Analysis
- max time kernel: 128s
- max time network: 136s
- platform: windows10-2004_x64
- resource: win10v2004-20220721-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12-08-2022 08:17

Tasks
- Static task: static1
- Behavioral task: behavioral1
  - Sample: INVOICE00543.exe
  - Resource: win7-20220718-en
General
- Target: INVOICE00543.exe
- Size: 666KB
- MD5: dfb8147fe8e22fb63d4953cbe8d6742d
- SHA1: 95bd5bd63a3ee48a8b54e53c441d0dd2c896dfce
- SHA256: ae2f65dc73b9f6946ced973c5dd998d53123110a8c7a4ad6d88e7cc56d9e3d6d
- SHA512: 186e15dd64bdc3d01395118a3ebdfbbd392eaaa1d387f1b762dfcba80f3024c344e39e7fca537e3752d5d627ca73e3bb468834528431bd9987e5cc1ff0bd210e
Malware Config
Extracted family: netwire
- C2 host: 212.193.30.230:3345
- activex_autorun: false
- copy_executable: false
- delete_original: false
- host_id: HostId-%Rand%
- keylogger_dir: %AppData%\Logs\
- lock_executable: false
- offline_keylogger: true
- password: Password@9
- registry_autorun: false
- use_mutex: false
Signatures
- NetWire RAT payload (3 IoCs)
  resource | yara_rule
  behavioral2/memory/4208-141-0x0000000000400000-0x0000000000433000-memory.dmp | netwire
  behavioral2/memory/4208-144-0x0000000000400000-0x0000000000433000-memory.dmp | netwire
  behavioral2/memory/4208-147-0x0000000000400000-0x0000000000433000-memory.dmp | netwire
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: INVOICE00543.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation | INVOICE00543.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes: INVOICE00543.exe
  description | pid | process | target process
  PID 4316 set thread context of 4208 | 4316 | INVOICE00543.exe | INVOICE00543.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: powershell.exe
  pid | process
  4152 | powershell.exe
  4152 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: powershell.exe
  description | pid | process
  Token: SeDebugPrivilege | 4152 | powershell.exe
- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes: INVOICE00543.exe
  description | pid | process | target process
  PID 4316 wrote to memory of 4152 | 4316 | INVOICE00543.exe | powershell.exe
  PID 4316 wrote to memory of 4152 | 4316 | INVOICE00543.exe | powershell.exe
  PID 4316 wrote to memory of 4152 | 4316 | INVOICE00543.exe | powershell.exe
  PID 4316 wrote to memory of 4524 | 4316 | INVOICE00543.exe | schtasks.exe
  PID 4316 wrote to memory of 4524 | 4316 | INVOICE00543.exe | schtasks.exe
  PID 4316 wrote to memory of 4524 | 4316 | INVOICE00543.exe | schtasks.exe
  PID 4316 wrote to memory of 4208 | 4316 | INVOICE00543.exe | INVOICE00543.exe
  PID 4316 wrote to memory of 4208 | 4316 | INVOICE00543.exe | INVOICE00543.exe
  PID 4316 wrote to memory of 4208 | 4316 | INVOICE00543.exe | INVOICE00543.exe
  PID 4316 wrote to memory of 4208 | 4316 | INVOICE00543.exe | INVOICE00543.exe
  PID 4316 wrote to memory of 4208 | 4316 | INVOICE00543.exe | INVOICE00543.exe
  PID 4316 wrote to memory of 4208 | 4316 | INVOICE00543.exe | INVOICE00543.exe
  PID 4316 wrote to memory of 4208 | 4316 | INVOICE00543.exe | INVOICE00543.exe
  PID 4316 wrote to memory of 4208 | 4316 | INVOICE00543.exe | INVOICE00543.exe
  PID 4316 wrote to memory of 4208 | 4316 | INVOICE00543.exe | INVOICE00543.exe
  PID 4316 wrote to memory of 4208 | 4316 | INVOICE00543.exe | INVOICE00543.exe
  PID 4316 wrote to memory of 4208 | 4316 | INVOICE00543.exe | INVOICE00543.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\INVOICE00543.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\INVOICE00543.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\uncvaaUfS.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe (level 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uncvaaUfS" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6726.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\INVOICE00543.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\INVOICE00543.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6