Analysis
- max time kernel: 157s
- max time network: 168s
- platform: windows10-2004_x64
- resource: win10v2004-20220721-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-08-2022 05:28
- Static task: static1
- Behavioral task: behavioral1
  Sample: INV03483287732.exe
  Resource: win7-20220715-en
General
- Target: INV03483287732.exe
- Size: 776KB
- MD5: 47bae5149fb9832906bf16c11296eb5e
- SHA1: df8c1b31cfe3d63ec5252e86296bc62efceafc05
- SHA256: f310b643bdb799627e5b28339b5f455129d61bfd4fb50bdc802b052038c7eb1a
- SHA512: 032f6363b9bf234a24105164eda3aa6b047ca9abcbf8ae7b7640087c201847cc87fa5082f8526357f0b1bbb9216ac582344c3498805aa8ab2810ca114ae0ec26
Malware Config
Extracted family: netwire
C2: 149.102.132.253:3399
- activex_autorun: false
- copy_executable: false
- delete_original: false
- host_id: HostId-%Rand%
- lock_executable: false
- offline_keylogger: false
- password: Password
- registry_autorun: false
- use_mutex: false
Signatures
- NetWire RAT payload (4 IoCs)
  Processes (resource | yara_rule):
  behavioral2/memory/2696-142-0x0000000000400000-0x0000000000450000-memory.dmp | netwire
  behavioral2/memory/2696-143-0x0000000000400000-0x0000000000450000-memory.dmp | netwire
  behavioral2/memory/2696-146-0x0000000000400000-0x0000000000450000-memory.dmp | netwire
  behavioral2/memory/2696-147-0x0000000000400000-0x0000000000450000-memory.dmp | netwire
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description | ioc | process):
  Key value queried | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation | INV03483287732.exe
- Uses the VBS compiler for execution (1 TTP)
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description | pid | process | target process):
  PID 4648 set thread context of 2696 | 4648 | INV03483287732.exe | vbc.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (24 IoCs)
  Processes (pid | process):
  4648 | INV03483287732.exe (22 entries)
  4852 | powershell.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description | pid | process):
  Token: SeDebugPrivilege | 4648 | INV03483287732.exe
  Token: SeDebugPrivilege | 4852 | powershell.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes (description | pid | process | target process):
  PID 4648 wrote to memory of 4852 | 4648 | INV03483287732.exe | powershell.exe (3 entries)
  PID 4648 wrote to memory of 3400 | 4648 | INV03483287732.exe | schtasks.exe (3 entries)
  PID 4648 wrote to memory of 2696 | 4648 | INV03483287732.exe | vbc.exe (10 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\INV03483287732.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\INV03483287732.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\qdrQEmCoUNC.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qdrQEmCoUNC" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6731.tmp"
    - Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp6731.tmp
  Filesize: 1KB
  MD5: 8fb2f375e712c2156e0d1e4f95ed2ec7
  SHA1: cfed50102bf1026f8896298370d52aad7073d2f7
  SHA256: 5eeee2d0f0cef6704f68a937bca9ffc92fd064d03b0decd4f374c9a3f92b47b5
  SHA512: b1c3dc5a44af25e93dd1efa3f980c119070d1ab9406ded26a8038a12b80218a4977ac5343b3b05a61526ddef54f3424f49c79b15a8b2d150cd350ce0a383255c
- memory/2696-147-0x0000000000400000-0x0000000000450000-memory.dmp
  Filesize: 320KB
- memory/2696-146-0x0000000000400000-0x0000000000450000-memory.dmp
  Filesize: 320KB
- memory/2696-143-0x0000000000400000-0x0000000000450000-memory.dmp
  Filesize: 320KB
- memory/2696-142-0x0000000000400000-0x0000000000450000-memory.dmp
  Filesize: 320KB
- memory/2696-141-0x0000000000000000-mapping.dmp
- memory/3400-137-0x0000000000000000-mapping.dmp
- memory/4648-135-0x0000000005420000-0x0000000005486000-memory.dmp
  Filesize: 408KB
- memory/4648-131-0x0000000005EB0000-0x0000000006454000-memory.dmp
  Filesize: 5.6MB
- memory/4648-132-0x00000000059F0000-0x0000000005A82000-memory.dmp
  Filesize: 584KB
- memory/4648-133-0x0000000005A90000-0x0000000005A9A000-memory.dmp
  Filesize: 40KB
- memory/4648-130-0x0000000000F80000-0x0000000001048000-memory.dmp
  Filesize: 800KB
- memory/4648-134-0x0000000001970000-0x0000000001A0C000-memory.dmp
  Filesize: 624KB
- memory/4852-140-0x00000000057E0000-0x0000000005E08000-memory.dmp
  Filesize: 6.2MB
- memory/4852-144-0x0000000005640000-0x0000000005662000-memory.dmp
  Filesize: 136KB
- memory/4852-136-0x0000000000000000-mapping.dmp
- memory/4852-145-0x0000000005760000-0x00000000057C6000-memory.dmp
  Filesize: 408KB
- memory/4852-138-0x0000000005170000-0x00000000051A6000-memory.dmp
  Filesize: 216KB
- memory/4852-148-0x0000000006600000-0x000000000661E000-memory.dmp
  Filesize: 120KB
- memory/4852-149-0x0000000006D60000-0x0000000006D92000-memory.dmp
  Filesize: 200KB
- memory/4852-150-0x0000000070560000-0x00000000705AC000-memory.dmp
  Filesize: 304KB
- memory/4852-151-0x00000000066B0000-0x00000000066CE000-memory.dmp
  Filesize: 120KB