Analysis

  • max time kernel
    148s
  • max time network
    160s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    01-07-2022 03:22

General

  • Target

    9a467bed83e79cad5de5137aa5c956dc3dfd2297d5e400e45505b994ddab9b96.exe

  • Size

    652KB

  • MD5

    5d548ef0bc655dea29f8427b71c675e7

  • SHA1

    1252e4fcd256b45d33861383c28220cbcc478f6c

  • SHA256

    9a467bed83e79cad5de5137aa5c956dc3dfd2297d5e400e45505b994ddab9b96

  • SHA512

    cb02f742c5cf26a5a39afba5654df56f761320fe2cd1f960f4a6c8aa861c797740cb1d74e7d38fae90c4e599a6d6d1514ce79f7bb2ddb1b1e56a6456312697b4

Malware Config

Signatures

  • NetWire RAT payload 3 IoCs
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • NTFS ADS 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9a467bed83e79cad5de5137aa5c956dc3dfd2297d5e400e45505b994ddab9b96.exe
    "C:\Users\Admin\AppData\Local\Temp\9a467bed83e79cad5de5137aa5c956dc3dfd2297d5e400e45505b994ddab9b96.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2884
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\Temp\9a467bed83e79cad5de5137aa5c956dc3dfd2297d5e400e45505b994ddab9b96.exe:Zone.Identifier"
      2⤵
      • NTFS ADS
      PID:3588
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\9a467bed83e79cad5de5137aa5c956dc3dfd2297d5e400e45505b994ddab9b96.exe" "C:\Users\Admin\AppData\Local\scxzca.exe"
      2⤵
      • NTFS ADS
      PID:4168
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Local\scxzca.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4028
      • C:\Users\Admin\AppData\Local\scxzca.exe
        "C:\Users\Admin\AppData\Local\scxzca.exe"
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:5100
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\scxzca.exe:Zone.Identifier"
          4⤵
          • NTFS ADS
          PID:2032
        • C:\Windows\SysWOW64\svchost.exe
          C:\Windows\system32\svchost.exe
          4⤵
            PID:372
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 372 -s 320
              5⤵
              • Program crash
              PID:1584
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 372 -ip 372
      1⤵
        PID:2140

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\scxzca.exe

        Filesize

        652KB

        MD5

        5d548ef0bc655dea29f8427b71c675e7

        SHA1

        1252e4fcd256b45d33861383c28220cbcc478f6c

        SHA256

        9a467bed83e79cad5de5137aa5c956dc3dfd2297d5e400e45505b994ddab9b96

        SHA512

        cb02f742c5cf26a5a39afba5654df56f761320fe2cd1f960f4a6c8aa861c797740cb1d74e7d38fae90c4e599a6d6d1514ce79f7bb2ddb1b1e56a6456312697b4

      • C:\Users\Admin\AppData\Local\scxzca.exe

        Filesize

        652KB

        MD5

        5d548ef0bc655dea29f8427b71c675e7

        SHA1

        1252e4fcd256b45d33861383c28220cbcc478f6c

        SHA256

        9a467bed83e79cad5de5137aa5c956dc3dfd2297d5e400e45505b994ddab9b96

        SHA512

        cb02f742c5cf26a5a39afba5654df56f761320fe2cd1f960f4a6c8aa861c797740cb1d74e7d38fae90c4e599a6d6d1514ce79f7bb2ddb1b1e56a6456312697b4

      • memory/372-154-0x0000000000430000-0x0000000000455000-memory.dmp

        Filesize

        148KB

      • memory/372-150-0x0000000000430000-0x0000000000455000-memory.dmp

        Filesize

        148KB

      • memory/372-147-0x0000000000430000-0x0000000000455000-memory.dmp

        Filesize

        148KB

      • memory/372-145-0x0000000000000000-mapping.dmp

      • memory/2032-142-0x0000000000000000-mapping.dmp

      • memory/2884-134-0x0000000006870000-0x0000000006E14000-memory.dmp

        Filesize

        5.6MB

      • memory/2884-136-0x00000000059F0000-0x0000000005A12000-memory.dmp

        Filesize

        136KB

      • memory/2884-135-0x0000000006490000-0x0000000006652000-memory.dmp

        Filesize

        1.8MB

      • memory/2884-130-0x0000000000DC0000-0x0000000000E6A000-memory.dmp

        Filesize

        680KB

      • memory/2884-132-0x00000000058E0000-0x0000000005972000-memory.dmp

        Filesize

        584KB

      • memory/2884-131-0x00000000057D0000-0x0000000005836000-memory.dmp

        Filesize

        408KB

      • memory/3588-133-0x0000000000000000-mapping.dmp

      • memory/4028-138-0x0000000000000000-mapping.dmp

      • memory/4168-137-0x0000000000000000-mapping.dmp

      • memory/5100-139-0x0000000000000000-mapping.dmp

      • memory/5100-143-0x0000000006270000-0x000000000630C000-memory.dmp

        Filesize

        624KB

      • memory/5100-144-0x0000000006220000-0x0000000006242000-memory.dmp

        Filesize

        136KB