Analysis
-
max time kernel
148s
-
max time network
151s
-
platform
windows10-2004_x64
-
resource
win10v2004-20220721-en
-
resource tags
arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
-
submitted
31-07-2022 06:21
Static task
static1
Behavioral task
behavioral1
Sample
602c739be9c3c942bc0684d824d5aa52ff7bca30abb2c8261dc0106c2571b7a2.exe
Resource
win7-20220715-en
General
-
Target
602c739be9c3c942bc0684d824d5aa52ff7bca30abb2c8261dc0106c2571b7a2.exe
-
Size
1.4MB
-
MD5
77f0f467f4dd24a29e61427720c0ca1e
-
SHA1
7877047c7ac9bf91a13a7c5d6eae70460f3d3d5b
-
SHA256
602c739be9c3c942bc0684d824d5aa52ff7bca30abb2c8261dc0106c2571b7a2
-
SHA512
078e4904880602085ac61e016c5bc3a8fd4081b4b46f8d15fa594211b9224324e21765e58706c86b2bfbc21cda2d85220fd8b53ebc38bb4f46f5545ee8d6e5d8
Malware Config
Extracted
netwire
185.125.205.84:6394
-
activex_autorun
true
-
activex_key
{A21KRE7N-163G-58R1-55FA-N5EO6T322124}
-
copy_executable
false
-
delete_original
false
-
host_id
HostId-%Rand%
-
keylogger_dir
%AppData%\Logs\
-
lock_executable
false
-
offline_keylogger
true
-
password
Password
-
registry_autorun
false
-
use_mutex
false
Extracted
formbook
3.9
ch
sfbayfoodie.com
tridonics.com
got-stuff.com
vvk2.com
legacytrailsurgery.com
lintec-europeuk.com
pqbs4all.online
tensionon.com
5pkmko5-ddz.com
anuvallie.com
chornatastudio.com
hydroponic.today
soluinformatic.com
senero.info
pdblm.com
zumarecordings.com
vfun.ltd
hanyiwaimai.com
sourcingdog.com
hntgwl.com
katzenpension-happycat.com
mellovr.com
mybabyrompers.com
randolphinsnc.com
wemuggle.com
asalusul.online
myfireatl.com
hskclub.com
sherry5.com
ukpropertyessentials.com
bionanox.com
wnrjqq.info
uploadmetothe.cloud
aplusmathematicstution.com
lookez-nous.com
districtnewsbeat.com
media-think.com
arquitecturacoherente.com
wobe.ltd
philips-futurelab.com
iaminvisiblebeauty.com
businessfinancialaid.com
facehack.tech
eurodak.com
dvubfs.men
vrbitman.com
gwia.business
thenumberfactory.com
verify-sms-id.com
fortun8.enterprises
relydorn.net
metanewpower.com
wyn.vin
61666hb.com
cybertronichosting.com
26999dd.com
lefraje.com
8v9c.com
softwarevest.com
daotaonghethammythequeen.com
andreas-theurer.info
metodobrains.net
softonlab.com
terminalstream.com
wireboz.com
Signatures
-
NetWire RAT payload 2 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\Host.exe | netwire
C:\Users\Admin\AppData\Local\Temp\Host.exe | netwire
-
Formbook payload 4 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\bin.exe | formbook
C:\Users\Admin\AppData\Local\Temp\bin.exe | formbook
behavioral2/memory/4504-151-0x0000000000DC0000-0x0000000000DEA000-memory.dmp | formbook
behavioral2/memory/4504-154-0x0000000000DC0000-0x0000000000DEA000-memory.dmp | formbook
-
Adds policy Run key to start application 2 TTPs 2 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | systray.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\0LVPDZIXD = "C:\\Program Files (x86)\\D-zwlan7\\dtuhc60nu.exe" | systray.exe
-
Executes dropped EXE 2 IoCs
Processes:
pid | process
2948 | Host.exe
1492 | bin.exe
-
Modifies Installed Components in the registry 2 TTPs 2 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A21KRE7N-163G-58R1-55FA-N5EO6T322124} | Host.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A21KRE7N-163G-58R1-55FA-N5EO6T322124}\StubPath = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Host.exe\"" | Host.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation | 602c739be9c3c942bc0684d824d5aa52ff7bca30abb2c8261dc0106c2571b7a2.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 4 IoCs
Processes:
description | pid | process | target process
PID 3360 set thread context of 4760 | 3360 | 602c739be9c3c942bc0684d824d5aa52ff7bca30abb2c8261dc0106c2571b7a2.exe | 602c739be9c3c942bc0684d824d5aa52ff7bca30abb2c8261dc0106c2571b7a2.exe
PID 1492 set thread context of 1032 | 1492 | bin.exe | Explorer.EXE
PID 1492 set thread context of 1032 | 1492 | bin.exe | Explorer.EXE
PID 4504 set thread context of 1032 | 4504 | systray.exe | Explorer.EXE
-
Drops file in Program Files directory 1 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Program Files (x86)\D-zwlan7\dtuhc60nu.exe | systray.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Internet Explorer settings
Processes:
description | ioc | process
Key created | \Registry\User\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | systray.exe
-
Suspicious behavior: EnumeratesProcesses 52 IoCs
Processes:
pid | process
1492 | bin.exe (6 entries)
4504 | systray.exe (46 entries)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
1032 | Explorer.EXE
-
Suspicious behavior: MapViewOfSection 6 IoCs
Processes:
pid | process
1492 | bin.exe (4 entries)
4504 | systray.exe (2 entries)
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1492 | bin.exe
Token: SeDebugPrivilege | 4504 | systray.exe
Token: SeShutdownPrivilege | 1032 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 1032 | Explorer.EXE
Token: SeShutdownPrivilege | 1032 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 1032 | Explorer.EXE
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes:
description | pid | process | target process
PID 3360 wrote to memory of 4760 | 3360 | 602c739be9c3c942bc0684d824d5aa52ff7bca30abb2c8261dc0106c2571b7a2.exe | 602c739be9c3c942bc0684d824d5aa52ff7bca30abb2c8261dc0106c2571b7a2.exe (5 entries)
PID 4760 wrote to memory of 2948 | 4760 | 602c739be9c3c942bc0684d824d5aa52ff7bca30abb2c8261dc0106c2571b7a2.exe | Host.exe (3 entries)
PID 4760 wrote to memory of 1492 | 4760 | 602c739be9c3c942bc0684d824d5aa52ff7bca30abb2c8261dc0106c2571b7a2.exe | bin.exe (3 entries)
PID 1032 wrote to memory of 4504 | 1032 | Explorer.EXE | systray.exe (3 entries)
PID 4504 wrote to memory of 3216 | 4504 | systray.exe | cmd.exe (3 entries)
PID 4504 wrote to memory of 2784 | 4504 | systray.exe | cmd.exe (3 entries)
-
Processes
-
[1] C:\Windows\Explorer.EXE
    command line: C:\Windows\Explorer.EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\602c739be9c3c942bc0684d824d5aa52ff7bca30abb2c8261dc0106c2571b7a2.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\602c739be9c3c942bc0684d824d5aa52ff7bca30abb2c8261dc0106c2571b7a2.exe"
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Local\Temp\602c739be9c3c942bc0684d824d5aa52ff7bca30abb2c8261dc0106c2571b7a2.exe
            command line: "C:\Users\Admin\AppData\Local\Temp\602c739be9c3c942bc0684d824d5aa52ff7bca30abb2c8261dc0106c2571b7a2.exe"
            - Checks computer location settings
            - Suspicious use of WriteProcessMemory
            [4] C:\Users\Admin\AppData\Local\Temp\Host.exe
                command line: "C:\Users\Admin\AppData\Local\Temp\Host.exe"
                - Executes dropped EXE
                - Modifies Installed Components in the registry
            [4] C:\Users\Admin\AppData\Local\Temp\bin.exe
                command line: "C:\Users\Admin\AppData\Local\Temp\bin.exe"
                - Executes dropped EXE
                - Suspicious use of SetThreadContext
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious behavior: MapViewOfSection
                - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\SysWOW64\systray.exe
        command line: "C:\Windows\SysWOW64\systray.exe"
        - Adds policy Run key to start application
        - Suspicious use of SetThreadContext
        - Drops file in Program Files directory
        - Modifies Internet Explorer settings
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\cmd.exe
            command line: /c del "C:\Users\Admin\AppData\Local\Temp\bin.exe"
        [3] C:\Windows\SysWOW64\cmd.exe
            command line: /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\DB1
Filesize 40KB
MD5 b608d407fc15adea97c26936bc6f03f6
SHA1 953e7420801c76393902c0d6bb56148947e41571
SHA256 b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
SHA512 cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4
-
C:\Users\Admin\AppData\Local\Temp\Host.exe
Filesize 131KB
MD5 bd8c30632482740d0a8c121c79b34115
SHA1 3efa6dec1eb8f3e6302c09bfa999819ad9657f08
SHA256 61df713215e4cb220b89b8d72fd8bed17e2f06fa6fe3e410c62e198f6a68e199
SHA512 24a91881d22b564c88b3197ec1f02acb4011f64b85ded622506c477ef236076ff5f59dda16c4b14ab31651d478ce2e26a604d2f3b8622a1bba2c290700ce99d3
-
C:\Users\Admin\AppData\Local\Temp\bin.exe
Filesize 167KB
MD5 62ed8d7db5e96d9b46679e698736499e
SHA1 e59344f8552682d73501182ac71bf79876b4e085
SHA256 16e599296fc19b3383a0122d861ea59cb8f68f0d814dfff8b656b67b21f98718
SHA512 67c1e03c0a7717a48f9dc95d73f03e24f1ca613bda9c3e1e08f50e6a27758e90367a159c8aef8cc8dc81aba864796d2fbde24fcd8a2565a5f192cb0df87c74d2
-
C:\Users\Admin\AppData\Roaming\L-0A962E\L-0logim.jpeg
Filesize 76KB
MD5 33e5586fe9080aef4e3b62712f027c6b
SHA1 50eff5d939328cf86fa4259db3bb3765ed804887
SHA256 811422b62563b1c6e09fdab658e0f7fadd619a8636c723257dadf412543403ec
SHA512 3b405774b1b747971d06d1500a801ba336cc648771eee41d7045654bdaf98dbeda51d6332652f887524b0d0b0e39d8c7424411d1aa00b562809f8f4edd489f41
-
C:\Users\Admin\AppData\Roaming\L-0A962E\L-0logrg.ini
Filesize 38B
MD5 4aadf49fed30e4c9b3fe4a3dd6445ebe
SHA1 1e332822167c6f351b99615eada2c30a538ff037
SHA256 75034beb7bded9aeab5748f4592b9e1419256caec474065d43e531ec5cc21c56
SHA512 eb5b3908d5e7b43ba02165e092f05578f45f15a148b4c3769036aa542c23a0f7cd2bc2770cf4119a7e437de3f681d9e398511f69f66824c516d9b451bb95f945
-
C:\Users\Admin\AppData\Roaming\L-0A962E\L-0logri.ini
Filesize 40B
MD5 d63a82e5d81e02e399090af26db0b9cb
SHA1 91d0014c8f54743bba141fd60c9d963f869d76c9
SHA256 eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae
SHA512 38afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad
-
C:\Users\Admin\AppData\Roaming\L-0A962E\L-0logrv.ini
Filesize 872B
MD5 bbc41c78bae6c71e63cb544a6a284d94
SHA1 33f2c1d9fa0e9c99b80bc2500621e95af38b1f9a
SHA256 ee83c6bcea9353c74bfc0a7e739f3c4a765ace894470e09cdcdebba700b8d4cb
SHA512 0aea424b57adae3e14ad6491cab585f554b4dffe601b5a17bad6ee6177d2f0f995e419cde576e2d1782b9bddc0661aada11a2c9f1454ae625d9e3223635ec9f4
-
memory/1032-144-0x0000000008770000-0x000000000889A000-memory.dmp
Filesize 1.2MB
-
memory/1032-153-0x0000000003110000-0x00000000031F4000-memory.dmp
Filesize 912KB
-
memory/1032-146-0x00000000085F0000-0x000000000875E000-memory.dmp
Filesize 1.4MB
-
memory/1032-155-0x0000000003110000-0x00000000031F4000-memory.dmp
Filesize 912KB
-
memory/1492-143-0x0000000000A30000-0x0000000000A44000-memory.dmp
Filesize 80KB
-
memory/1492-145-0x0000000002810000-0x0000000002824000-memory.dmp
Filesize 80KB
-
memory/1492-142-0x0000000000A80000-0x0000000000DCA000-memory.dmp
Filesize 3.3MB
-
memory/1492-139-0x0000000000000000-mapping.dmp
-
memory/2784-157-0x0000000000000000-mapping.dmp
-
memory/2948-136-0x0000000000000000-mapping.dmp
-
memory/3216-148-0x0000000000000000-mapping.dmp
-
memory/4504-147-0x0000000000000000-mapping.dmp
-
memory/4504-154-0x0000000000DC0000-0x0000000000DEA000-memory.dmp
Filesize 168KB
-
memory/4504-152-0x0000000002D50000-0x0000000002DE3000-memory.dmp
Filesize 588KB
-
memory/4504-150-0x0000000002F10000-0x000000000325A000-memory.dmp
Filesize 3.3MB
-
memory/4504-151-0x0000000000DC0000-0x0000000000DEA000-memory.dmp
Filesize 168KB
-
memory/4504-149-0x0000000000CF0000-0x0000000000CF6000-memory.dmp
Filesize 24KB
-
memory/4760-130-0x0000000000000000-mapping.dmp
-
memory/4760-135-0x0000000000400000-0x000000000042F000-memory.dmp
Filesize 188KB
-
memory/4760-131-0x0000000000400000-0x000000000042F000-memory.dmp
Filesize 188KB