Analysis
-
max time kernel
149s
-
max time network
141s
-
platform
windows10-2004_x64
-
resource
win10v2004-20220721-en
-
resource tags
arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
-
submitted
02-08-2022 18:01
Behavioral task
behavioral1
Sample
3564b2127c519a9e39b63f0e6994a3d1.exe
Resource
win7-20220715-en
General
-
Target
3564b2127c519a9e39b63f0e6994a3d1.exe
-
Size
160KB
-
MD5
3564b2127c519a9e39b63f0e6994a3d1
-
SHA1
158c22dea6eb92f518af7ea947e08521a904e3ad
-
SHA256
09103f6536c9315c4d1cfa28a4105a2e9bd06f5c432bb62dc5a2b1d0b5902fdd
-
SHA512
37bdd044469917c500a4d4cfc8b8280207198be956bb208efdac7a74dc3a49b97df237885ece8bf8d3e0c9642156c24285e9ed8fa27adad32adbde6613fc5029
Malware Config
Extracted
family
netwire
-
c2
37.0.14.206:3384
-
activex_autorun
false
-
copy_executable
true
-
delete_original
false
-
host_id
HostId-%Rand%
-
install_path
%AppData%\Install\Host.exe
-
keylogger_dir
%AppData%\Logs\
-
lock_executable
true
-
offline_keylogger
true
-
password
Password234
-
registry_autorun
false
-
use_mutex
false
Signatures
-
NetWire RAT payload 2 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Roaming\Install\Host.exe | netwire
C:\Users\Admin\AppData\Roaming\Install\Host.exe | netwire
-
Executes dropped EXE 1 IoCs
Processes:
pid | process
4692 | Host.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation | 3564b2127c519a9e39b63f0e6994a3d1.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature rates it as likely ransomware behaviour; nothing else in this report (no file encryption, no mass file writes) supports that reading, and for a NetWire RAT the same call pattern is consistent with ordinary drive enumeration.
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
description | pid | process | target process
PID 3736 wrote to memory of 4692 | 3736 | 3564b2127c519a9e39b63f0e6994a3d1.exe | Host.exe
PID 3736 wrote to memory of 4692 | 3736 | 3564b2127c519a9e39b63f0e6994a3d1.exe | Host.exe
PID 3736 wrote to memory of 4692 | 3736 | 3564b2127c519a9e39b63f0e6994a3d1.exe | Host.exe
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\3564b2127c519a9e39b63f0e6994a3d1.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\3564b2127c519a9e39b63f0e6994a3d1.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
-
   2. C:\Users\Admin\AppData\Roaming\Install\Host.exe (child of 1)
      Command line: "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
      - Executes dropped EXE
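The extracted config above (C2, install_path, keylogger_dir, copy_executable) and the signatures and process tree together describe everything a detection needs: a drop to %AppData%\Install\Host.exe, execution of that file with the same hash as the sample, the parent writing into the child's memory, writes under %AppData%\Logs\, and a connection to 37.0.14.206:3384. The following is an added example, not code from the sandbox report or from the sandbox vendor, that turns those values into checks and runs them over constructed Sysmon-style events. The event field names follow Sysmon conventions (Image, TargetFilename, TargetImage, GrantedAccess, DestinationIp), the events themselves and the rule names are assumptions made up for the example, and the %AppData% placeholder is resolved for any user rather than only the sandbox's "Admin".

```python
# Added example, not part of the sandbox report: derive detection checks from the
# report's extracted NetWire config ("Malware Config") and its "Signatures", and
# run them over constructed Sysmon-style events. Field names follow Sysmon
# conventions; the events and the rule names are made up for this example.
import ipaddress
import re

# Copied from the report's "Malware Config" and "General" sections.
C2 = "37.0.14.206:3384"
INSTALL_PATH = "%AppData%\\Install\\Host.exe"
KEYLOGGER_DIR = "%AppData%\\Logs\\"
SAMPLE_SHA256 = "09103f6536c9315c4d1cfa28a4105a2e9bd06f5c432bb62dc5a2b1d0b5902fdd"

PROCESS_VM_WRITE = 0x0020  # access right WriteProcessMemory needs on the target


def parse_c2(value):
    """Split 'ip:port' into a validated (ip, port) pair."""
    host, port = value.rsplit(":", 1)
    return str(ipaddress.ip_address(host)), int(port)


def appdata_regex(template, exact):
    """Compile a NetWire %AppData% template into a case-insensitive regex that
    matches the roaming profile of any local user (the sandbox user is 'Admin';
    a real host will differ). exact=True anchors to the full path."""
    tail = re.escape(template.replace("%AppData%", ""))
    pattern = r"^[A-Z]:\\Users\\[^\\]+\\AppData\\Roaming" + tail
    if exact:
        pattern += "$"
    return re.compile(pattern, re.IGNORECASE)


INSTALL_RE = appdata_regex(INSTALL_PATH, exact=True)
KEYLOG_RE = appdata_regex(KEYLOGGER_DIR, exact=False)


def sha256_of(event):
    """Pull the SHA256 out of a Sysmon 'Hashes' field such as 'MD5=...,SHA256=...'."""
    for part in event.get("Hashes", "").split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().lower()
    return None


def detect(events):
    """Return (rule, event index) pairs for every event matching a report-derived check."""
    c2_ip, c2_port = parse_c2(C2)
    hits = []
    for i, ev in enumerate(events):
        eid = ev["EventID"]
        if eid == 11 and INSTALL_RE.match(ev["TargetFilename"]):
            hits.append(("netwire.install_path.drop", i))
        if eid == 11 and KEYLOG_RE.match(ev["TargetFilename"]):
            hits.append(("netwire.keylogger_dir.write", i))
        if eid == 1 and INSTALL_RE.match(ev["Image"]):
            # copy_executable=true: the installed copy is byte-identical to the
            # submitted sample, so the sample's SHA256 is a usable hash IoC too.
            if sha256_of(ev) == SAMPLE_SHA256:
                hits.append(("netwire.known_sample.exec", i))
            else:
                hits.append(("netwire.install_path.exec", i))
        if (eid == 10 and INSTALL_RE.match(ev["TargetImage"])
                and int(ev["GrantedAccess"], 16) & PROCESS_VM_WRITE):
            # the report's "Suspicious use of WriteProcessMemory": the parent
            # (PID 3736) writing into the dropped child (PID 4692)
            hits.append(("netwire.parent_writes_child", i))
        if eid == 3 and ev["DestinationIp"] == c2_ip and int(ev["DestinationPort"]) == c2_port:
            hits.append(("netwire.c2_connect", i))
    return hits


# Constructed telemetry for this example (not from the report). The first five
# events mirror the report's behaviour; the last two are benign look-alikes.
SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\3564b2127c519a9e39b63f0e6994a3d1.exe"
HOST_EXE = r"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
EVENTS = [
    {"EventID": 11, "Image": SAMPLE_EXE, "TargetFilename": HOST_EXE},
    {"EventID": 1, "Image": HOST_EXE, "ParentImage": SAMPLE_EXE,
     "Hashes": "MD5=3564b2127c519a9e39b63f0e6994a3d1,SHA256=" + SAMPLE_SHA256},
    {"EventID": 10, "SourceImage": SAMPLE_EXE, "TargetImage": HOST_EXE, "GrantedAccess": "0x1FFFFF"},
    {"EventID": 3, "Image": HOST_EXE, "DestinationIp": "37.0.14.206", "DestinationPort": 3384},
    {"EventID": 11, "Image": HOST_EXE, "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Logs\keys.log"},
    # same IP but a different port, and a same-named binary outside the install path
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe", "DestinationIp": "37.0.14.206", "DestinationPort": 443},
    {"EventID": 1, "Image": r"C:\Program Files\Vendor\Host.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "Hashes": "SHA256=" + "0" * 64},
]

if __name__ == "__main__":
    for rule, idx in detect(EVENTS):
        print(f"{rule:30} event[{idx}]")
```

The C2 check is deliberately exact on ip:port because the config carries a literal IP; the two path checks match any user's roaming profile rather than the sandbox's C:\Users\Admin, and the install-path check is anchored to the full path so a look-alike such as Host.exe.bak or a vendor's Host.exe elsewhere does not fire. The GrantedAccess mask check mirrors what the report's WriteProcessMemory signature observed: the parent needs PROCESS_VM_WRITE on the child to write into it.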
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
160KB
MD5
3564b2127c519a9e39b63f0e6994a3d1
SHA1
158c22dea6eb92f518af7ea947e08521a904e3ad
SHA256
09103f6536c9315c4d1cfa28a4105a2e9bd06f5c432bb62dc5a2b1d0b5902fdd
SHA512
37bdd044469917c500a4d4cfc8b8280207198be956bb208efdac7a74dc3a49b97df237885ece8bf8d3e0c9642156c24285e9ed8fa27adad32adbde6613fc5029
Size and all four hashes match the submitted sample: consistent with copy_executable = true in the extracted config, the dropped Host.exe is a byte-for-byte copy of the original, so the sample's hashes also identify the installed copy.
-
memory/4692-130-0x0000000000000000-mapping.dmp