Analysis
- max time kernel: 132s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 01-07-2022 08:02
Static task: static1
Behavioral task: behavioral1
  Sample: 3e44e780a76526026a6ddbcea40043e5fd098bf107b0b68f7d9d232eb72ae574.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 3e44e780a76526026a6ddbcea40043e5fd098bf107b0b68f7d9d232eb72ae574.exe
  Resource: win10v2004-20220414-en
General
- Target: 3e44e780a76526026a6ddbcea40043e5fd098bf107b0b68f7d9d232eb72ae574.exe
- Size: 626KB
- MD5: d2b8bfc68681f6e58838eff7a2cb33c0
- SHA1: 1c365788f6d248efea2a1a7f574efd610866deff
- SHA256: 3e44e780a76526026a6ddbcea40043e5fd098bf107b0b68f7d9d232eb72ae574
- SHA512: 6eeb7aa28dd1a038d8cf87b50c7bc46496cbb6e0b2181ea01bf9b0c0b3601229f84845a6025a21357b2fede93ac34ead37fd96809b0f914f89cae7ca4f43a6dc
Malware Config
Extracted: netwire
- 185.101.93.198:8681
- 185.101.93.198:9691
- 89.46.223.154:8585
- 89.46.223.154:1194
- activex_autorun: false
- copy_executable: false
- delete_original: false
- host_id: HostId-%Rand%
- keylogger_dir: %AppData%\Logs\
- lock_executable: false
- offline_keylogger: true
- password: Password
- registry_autorun: false
- use_mutex: false
Signatures
- NetWire RAT payload (1 IoCs)
  Processes:
  resource | yara_rule
  behavioral2/memory/3952-147-0x0000000000400000-0x000000000042C000-memory.dmp | netwire
- Executes dropped EXE (2 IoCs)
  Processes: plesk.exe, plesk.exe
  pid | process
  4564 | plesk.exe
  3952 | plesk.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: 3e44e780a76526026a6ddbcea40043e5fd098bf107b0b68f7d9d232eb72ae574.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | 3e44e780a76526026a6ddbcea40043e5fd098bf107b0b68f7d9d232eb72ae574.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: WScript.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows\CurrentVersion\Run | WScript.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AHDSKD87372930473JNDKSKSNSBG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\plesk\\plesk.vbs -FF" | WScript.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: plesk.exe
  description | pid | process | target process
  PID 4564 set thread context of 3952 | 4564 | plesk.exe | plesk.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (1 IoCs)
  Processes: 3e44e780a76526026a6ddbcea40043e5fd098bf107b0b68f7d9d232eb72ae574.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings | 3e44e780a76526026a6ddbcea40043e5fd098bf107b0b68f7d9d232eb72ae574.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: 3e44e780a76526026a6ddbcea40043e5fd098bf107b0b68f7d9d232eb72ae574.exe, plesk.exe
  pid | process
  4468 | 3e44e780a76526026a6ddbcea40043e5fd098bf107b0b68f7d9d232eb72ae574.exe
  4564 | plesk.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 3e44e780a76526026a6ddbcea40043e5fd098bf107b0b68f7d9d232eb72ae574.exe, plesk.exe
  description | pid | process | target process
  PID 4468 wrote to memory of 4712 | 4468 | 3e44e780a76526026a6ddbcea40043e5fd098bf107b0b68f7d9d232eb72ae574.exe | WScript.exe
  PID 4468 wrote to memory of 4712 | 4468 | 3e44e780a76526026a6ddbcea40043e5fd098bf107b0b68f7d9d232eb72ae574.exe | WScript.exe
  PID 4468 wrote to memory of 4712 | 4468 | 3e44e780a76526026a6ddbcea40043e5fd098bf107b0b68f7d9d232eb72ae574.exe | WScript.exe
  PID 4468 wrote to memory of 4564 | 4468 | 3e44e780a76526026a6ddbcea40043e5fd098bf107b0b68f7d9d232eb72ae574.exe | plesk.exe
  PID 4468 wrote to memory of 4564 | 4468 | 3e44e780a76526026a6ddbcea40043e5fd098bf107b0b68f7d9d232eb72ae574.exe | plesk.exe
  PID 4468 wrote to memory of 4564 | 4468 | 3e44e780a76526026a6ddbcea40043e5fd098bf107b0b68f7d9d232eb72ae574.exe | plesk.exe
  PID 4564 wrote to memory of 3952 | 4564 | plesk.exe | plesk.exe
  PID 4564 wrote to memory of 3952 | 4564 | plesk.exe | plesk.exe
  PID 4564 wrote to memory of 3952 | 4564 | plesk.exe | plesk.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\3e44e780a76526026a6ddbcea40043e5fd098bf107b0b68f7d9d232eb72ae574.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3e44e780a76526026a6ddbcea40043e5fd098bf107b0b68f7d9d232eb72ae574.exe"
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\plesk\plesk.vbs"
    - Adds Run key to start application
  - C:\Users\Admin\AppData\Local\Temp\plesk\plesk.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\plesk\plesk.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\plesk\plesk.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\plesk\plesk.exe"
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\plesk\plesk.exe
  Filesize: 626KB
  MD5: d2b8bfc68681f6e58838eff7a2cb33c0
  SHA1: 1c365788f6d248efea2a1a7f574efd610866deff
  SHA256: 3e44e780a76526026a6ddbcea40043e5fd098bf107b0b68f7d9d232eb72ae574
  SHA512: 6eeb7aa28dd1a038d8cf87b50c7bc46496cbb6e0b2181ea01bf9b0c0b3601229f84845a6025a21357b2fede93ac34ead37fd96809b0f914f89cae7ca4f43a6dc
- C:\Users\Admin\AppData\Local\Temp\plesk\plesk.vbs
  Filesize: 1024B
  MD5: f964ef1908684af0edaffac5e9be4e20
  SHA1: 65b65b4a3398ab4cdd0c4ab1db6eb25f6172cb2c
  SHA256: bba4125f2fabc793609bec64ec8e26c920a2e4213b4eeab3fac338bb716e9143
  SHA512: 26cfd088e96766041ace82a7483cc620eb8ccf7765b6b9f7e987c2eb18561ee895c7f6e66d90712e8d50a88c87a35a3266a1db5829bb1ff0b749af9791a5eda1
- memory/3952-143-0x0000000000000000-mapping.dmp
- memory/3952-147-0x0000000000400000-0x000000000042C000-memory.dmp
  Filesize: 176KB
- memory/3952-153-0x00000000770E0000-0x0000000077283000-memory.dmp
  Filesize: 1.6MB
- memory/4468-138-0x00000000770E0000-0x0000000077283000-memory.dmp
  Filesize: 1.6MB
- memory/4468-132-0x0000000002390000-0x0000000002396000-memory.dmp
  Filesize: 24KB
- memory/4468-133-0x00000000770E0000-0x0000000077283000-memory.dmp
  Filesize: 1.6MB
- memory/4564-135-0x0000000000000000-mapping.dmp
- memory/4564-142-0x00000000770E0000-0x0000000077283000-memory.dmp
  Filesize: 1.6MB
- memory/4564-145-0x00000000770E0000-0x0000000077283000-memory.dmp
  Filesize: 1.6MB
- memory/4712-134-0x0000000000000000-mapping.dmp