Analysis
- max time kernel: 159s
- max time network: 167s
- platform: windows7_x64
- resource: win7-20220718-en
- resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
- submitted: 04-08-2022 21:28
Static task
static1
Behavioral task
behavioral1
Sample
FACTURA-027783278873287.exe
Resource
win7-20220718-en
General
-
Target
FACTURA-027783278873287.exe
-
Size
1.3MB
-
MD5
35711d2a8e8e96e025f54b5ca77db5f5
-
SHA1
4e3776b5db886079b003c28bec7656c5882d6fd0
-
SHA256
00c21d0a93a75ed3a206befabace5574014f5ea5dfbd314e46e3720d82c7a2e6
-
SHA512
917e3d4bf94133828375d69cfa21557405452fa28ddf5d874635867526eb670b4308815a81124d6ebdb5640c1890c48f22d4ee46ec0180af3310241dfbfcc862
Malware Config
Extracted
netwire
xman2.duckdns.org:4433
-
activex_autorun
false
-
copy_executable
false
-
delete_original
false
-
host_id
HostId-%Rand%
-
lock_executable
false
-
offline_keylogger
false
-
password
Password
-
registry_autorun
false
-
use_mutex
false
Signatures
-
NetWire RAT payload 9 IoCs
Processes:
resource | yara_rule
behavioral1/memory/916-70-0x0000000000400000-0x0000000000450000-memory.dmp | netwire
behavioral1/memory/916-72-0x0000000000400000-0x0000000000450000-memory.dmp | netwire
behavioral1/memory/916-73-0x0000000000400000-0x0000000000450000-memory.dmp | netwire
behavioral1/memory/916-75-0x0000000000400000-0x0000000000450000-memory.dmp | netwire
behavioral1/memory/916-76-0x000000000041AE7B-mapping.dmp | netwire
behavioral1/memory/916-79-0x0000000000400000-0x0000000000450000-memory.dmp | netwire
behavioral1/memory/916-80-0x0000000000400000-0x0000000000450000-memory.dmp | netwire
behavioral1/memory/916-82-0x0000000000400000-0x0000000000450000-memory.dmp | netwire
behavioral1/memory/916-84-0x0000000000400000-0x0000000000450000-memory.dmp | netwire
-
Uses the VBS compiler for execution 1 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 860 set thread context of 916 | 860 | FACTURA-027783278873287.exe | vbc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 15 IoCs
Processes:
pid | process
860 | FACTURA-027783278873287.exe
860 | FACTURA-027783278873287.exe
860 | FACTURA-027783278873287.exe
860 | FACTURA-027783278873287.exe
860 | FACTURA-027783278873287.exe
860 | FACTURA-027783278873287.exe
860 | FACTURA-027783278873287.exe
860 | FACTURA-027783278873287.exe
860 | FACTURA-027783278873287.exe
860 | FACTURA-027783278873287.exe
860 | FACTURA-027783278873287.exe
860 | FACTURA-027783278873287.exe
2036 | powershell.exe
860 | FACTURA-027783278873287.exe
860 | FACTURA-027783278873287.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 860 | FACTURA-027783278873287.exe
Token: SeDebugPrivilege | 2036 | powershell.exe
-
Suspicious use of WriteProcessMemory 27 IoCs
Processes:
description | pid | process | target process
PID 860 wrote to memory of 2036 | 860 | FACTURA-027783278873287.exe | powershell.exe
PID 860 wrote to memory of 2036 | 860 | FACTURA-027783278873287.exe | powershell.exe
PID 860 wrote to memory of 2036 | 860 | FACTURA-027783278873287.exe | powershell.exe
PID 860 wrote to memory of 2036 | 860 | FACTURA-027783278873287.exe | powershell.exe
PID 860 wrote to memory of 968 | 860 | FACTURA-027783278873287.exe | schtasks.exe
PID 860 wrote to memory of 968 | 860 | FACTURA-027783278873287.exe | schtasks.exe
PID 860 wrote to memory of 968 | 860 | FACTURA-027783278873287.exe | schtasks.exe
PID 860 wrote to memory of 968 | 860 | FACTURA-027783278873287.exe | schtasks.exe
PID 860 wrote to memory of 916 | 860 | FACTURA-027783278873287.exe | vbc.exe
PID 860 wrote to memory of 916 | 860 | FACTURA-027783278873287.exe | vbc.exe
PID 860 wrote to memory of 916 | 860 | FACTURA-027783278873287.exe | vbc.exe
PID 860 wrote to memory of 916 | 860 | FACTURA-027783278873287.exe | vbc.exe
PID 860 wrote to memory of 916 | 860 | FACTURA-027783278873287.exe | vbc.exe
PID 860 wrote to memory of 916 | 860 | FACTURA-027783278873287.exe | vbc.exe
PID 860 wrote to memory of 916 | 860 | FACTURA-027783278873287.exe | vbc.exe
PID 860 wrote to memory of 916 | 860 | FACTURA-027783278873287.exe | vbc.exe
PID 860 wrote to memory of 916 | 860 | FACTURA-027783278873287.exe | vbc.exe
PID 860 wrote to memory of 916 | 860 | FACTURA-027783278873287.exe | vbc.exe
PID 860 wrote to memory of 916 | 860 | FACTURA-027783278873287.exe | vbc.exe
PID 916 wrote to memory of 332 | 916 | vbc.exe | cmd.exe
PID 916 wrote to memory of 332 | 916 | vbc.exe | cmd.exe
PID 916 wrote to memory of 332 | 916 | vbc.exe | cmd.exe
PID 916 wrote to memory of 332 | 916 | vbc.exe | cmd.exe
PID 332 wrote to memory of 1556 | 332 | cmd.exe | PING.EXE
PID 332 wrote to memory of 1556 | 332 | cmd.exe | PING.EXE
PID 332 wrote to memory of 1556 | 332 | cmd.exe | PING.EXE
PID 332 wrote to memory of 1556 | 332 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\FACTURA-027783278873287.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\FACTURA-027783278873287.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DFwGjXjjmkAS.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DFwGjXjjmkAS" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD77C.tmp"
    - Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\PING.EXE (depth 4)
        Command line: ping 1.1.1.1 -n 1 -w 3000
        - Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpD77C.tmp
  Filesize: 1KB
  MD5: a10baa400269d088dd636964a8bd7e9d
  SHA1: dcb3a0f9065ae4d128c600a5c8e4597e160aefb6
  SHA256: ea5f6e178ef931c3e147e04f94741a857ca07e46a9351cf5188a24f4cd4df529
  SHA512: 5e582d75968fbb8d48c8b22a7951bf8b7d97559e9c39087957a0ff12d3c8bd872a8f1c953423d54e4fce6ae0aa34b5337925ef169ea037f8fff9f4be498ff803
- memory/332-83-0x0000000000000000-mapping.dmp
- memory/860-64-0x0000000004B50000-0x0000000004B9A000-memory.dmp
  Filesize: 296KB
- memory/860-55-0x0000000076921000-0x0000000076923000-memory.dmp
  Filesize: 8KB
- memory/860-56-0x0000000000420000-0x0000000000436000-memory.dmp
  Filesize: 88KB
- memory/860-57-0x00000000004B0000-0x00000000004BA000-memory.dmp
  Filesize: 40KB
- memory/860-58-0x0000000006260000-0x00000000062F8000-memory.dmp
  Filesize: 608KB
- memory/860-54-0x0000000000E70000-0x0000000000FB6000-memory.dmp
  Filesize: 1.3MB
- memory/916-79-0x0000000000400000-0x0000000000450000-memory.dmp
  Filesize: 320KB
- memory/916-76-0x000000000041AE7B-mapping.dmp
- memory/916-65-0x0000000000400000-0x0000000000450000-memory.dmp
  Filesize: 320KB
- memory/916-66-0x0000000000400000-0x0000000000450000-memory.dmp
  Filesize: 320KB
- memory/916-68-0x0000000000400000-0x0000000000450000-memory.dmp
  Filesize: 320KB
- memory/916-70-0x0000000000400000-0x0000000000450000-memory.dmp
  Filesize: 320KB
- memory/916-72-0x0000000000400000-0x0000000000450000-memory.dmp
  Filesize: 320KB
- memory/916-73-0x0000000000400000-0x0000000000450000-memory.dmp
  Filesize: 320KB
- memory/916-75-0x0000000000400000-0x0000000000450000-memory.dmp
  Filesize: 320KB
- memory/916-84-0x0000000000400000-0x0000000000450000-memory.dmp
  Filesize: 320KB
- memory/916-82-0x0000000000400000-0x0000000000450000-memory.dmp
  Filesize: 320KB
- memory/916-80-0x0000000000400000-0x0000000000450000-memory.dmp
  Filesize: 320KB
- memory/968-60-0x0000000000000000-mapping.dmp
- memory/1556-85-0x0000000000000000-mapping.dmp
- memory/2036-81-0x000000006E120000-0x000000006E6CB000-memory.dmp
  Filesize: 5.7MB
- memory/2036-59-0x0000000000000000-mapping.dmp
- memory/2036-63-0x000000006E120000-0x000000006E6CB000-memory.dmp
  Filesize: 5.7MB