General

Target: 0w1XziesiBaxbYs.exe
Filesize: 520KB
Completed: 20-05-2022 22:34
Task: behavioral2
Score: 10/10
MD5: f0cac1110e145d3b260ad6be1566dc10
SHA1: f0cf3f3d9ff962752dbf993ac5b75f1d574e0450
SHA256: 506445199001be9096b17efc9f3e2a8025d0b167b1ce581831366b4d00e875dc
SHA512: b93c8925b7bb992debd30a374ad3c0e7a2eecfc5ff7a6972b02753e9e04f0a7886034f40fd20979734c49c1cdb3ff05d41486c4ffbcbfe07141ace3250ae80a2

Malware Config

Extracted

Family: netwire
C2: sepp.myq-see.com:2001

Attributes
activex_autorun: true
activex_key: {50L4QLIK-5N0E-1U7P-5W65-RDN0R6N72FF0}
copy_executable: true
delete_original: false
host_id: HostId-%Rand%
install_path: %AppData%\Install\Host.exe
keylogger_dir: %AppData%\Logs\
lock_executable: false
mutex: XdWObmml
offline_keylogger: true
password: Password
registry_autorun: false
startup_name:
use_mutex: true

copy_executable and install_path match the dropped C:\Users\Admin\AppData\Roaming\Install\Host.exe in the process tree and Downloads below, whose hashes are identical to the submitted sample. registry_autorun is false on this build; the persistence observed in this run is the scheduled task created through schtasks.exe, and activex_autorun=true is consistent with the "Modifies Installed Components in the registry" signature. The mutex name, install path, keylogger directory and C2 host:port are the host and network artifacts to hunt for.
Signatures 15

  • NetWire RAT payload

    Reported IOCs

    resource | yara_rule
    behavioral2/memory/1000-141-0x0000000000400000-0x0000000000433000-memory.dmp | netwire
    behavioral2/memory/1000-143-0x0000000000400000-0x0000000000433000-memory.dmp | netwire
    behavioral2/memory/1000-144-0x0000000000400000-0x0000000000433000-memory.dmp | netwire
    behavioral2/memory/2996-154-0x0000000000400000-0x0000000000433000-memory.dmp | netwire
    behavioral2/memory/2996-155-0x0000000000400000-0x0000000000433000-memory.dmp | netwire
  • Netwire

    Description

    NetWire is a RAT whose main functionality is password stealing and keylogging; it also includes remote-control capabilities.

  • Looks for VirtualBox Guest Additions in registry

    TTPs

    Query Registry, Virtualization/Sandbox Evasion
  • Executes dropped EXE
    Host.exe, Host.exe

    Reported IOCs

    pid | process
    3468 | Host.exe
    2996 | Host.exe
  • Looks for VMWare Tools registry key

    TTPs

    Query Registry, Virtualization/Sandbox Evasion
  • Modifies Installed Components in the registry

    TTPs

    Registry Run Keys / Startup Folder, Modify Registry
  • Checks BIOS information in registry
    0w1XziesiBaxbYs.exe, Host.exe

    Description

    BIOS information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 0w1XziesiBaxbYs.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 0w1XziesiBaxbYs.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Host.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Host.exe
  • Checks computer location settings
    0w1XziesiBaxbYs.exe, 0w1XziesiBaxbYs.exe, Host.exe

    Description

    Looks up the country code configured in the registry (Control Panel\International\Geo\Nation), most likely a geofencing check.

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    description | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | 0w1XziesiBaxbYs.exe
    Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | 0w1XziesiBaxbYs.exe
    Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | Host.exe
  • Maps connected drives based on registry
    Host.exe, 0w1XziesiBaxbYs.exe

    Description

    Disk information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry, Peripheral Device Discovery, System Information Discovery

    Reported IOCs

    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | Host.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | 0w1XziesiBaxbYs.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | 0w1XziesiBaxbYs.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | Host.exe
  • Suspicious use of SetThreadContext
    0w1XziesiBaxbYs.exe, Host.exe

    Reported IOCs

    description | pid | process | target process
    PID 2840 set thread context of 1000 | 2840 | 0w1XziesiBaxbYs.exe | 0w1XziesiBaxbYs.exe
    PID 3468 set thread context of 2996 | 3468 | Host.exe | Host.exe

    In both cases the target is a child running the parent's own image that the parent also wrote into (see the WriteProcessMemory IOCs below): the classic process-hollowing sequence. The netwire YARA hits at 0x400000-0x433000 are in exactly those children, PIDs 1000 and 2996, so that range is where the unpacked payload should be dumped from.
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). The sandbox's canned text calls this likely ransomware behaviour; for this sample, which it classifies as NetWire, it is more consistent with the disk-enumeration registry reads above, used for sandbox detection.

    TTPs

    System Information Discovery
  • Creates scheduled task(s)
    schtasks.exe, schtasks.exe

    Description

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    TTPs

    Scheduled Task

    Reported IOCs

    pid | process
    4472 | schtasks.exe
    2476 | schtasks.exe
  • Suspicious behavior: EnumeratesProcesses
    0w1XziesiBaxbYs.exe, Host.exe

    Reported IOCs (identical rows collapsed; the last column is how many times the row appeared)

    pid | process | events
    2840 | 0w1XziesiBaxbYs.exe | 6
    3468 | Host.exe | 3
  • Suspicious use of AdjustPrivilegeToken
    0w1XziesiBaxbYs.exe, Host.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 2840 | 0w1XziesiBaxbYs.exe
    Token: SeDebugPrivilege | 3468 | Host.exe
  • Suspicious use of WriteProcessMemory
    0w1XziesiBaxbYs.exe, 0w1XziesiBaxbYs.exe, Host.exe

    Reported IOCs (identical rows collapsed; the last column is how many times the row appeared)

    description | pid | process | target process | events
    PID 2840 wrote to memory of 4472 | 2840 | 0w1XziesiBaxbYs.exe | schtasks.exe | 3
    PID 2840 wrote to memory of 2752 | 2840 | 0w1XziesiBaxbYs.exe | 0w1XziesiBaxbYs.exe | 3
    PID 2840 wrote to memory of 1000 | 2840 | 0w1XziesiBaxbYs.exe | 0w1XziesiBaxbYs.exe | 11
    PID 1000 wrote to memory of 3468 | 1000 | 0w1XziesiBaxbYs.exe | Host.exe | 3
    PID 3468 wrote to memory of 2476 | 3468 | Host.exe | schtasks.exe | 3
    PID 3468 wrote to memory of 2996 | 3468 | Host.exe | Host.exe | 11
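The discovery signatures above show the sample reading four registry values: SystemBiosVersion, VideoBiosVersion, the first disk's Enum\0 entry and Geo\Nation. The following script, added here as an example and not code from the sandbox or from the malware, applies the kind of comparison such a sample makes to those values, so an analyst can see what a lab image leaks and tune it. The VM marker strings, the two sample registry data sets and any blocked-GEOID set are assumptions chosen for illustration; read_live_values() only works on a Windows host.

```python
"""Evaluate the registry values this sample reads for sandbox and geofence
checks.  Added example for this report; it is not code from the sandbox or
from the malware.  The VM marker strings, the sample registry data and the
blocked-GEOID set are assumptions chosen for illustration."""
from __future__ import annotations

import sys

# Values queried by 0w1XziesiBaxbYs.exe / Host.exe, as listed in the report.
SYSTEM_BIOS = r"HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion"
VIDEO_BIOS = r"HKLM\HARDWARE\DESCRIPTION\System\VideoBiosVersion"
DISK_ENUM0 = r"HKLM\SYSTEM\ControlSet001\Services\disk\Enum\0"
GEO_NATION = r"HKCU\Control Panel\International\Geo\Nation"

# Substrings that commonly identify a hypervisor in BIOS strings and in the
# PnP device ID of the first disk (assumed list; extend it for your own lab).
VM_MARKERS = ("VBOX", "VIRTUALBOX", "VMWARE", "QEMU", "BOCHS", "XEN", "HYPER-V", "VIRTUAL")


def vm_indicators(values: dict[str, str | list[str] | None]) -> list[str]:
    """Return 'key=data' for every queried value that contains a VM marker.

    `values` maps a key path to its data: a str for REG_SZ, a list of str for
    REG_MULTI_SZ (SystemBiosVersion is normally REG_MULTI_SZ), or None when the
    value is absent.  Matching is case-insensitive, one hit per key."""
    hits: list[str] = []
    for key in (SYSTEM_BIOS, VIDEO_BIOS, DISK_ENUM0):
        data = values.get(key)
        if data is None:
            continue
        for part in (data if isinstance(data, list) else [data]):
            if any(marker in part.upper() for marker in VM_MARKERS):
                hits.append(f"{key}={part}")
                break
    return hits


def geofence_allows(values: dict, blocked_geoids: frozenset[str]) -> bool:
    """Mirror a geofence: proceed unless the configured country (a decimal
    GEOID string under Geo\\Nation) is on the blocked list.  An absent value
    is treated as unknown and allowed."""
    nation = values.get(GEO_NATION)
    return nation is None or str(nation) not in blocked_geoids


def triage(values: dict, blocked_geoids: frozenset[str] = frozenset()) -> dict:
    """Summarise what the sample would conclude from these registry reads."""
    vm = vm_indicators(values)
    return {
        "looks_virtual": bool(vm),
        "vm_indicators": vm,
        "geofence_allows_run": geofence_allows(values, blocked_geoids),
    }


def read_live_values() -> dict:
    """Read the same four values from the local registry (Windows only).
    Missing values are recorded as None so vm_indicators() skips them."""
    if sys.platform != "win32":
        raise OSError("read_live_values() needs the Windows registry")
    import winreg  # local import: the module does not exist elsewhere

    def query(root, subkey, name):
        try:
            with winreg.OpenKey(root, subkey) as k:
                return winreg.QueryValueEx(k, name)[0]
        except OSError:
            return None

    return {
        SYSTEM_BIOS: query(winreg.HKEY_LOCAL_MACHINE, r"HARDWARE\DESCRIPTION\System", "SystemBiosVersion"),
        VIDEO_BIOS: query(winreg.HKEY_LOCAL_MACHINE, r"HARDWARE\DESCRIPTION\System", "VideoBiosVersion"),
        DISK_ENUM0: query(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\ControlSet001\Services\disk\Enum", "0"),
        GEO_NATION: query(winreg.HKEY_CURRENT_USER, r"Control Panel\International\Geo", "Nation"),
    }


# Constructed sample data: a stock VirtualBox guest and a physical laptop.
VIRTUALBOX_GUEST = {
    SYSTEM_BIOS: ["VBOX   - 1"],
    VIDEO_BIOS: "Oracle VM VirtualBox Version 6.1.0",
    DISK_ENUM0: r"SCSI\Disk&Ven_VBOX&Prod_HARDDISK\4&1a2b3c4d&0&000000",
    GEO_NATION: "244",
}
PHYSICAL_HOST = {
    SYSTEM_BIOS: ["LENOVO - 1", "N2HET45W (1.28 )"],
    VIDEO_BIOS: "Intel(R) UHD Graphics Video BIOS",
    DISK_ENUM0: r"SCSI\Disk&Ven_NVMe&Prod_Samsung_SSD_980\5&2f3e4d5c&0&000000",
    GEO_NATION: "244",
}

if __name__ == "__main__":
    # The blocked set here is an arbitrary placeholder, not a real geofence.
    for name, values in (("VirtualBox guest", VIRTUALBOX_GUEST), ("physical host", PHYSICAL_HOST)):
        print(name, triage(values, blocked_geoids=frozenset({"203"})))
```

Run it on a sandbox image with read_live_values() in place of the constructed dictionaries; any hit returned by vm_indicators() is a string the guest exposes to exactly the reads this sample performs.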
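The SetThreadContext and WriteProcessMemory IOCs above are individually noisy (every parent that launches schtasks.exe shows writes here), but together with the image names they pin down the two hollowed children. The script below is an added example, not the sandbox's own signature logic: it correlates the two event types per (parent, child) pair and flags a pair only when the parent wrote into the child, reset a thread context in it, and the child runs the parent's own image. The event list is constructed from the IOC rows in this report, with repeated rows collapsed into a count.

```python
"""Correlate the WriteProcessMemory and SetThreadContext rows of this report
into process-hollowing candidates.  Added example; it is not the sandbox's
own signature logic.  EVENTS is constructed from the report's rows."""
from __future__ import annotations

from collections import defaultdict
from typing import NamedTuple


class Event(NamedTuple):
    api: str            # "WriteProcessMemory" or "SetThreadContext"
    pid: int            # acting process
    image: str          # acting process image name
    target_pid: int
    target_image: str
    count: int = 1      # how many times the row appeared in the report


class Finding(NamedTuple):
    parent_pid: int
    child_pid: int
    image: str
    writes: int


def hollowing_candidates(events: list[Event], min_writes: int = 2) -> list[Finding]:
    """A (pid, target_pid) pair is a hollowing candidate when the parent both
    wrote into the child and changed one of its threads' context, and the
    child runs the parent's own image (self-spawned, typically suspended).
    Writes alone are not enough: in this report the parents also write into
    schtasks.exe and into PID 2752, but never call SetThreadContext there."""
    writes: dict[tuple[int, int], int] = defaultdict(int)
    ctx: dict[tuple[int, int], int] = defaultdict(int)
    images: dict[tuple[int, int], tuple[str, str]] = {}
    for e in events:
        key = (e.pid, e.target_pid)
        images[key] = (e.image, e.target_image)
        if e.api == "WriteProcessMemory":
            writes[key] += e.count
        elif e.api == "SetThreadContext":
            ctx[key] += e.count
    out: list[Finding] = []
    for key, n in sorted(writes.items()):
        src, dst = images[key]
        if ctx[key] and n >= min_writes and src.lower() == dst.lower():
            out.append(Finding(key[0], key[1], dst, n))
    return out


def write_only_targets(events: list[Event]) -> set[int]:
    """Targets that received writes but were not flagged (no thread-context
    change, or a different image): useful to see what the rule discards."""
    flagged = {f.child_pid for f in hollowing_candidates(events)}
    return {e.target_pid for e in events if e.api == "WriteProcessMemory"} - flagged


W, C = "WriteProcessMemory", "SetThreadContext"
SAMPLE, HOST = "0w1XziesiBaxbYs.exe", "Host.exe"

# One Event per distinct row in the report's two IOC tables.
EVENTS = [
    Event(W, 2840, SAMPLE, 4472, "schtasks.exe", 3),
    Event(W, 2840, SAMPLE, 2752, SAMPLE, 3),
    Event(W, 2840, SAMPLE, 1000, SAMPLE, 11),
    Event(C, 2840, SAMPLE, 1000, SAMPLE),
    Event(W, 1000, SAMPLE, 3468, HOST, 3),
    Event(W, 3468, HOST, 2476, "schtasks.exe", 3),
    Event(W, 3468, HOST, 2996, HOST, 11),
    Event(C, 3468, HOST, 2996, HOST),
]

if __name__ == "__main__":
    for f in hollowing_candidates(EVENTS):
        print(f"{f.parent_pid} -> {f.child_pid} ({f.image}, {f.writes} writes)")
    print("write-only targets:", sorted(write_only_targets(EVENTS)))
```

The two findings are the PIDs whose memory dumps carry the netwire YARA hits; PID 2752, the first self-spawned child, received writes but no thread-context change and is left out, as are both schtasks.exe instances.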
Processes 7
  • C:\Users\Admin\AppData\Local\Temp\0w1XziesiBaxbYs.exe
    "C:\Users\Admin\AppData\Local\Temp\0w1XziesiBaxbYs.exe"
    Checks BIOS information in registry
    Checks computer location settings
    Maps connected drives based on registry
    Suspicious use of SetThreadContext
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:2840
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IKzePvXcZPlcKe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp418D.tmp"
      Creates scheduled task(s)
      PID:4472
    • C:\Users\Admin\AppData\Local\Temp\0w1XziesiBaxbYs.exe
      "{path}"
      PID:2752
    • C:\Users\Admin\AppData\Local\Temp\0w1XziesiBaxbYs.exe
      "{path}"
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:1000
      • C:\Users\Admin\AppData\Roaming\Install\Host.exe
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        Executes dropped EXE
        Checks BIOS information in registry
        Checks computer location settings
        Maps connected drives based on registry
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        PID:3468
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IKzePvXcZPlcKe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCC68.tmp"
          Creates scheduled task(s)
          PID:2476
        • C:\Users\Admin\AppData\Roaming\Install\Host.exe
          "{path}"
          Executes dropped EXE
          PID:2996
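Both schtasks.exe entries in the tree share the pattern worth hunting for: a task created from an XML definition dropped in the user's Temp directory, with the command line naming System32\schtasks.exe while the image that ran is SysWOW64\schtasks.exe (WOW64 file-system redirection, so the creating parent is a 32-bit process). The script below is an added example, not a sandbox signature: it parses schtasks command lines and returns the task name plus those findings. The two report entries are copied from the tree above; the benign entry is constructed for contrast.

```python
"""Triage schtasks.exe task-creation command lines such as the two in this
process tree.  Added example, not a signature from the sandbox.  The two
REPORT_TASKS entries are copied from the tree; BENIGN_TASK is constructed."""
from __future__ import annotations

import re

_ARG = re.compile(r'"([^"]*)"|(\S+)')                        # quoted or bare token
_TEMP_XML = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.tmp$", re.I)


def split_cmdline(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [quoted or bare for quoted, bare in _ARG.findall(cmdline)]


def parse_schtasks(cmdline: str) -> dict[str, str | bool]:
    """Map each schtasks switch to its value, or True for a bare switch such
    as /Create or /F.  Switch names are upper-cased so /tn and /TN compare
    equal; the executable token is stored under "exe"."""
    args = split_cmdline(cmdline)
    opts: dict[str, str | bool] = {"exe": args[0]}
    i = 1
    while i < len(args):
        has_value = i + 1 < len(args) and not args[i + 1].startswith("/")
        opts[args[i].upper()] = args[i + 1] if has_value else True
        i += 2 if has_value else 1
    return opts


def triage_task_creation(image_path: str, cmdline: str) -> dict:
    """Return the created task's name and the reasons a hunter would care."""
    opts = parse_schtasks(cmdline)
    findings: list[str] = []
    if "/CREATE" not in opts:
        return {"task_name": None, "findings": findings}
    xml = opts.get("/XML")
    if isinstance(xml, str) and _TEMP_XML.search(xml):
        findings.append(f"task definition imported from a temp file: {xml}")
    # Command line names System32\schtasks.exe but the image that ran is
    # SysWOW64\schtasks.exe: file-system redirection, so the creating parent
    # is a 32-bit process.
    if "\\syswow64\\" in image_path.lower() and "\\system32\\" in str(opts["exe"]).lower():
        findings.append("WOW64 redirection: task created by a 32-bit parent")
    tn = opts.get("/TN")
    return {"task_name": tn if isinstance(tn, str) else None, "findings": findings}


# (image path, command line) pairs: both copied from the report's process tree.
REPORT_TASKS = [
    (r"C:\Windows\SysWOW64\schtasks.exe",
     r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IKzePvXcZPlcKe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp418D.tmp"'),
    (r"C:\Windows\SysWOW64\schtasks.exe",
     r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IKzePvXcZPlcKe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCC68.tmp"'),
]
# Constructed benign task for contrast (not from the report).
BENIGN_TASK = (r"C:\Windows\System32\schtasks.exe",
               r'schtasks.exe /Create /TN "Backup" /TR "C:\tools\backup.exe" /SC DAILY /ST 02:00')

if __name__ == "__main__":
    for image, cmd in REPORT_TASKS + [BENIGN_TASK]:
        print(triage_task_creation(image, cmd))
```

The returned task name, Updates\IKzePvXcZPlcKe, is the pivot for an enterprise-wide search of the Task Scheduler tree; the dropped XML itself is hashed under Downloads below.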
Network
Downloads

• C:\Users\Admin\AppData\Local\Temp\tmp418D.tmp
  MD5: 971939f6731738020f0bf0ce1d70b01f
  SHA1: 7a167ea6509a95afb06e15efaa45cd3628c58c9f
  SHA256: a811cb4eb012a9f62b96f782d6edecbac2f79dc2da7226c1817404fa778eb4e8
  SHA512: c329becba0818a3d5e09d69f023ede6bfaf514ac17036e45e9c22a8991515193fbcf687927a62c488c8ff9bfba2b29bde3159e9df91438d433c760c1225a44db

• C:\Users\Admin\AppData\Local\Temp\tmpCC68.tmp
  Same hashes as tmp418D.tmp: both are the scheduled-task XML that the original process and Host.exe each pass to schtasks.exe /XML.
  MD5: 971939f6731738020f0bf0ce1d70b01f
  SHA1: 7a167ea6509a95afb06e15efaa45cd3628c58c9f
  SHA256: a811cb4eb012a9f62b96f782d6edecbac2f79dc2da7226c1817404fa778eb4e8
  SHA512: c329becba0818a3d5e09d69f023ede6bfaf514ac17036e45e9c22a8991515193fbcf687927a62c488c8ff9bfba2b29bde3159e9df91438d433c760c1225a44db

• C:\Users\Admin\AppData\Roaming\Install\Host.exe
  Listed three times in the report with identical hashes; they match the submitted sample, as expected from copy_executable=true and install_path=%AppData%\Install\Host.exe in the extracted config.
  MD5: f0cac1110e145d3b260ad6be1566dc10
  SHA1: f0cf3f3d9ff962752dbf993ac5b75f1d574e0450
  SHA256: 506445199001be9096b17efc9f3e2a8025d0b167b1ce581831366b4d00e875dc
  SHA512: b93c8925b7bb992debd30a374ad3c0e7a2eecfc5ff7a6972b02753e9e04f0a7886034f40fd20979734c49c1cdb3ff05d41486c4ffbcbfe07141ace3250ae80a2

• memory/1000-140-0x0000000000000000-mapping.dmp
• memory/1000-144-0x0000000000400000-0x0000000000433000-memory.dmp
• memory/1000-143-0x0000000000400000-0x0000000000433000-memory.dmp
• memory/1000-141-0x0000000000400000-0x0000000000433000-memory.dmp
• memory/2476-148-0x0000000000000000-mapping.dmp
• memory/2752-139-0x0000000000000000-mapping.dmp
• memory/2840-133-0x0000000004DE0000-0x0000000004DEA000-memory.dmp
• memory/2840-136-0x000000000E4D0000-0x000000000E536000-memory.dmp
• memory/2840-135-0x0000000007AF0000-0x0000000007B8C000-memory.dmp
• memory/2840-132-0x0000000004E10000-0x0000000004EA2000-memory.dmp
• memory/2840-131-0x0000000005320000-0x00000000058C4000-memory.dmp
• memory/2840-134-0x0000000005080000-0x00000000050E6000-memory.dmp
• memory/2840-130-0x00000000003A0000-0x0000000000428000-memory.dmp
• memory/2996-150-0x0000000000000000-mapping.dmp
• memory/2996-154-0x0000000000400000-0x0000000000433000-memory.dmp
• memory/2996-155-0x0000000000400000-0x0000000000433000-memory.dmp
• memory/3468-145-0x0000000000000000-mapping.dmp
• memory/4472-137-0x0000000000000000-mapping.dmp