Analysis
  max time kernel: 97s
  max time network: 104s
  platform: windows7_x64
  resource: win7-20220414-en
  submitted: 20-05-2022 22:43
  Static task: static1
  Behavioral task: behavioral1
    Sample: lAKdWjhOYMA6YfG.exe
    Resource: win7-20220414-en
General
  Target: lAKdWjhOYMA6YfG.exe
  Size: 419KB
  MD5: fd175da54494e88a5777471577927264
  SHA1: 60398520b817355b5644f4b3dfbb147638122dd2
  SHA256: 73b0fb36b1b8763ebb06328273016c4c4c65b20d2abc3b5bb0566a6f13aa086d
  SHA512: ceb0f4aa2a962f5e5da4a7d5f1f50ebfb59918eb1ecaded728ae0266f1ae03e37a44f3e9dc06d1ebd5c46fc4bd1098191d5598090b3769a64ec8e369019ae7c3
Malware Config
Extracted
  Family: netwire
  C2: sepp.myq-see.com:2001
  activex_autorun: true
  activex_key: {50L4QLIK-5N0E-1U7P-5W65-RDN0R6N72FF0}
  copy_executable: true
  delete_original: false
  host_id: HostId-%Rand%
  install_path: %AppData%\Install\Host.exe
  keylogger_dir: %AppData%\Logs\
  lock_executable: false
  mutex: XdWObmml
  offline_keylogger: true
  password: Password
  registry_autorun: false
  startup_name: (empty)
  use_mutex: true

Reading the config against the rest of the report: install_path expands on this guest to C:\Users\Admin\AppData\Roaming\Install\Host.exe, which is exactly the dropped file listed under Downloads, and copy_executable: true with delete_original: false matches the dropped copy having the same hashes as the submitted sample. registry_autorun is off, so the Run keys are not touched; persistence comes from activex_autorun with the key above (reflected by the "Modifies Installed Components in the registry" signature) and from the scheduled task created by schtasks.exe. The mutex XdWObmml, the install and keylogger_dir paths and the C2 host:port are the host and network indicators worth hunting on.
Signatures

NetWire RAT payload (11 IoCs)
  YARA rule "netwire" matched in:
    behavioral1/memory/1624-66-0x0000000000400000-0x0000000000433000-memory.dmp
    behavioral1/memory/1624-67-0x0000000000400000-0x0000000000433000-memory.dmp
    behavioral1/memory/1624-65-0x0000000000400000-0x0000000000433000-memory.dmp
    behavioral1/memory/1624-69-0x0000000000400000-0x0000000000433000-memory.dmp
    behavioral1/memory/1624-70-0x0000000000400000-0x0000000000433000-memory.dmp
    behavioral1/memory/1624-71-0x000000000040242D-mapping.dmp
    behavioral1/memory/1624-74-0x0000000000400000-0x0000000000433000-memory.dmp
    behavioral1/memory/1624-79-0x0000000000400000-0x0000000000433000-memory.dmp
    behavioral1/memory/380-94-0x000000000040242D-mapping.dmp
    behavioral1/memory/380-98-0x0000000000400000-0x0000000000433000-memory.dmp
    behavioral1/memory/380-99-0x0000000000400000-0x0000000000433000-memory.dmp
Looks for VirtualBox Guest Additions in registry (2 TTPs)

Executes dropped EXE (2 IoCs)
  pid  process
  1356 Host.exe
  380  Host.exe

Looks for VMWare Tools registry key (2 TTPs)

Modifies Installed Components in the registry (2 TTPs)
Checks BIOS information in registry (2 TTPs, 4 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  description        ioc                                                          process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  lAKdWjhOYMA6YfG.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   lAKdWjhOYMA6YfG.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  Host.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   Host.exe
Loads dropped DLL (1 IoC)
  pid  process
  1624 lAKdWjhOYMA6YfG.exe
Maps connected drives based on registry (3 TTPs, 4 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  description        ioc                                                       process
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum    Host.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  Host.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum    lAKdWjhOYMA6YfG.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  lAKdWjhOYMA6YfG.exe
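The two signature descriptions above point at the same anti-analysis habit: read hardware strings from the registry, enumerate disks, and decide whether the host looks like a sandbox. The Python below is an added example, not part of the sandbox report, that turns registry IoC lines in the report's own "description ioc process" layout into a per-process score. The BIOS and Disk\Enum paths are the ones this report records; the VirtualBox Guest Additions and VMware Tools key paths are the well-known keys behind the two "Looks for ..." signatures and are an assumption here, since the report does not print them. The sample event lines are constructed from this report plus one invented benign read to show it is not flagged.

```python
import re
from collections import defaultdict

# Registry paths whose reads are weak-to-moderate anti-analysis signals, keyed
# lower-case for case-insensitive matching. The BIOS and Disk\Enum paths are
# the ones this report records. The VirtualBox and VMware paths are the
# well-known keys behind the two "Looks for ..." signatures; the report does
# not print them, so they are an assumption here.
ANTI_VM_KEYS = {
    r"\registry\machine\hardware\description\system\systembiosversion": "bios_info",
    r"\registry\machine\hardware\description\system\videobiosversion": "bios_info",
    r"\registry\machine\system\controlset001\services\disk\enum": "disk_enum",
    r"\registry\machine\software\oracle\virtualbox guest additions": "vbox_guest_additions",
    r"\registry\machine\software\vmware, inc.\vmware tools": "vmware_tools",
}

# "description  ioc  process" layout used by the report, e.g.
# 'Key value queried \REGISTRY\MACHINE\...\SystemBiosVersion Host.exe'
EVENT_RE = re.compile(r"^(Key opened|Key value queried)\s+(\\REGISTRY\\.+?)\s+(\S+)$")


def parse_event(line):
    """Return (action, registry_path, process) or None for lines that do not fit."""
    m = EVENT_RE.match(line.strip())
    return m.groups() if m else None


def classify(path):
    """Map a registry key, or a value/subkey under it, to an anti-VM category, else None."""
    p = path.lower().rstrip("\\")
    for key, category in ANTI_VM_KEYS.items():
        # exact key, or something directly under it (e.g. Disk\Enum\0)
        if p == key or p.startswith(key + "\\"):
            return category
    return None


def score_processes(lines, min_categories=2):
    """Group anti-VM registry reads per process.

    A process is marked suspicious once it touches at least `min_categories`
    distinct categories: reading the BIOS strings alone is common in legitimate
    software, reading BIOS strings *and* enumerating disks (as both binaries in
    the report do) is a much narrower pattern.
    """
    per_proc = defaultdict(lambda: {"hits": 0, "categories": set()})
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        _action, path, proc = ev
        entry = per_proc[proc]
        cat = classify(path)
        if cat:
            entry["hits"] += 1
            entry["categories"].add(cat)
    return {
        proc: {
            "hits": e["hits"],
            "categories": sorted(e["categories"]),
            "suspicious": len(e["categories"]) >= min_categories,
        }
        for proc, e in per_proc.items()
    }


# Constructed sample: the eight registry IoCs from this report plus one benign
# read by a different process (invented), to show it is not flagged.
SAMPLE_EVENTS = [
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion lAKdWjhOYMA6YfG.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion lAKdWjhOYMA6YfG.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Host.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Host.exe",
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum Host.exe",
    r"Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 Host.exe",
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum lAKdWjhOYMA6YfG.exe",
    r"Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 lAKdWjhOYMA6YfG.exe",
    r"Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName explorer.exe",
]

if __name__ == "__main__":
    for proc, info in score_processes(SAMPLE_EVENTS).items():
        print(proc, info)
```

The threshold of two distinct categories is the practical knob: BIOS-string reads on their own produce false positives from installers and licensing code, while BIOS plus disk enumeration in the same short-lived process, as both lAKdWjhOYMA6YfG.exe and Host.exe show here, is rare outside evasion code.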
Suspicious use of SetThreadContext (2 IoCs)
  description                          pid   process              target process
  PID 1704 set thread context of 1624  1704  lAKdWjhOYMA6YfG.exe  lAKdWjhOYMA6YfG.exe
  PID 1356 set thread context of 380   1356  Host.exe             Host.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature calls it likely ransomware behaviour; nothing in this report shows file encryption or bulk file modification, and for this NetWire sample the drive access lines up with the Disk\Enum registry reads above (host profiling and sandbox detection) rather than with encryption.
Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   process
  1176  schtasks.exe
  1876  schtasks.exe
Suspicious behavior: EnumeratesProcesses (5 IoCs)
  pid   process
  1704  lAKdWjhOYMA6YfG.exe (3 events)
  1356  Host.exe (2 events)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   process
  Token: SeDebugPrivilege  1704  lAKdWjhOYMA6YfG.exe
  Token: SeDebugPrivilege  1356  Host.exe
Suspicious use of WriteProcessMemory (36 IoCs)
  description                        pid   process              target process       count
  PID 1704 wrote to memory of 1176   1704  lAKdWjhOYMA6YfG.exe  schtasks.exe         4
  PID 1704 wrote to memory of 1624   1704  lAKdWjhOYMA6YfG.exe  lAKdWjhOYMA6YfG.exe  12
  PID 1624 wrote to memory of 1356   1624  lAKdWjhOYMA6YfG.exe  Host.exe             4
  PID 1356 wrote to memory of 1876   1356  Host.exe             schtasks.exe         4
  PID 1356 wrote to memory of 380    1356  Host.exe             Host.exe             12
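The SetThreadContext and WriteProcessMemory tables above only make sense together: a parent writes into every process it creates, so the four writes into each schtasks.exe are ordinary process creation, while the twelve writes plus a SetThreadContext into a child running the parent's own image are the process-hollowing stage that lands the NetWire payload at 0x400000 in pids 1624 and 380. The Python below is an added example, not code from the report or from the sandbox; it parses event lines in the report's own layout, picks out the hollowing pairs, rebuilds the spawn tree, and flags schtasks /Create calls fed from an XML file in the user's temp directory. Treating a cross-process write as evidence that the writer created the target is an assumption made for this report's data, not a general rule; the sample events are constructed from the tables above, and the benign schtasks /Query line is invented.

```python
import re
from collections import defaultdict

# "description pid process target process" layout of the report's
# SetThreadContext / WriteProcessMemory IoC tables
INJECT_RE = re.compile(
    r"^PID (\d+) (wrote to memory of|set thread context of) (\d+) \d+ (\S+) (\S+)$"
)
# schtasks.exe registering a task from an XML definition
SCHTASKS_RE = re.compile(
    r'schtasks\.exe"?\s+/Create\s+/TN\s+"([^"]+)"\s+/XML\s+"([^"]+)"', re.IGNORECASE
)
TEMP_DIR_MARK = "\\appdata\\local\\temp\\"


def parse_injection_events(lines):
    """Aggregate injection primitives per (source pid, target pid) pair."""
    edges = defaultdict(lambda: {"writes": 0, "set_context": 0, "src": "", "dst": ""})
    for line in lines:
        m = INJECT_RE.match(line.strip())
        if not m:
            continue
        src, action, dst, src_img, dst_img = m.groups()
        e = edges[(int(src), int(dst))]
        e["src"], e["dst"] = src_img, dst_img
        if action.startswith("wrote"):
            e["writes"] += 1
        else:
            e["set_context"] += 1
    return edges


def hollowing_candidates(edges):
    """Pairs where the source both wrote into the target and reset a thread
    context, and the target runs the source's own image. A parent writes into
    every child it creates (the report shows 4 writes to each schtasks.exe),
    so writes alone are noise; SetThreadContext on a same-image child is the
    hollowing signature."""
    out = []
    for (src, dst), e in edges.items():
        if e["writes"] and e["set_context"] and e["src"].lower() == e["dst"].lower():
            out.append({"parent": src, "child": dst, "image": e["src"], "writes": e["writes"]})
    return sorted(out, key=lambda c: c["parent"])


def spawn_tree(edges):
    """Parent -> sorted child pids, treating any cross-process write as evidence
    that the source created the target (an assumption that holds for this
    report's data, not a general rule)."""
    tree = defaultdict(list)
    for (src, dst) in edges:
        tree[src].append(dst)
    return {src: sorted(children) for src, children in tree.items()}


def staged_task_creations(cmdlines):
    """schtasks /Create /XML calls whose task definition lives in the user's temp
    directory: a task registered from a throwaway tmp file is how this sample
    persists without touching the Run keys."""
    hits = []
    for cmd in cmdlines:
        m = SCHTASKS_RE.search(cmd)
        if m and TEMP_DIR_MARK in m.group(2).lower():
            hits.append({"task": m.group(1), "xml": m.group(2)})
    return hits


# Constructed from the report's IoC tables: 2 SetThreadContext and 36
# WriteProcessMemory events, plus the two schtasks command lines from the
# process tree and one benign schtasks query (invented) to show it is not flagged.
SAMPLE_EVENTS = (
    ["PID 1704 set thread context of 1624 1704 lAKdWjhOYMA6YfG.exe lAKdWjhOYMA6YfG.exe",
     "PID 1356 set thread context of 380 1356 Host.exe Host.exe"]
    + ["PID 1704 wrote to memory of 1176 1704 lAKdWjhOYMA6YfG.exe schtasks.exe"] * 4
    + ["PID 1704 wrote to memory of 1624 1704 lAKdWjhOYMA6YfG.exe lAKdWjhOYMA6YfG.exe"] * 12
    + ["PID 1624 wrote to memory of 1356 1624 lAKdWjhOYMA6YfG.exe Host.exe"] * 4
    + ["PID 1356 wrote to memory of 1876 1356 Host.exe schtasks.exe"] * 4
    + ["PID 1356 wrote to memory of 380 1356 Host.exe Host.exe"] * 12
)
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fukEDc" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF4AC.tmp"',
    r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fukEDc" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9906.tmp"',
    r'"C:\Windows\System32\schtasks.exe" /Query /TN "Microsoft\Windows\Defrag\ScheduledDefrag"',
]

if __name__ == "__main__":
    edges = parse_injection_events(SAMPLE_EVENTS)
    for c in hollowing_candidates(edges):
        print("hollowing:", c)
    print("spawn tree:", spawn_tree(edges))
    for t in staged_task_creations(SAMPLE_CMDLINES):
        print("staged task:", t)
```

Run against the report's events this yields two hollowing pairs (1704 into 1624, 1356 into 380), a spawn tree that reproduces the process tree below, and both schtasks invocations flagged because their XML lives under AppData\Local\Temp. On a real endpoint the same logic applies to Sysmon event IDs 8/10 style data once the fields are mapped to the same (source, target, image) tuple.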
Processes

[1] C:\Users\Admin\AppData\Local\Temp\lAKdWjhOYMA6YfG.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\lAKdWjhOYMA6YfG.exe"
    - Checks BIOS information in registry
    - Maps connected drives based on registry
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\schtasks.exe
        command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fukEDc" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF4AC.tmp"
        - Creates scheduled task(s)

    [2] C:\Users\Admin\AppData\Local\Temp\lAKdWjhOYMA6YfG.exe
        command line: "{path}"
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Roaming\Install\Host.exe
            command line: "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
            - Executes dropped EXE
            - Checks BIOS information in registry
            - Maps connected drives based on registry
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\schtasks.exe
                command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fukEDc" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9906.tmp"
                - Creates scheduled task(s)

            [4] C:\Users\Admin\AppData\Roaming\Install\Host.exe
                command line: "{path}"
                - Executes dropped EXE

Reading the tree: each stage is a pair of processes. The parent registers a scheduled task, starts a second copy of its own image with the literal command line "{path}", writes into it and redirects a thread with SetThreadContext, which is where the NetWire payload (the YARA hits at 0x400000 in pids 1624 and 380) comes from. The first hollowed copy then drops and starts Host.exe from the install path, and Host.exe repeats the same two steps. Both schtasks calls register the same task name, Updates\fukEDc, from a temporary XML file. The schtasks.exe image path is C:\Windows\SysWOW64\ while its command line names C:\Windows\System32\: on this x64 guest, WOW64 file system redirection rewrites the path for a 32-bit caller, so the parent processes are 32-bit.
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\tmp9906.tmp
  Filesize: 1KB
  MD5: 783c1c8c02a6345330e5dcdf0ef1ee82
  SHA1: 4a4677dacb81ffac42ee69df9543af772dc44463
  SHA256: 42bfd5f48fe26260c3b757b67d1cf08d491da0f8f05ec7b6bff33e2d04182682
  SHA512: 9db748339d80ccb6390c86169f076c4f1fc046df0a74101253aa5342a8e57a958372d9594e4c1871696ac44c0173c3169f47ab14174b479b23ab40d80e8f2cd0

C:\Users\Admin\AppData\Local\Temp\tmpF4AC.tmp
  Filesize: 1KB
  MD5: 783c1c8c02a6345330e5dcdf0ef1ee82
  SHA1: 4a4677dacb81ffac42ee69df9543af772dc44463
  SHA256: 42bfd5f48fe26260c3b757b67d1cf08d491da0f8f05ec7b6bff33e2d04182682
  SHA512: 9db748339d80ccb6390c86169f076c4f1fc046df0a74101253aa5342a8e57a958372d9594e4c1871696ac44c0173c3169f47ab14174b479b23ab40d80e8f2cd0
  (byte-identical to tmp9906.tmp: both schtasks runs registered the same task definition)

C:\Users\Admin\AppData\Roaming\Install\Host.exe
  Filesize: 419KB
  MD5: fd175da54494e88a5777471577927264
  SHA1: 60398520b817355b5644f4b3dfbb147638122dd2
  SHA256: 73b0fb36b1b8763ebb06328273016c4c4c65b20d2abc3b5bb0566a6f13aa086d
  SHA512: ceb0f4aa2a962f5e5da4a7d5f1f50ebfb59918eb1ecaded728ae0266f1ae03e37a44f3e9dc06d1ebd5c46fc4bd1098191d5598090b3769a64ec8e369019ae7c3
  (recorded four times in the report, three under this path and once as \Users\Admin\AppData\Roaming\Install\Host.exe; every entry carries the hashes of the submitted sample, so the binary copies itself unchanged, as copy_executable: true in the extracted config indicates)
memory/380-99-0x0000000000400000-0x0000000000433000-memory.dmp   204KB
memory/380-98-0x0000000000400000-0x0000000000433000-memory.dmp   204KB
memory/380-94-0x000000000040242D-mapping.dmp
memory/1176-58-0x0000000000000000-mapping.dmp
memory/1356-80-0x00000000000B0000-0x000000000011E000-memory.dmp  440KB
memory/1356-76-0x0000000000000000-mapping.dmp
memory/1624-63-0x0000000000400000-0x0000000000433000-memory.dmp  204KB
memory/1624-66-0x0000000000400000-0x0000000000433000-memory.dmp  204KB
memory/1624-71-0x000000000040242D-mapping.dmp
memory/1624-73-0x0000000076241000-0x0000000076243000-memory.dmp  8KB
memory/1624-74-0x0000000000400000-0x0000000000433000-memory.dmp  204KB
memory/1624-70-0x0000000000400000-0x0000000000433000-memory.dmp  204KB
memory/1624-69-0x0000000000400000-0x0000000000433000-memory.dmp  204KB
memory/1624-65-0x0000000000400000-0x0000000000433000-memory.dmp  204KB
memory/1624-67-0x0000000000400000-0x0000000000433000-memory.dmp  204KB
memory/1624-60-0x0000000000400000-0x0000000000433000-memory.dmp  204KB
memory/1624-79-0x0000000000400000-0x0000000000433000-memory.dmp  204KB
memory/1624-61-0x0000000000400000-0x0000000000433000-memory.dmp  204KB
memory/1704-54-0x0000000000DC0000-0x0000000000E2E000-memory.dmp  440KB
memory/1704-57-0x0000000004D40000-0x0000000004D8C000-memory.dmp  304KB
memory/1704-56-0x0000000004B90000-0x0000000004BF0000-memory.dmp  384KB
memory/1704-55-0x0000000000750000-0x000000000075A000-memory.dmp  40KB
memory/1876-81-0x0000000000000000-mapping.dmp