Analysis
max time kernel: 149s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20220721-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-07-2022 04:48
Static task: static1
Behavioral task: behavioral1
Sample: 647f075a30a3b628fa2b988223dde0f69bb0149b33fced9a78806de23ab7937c.exe
Resource: win7-20220715-en
General
Target: 647f075a30a3b628fa2b988223dde0f69bb0149b33fced9a78806de23ab7937c.exe
Size: 1.2MB
MD5: 1bea501f52f6075bb7ca051ad4454e8c
SHA1: 73f2f06dfa4a91bda577df01ac6b55189126f9ed
SHA256: 647f075a30a3b628fa2b988223dde0f69bb0149b33fced9a78806de23ab7937c
SHA512: 130ad7fd52c0f72fbb4bc13387bcc2d36d4dede4f2000bf2bba4d5a1f97f4e0ff71b18541179264be5e0502a2584444766c1e564fb90ba2623ed4875c9e78dde
Malware Config
Extracted configuration (family: netwire)
C2: info1.nowddns.com:5552
activex_autorun: false
copy_executable: false
delete_original: false
host_id: Sms v2.0
keylogger_dir: %AppData%\Logs\
lock_executable: false
mutex: wBXPRhxS
offline_keylogger: true
password: caster
registry_autorun: false
use_mutex: true
Signatures
NetWire RAT payload (4 IoCs)
resource / yara_rule:
- behavioral2/memory/1216-137-0x0000000000F80000-0x00000000016AC000-memory.dmp: netwire
- behavioral2/memory/1216-138-0x0000000000F82BCB-mapping.dmp: netwire
- behavioral2/memory/1216-140-0x0000000000F80000-0x00000000016AC000-memory.dmp: netwire
- behavioral2/memory/1216-141-0x0000000000F80000-0x00000000016AC000-memory.dmp: netwire
Disables Task Manager via registry modification
Executes dropped EXE (1 IoC)
pid / process:
- 3656 svs.exe
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description / ioc / process:
- Key value queried: \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation (647f075a30a3b628fa2b988223dde0f69bb0149b33fced9a78806de23ab7937c.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation (WScript.exe)
Drops startup file (2 IoCs)
description / ioc / process:
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk (svs.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk (svs.exe)
Adds Run key to start application (2 TTPs, 4 IoCs)
description / ioc / process:
- Key created: \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce (svs.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\14712696 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\14712696\\start.vbs" (svs.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run (svs.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\14712696\\svs.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\14712696\\DXV_FC~1" (svs.exe)
Suspicious use of SetThreadContext (1 IoC)
description / pid / process / target process:
- PID 3656 (svs.exe) set thread context of PID 1216 (RegSvcs.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies registry class (2 IoCs)
description / ioc / process:
- Key created: \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings (647f075a30a3b628fa2b988223dde0f69bb0149b33fced9a78806de23ab7937c.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (WScript.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid / process:
- 3656 svs.exe (the same entry is listed 64 times)
Suspicious use of WriteProcessMemory (11 IoCs)
description / pid / process / target process:
- PID 4280 (647f075a30a3b628fa2b988223dde0f69bb0149b33fced9a78806de23ab7937c.exe) wrote to memory of PID 4708 (WScript.exe), 3 events
- PID 4708 (WScript.exe) wrote to memory of PID 3656 (svs.exe), 3 events
- PID 3656 (svs.exe) wrote to memory of PID 1216 (RegSvcs.exe), 5 events
Processes
C:\Users\Admin\AppData\Local\Temp\647f075a30a3b628fa2b988223dde0f69bb0149b33fced9a78806de23ab7937c.exe (PID 4280)
  Command line: "C:\Users\Admin\AppData\Local\Temp\647f075a30a3b628fa2b988223dde0f69bb0149b33fced9a78806de23ab7937c.exe"
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\WScript.exe (PID 4708, child of 4280)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\14712696\pgq.vbs"
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\14712696\svs.exe (PID 3656, child of 4708)
      Command line: "C:\Users\Admin\AppData\Local\Temp\14712696\svs.exe" dxv=fcp
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (PID 1216, child of 3656)
        Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
Network
MITRE ATT&CK Enterprise v6
Downloads