Analysis
- max time kernel: 114s
- max time network: 136s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 19-08-2022 07:22
Static task: static1
Behavioral task: behavioral1
- Sample: INVOICE00433.exe
- Resource: win7-20220812-en
General
- Target: INVOICE00433.exe
- Size: 673KB
- MD5: ba34224f638293815a97a3d4e7f5bc67
- SHA1: c0dc327bd340eb447cb8e78603fa4dded8c152c9
- SHA256: 40374376894492fb4f8aa245a8197df99859e2f98b786c344f877813a1a3f224
- SHA512: b410175eccc1dcfa5347b2e72d72c42b08c470095ac9716637973d6dbb0ebd78237a7bc8fba24ef516d2f3e6734449f9a3d8a530c1d54e81180f25ff0fd38403
Malware Config
Extracted: netwire
- 212.193.30.230:3345
- activex_autorun: false
- copy_executable: false
- delete_original: false
- host_id: HostId-%Rand%
- keylogger_dir: %AppData%\Logs\
- lock_executable: false
- offline_keylogger: true
- password: Password@9
- registry_autorun: false
- use_mutex: false
Signatures
- NetWire RAT payload (9 IoCs)
  Processes (resource, yara_rule):
  - behavioral1/memory/1816-69-0x0000000000400000-0x0000000000433000-memory.dmp: netwire
  - behavioral1/memory/1816-70-0x0000000000400000-0x0000000000433000-memory.dmp: netwire
  - behavioral1/memory/1816-71-0x0000000000400000-0x0000000000433000-memory.dmp: netwire
  - behavioral1/memory/1816-74-0x0000000000400000-0x0000000000433000-memory.dmp: netwire
  - behavioral1/memory/1816-73-0x0000000000400000-0x0000000000433000-memory.dmp: netwire
  - behavioral1/memory/1816-75-0x000000000040242D-mapping.dmp: netwire
  - behavioral1/memory/1816-78-0x0000000000400000-0x0000000000433000-memory.dmp: netwire
  - behavioral1/memory/1816-79-0x0000000000400000-0x0000000000433000-memory.dmp: netwire
  - behavioral1/memory/1816-82-0x0000000000400000-0x0000000000433000-memory.dmp: netwire
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  - INVOICE00433.exe (PID 1388) set thread context of INVOICE00433.exe (PID 1816)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
  - powershell.exe (PID 800)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  - powershell.exe (PID 800): Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes:
  - INVOICE00433.exe (PID 1388) wrote to memory of powershell.exe (PID 800): 4 events
  - INVOICE00433.exe (PID 1388) wrote to memory of schtasks.exe (PID 1752): 4 events
  - INVOICE00433.exe (PID 1388) wrote to memory of INVOICE00433.exe (PID 1816): 12 events
Processes
- C:\Users\Admin\AppData\Local\Temp\INVOICE00433.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\INVOICE00433.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\IszLCO.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IszLCO" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB03D.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\INVOICE00433.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\INVOICE00433.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpB03D.tmp
  Filesize: 1KB
  MD5: db7f7b200a4553e9d6c2dba9c7bc38c6
  SHA1: 3ec30755cc4837a17e1b327188837b384d7ea438
  SHA256: c9dd20e1c5d7724b503518f2024d5d4872247957150e7283d8760f155b3a19ae
  SHA512: 85784d90e883355675c2c46d2e4e3906c4a058e1d36f1352d8c30cc23ec3b3ac534a80256cab17847afc296bf5f45003bc218a22624acb8a1c865c1c4daef55a