Analysis
- max time kernel: 153s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 01:19
Static task: static1
Behavioral task: behavioral1
- Sample: CPA accountant COVID_19 pandemic relief (20,000$).exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: CPA accountant COVID_19 pandemic relief (20,000$).exe
- Resource: win10v2004-20220414-en
General
- Target: CPA accountant COVID_19 pandemic relief (20,000$).exe
- Size: 584KB
- MD5: 1918fa86b99fda35462ec060e9c419bb
- SHA1: 3d393d15044bd193851297bdc94c38f44a6e1fd2
- SHA256: a34bd4c266e3891796816854e78d62384dcf36a8f456476e69d0dacf109d1737
- SHA512: b6cae10db3ecd2bebb5b017c7a09f46ef5a6f9a84747419d0b041b4b6b6769b43e4e4df2454d38c15b58f3a4e10f9d60eb416a1ef3383f32f8d62fd6a09dc15e
Malware Config
Extracted
- Family: netwire
- C2: 38.132.124.156:1199
- activex_autorun: false
- activex_key: (empty)
- copy_executable: false
- delete_original: false
- host_id: HostId-%Rand%
- install_path: (empty)
- keylogger_dir: %AppData%\Logs\
- lock_executable: false
- mutex: (empty)
- offline_keylogger: true
- password: 12345
- registry_autorun: true
- startup_name: ronies
- use_mutex: false
Signatures
- NetWire RAT payload (3 IoCs)
  resource | yara_rule
  behavioral2/memory/4872-143-0x0000000000400000-0x0000000000433000-memory.dmp | netwire
  behavioral2/memory/4872-146-0x0000000000400000-0x0000000000433000-memory.dmp | netwire
  behavioral2/memory/4872-147-0x0000000000400000-0x0000000000433000-memory.dmp | netwire
- Executes dropped EXE (2 IoCs)
  Processes: service.exe, service.exe
  pid | process
  5096 | service.exe
  4872 | service.exe
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: CPA accountant COVID_19 pandemic relief (20,000$).exe, service.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | CPA accountant COVID_19 pandemic relief (20,000$).exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | service.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: service.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ | service.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ronies = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe" | service.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes: service.exe
  description | pid | process | target process
  PID 5096 set thread context of 4872 | 5096 | service.exe | service.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: WINWORD.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: WINWORD.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
- Modifies registry class (1 IoC)
  Processes: CPA accountant COVID_19 pandemic relief (20,000$).exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings | CPA accountant COVID_19 pandemic relief (20,000$).exe
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes: WINWORD.EXE
  pid | process
  5004 | WINWORD.EXE
  5004 | WINWORD.EXE
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: service.exe
  pid | process
  5096 | service.exe
  5096 | service.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: service.exe
  description | pid | process
  Token: SeDebugPrivilege | 5096 | service.exe
- Suspicious use of SetWindowsHookEx (11 IoCs)
  Processes: WINWORD.EXE
  pid | process
  5004 | WINWORD.EXE
  5004 | WINWORD.EXE
  5004 | WINWORD.EXE
  5004 | WINWORD.EXE
  5004 | WINWORD.EXE
  5004 | WINWORD.EXE
  5004 | WINWORD.EXE
  5004 | WINWORD.EXE
  5004 | WINWORD.EXE
  5004 | WINWORD.EXE
  5004 | WINWORD.EXE
- Suspicious use of WriteProcessMemory (19 IoCs)
  Processes: CPA accountant COVID_19 pandemic relief (20,000$).exe, service.exe
  description | pid | process | target process
  PID 4316 wrote to memory of 5096 | 4316 | CPA accountant COVID_19 pandemic relief (20,000$).exe | service.exe
  PID 4316 wrote to memory of 5096 | 4316 | CPA accountant COVID_19 pandemic relief (20,000$).exe | service.exe
  PID 4316 wrote to memory of 5096 | 4316 | CPA accountant COVID_19 pandemic relief (20,000$).exe | service.exe
  PID 4316 wrote to memory of 5004 | 4316 | CPA accountant COVID_19 pandemic relief (20,000$).exe | WINWORD.EXE
  PID 4316 wrote to memory of 5004 | 4316 | CPA accountant COVID_19 pandemic relief (20,000$).exe | WINWORD.EXE
  PID 5096 wrote to memory of 216 | 5096 | service.exe | schtasks.exe
  PID 5096 wrote to memory of 216 | 5096 | service.exe | schtasks.exe
  PID 5096 wrote to memory of 216 | 5096 | service.exe | schtasks.exe
  PID 5096 wrote to memory of 4872 | 5096 | service.exe | service.exe
  PID 5096 wrote to memory of 4872 | 5096 | service.exe | service.exe
  PID 5096 wrote to memory of 4872 | 5096 | service.exe | service.exe
  PID 5096 wrote to memory of 4872 | 5096 | service.exe | service.exe
  PID 5096 wrote to memory of 4872 | 5096 | service.exe | service.exe
  PID 5096 wrote to memory of 4872 | 5096 | service.exe | service.exe
  PID 5096 wrote to memory of 4872 | 5096 | service.exe | service.exe
  PID 5096 wrote to memory of 4872 | 5096 | service.exe | service.exe
  PID 5096 wrote to memory of 4872 | 5096 | service.exe | service.exe
  PID 5096 wrote to memory of 4872 | 5096 | service.exe | service.exe
  PID 5096 wrote to memory of 4872 | 5096 | service.exe | service.exe
Processes
- Level 1: C:\Users\Admin\AppData\Local\Temp\CPA accountant COVID_19 pandemic relief (20,000$).exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\CPA accountant COVID_19 pandemic relief (20,000$).exe"
  Signatures:
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - Level 2: C:\Users\Admin\AppData\Local\Temp\service.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\service.exe"
    Signatures:
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - Level 3: C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HRgFfvmwT" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC4F6.tmp"
      Signatures:
      - Creates scheduled task(s)
    - Level 3: C:\Users\Admin\AppData\Local\Temp\service.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\service.exe"
      Signatures:
      - Executes dropped EXE
      - Adds Run key to start application
  - Level 2: C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\CPA accountant COVID_19 pandemic relief (20,000$).docx" /o ""
    Signatures:
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\CPA accountant COVID_19 pandemic relief (20,000$).docx
  Filesize: 68KB
  MD5: f5338a212a363459b7354fd8091d5501
  SHA1: d5f79a7e7a664147f71dc58988462c51f489e16b
  SHA256: 9a62f34e8c12aeed7a693399f5d17676c9af7b50865f160fc7eb4d709c252583
  SHA512: e033137c54ce92fec4d51f79d2cc79e6d6335060a1ba1f5ad0d30833749034c0c2c750e9cea9b654b1c36ea6cf67adddb08c0c165f46d75530cf7af1c1d81ab0
- C:\Users\Admin\AppData\Local\Temp\service.exe
  Filesize: 311KB
  MD5: a69b9cf282c900d55cd7452e039daf41
  SHA1: 0ea752ca500e4b9df336cb4438e7804d3b0186ad
  SHA256: 3e2526d2955b6709532d1a16a221882619690292dce1527a3399a8d704a4c79d
  SHA512: caa067276632186c0ef2e9bf821ad64aff680645a4d0436dac2cefa7aa99feb76cb6a52e672c325ba51783635388f32cd64c2a69f0aa52c1f8f37ab4d29d1765
- C:\Users\Admin\AppData\Local\Temp\service.exe
  Filesize: 311KB
  MD5: a69b9cf282c900d55cd7452e039daf41
  SHA1: 0ea752ca500e4b9df336cb4438e7804d3b0186ad
  SHA256: 3e2526d2955b6709532d1a16a221882619690292dce1527a3399a8d704a4c79d
  SHA512: caa067276632186c0ef2e9bf821ad64aff680645a4d0436dac2cefa7aa99feb76cb6a52e672c325ba51783635388f32cd64c2a69f0aa52c1f8f37ab4d29d1765
- C:\Users\Admin\AppData\Local\Temp\service.exe
  Filesize: 311KB
  MD5: a69b9cf282c900d55cd7452e039daf41
  SHA1: 0ea752ca500e4b9df336cb4438e7804d3b0186ad
  SHA256: 3e2526d2955b6709532d1a16a221882619690292dce1527a3399a8d704a4c79d
  SHA512: caa067276632186c0ef2e9bf821ad64aff680645a4d0436dac2cefa7aa99feb76cb6a52e672c325ba51783635388f32cd64c2a69f0aa52c1f8f37ab4d29d1765
- C:\Users\Admin\AppData\Local\Temp\tmpC4F6.tmp
  Filesize: 1KB
  MD5: eff579e5fc87c2f9fee0fa3c069e3467
  SHA1: 2e96a30600227dd3de6dd785a03a8677020608e2
  SHA256: 47251f00a39b3d2f3265eb41dd0847abd2e4cf690e0657250f51f7edadf196ef
  SHA512: 448732d4bac8d4feaf7dbf2a9894467201801a1af0e73fe52e88ba55fc72e72a9468820eba726cc83bc77f8b7a09c761b9dfb7024b02846e7d6a7344475c4273
- memory/216-140-0x0000000000000000-mapping.dmp
- memory/4872-146-0x0000000000400000-0x0000000000433000-memory.dmp
  Filesize: 204KB
- memory/4872-147-0x0000000000400000-0x0000000000433000-memory.dmp
  Filesize: 204KB
- memory/4872-143-0x0000000000400000-0x0000000000433000-memory.dmp
  Filesize: 204KB
- memory/4872-142-0x0000000000000000-mapping.dmp
- memory/5004-136-0x00007FF901770000-0x00007FF901780000-memory.dmp
  Filesize: 64KB
- memory/5004-135-0x00007FF901770000-0x00007FF901780000-memory.dmp
  Filesize: 64KB
- memory/5004-139-0x00007FF901770000-0x00007FF901780000-memory.dmp
  Filesize: 64KB
- memory/5004-138-0x00007FF901770000-0x00007FF901780000-memory.dmp
  Filesize: 64KB
- memory/5004-137-0x00007FF901770000-0x00007FF901780000-memory.dmp
  Filesize: 64KB
- memory/5004-148-0x00007FF8FF710000-0x00007FF8FF720000-memory.dmp
  Filesize: 64KB
- memory/5004-149-0x00007FF8FF710000-0x00007FF8FF720000-memory.dmp
  Filesize: 64KB
- memory/5004-133-0x0000000000000000-mapping.dmp
- memory/5096-134-0x0000000073060000-0x0000000073611000-memory.dmp
  Filesize: 5.7MB
- memory/5096-130-0x0000000000000000-mapping.dmp