Analysis
max time kernel: 148s
max time network: 160s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 01-07-2022 03:22

Static task: static1

Behavioral task: behavioral1
  Sample: 9a467bed83e79cad5de5137aa5c956dc3dfd2297d5e400e45505b994ddab9b96.exe
  Resource: win7-20220414-en

Behavioral task: behavioral2
  Sample: 9a467bed83e79cad5de5137aa5c956dc3dfd2297d5e400e45505b994ddab9b96.exe
  Resource: win10v2004-20220414-en
General
Target: 9a467bed83e79cad5de5137aa5c956dc3dfd2297d5e400e45505b994ddab9b96.exe
Size: 652KB
MD5: 5d548ef0bc655dea29f8427b71c675e7
SHA1: 1252e4fcd256b45d33861383c28220cbcc478f6c
SHA256: 9a467bed83e79cad5de5137aa5c956dc3dfd2297d5e400e45505b994ddab9b96
SHA512: cb02f742c5cf26a5a39afba5654df56f761320fe2cd1f960f4a6c8aa861c797740cb1d74e7d38fae90c4e599a6d6d1514ce79f7bb2ddb1b1e56a6456312697b4
Malware Config
Signatures
NetWire RAT payload (3 IoCs)
Processes:
  resource                                                         | yara_rule
  behavioral2/memory/372-147-0x0000000000430000-0x0000000000455000-memory.dmp | netwire
  behavioral2/memory/372-150-0x0000000000430000-0x0000000000455000-memory.dmp | netwire
  behavioral2/memory/372-154-0x0000000000430000-0x0000000000455000-memory.dmp | netwire
Executes dropped EXE (1 IoC)
Processes:
  pid  | process
  5100 | scxzca.exe
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence.
Processes:
  description       | ioc                                                                                                    | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | 9a467bed83e79cad5de5137aa5c956dc3dfd2297d5e400e45505b994ddab9b96.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | scxzca.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description     | ioc                                                                                                                                                   | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\scxzca = "C:\\Users\\Admin\\AppData\\Local\\scxzca.exe" | scxzca.exe
Suspicious use of SetThreadContext (1 IoC)
Processes:
  description                          | pid  | process    | target process
  PID 5100 set thread context of 372   | 5100 | scxzca.exe | svchost.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash (1 IoC)
Processes:
  pid  | pid_target | process      | target process
  1584 | 372        | WerFault.exe | svchost.exe
NTFS ADS (3 IoCs)
Processes:
  description                  | ioc                                                                                                                   | process
  File opened for modification | C:\Users\Admin\AppData\Local\scxzca.exe:Zone.Identifier                                                               | cmd.exe
  File created                 | C:\Users\Admin\AppData\Local\Temp\9a467bed83e79cad5de5137aa5c956dc3dfd2297d5e400e45505b994ddab9b96.exe:Zone.Identifier | cmd.exe
  File created                 | C:\Users\Admin\AppData\Local\scxzca.exe\:Zone.Identifier:$DATA                                                        | cmd.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description              | pid  | process
  Token: SeDebugPrivilege  | 2884 | 9a467bed83e79cad5de5137aa5c956dc3dfd2297d5e400e45505b994ddab9b96.exe
  Token: SeDebugPrivilege  | 5100 | scxzca.exe
Suspicious use of WriteProcessMemory (25 IoCs)
Processes:
  description                        | pid  | process                                                               | target process
  PID 2884 wrote to memory of 3588   | 2884 | 9a467bed83e79cad5de5137aa5c956dc3dfd2297d5e400e45505b994ddab9b96.exe | cmd.exe
  PID 2884 wrote to memory of 3588   | 2884 | 9a467bed83e79cad5de5137aa5c956dc3dfd2297d5e400e45505b994ddab9b96.exe | cmd.exe
  PID 2884 wrote to memory of 3588   | 2884 | 9a467bed83e79cad5de5137aa5c956dc3dfd2297d5e400e45505b994ddab9b96.exe | cmd.exe
  PID 2884 wrote to memory of 4168   | 2884 | 9a467bed83e79cad5de5137aa5c956dc3dfd2297d5e400e45505b994ddab9b96.exe | cmd.exe
  PID 2884 wrote to memory of 4168   | 2884 | 9a467bed83e79cad5de5137aa5c956dc3dfd2297d5e400e45505b994ddab9b96.exe | cmd.exe
  PID 2884 wrote to memory of 4168   | 2884 | 9a467bed83e79cad5de5137aa5c956dc3dfd2297d5e400e45505b994ddab9b96.exe | cmd.exe
  PID 2884 wrote to memory of 4028   | 2884 | 9a467bed83e79cad5de5137aa5c956dc3dfd2297d5e400e45505b994ddab9b96.exe | cmd.exe
  PID 2884 wrote to memory of 4028   | 2884 | 9a467bed83e79cad5de5137aa5c956dc3dfd2297d5e400e45505b994ddab9b96.exe | cmd.exe
  PID 2884 wrote to memory of 4028   | 2884 | 9a467bed83e79cad5de5137aa5c956dc3dfd2297d5e400e45505b994ddab9b96.exe | cmd.exe
  PID 4028 wrote to memory of 5100   | 4028 | cmd.exe                                                               | scxzca.exe
  PID 4028 wrote to memory of 5100   | 4028 | cmd.exe                                                               | scxzca.exe
  PID 4028 wrote to memory of 5100   | 4028 | cmd.exe                                                               | scxzca.exe
  PID 5100 wrote to memory of 2032   | 5100 | scxzca.exe                                                            | cmd.exe
  PID 5100 wrote to memory of 2032   | 5100 | scxzca.exe                                                            | cmd.exe
  PID 5100 wrote to memory of 2032   | 5100 | scxzca.exe                                                            | cmd.exe
  PID 5100 wrote to memory of 372    | 5100 | scxzca.exe                                                            | svchost.exe
  PID 5100 wrote to memory of 372    | 5100 | scxzca.exe                                                            | svchost.exe
  PID 5100 wrote to memory of 372    | 5100 | scxzca.exe                                                            | svchost.exe
  PID 5100 wrote to memory of 372    | 5100 | scxzca.exe                                                            | svchost.exe
  PID 5100 wrote to memory of 372    | 5100 | scxzca.exe                                                            | svchost.exe
  PID 5100 wrote to memory of 372    | 5100 | scxzca.exe                                                            | svchost.exe
  PID 5100 wrote to memory of 372    | 5100 | scxzca.exe                                                            | svchost.exe
  PID 5100 wrote to memory of 372    | 5100 | scxzca.exe                                                            | svchost.exe
  PID 5100 wrote to memory of 372    | 5100 | scxzca.exe                                                            | svchost.exe
  PID 5100 wrote to memory of 372    | 5100 | scxzca.exe                                                            | svchost.exe
Processes (tree, indented by depth)

C:\Users\Admin\AppData\Local\Temp\9a467bed83e79cad5de5137aa5c956dc3dfd2297d5e400e45505b994ddab9b96.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9a467bed83e79cad5de5137aa5c956dc3dfd2297d5e400e45505b994ddab9b96.exe"
  PID: 2884
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\Temp\9a467bed83e79cad5de5137aa5c956dc3dfd2297d5e400e45505b994ddab9b96.exe:Zone.Identifier"
      PID: 3588
      - NTFS ADS

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\9a467bed83e79cad5de5137aa5c956dc3dfd2297d5e400e45505b994ddab9b96.exe" "C:\Users\Admin\AppData\Local\scxzca.exe"
      PID: 4168
      - NTFS ADS

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Local\scxzca.exe"
      PID: 4028
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\scxzca.exe
          Command line: "C:\Users\Admin\AppData\Local\scxzca.exe"
          PID: 5100
          - Executes dropped EXE
          - Checks computer location settings
          - Adds Run key to start application
          - Suspicious use of SetThreadContext
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\cmd.exe
              Command line: "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\scxzca.exe:Zone.Identifier"
              PID: 2032
              - NTFS ADS

            C:\Windows\SysWOW64\svchost.exe
              Command line: C:\Windows\system32\svchost.exe
              PID: 372

                C:\Windows\SysWOW64\WerFault.exe
                  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 372 -s 320
                  PID: 1584
                  - Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 372 -ip 372
  PID: 2140
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 652KB
MD5: 5d548ef0bc655dea29f8427b71c675e7
SHA1: 1252e4fcd256b45d33861383c28220cbcc478f6c
SHA256: 9a467bed83e79cad5de5137aa5c956dc3dfd2297d5e400e45505b994ddab9b96
SHA512: cb02f742c5cf26a5a39afba5654df56f761320fe2cd1f960f4a6c8aa861c797740cb1d74e7d38fae90c4e599a6d6d1514ce79f7bb2ddb1b1e56a6456312697b4