Analysis
-
max time kernel
112s -
max time network
138s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
08-07-2022 11:16
Static task
static1
Behavioral task
behavioral1
Sample
41afcc620b9a87add5322f3f17d563bb.exe
Resource
win7-20220414-en
General
-
Target
41afcc620b9a87add5322f3f17d563bb.exe
-
Size
75KB
-
MD5
41afcc620b9a87add5322f3f17d563bb
-
SHA1
308238e449d97520e21cfb601feb15193bf89a68
-
SHA256
7418fd3ec75f43bed921ecf2df4ba922fbd86c2e1e158bf309bbee13d4374125
-
SHA512
1dde37ed40097e22543f95f29db4fe7b5f7c0c68f11e738491f36a2121a6fa54578d4dadb3988f84f42b903559326684b374704d46a2c4fc7d6e12f87a397754
Malware Config
Extracted
netwire
194.5.98.176:3363
194.5.98.176:3365
-
activex_autorun
false
-
copy_executable
false
-
delete_original
false
-
host_id
HostId-%Rand%
-
keylogger_dir
%AppData%\Logs\
-
lock_executable
false
-
offline_keylogger
true
-
password
power2022
-
registry_autorun
false
-
use_mutex
false
Signatures
-
NetWire RAT payload 4 IoCs
Processes:
resource yara_rule behavioral2/memory/3644-143-0x0000000000400000-0x0000000000433000-memory.dmp netwire behavioral2/memory/3644-145-0x0000000000400000-0x0000000000433000-memory.dmp netwire behavioral2/memory/3644-146-0x0000000000400000-0x0000000000433000-memory.dmp netwire behavioral2/memory/3644-147-0x0000000000400000-0x0000000000433000-memory.dmp netwire -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
41afcc620b9a87add5322f3f17d563bb.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation 41afcc620b9a87add5322f3f17d563bb.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
41afcc620b9a87add5322f3f17d563bb.exedescription pid process target process PID 4236 set thread context of 3644 4236 41afcc620b9a87add5322f3f17d563bb.exe InstallUtil.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
powershell.exe41afcc620b9a87add5322f3f17d563bb.exepid process 4472 powershell.exe 4472 powershell.exe 4236 41afcc620b9a87add5322f3f17d563bb.exe 4236 41afcc620b9a87add5322f3f17d563bb.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
41afcc620b9a87add5322f3f17d563bb.exepowershell.exedescription pid process Token: SeDebugPrivilege 4236 41afcc620b9a87add5322f3f17d563bb.exe Token: SeDebugPrivilege 4472 powershell.exe -
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
41afcc620b9a87add5322f3f17d563bb.exedescription pid process target process PID 4236 wrote to memory of 4472 4236 41afcc620b9a87add5322f3f17d563bb.exe powershell.exe PID 4236 wrote to memory of 4472 4236 41afcc620b9a87add5322f3f17d563bb.exe powershell.exe PID 4236 wrote to memory of 4472 4236 41afcc620b9a87add5322f3f17d563bb.exe powershell.exe PID 4236 wrote to memory of 3644 4236 41afcc620b9a87add5322f3f17d563bb.exe InstallUtil.exe PID 4236 wrote to memory of 3644 4236 41afcc620b9a87add5322f3f17d563bb.exe InstallUtil.exe PID 4236 wrote to memory of 3644 4236 41afcc620b9a87add5322f3f17d563bb.exe InstallUtil.exe PID 4236 wrote to memory of 3644 4236 41afcc620b9a87add5322f3f17d563bb.exe InstallUtil.exe PID 4236 wrote to memory of 3644 4236 41afcc620b9a87add5322f3f17d563bb.exe InstallUtil.exe PID 4236 wrote to memory of 3644 4236 41afcc620b9a87add5322f3f17d563bb.exe InstallUtil.exe PID 4236 wrote to memory of 3644 4236 41afcc620b9a87add5322f3f17d563bb.exe InstallUtil.exe PID 4236 wrote to memory of 3644 4236 41afcc620b9a87add5322f3f17d563bb.exe InstallUtil.exe PID 4236 wrote to memory of 3644 4236 41afcc620b9a87add5322f3f17d563bb.exe InstallUtil.exe PID 4236 wrote to memory of 3644 4236 41afcc620b9a87add5322f3f17d563bb.exe InstallUtil.exe PID 4236 wrote to memory of 3644 4236 41afcc620b9a87add5322f3f17d563bb.exe InstallUtil.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\41afcc620b9a87add5322f3f17d563bb.exe"C:\Users\Admin\AppData\Local\Temp\41afcc620b9a87add5322f3f17d563bb.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4236 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4472 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe2⤵PID:3644