General

Target: FADEX_16.exe
Filesize: 291KB
Completed: 21-05-2022 04:41
Task: behavioral1
Score: 10/10
MD5: 33a4cfe431ca51de83e78a58a0ba4631
SHA1: ce870eae750f10ec50dcfba2850ba3e0b7d50be8
SHA256: f24e45d41404cdbd5b3e88ef39f6b047d062ade5cb3bddbe2ad40d5331e27210
SHA512: fb1569a7bdc839875024c8cf29d41f8166b346b3b512a806e6f40af697a3c3cb95526caabf1431ad22fcbe284bde177cd837a87db1decce87cb1316cf9f044a3

Malware Config

Extracted

Family: netwire
C2: winx.xcapdatap.capetown:7390

Attributes
activex_autorun: false
activex_key:
copy_executable: false
delete_original: false
host_id: Jagz_$$$
install_path:
keylogger_dir: %AppData%\Logs\
lock_executable: false
mutex:
offline_keylogger: true
password: P@55w0rd!
registry_autorun: false
startup_name:
use_mutex: false
Signatures (9)

  • NetWire RAT payload

    Reported IOCs

    resource                                                                      yara_rule
    behavioral1/memory/1188-65-0x0000000000400000-0x0000000000433000-memory.dmp  netwire
    behavioral1/memory/1188-66-0x0000000000400000-0x0000000000433000-memory.dmp  netwire
    behavioral1/memory/1188-67-0x0000000000400000-0x0000000000433000-memory.dmp  netwire
    behavioral1/memory/1188-69-0x0000000000400000-0x0000000000433000-memory.dmp  netwire
    behavioral1/memory/1188-70-0x0000000000400000-0x0000000000433000-memory.dmp  netwire
    behavioral1/memory/1188-71-0x000000000040242D-mapping.dmp                    netwire
    behavioral1/memory/1188-74-0x0000000000400000-0x0000000000433000-memory.dmp  netwire
    behavioral1/memory/1188-75-0x0000000000400000-0x0000000000433000-memory.dmp  netwire
  • Netwire

    Description

    Netwire is a RAT whose main functionality is password stealing and keylogging, but it also includes remote control capabilities.

  • ReZer0 packer

    Description

    Detects ReZer0, a packer with multiple versions used in various campaigns.

    Reported IOCs

    resource                                                                      yara_rule
    behavioral1/memory/1956-56-0x00000000004B0000-0x00000000004E6000-memory.dmp  rezer0
  • Suspicious use of SetThreadContext
    FADEX_16.exe

    Reported IOCs

    description                            pid   process       target process
    PID 1956 set thread context of 1188    1956  FADEX_16.exe  FADEX_16.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Creates scheduled task(s)
    schtasks.exe

    Description

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    TTPs

    Scheduled Task

    Reported IOCs

    pid   process
    1736  schtasks.exe
  • Suspicious behavior: EnumeratesProcesses
    FADEX_16.exe

    Reported IOCs

    pid   process
    1956  FADEX_16.exe
    1956  FADEX_16.exe
  • Suspicious use of AdjustPrivilegeToken
    FADEX_16.exe

    Reported IOCs

    description               pid   process
    Token: SeDebugPrivilege   1956  FADEX_16.exe
  • Suspicious use of WriteProcessMemory
    FADEX_16.exe

    Reported IOCs

    description                         pid   process       target process
    PID 1956 wrote to memory of 1736    1956  FADEX_16.exe  schtasks.exe
    PID 1956 wrote to memory of 1736    1956  FADEX_16.exe  schtasks.exe
    PID 1956 wrote to memory of 1736    1956  FADEX_16.exe  schtasks.exe
    PID 1956 wrote to memory of 1736    1956  FADEX_16.exe  schtasks.exe
    PID 1956 wrote to memory of 1740    1956  FADEX_16.exe  FADEX_16.exe
    PID 1956 wrote to memory of 1740    1956  FADEX_16.exe  FADEX_16.exe
    PID 1956 wrote to memory of 1740    1956  FADEX_16.exe  FADEX_16.exe
    PID 1956 wrote to memory of 1740    1956  FADEX_16.exe  FADEX_16.exe
    PID 1956 wrote to memory of 1220    1956  FADEX_16.exe  FADEX_16.exe
    PID 1956 wrote to memory of 1220    1956  FADEX_16.exe  FADEX_16.exe
    PID 1956 wrote to memory of 1220    1956  FADEX_16.exe  FADEX_16.exe
    PID 1956 wrote to memory of 1220    1956  FADEX_16.exe  FADEX_16.exe
    PID 1956 wrote to memory of 1188    1956  FADEX_16.exe  FADEX_16.exe
    PID 1956 wrote to memory of 1188    1956  FADEX_16.exe  FADEX_16.exe
    PID 1956 wrote to memory of 1188    1956  FADEX_16.exe  FADEX_16.exe
    PID 1956 wrote to memory of 1188    1956  FADEX_16.exe  FADEX_16.exe
    PID 1956 wrote to memory of 1188    1956  FADEX_16.exe  FADEX_16.exe
    PID 1956 wrote to memory of 1188    1956  FADEX_16.exe  FADEX_16.exe
    PID 1956 wrote to memory of 1188    1956  FADEX_16.exe  FADEX_16.exe
    PID 1956 wrote to memory of 1188    1956  FADEX_16.exe  FADEX_16.exe
    PID 1956 wrote to memory of 1188    1956  FADEX_16.exe  FADEX_16.exe
    PID 1956 wrote to memory of 1188    1956  FADEX_16.exe  FADEX_16.exe
    PID 1956 wrote to memory of 1188    1956  FADEX_16.exe  FADEX_16.exe
    PID 1956 wrote to memory of 1188    1956  FADEX_16.exe  FADEX_16.exe
Processes (5)
  • C:\Users\Admin\AppData\Local\Temp\FADEX_16.exe
    "C:\Users\Admin\AppData\Local\Temp\FADEX_16.exe"
    Suspicious use of SetThreadContext
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:1956
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BElCbvvZQg" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2AAA.tmp"
      Creates scheduled task(s)
      PID:1736
    • C:\Users\Admin\AppData\Local\Temp\FADEX_16.exe
      "{path}"
      PID:1740
    • C:\Users\Admin\AppData\Local\Temp\FADEX_16.exe
      "{path}"
      PID:1220
    • C:\Users\Admin\AppData\Local\Temp\FADEX_16.exe
      "{path}"
      PID:1188
Network
Downloads
  • C:\Users\Admin\AppData\Local\Temp\tmp2AAA.tmp
    MD5: 61cd71051c88909cb200c5b09cd4d799
    SHA1: 9eced5c6282e85525c6c514f1ad08ac6e6de27ad
    SHA256: 4fdc1b7eed031eec27f3268c2b61407d5be9de76dbd1b2c535ade8a429867a78
    SHA512: 168495815c5b5b8029ac667564c8a4fcc9139751995b31c169a7e7f783c0567bc47e771a574ca531b4451cbe150f85f5e553f2bd929789994abca7b27818dcec
  • memory/1188-67-0x0000000000400000-0x0000000000433000-memory.dmp
  • memory/1188-74-0x0000000000400000-0x0000000000433000-memory.dmp
  • memory/1188-71-0x000000000040242D-mapping.dmp
  • memory/1188-70-0x0000000000400000-0x0000000000433000-memory.dmp
  • memory/1188-69-0x0000000000400000-0x0000000000433000-memory.dmp
  • memory/1188-60-0x0000000000400000-0x0000000000433000-memory.dmp
  • memory/1188-61-0x0000000000400000-0x0000000000433000-memory.dmp
  • memory/1188-63-0x0000000000400000-0x0000000000433000-memory.dmp
  • memory/1188-65-0x0000000000400000-0x0000000000433000-memory.dmp
  • memory/1188-66-0x0000000000400000-0x0000000000433000-memory.dmp
  • memory/1188-75-0x0000000000400000-0x0000000000433000-memory.dmp
  • memory/1736-58-0x0000000000000000-mapping.dmp
  • memory/1956-57-0x0000000075DB1000-0x0000000075DB3000-memory.dmp
  • memory/1956-56-0x00000000004B0000-0x00000000004E6000-memory.dmp
  • memory/1956-55-0x00000000001F0000-0x0000000000200000-memory.dmp
  • memory/1956-54-0x0000000000940000-0x000000000098E000-memory.dmp