General

Target: detail-information.exe
Filesize: 494KB
Completed: 21-05-2022 01:09
Task: behavioral2
Score: 10/10
MD5: 07591af2349f8ebc5789fcb0b60c7c91
SHA1: 828bcdd3d1e32d2ed0b0660fc92f41a562d4d466
SHA256: b50a0ea3d467e25e9c1917668e10f70e67434e468fcecbb1d3a927a3f105dbfa
SHA512: 8bc1068c0d85f62176fe8e23ec23ecbcfaa1296d379c26ff5fe7ee274c5ef7d12b7a1fec44941eca9841af17c61c5c1b3ad50739fb5d5baadd72bf2feef48ad3

Malware Config

Signatures (10)
  • NetWire RAT payload

    Reported IOCs

    resource | yara_rule
    behavioral2/memory/2624-136-0x0000000000400000-0x0000000000433000-memory.dmp | netwire
    behavioral2/memory/2968-142-0x0000000000400000-0x0000000000433000-memory.dmp | netwire

    Both YARA hits are in the RegAsm.exe child processes (PIDs 2624 and 2968), in the 0x400000-0x433000 region their parent detail-information.exe process wrote to before calling SetThreadContext on them.
  • Netwire

    Description

    NetWire is a RAT whose main functionality is password stealing and keylogging, but it also includes remote-control capabilities.

  • Checks computer location settings
    Processes: detail-information.exe (PID 1004), detail-information.exe (PID 2156)

    Description

    Looks up the country code configured in the registry, likely a geofence check.

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    description | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | detail-information.exe
    Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | detail-information.exe
  • Drops startup file
    Processes: detail-information.exe, detail-information.exe

    Reported IOCs

    description | ioc | process
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe | detail-information.exe
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe | detail-information.exe
  • Suspicious use of SetThreadContext
    Processes: detail-information.exe, detail-information.exe

    Reported IOCs

    description | pid | process | target process
    PID 1004 set thread context of 2624 | 1004 | detail-information.exe | RegAsm.exe
    PID 2156 set thread context of 2968 | 2156 | detail-information.exe | RegAsm.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Suspicious behavior: EnumeratesProcesses
    Processes: detail-information.exe

    Reported IOCs

    pid | process
    1004 | detail-information.exe (64 identical entries)
  • Suspicious behavior: MapViewOfSection
    Processes: detail-information.exe, detail-information.exe

    Reported IOCs

    pid | process
    1004 | detail-information.exe (3 entries)
    2156 | detail-information.exe (1 entry)
  • Suspicious use of AdjustPrivilegeToken
    Processes: detail-information.exe, detail-information.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 1004 | detail-information.exe
    Token: SeDebugPrivilege | 2156 | detail-information.exe
  • Suspicious use of WriteProcessMemory
    Processes: detail-information.exe, cmd.exe, detail-information.exe, cmd.exe

    Reported IOCs (29 entries, identical rows collapsed with counts)

    description | pid | process | target process | count
    PID 1004 wrote to memory of 2432 | 1004 | detail-information.exe | RegAsm.exe | 3
    PID 1004 wrote to memory of 1108 | 1004 | detail-information.exe | RegAsm.exe | 3
    PID 1004 wrote to memory of 2624 | 1004 | detail-information.exe | RegAsm.exe | 4
    PID 1004 wrote to memory of 3156 | 1004 | detail-information.exe | cmd.exe | 3
    PID 1004 wrote to memory of 2156 | 1004 | detail-information.exe | detail-information.exe | 3
    PID 3156 wrote to memory of 2832 | 3156 | cmd.exe | choice.exe | 3
    PID 2156 wrote to memory of 2968 | 2156 | detail-information.exe | RegAsm.exe | 4
    PID 2156 wrote to memory of 4820 | 2156 | detail-information.exe | cmd.exe | 3
    PID 4820 wrote to memory of 2084 | 4820 | cmd.exe | choice.exe | 3
Processes (10)
  • C:\Users\Admin\AppData\Local\Temp\detail-information.exe
    "C:\Users\Admin\AppData\Local\Temp\detail-information.exe"
    Checks computer location settings
    Drops startup file
    Suspicious use of SetThreadContext
    Suspicious behavior: EnumeratesProcesses
    Suspicious behavior: MapViewOfSection
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:1004
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      PID:2432
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      PID:1108
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      PID:2624
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\detail-information.exe"
      Suspicious use of WriteProcessMemory
      PID:3156
      • C:\Windows\SysWOW64\choice.exe
        choice /C Y /N /D Y /T 3
        PID:2832
    • C:\Users\Admin\AppData\Local\Temp\detail-information.exe
      "C:\Users\Admin\AppData\Local\Temp\detail-information.exe"
      Checks computer location settings
      Drops startup file
      Suspicious use of SetThreadContext
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2156
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        PID:2968
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\detail-information.exe"
        Suspicious use of WriteProcessMemory
        PID:4820
        • C:\Windows\SysWOW64\choice.exe
          choice /C Y /N /D Y /T 3
          PID:2084
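The process tree and the WriteProcessMemory/SetThreadContext tables above can be correlated mechanically into the two behaviours this report documents: the parent writing into an argument-less RegAsm.exe and then redirecting its thread (the two children that received writes but no SetThreadContext, PIDs 2432 and 1108, show up as incomplete attempts), and the `cmd.exe /C choice ... & Del` delayed self-deletion of the dropper. The following is an added example and is not part of the sandbox report or the sandbox's own detection code; PROCESSES and EVENTS are transcribed from the tables on this page, and HOLLOW_HOSTS is an assumed allow-list of common hollowing hosts that the report itself does not state.

```python
"""Correlate this report's behaviour rows into hollowing and self-delete findings.
Added example: PROCESSES/EVENTS are transcribed from the report, HOLLOW_HOSTS is assumed."""
import re
from collections import defaultdict

DROPPER = r"C:\Users\Admin\AppData\Local\Temp\detail-information.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
CHOICE = r"C:\Windows\SysWOW64\choice.exe"
DELETE_CMD = r'"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "' + DROPPER + '"'

# Constructed from the report's process tree: pid -> (parent pid, image path, command line).
PROCESSES = {
    1004: (None, DROPPER, f'"{DROPPER}"'),
    2432: (1004, REGASM, f'"{REGASM}"'),
    1108: (1004, REGASM, f'"{REGASM}"'),
    2624: (1004, REGASM, f'"{REGASM}"'),
    3156: (1004, CMD, DELETE_CMD),
    2832: (3156, CHOICE, "choice /C Y /N /D Y /T 3"),
    2156: (1004, DROPPER, f'"{DROPPER}"'),
    2968: (2156, REGASM, f'"{REGASM}"'),
    4820: (2156, CMD, DELETE_CMD),
    2084: (4820, CHOICE, "choice /C Y /N /D Y /T 3"),
}

# Constructed from the WriteProcessMemory and SetThreadContext tables: (api, source, target).
# Row multiplicities match the report.
EVENTS = (
    [("WriteProcessMemory", 1004, 2432)] * 3
    + [("WriteProcessMemory", 1004, 1108)] * 3
    + [("WriteProcessMemory", 1004, 2624)] * 4
    + [("WriteProcessMemory", 1004, 3156)] * 3
    + [("WriteProcessMemory", 1004, 2156)] * 3
    + [("WriteProcessMemory", 3156, 2832)] * 3
    + [("WriteProcessMemory", 2156, 2968)] * 4
    + [("WriteProcessMemory", 2156, 4820)] * 3
    + [("WriteProcessMemory", 4820, 2084)] * 3
    + [("SetThreadContext", 1004, 2624), ("SetThreadContext", 2156, 2968)]
)

# Assumed allow-list of signed .NET/Windows binaries commonly used as hollowing hosts.
HOLLOW_HOSTS = {"regasm.exe", "regsvcs.exe", "msbuild.exe", "aspnet_compiler.exe"}


def _image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def _no_arguments(cmdline, image):
    # Bare (possibly quoted) image path: a RegAsm.exe with no assembly to register.
    return cmdline.strip().strip('"').lower() == image.lower()


def find_hollowing(processes, events):
    """One finding per (parent, child) where the parent wrote into a host binary it launched
    without arguments. 'complete' is True only if SetThreadContext followed; in this report
    PIDs 2432 and 1108 were written to but never redirected."""
    writes, contexts = defaultdict(int), set()
    for api, src, dst in events:
        if api == "WriteProcessMemory":
            writes[(src, dst)] += 1
        elif api == "SetThreadContext":
            contexts.add((src, dst))
    findings = []
    for (src, dst), n in sorted(writes.items()):
        parent, image, cmdline = processes[dst]
        # A parent writing a few times into any child is ordinary process creation (the
        # report shows it for cmd.exe -> choice.exe too), so gate on host and arguments.
        if parent != src or _image_name(image) not in HOLLOW_HOSTS:
            continue
        if not _no_arguments(cmdline, image):
            continue
        findings.append({"parent": src, "child": dst, "host": _image_name(image),
                         "writes": n, "complete": (src, dst) in contexts})
    return findings


# cmd.exe /C choice /C Y /N /D Y /T <n> & Del "<path>": wait n seconds, then delete the file.
SELF_DELETE = re.compile(
    r'choice\s+/C\s+Y\s+/N\s+/D\s+Y\s+/T\s+(\d+)\s*&\s*del\s+"?([^"&]+?)"?\s*$', re.IGNORECASE)


def find_self_delete(processes):
    """Flag cmd.exe instances using the choice-delay-then-Del idiom and record whether the
    deleted path is the launching parent's own image (true self-deletion)."""
    findings = []
    for pid, (parent, image, cmdline) in sorted(processes.items()):
        if _image_name(image) != "cmd.exe":
            continue
        m = SELF_DELETE.search(cmdline)
        if not m:
            continue
        target = m.group(2).strip()
        parent_image = processes[parent][1] if parent in processes else ""
        findings.append({"pid": pid, "parent": parent, "delay_seconds": int(m.group(1)),
                         "deletes": target,
                         "deletes_parent_image": target.lower() == parent_image.lower()})
    return findings


if __name__ == "__main__":
    for f in find_hollowing(PROCESSES, EVENTS) + find_self_delete(PROCESSES):
        print(f)
```

Run stand-alone it prints four hollowing findings (two complete, two write-only) and two self-delete findings, each pointing at the parent's own image with a 3-second delay. The host allow-list and the no-arguments check are what keep the cmd.exe and choice.exe children, which also receive parent writes during normal process creation, out of the hollowing results.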
Network
MITRE ATT&CK Matrix

Discovery: Query Registry, System Information Discovery
Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation: no techniques mapped in this report

Downloads (memory dumps)

  • memory/1004-130-0x0000000000F80000-0x0000000001002000-memory.dmp
  • memory/1004-131-0x0000000005940000-0x00000000059D2000-memory.dmp
  • memory/1004-132-0x00000000070E0000-0x00000000070E3000-memory.dmp
  • memory/1004-135-0x0000000007730000-0x0000000007733000-memory.dmp
  • memory/2084-141-0x0000000000000000-mapping.dmp
  • memory/2156-137-0x0000000000000000-mapping.dmp
  • memory/2624-133-0x0000000000000000-mapping.dmp
  • memory/2624-136-0x0000000000400000-0x0000000000433000-memory.dmp
  • memory/2832-138-0x0000000000000000-mapping.dmp
  • memory/2968-139-0x0000000000000000-mapping.dmp
  • memory/2968-142-0x0000000000400000-0x0000000000433000-memory.dmp
  • memory/3156-134-0x0000000000000000-mapping.dmp
  • memory/4820-140-0x0000000000000000-mapping.dmp