Analysis
-
max time kernel
143s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20220722-en -
resource tags
-
submitted
05-08-2022 12:16
General
-
Target
a19b2cd3ea8c79684ba85dfe7167c5afa9a739cfceac75f79a9c0132ae0bc7b3.exe
-
Size
949KB
-
MD5
b0e74647415c0edb08b82e65aa7edd27
-
SHA1
f9a486d9918626c73c54af54a9d9e041b141559f
-
SHA256
a19b2cd3ea8c79684ba85dfe7167c5afa9a739cfceac75f79a9c0132ae0bc7b3
-
SHA512
3f76cd80704cb32e5395b39b46095ab77da1883fe4110872419203f3127ed1af2580b11223cca6cd0c2ee719b0ea20f5208753cb2e98cc785ceb866859886385
Malware Config
Extracted
netwire
185.140.53.61:3363
185.140.53.61:3365
-
activex_autorun
false
-
copy_executable
false
-
delete_original
false
-
host_id
HostId-%Rand%
-
keylogger_dir
%AppData%\Logs\
-
lock_executable
false
-
offline_keylogger
true
-
password
move4ward
-
registry_autorun
false
-
use_mutex
false
Signatures
-
NetWire RAT payload 4 IoCs
-
Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a19b2cd3ea8c79684ba85dfe7167c5afa9a739cfceac75f79a9c0132ae0bc7b3.exe"C:\Users\Admin\AppData\Local\Temp\a19b2cd3ea8c79684ba85dfe7167c5afa9a739cfceac75f79a9c0132ae0bc7b3.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kgxkkKeg" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6E84.tmp"2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\a19b2cd3ea8c79684ba85dfe7167c5afa9a739cfceac75f79a9c0132ae0bc7b3.exe"{path}"2⤵
-
C:\Users\Admin\AppData\Local\Temp\a19b2cd3ea8c79684ba85dfe7167c5afa9a739cfceac75f79a9c0132ae0bc7b3.exe"{path}"2⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp6E84.tmpFilesize
1KB
MD517407ba178b7570a9747db827f2ae3ab
SHA10b747c1f39b536c9d99851cb0bb8c820e1b67c20
SHA2561e845c3cc8d524c08c033ece92fae2fea2538dd197ffb974b9e7ccabff7b47e5
SHA5121c797681969781e87e1e589663940a9e4baec9e46d136b3c6f1d216ceea8d69c594d69cf58233684ba74290834f56f1528e7af2c3a47b61bd7c20ea1fccce0e0
-
memory/2292-135-0x0000000004FE0000-0x000000000507C000-memory.dmpFilesize
624KB
-
memory/2292-134-0x0000000004F40000-0x0000000004FD2000-memory.dmpFilesize
584KB
-
memory/2292-132-0x0000000000470000-0x0000000000564000-memory.dmpFilesize
976KB
-
memory/2292-136-0x0000000004F00000-0x0000000004F0A000-memory.dmpFilesize
40KB
-
memory/2292-133-0x0000000005450000-0x00000000059F4000-memory.dmpFilesize
5.6MB
-
memory/3420-137-0x0000000000000000-mapping.dmp
-
memory/3660-139-0x0000000000000000-mapping.dmp
-
memory/4356-140-0x0000000000000000-mapping.dmp
-
memory/4356-141-0x0000000000400000-0x0000000000433000-memory.dmpFilesize
204KB
-
memory/4356-143-0x0000000000400000-0x0000000000433000-memory.dmpFilesize
204KB
-
memory/4356-144-0x0000000000400000-0x0000000000433000-memory.dmpFilesize
204KB
-
memory/4356-145-0x0000000000400000-0x0000000000433000-memory.dmpFilesize
204KB