General

Target: FADEX_16.exe
Filesize: 291KB
Completed: 21-05-2022 04:41
Task: behavioral2
Score: 10/10
MD5: 33a4cfe431ca51de83e78a58a0ba4631
SHA1: ce870eae750f10ec50dcfba2850ba3e0b7d50be8
SHA256: f24e45d41404cdbd5b3e88ef39f6b047d062ade5cb3bddbe2ad40d5331e27210
SHA512: fb1569a7bdc839875024c8cf29d41f8166b346b3b512a806e6f40af697a3c3cb95526caabf1431ad22fcbe284bde177cd837a87db1decce87cb1316cf9f044a3

Malware Config

Extracted

Family: netwire
C2: winx.xcapdatap.capetown:7390

Attributes
activex_autorun: false
activex_key:
copy_executable: false
delete_original: false
host_id: Jagz_$$$
install_path:
keylogger_dir: %AppData%\Logs\
lock_executable: false
mutex:
offline_keylogger: true
password: P@55w0rd!
registry_autorun: false
startup_name:
use_mutex: false
Signatures 9

  • NetWire RAT payload

    Tags

    Reported IOCs

    resource | yara_rule
    behavioral2/memory/4624-138-0x0000000000400000-0x0000000000433000-memory.dmp | netwire
    behavioral2/memory/4624-140-0x0000000000400000-0x0000000000433000-memory.dmp | netwire
  • Netwire

    Description

    Netwire is a RAT whose main functionality is focused on password stealing and keylogging, but it also includes remote control capabilities.

  • Checks computer location settings
    FADEX_16.exe

    Description

    Looks up country code configured in the registry, likely geofence.

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    description | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | FADEX_16.exe
  • Suspicious use of SetThreadContext
    FADEX_16.exe

    Reported IOCs

    description | pid | process | target process
    PID 4976 set thread context of 4624 | 4976 | FADEX_16.exe | FADEX_16.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Creates scheduled task(s)
    schtasks.exe

    Description

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    TTPs

    Scheduled Task

    Reported IOCs

    pid | process
    256 | schtasks.exe
  • Suspicious behavior: EnumeratesProcesses
    FADEX_16.exe

    Reported IOCs

    pid | process
    4976 | FADEX_16.exe
    4976 | FADEX_16.exe
  • Suspicious use of AdjustPrivilegeToken
    FADEX_16.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 4976 | FADEX_16.exe
  • Suspicious use of WriteProcessMemory
    FADEX_16.exe

    Reported IOCs

    description | pid | process | target process
    PID 4976 wrote to memory of 256 | 4976 | FADEX_16.exe | schtasks.exe
    PID 4976 wrote to memory of 256 | 4976 | FADEX_16.exe | schtasks.exe
    PID 4976 wrote to memory of 256 | 4976 | FADEX_16.exe | schtasks.exe
    PID 4976 wrote to memory of 1500 | 4976 | FADEX_16.exe | FADEX_16.exe
    PID 4976 wrote to memory of 1500 | 4976 | FADEX_16.exe | FADEX_16.exe
    PID 4976 wrote to memory of 1500 | 4976 | FADEX_16.exe | FADEX_16.exe
    PID 4976 wrote to memory of 4624 | 4976 | FADEX_16.exe | FADEX_16.exe
    PID 4976 wrote to memory of 4624 | 4976 | FADEX_16.exe | FADEX_16.exe
    PID 4976 wrote to memory of 4624 | 4976 | FADEX_16.exe | FADEX_16.exe
    PID 4976 wrote to memory of 4624 | 4976 | FADEX_16.exe | FADEX_16.exe
    PID 4976 wrote to memory of 4624 | 4976 | FADEX_16.exe | FADEX_16.exe
    PID 4976 wrote to memory of 4624 | 4976 | FADEX_16.exe | FADEX_16.exe
    PID 4976 wrote to memory of 4624 | 4976 | FADEX_16.exe | FADEX_16.exe
    PID 4976 wrote to memory of 4624 | 4976 | FADEX_16.exe | FADEX_16.exe
    PID 4976 wrote to memory of 4624 | 4976 | FADEX_16.exe | FADEX_16.exe
    PID 4976 wrote to memory of 4624 | 4976 | FADEX_16.exe | FADEX_16.exe
    PID 4976 wrote to memory of 4624 | 4976 | FADEX_16.exe | FADEX_16.exe
Processes 4
  • C:\Users\Admin\AppData\Local\Temp\FADEX_16.exe
    "C:\Users\Admin\AppData\Local\Temp\FADEX_16.exe"
    Checks computer location settings
    Suspicious use of SetThreadContext
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:4976
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BElCbvvZQg" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1B82.tmp"
      Creates scheduled task(s)
      PID:256
    • C:\Users\Admin\AppData\Local\Temp\FADEX_16.exe
      "{path}"
      PID:1500
    • C:\Users\Admin\AppData\Local\Temp\FADEX_16.exe
      "{path}"
      PID:4624
Network

MITRE ATT&CK Matrix

Tactics: Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation
Downloads
  • C:\Users\Admin\AppData\Local\Temp\tmp1B82.tmp

    MD5: c8642594b101f95d4159bb48eacdee84
    SHA1: f7fde5bf2ed63d97544bb3298e4f7bfc87117840
    SHA256: e0f1ab66affb018d910b4dbe9d6034c133862480665074083d8d5d85c1e5f47f
    SHA512: 606d44169cfd5f86183ffa201eabf4a1aa1c0a3e64ca2b0542ebb2ffb9fd4cb9ecb8dfc6a5d5d64600860c448262dc9735113708bb15718bcd8a3aabc3902973

  • memory/256-134-0x0000000000000000-mapping.dmp
  • memory/1500-136-0x0000000000000000-mapping.dmp
  • memory/4624-137-0x0000000000000000-mapping.dmp
  • memory/4624-138-0x0000000000400000-0x0000000000433000-memory.dmp
  • memory/4624-140-0x0000000000400000-0x0000000000433000-memory.dmp
  • memory/4976-130-0x00000000008F0000-0x000000000093E000-memory.dmp
  • memory/4976-131-0x0000000005350000-0x00000000053EC000-memory.dmp
  • memory/4976-132-0x0000000005490000-0x0000000005522000-memory.dmp
  • memory/4976-133-0x0000000006090000-0x0000000006634000-memory.dmp