f0cf3f3d9ff962752dbf993ac5b75f1d574e0450
-
SHA256
506445199001be9096b17efc9f3e2a8025d0b167b1ce581831366b4d00e875dc
-
SHA512
b93c8925b7bb992debd30a374ad3c0e7a2eecfc5ff7a6972b02753e9e04f0a7886034f40fd20979734c49c1cdb3ff05d41486c4ffbcbfe07141ace3250ae80a2
Malware Config
Extracted
netwire
sepp.myq-see.com:2001
-
activex_autorun
true
-
activex_key
{50L4QLIK-5N0E-1U7P-5W65-RDN0R6N72FF0}
-
copy_executable
true
-
delete_original
false
-
host_id
HostId-%Rand%
-
install_path
%AppData%\Install\Host.exe
-
keylogger_dir
%AppData%\Logs\
-
lock_executable
false
-
mutex
XdWObmml
-
offline_keylogger
true
-
password
Password
-
registry_autorun
false
- startup_name
-
use_mutex
true
Signatures
-
NetWire RAT payload 5 IoCs
-
Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
-
Looks for VirtualBox Guest Additions in registry 2 TTPs
-
Executes dropped EXE 2 IoCs
-
Looks for VMWare Tools registry key 2 TTPs
-
Modifies Installed Components in the registry 2 TTPs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Maps connected drives based on registry 3 TTPs 4 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 34 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\0w1XziesiBaxbYs.exe"C:\Users\Admin\AppData\Local\Temp\0w1XziesiBaxbYs.exe"1⤵
- Checks BIOS information in registry
- Checks computer location settings
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IKzePvXcZPlcKe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp418D.tmp"2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\0w1XziesiBaxbYs.exe"{path}"2⤵
-
C:\Users\Admin\AppData\Local\Temp\0w1XziesiBaxbYs.exe"{path}"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Install\Host.exe"C:\Users\Admin\AppData\Roaming\Install\Host.exe"3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IKzePvXcZPlcKe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCC68.tmp"4⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\Install\Host.exe"{path}"4⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp418D.tmpFilesize
1KB
MD5971939f6731738020f0bf0ce1d70b01f
SHA17a167ea6509a95afb06e15efaa45cd3628c58c9f
SHA256a811cb4eb012a9f62b96f782d6edecbac2f79dc2da7226c1817404fa778eb4e8
SHA512c329becba0818a3d5e09d69f023ede6bfaf514ac17036e45e9c22a8991515193fbcf687927a62c488c8ff9bfba2b29bde3159e9df91438d433c760c1225a44db
-
C:\Users\Admin\AppData\Local\Temp\tmpCC68.tmpFilesize
1KB
MD5971939f6731738020f0bf0ce1d70b01f
SHA17a167ea6509a95afb06e15efaa45cd3628c58c9f
SHA256a811cb4eb012a9f62b96f782d6edecbac2f79dc2da7226c1817404fa778eb4e8
SHA512c329becba0818a3d5e09d69f023ede6bfaf514ac17036e45e9c22a8991515193fbcf687927a62c488c8ff9bfba2b29bde3159e9df91438d433c760c1225a44db
-
C:\Users\Admin\AppData\Roaming\Install\Host.exeFilesize
520KB
MD5f0cac1110e145d3b260ad6be1566dc10
SHA1f0cf3f3d9ff962752dbf993ac5b75f1d574e0450
SHA256506445199001be9096b17efc9f3e2a8025d0b167b1ce581831366b4d00e875dc
SHA512b93c8925b7bb992debd30a374ad3c0e7a2eecfc5ff7a6972b02753e9e04f0a7886034f40fd20979734c49c1cdb3ff05d41486c4ffbcbfe07141ace3250ae80a2
-
C:\Users\Admin\AppData\Roaming\Install\Host.exeFilesize
520KB
MD5f0cac1110e145d3b260ad6be1566dc10
SHA1f0cf3f3d9ff962752dbf993ac5b75f1d574e0450
SHA256506445199001be9096b17efc9f3e2a8025d0b167b1ce581831366b4d00e875dc
SHA512b93c8925b7bb992debd30a374ad3c0e7a2eecfc5ff7a6972b02753e9e04f0a7886034f40fd20979734c49c1cdb3ff05d41486c4ffbcbfe07141ace3250ae80a2
-
C:\Users\Admin\AppData\Roaming\Install\Host.exeFilesize
520KB
MD5f0cac1110e145d3b260ad6be1566dc10
SHA1f0cf3f3d9ff962752dbf993ac5b75f1d574e0450
SHA256506445199001be9096b17efc9f3e2a8025d0b167b1ce581831366b4d00e875dc
SHA512b93c8925b7bb992debd30a374ad3c0e7a2eecfc5ff7a6972b02753e9e04f0a7886034f40fd20979734c49c1cdb3ff05d41486c4ffbcbfe07141ace3250ae80a2
-
memory/1000-140-0x0000000000000000-mapping.dmp
-
memory/1000-141-0x0000000000400000-0x0000000000433000-memory.dmpFilesize
204KB
-
memory/1000-144-0x0000000000400000-0x0000000000433000-memory.dmpFilesize
204KB
-
memory/1000-143-0x0000000000400000-0x0000000000433000-memory.dmpFilesize
204KB
-
memory/2476-148-0x0000000000000000-mapping.dmp
-
memory/2752-139-0x0000000000000000-mapping.dmp
-
memory/2840-132-0x0000000004E10000-0x0000000004EA2000-memory.dmpFilesize
584KB
-
memory/2840-130-0x00000000003A0000-0x0000000000428000-memory.dmpFilesize
544KB
-
memory/2840-135-0x0000000007AF0000-0x0000000007B8C000-memory.dmpFilesize
624KB
-
memory/2840-134-0x0000000005080000-0x00000000050E6000-memory.dmpFilesize
408KB
-
memory/2840-133-0x0000000004DE0000-0x0000000004DEA000-memory.dmpFilesize
40KB
-
memory/2840-136-0x000000000E4D0000-0x000000000E536000-memory.dmpFilesize
408KB
-
memory/2840-131-0x0000000005320000-0x00000000058C4000-memory.dmpFilesize
5.6MB
-
memory/2996-150-0x0000000000000000-mapping.dmp
-
memory/2996-154-0x0000000000400000-0x0000000000433000-memory.dmpFilesize
204KB
-
memory/2996-155-0x0000000000400000-0x0000000000433000-memory.dmpFilesize
204KB
-
memory/3468-145-0x0000000000000000-mapping.dmp
-
memory/4472-137-0x0000000000000000-mapping.dmp