Analysis
-
max time kernel
80s -
max time network
85s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
21-05-2022 01:49
General
-
Target
OrderList.exe
-
Size
616KB
-
MD5
1337cd4ad86e2a55d005dd32fdbe03f9
-
SHA1
a0a23d6ecb8c6a60503d0b593165310a6f8a1ab1
-
SHA256
be148ec34c1a4adc8afa7bd26f7951dc5f11984d07024a10b4af1c285f38b588
-
SHA512
8f83ecd25d858f35eb382254e87b45de11a0a884a88ab5fbf4938338ec185a5a8d9ec3dda04abc798d0355e65eedbbfccf7613315bf1962d08b095aecaa748fe
Malware Config
Extracted
netwire
gold1.dnsupdate.info:4770
79.134.225.79:4770
-
activex_autorun
false
- activex_key
-
copy_executable
false
-
delete_original
false
-
host_id
HostId-%Rand%
- install_path
-
keylogger_dir
%AppData%\Logs\
-
lock_executable
false
- mutex
-
offline_keylogger
true
-
password
Password
-
registry_autorun
false
- startup_name
-
use_mutex
false
Signatures
-
NetWire RAT payload 8 IoCs
-
Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\OrderList.exe"C:\Users\Admin\AppData\Local\Temp\OrderList.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\&startupname&" /XML "C:\Users\Admin\AppData\Local\Temp\tmp32D4.tmp"2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\OrderList.exe"{path}"2⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp32D4.tmpFilesize
1KB
MD5ab15c7fe3dc23f51a8ed4545eb54a9cb
SHA1206a5e711a5b8819deae10c568fa760a23d9308c
SHA2562889f7b15e75b474bfa37c720f216861f138e8e39e1d2f807ce751a21086674b
SHA51229b8f09dfa625fad63d6cae0fd9d9f9ea19a4b5a001138c5afb644c0d37f1cc2e7bf51a4242af433568b22b19613b1570a234474663cc659dd4ad54c7407a114
-
memory/432-61-0x0000000000400000-0x0000000000433000-memory.dmpFilesize
204KB
-
memory/432-64-0x0000000000400000-0x0000000000433000-memory.dmpFilesize
204KB
-
memory/432-73-0x0000000000400000-0x0000000000433000-memory.dmpFilesize
204KB
-
memory/432-58-0x0000000000400000-0x0000000000433000-memory.dmpFilesize
204KB
-
memory/432-59-0x0000000000400000-0x0000000000433000-memory.dmpFilesize
204KB
-
memory/432-72-0x0000000000400000-0x0000000000433000-memory.dmpFilesize
204KB
-
memory/432-63-0x0000000000400000-0x0000000000433000-memory.dmpFilesize
204KB
-
memory/432-69-0x000000000040242D-mapping.dmp
-
memory/432-65-0x0000000000400000-0x0000000000433000-memory.dmpFilesize
204KB
-
memory/432-67-0x0000000000400000-0x0000000000433000-memory.dmpFilesize
204KB
-
memory/432-68-0x0000000000400000-0x0000000000433000-memory.dmpFilesize
204KB
-
memory/1716-56-0x0000000000000000-mapping.dmp
-
memory/1892-54-0x0000000075801000-0x0000000075803000-memory.dmpFilesize
8KB
-
memory/1892-55-0x0000000074A30000-0x0000000074FDB000-memory.dmpFilesize
5.7MB