Analysis

max time kernel: 100s
max time network: 132s
platform: windows10-2004_x64
resource: win10v2004-20220721-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-08-2022 21:31

Static task: static1
Behavioral task: behavioral1
Sample: INV03483287732.exe
Resource: win7-20220715-en
General

Target: INV03483287732.exe
Size: 782KB
MD5: 2fe9032113e6cad33dee260c180cf758
SHA1: db6b2f0bc2936400b3b1c8c118a77d0ba4e61c57
SHA256: 171c720d3c447b5011c0de2a4669df9406bcf4ba7581c7e8582f4ad526bb43b2
SHA512: 70245873ee8fca013357437af10bd6a2a34cf094bb46a34466b91743943ab3ea4b561100a6768bec684f1a0f30f0e4ed9b643b4f8728da69141df7e886f86cde
Malware Config

Extracted family: netwire
C2: 149.102.132.253:3399
activex_autorun: false
copy_executable: false
delete_original: false
host_id: HostId-%Rand%
lock_executable: false
offline_keylogger: false
password: Password
registry_autorun: false
use_mutex: false
Signatures

NetWire RAT payload (4 IoCs)
YARA rule "netwire" matched the following memory regions of PID 4196:
- behavioral2/memory/4196-142-0x0000000000400000-0x0000000000450000-memory.dmp
- behavioral2/memory/4196-143-0x0000000000400000-0x0000000000450000-memory.dmp
- behavioral2/memory/4196-144-0x0000000000400000-0x0000000000450000-memory.dmp
- behavioral2/memory/4196-147-0x0000000000400000-0x0000000000450000-memory.dmp

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Key value queried by INV03483287732.exe: \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation
Uses the VBS compiler for execution (1 TTP)

Suspicious use of SetThreadContext (1 IoC)
PID 4832 (INV03483287732.exe) set the thread context of PID 4196 (vbc.exe).
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (9 IoCs)
- PID 4832 INV03483287732.exe (7 events)
- PID 2624 powershell.exe (2 events)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: SeDebugPrivilege, PID 4832 INV03483287732.exe
- Token: SeDebugPrivilege, PID 2624 powershell.exe

Suspicious use of WriteProcessMemory (16 IoCs)
- PID 4832 (INV03483287732.exe) wrote to memory of PID 2624 (powershell.exe), 3 events
- PID 4832 (INV03483287732.exe) wrote to memory of PID 4932 (schtasks.exe), 3 events
- PID 4832 (INV03483287732.exe) wrote to memory of PID 4196 (vbc.exe), 10 events
Processes

1. C:\Users\Admin\AppData\Local\Temp\INV03483287732.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\INV03483287732.exe"
   - Checks computer location settings
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\xefxVoegFLrT.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

   2. C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xefxVoegFLrT" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9579.tmp"
      - Creates scheduled task(s)

   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Downloads

C:\Users\Admin\AppData\Local\Temp\tmp9579.tmp
Filesize: 1KB
MD5: d9f222e1786f4c465b1c24f495b0cc2c
SHA1: 4471211861893e30096c52733ec10d20d418591d
SHA256: 363844d9b2f8456532a92e693adf6aa41c082e5d5cf8cbb58f8bbe34cfcc9daf
SHA512: 532ee5139c64a5ca34adef136903cc22f0d5764d828930f2489a2dc403031291d1051cbc3fff74c9238aede2dbaf6457145e66aaf3ac92044b0aaf60d1270ffa