Analysis
-
max time kernel
96s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
21-05-2022 03:08
Static task
static1
Behavioral task
behavioral1
Sample
FADEX_16.exe
Resource
win7-20220414-en
General
-
Target
FADEX_16.exe
-
Size
291KB
-
MD5
33a4cfe431ca51de83e78a58a0ba4631
-
SHA1
ce870eae750f10ec50dcfba2850ba3e0b7d50be8
-
SHA256
f24e45d41404cdbd5b3e88ef39f6b047d062ade5cb3bddbe2ad40d5331e27210
-
SHA512
fb1569a7bdc839875024c8cf29d41f8166b346b3b512a806e6f40af697a3c3cb95526caabf1431ad22fcbe284bde177cd837a87db1decce87cb1316cf9f044a3
Malware Config
Extracted
netwire
winx.xcapdatap.capetown:7390
-
activex_autorun
false
- activex_key
-
copy_executable
false
-
delete_original
false
-
host_id
Jagz_$$$
- install_path
-
keylogger_dir
%AppData%\Logs\
-
lock_executable
false
- mutex
-
offline_keylogger
true
-
password
P@55w0rd!
-
registry_autorun
false
- startup_name
-
use_mutex
false
Signatures
-
NetWire RAT payload 2 IoCs
Processes:
resource yara_rule behavioral2/memory/4624-138-0x0000000000400000-0x0000000000433000-memory.dmp netwire behavioral2/memory/4624-140-0x0000000000400000-0x0000000000433000-memory.dmp netwire -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
FADEX_16.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation FADEX_16.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
FADEX_16.exedescription pid process target process PID 4976 set thread context of 4624 4976 FADEX_16.exe FADEX_16.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
FADEX_16.exepid process 4976 FADEX_16.exe 4976 FADEX_16.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
FADEX_16.exedescription pid process Token: SeDebugPrivilege 4976 FADEX_16.exe -
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
FADEX_16.exedescription pid process target process PID 4976 wrote to memory of 256 4976 FADEX_16.exe schtasks.exe PID 4976 wrote to memory of 256 4976 FADEX_16.exe schtasks.exe PID 4976 wrote to memory of 256 4976 FADEX_16.exe schtasks.exe PID 4976 wrote to memory of 1500 4976 FADEX_16.exe FADEX_16.exe PID 4976 wrote to memory of 1500 4976 FADEX_16.exe FADEX_16.exe PID 4976 wrote to memory of 1500 4976 FADEX_16.exe FADEX_16.exe PID 4976 wrote to memory of 4624 4976 FADEX_16.exe FADEX_16.exe PID 4976 wrote to memory of 4624 4976 FADEX_16.exe FADEX_16.exe PID 4976 wrote to memory of 4624 4976 FADEX_16.exe FADEX_16.exe PID 4976 wrote to memory of 4624 4976 FADEX_16.exe FADEX_16.exe PID 4976 wrote to memory of 4624 4976 FADEX_16.exe FADEX_16.exe PID 4976 wrote to memory of 4624 4976 FADEX_16.exe FADEX_16.exe PID 4976 wrote to memory of 4624 4976 FADEX_16.exe FADEX_16.exe PID 4976 wrote to memory of 4624 4976 FADEX_16.exe FADEX_16.exe PID 4976 wrote to memory of 4624 4976 FADEX_16.exe FADEX_16.exe PID 4976 wrote to memory of 4624 4976 FADEX_16.exe FADEX_16.exe PID 4976 wrote to memory of 4624 4976 FADEX_16.exe FADEX_16.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\FADEX_16.exe"C:\Users\Admin\AppData\Local\Temp\FADEX_16.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BElCbvvZQg" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1B82.tmp"2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\FADEX_16.exe"{path}"2⤵
-
C:\Users\Admin\AppData\Local\Temp\FADEX_16.exe"{path}"2⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp1B82.tmpFilesize
1KB
MD5c8642594b101f95d4159bb48eacdee84
SHA1f7fde5bf2ed63d97544bb3298e4f7bfc87117840
SHA256e0f1ab66affb018d910b4dbe9d6034c133862480665074083d8d5d85c1e5f47f
SHA512606d44169cfd5f86183ffa201eabf4a1aa1c0a3e64ca2b0542ebb2ffb9fd4cb9ecb8dfc6a5d5d64600860c448262dc9735113708bb15718bcd8a3aabc3902973
-
memory/256-134-0x0000000000000000-mapping.dmp
-
memory/1500-136-0x0000000000000000-mapping.dmp
-
memory/4624-137-0x0000000000000000-mapping.dmp
-
memory/4624-138-0x0000000000400000-0x0000000000433000-memory.dmpFilesize
204KB
-
memory/4624-140-0x0000000000400000-0x0000000000433000-memory.dmpFilesize
204KB
-
memory/4976-130-0x00000000008F0000-0x000000000093E000-memory.dmpFilesize
312KB
-
memory/4976-131-0x0000000005350000-0x00000000053EC000-memory.dmpFilesize
624KB
-
memory/4976-132-0x0000000005490000-0x0000000005522000-memory.dmpFilesize
584KB
-
memory/4976-133-0x0000000006090000-0x0000000006634000-memory.dmpFilesize
5.6MB