Analysis
-
max time kernel
151s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
21-05-2022 00:49
General
-
Target
detail-information.exe
-
Size
494KB
-
MD5
07591af2349f8ebc5789fcb0b60c7c91
-
SHA1
828bcdd3d1e32d2ed0b0660fc92f41a562d4d466
-
SHA256
b50a0ea3d467e25e9c1917668e10f70e67434e468fcecbb1d3a927a3f105dbfa
-
SHA512
8bc1068c0d85f62176fe8e23ec23ecbcfaa1296d379c26ff5fe7ee274c5ef7d12b7a1fec44941eca9841af17c61c5c1b3ad50739fb5d5baadd72bf2feef48ad3
Score
10/10
Malware Config
Signatures
-
NetWire RAT payload 2 IoCs
-
Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 29 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\detail-information.exe"C:\Users\Admin\AppData\Local\Temp\detail-information.exe"1⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\detail-information.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 33⤵
-
C:\Users\Admin\AppData\Local\Temp\detail-information.exe"C:\Users\Admin\AppData\Local\Temp\detail-information.exe"2⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\detail-information.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 34⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1004-130-0x0000000000F80000-0x0000000001002000-memory.dmpFilesize
520KB
-
memory/1004-131-0x0000000005940000-0x00000000059D2000-memory.dmpFilesize
584KB
-
memory/1004-132-0x00000000070E0000-0x00000000070E3000-memory.dmpFilesize
12KB
-
memory/1004-135-0x0000000007730000-0x0000000007733000-memory.dmpFilesize
12KB
-
memory/2084-141-0x0000000000000000-mapping.dmp
-
memory/2156-137-0x0000000000000000-mapping.dmp
-
memory/2624-136-0x0000000000400000-0x0000000000433000-memory.dmpFilesize
204KB
-
memory/2624-133-0x0000000000000000-mapping.dmp
-
memory/2832-138-0x0000000000000000-mapping.dmp
-
memory/2968-139-0x0000000000000000-mapping.dmp
-
memory/2968-142-0x0000000000400000-0x0000000000433000-memory.dmpFilesize
204KB
-
memory/3156-134-0x0000000000000000-mapping.dmp
-
memory/4820-140-0x0000000000000000-mapping.dmp