Analysis

max time kernel: 90s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-08-2022 15:47

Static task: static1
Behavioral task: behavioral1
Sample: SecuriteInfo.com.W32.AIDetectNet.01.1417.25539.exe
Resource: win7-20220812-en
General

Target: SecuriteInfo.com.W32.AIDetectNet.01.1417.25539.exe
Size: 578KB
MD5: a3add136bad0055382516c28b2d98ed6
SHA1: bb218fb9cbb76d9c4e0f4d44f3745f3405957a02
SHA256: 5d7b005b25fc4042bf4306cb81f0e332ff10a61ead6744d4dae14da8f08b7db5
SHA512: 0c204063f19b2603ec8bff61547d17b14ae01329a4a587c53a37ba37c0aa9122d3fead68138f10ad18788aae00aec580122c7ddc54a3e10b012ab7f5284587a0
SSDEEP: 12288:hc0FHAlmHX2zbro5A97xpbMlylSx1LHoY/dlBKr9:ZAlmHAgA9QLW
Malware Config

Extracted family: netwire
C2: 37.0.14.206:3384
activex_autorun: false
copy_executable: true
delete_original: false
host_id: HostId-%Rand%
install_path: %AppData%\Install\Host.exe
keylogger_dir: %AppData%\Logs\
lock_executable: true
offline_keylogger: true
password: Password234
registry_autorun: false
use_mutex: false
Signatures

NetWire RAT payload (5 IoCs)
YARA rule "netwire" matched in these memory dumps:
  behavioral2/memory/2860-141-0x0000000000400000-0x0000000000433000-memory.dmp
  behavioral2/memory/2860-143-0x0000000000400000-0x0000000000433000-memory.dmp
  behavioral2/memory/2860-144-0x0000000000400000-0x0000000000433000-memory.dmp
  behavioral2/memory/4980-154-0x0000000000400000-0x0000000000433000-memory.dmp
  behavioral2/memory/4980-155-0x0000000000400000-0x0000000000433000-memory.dmp

Executes dropped EXE (2 IoCs)
  PID 4696 Host.exe
  PID 4980 Host.exe

Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Control Panel\International\Geo\Nation by SecuriteInfo.com.W32.AIDetectNet.01.1417.25539.exe
  Key value queried: (same key) by SecuriteInfo.com.W32.AIDetectNet.01.1417.25539.exe
  Key value queried: (same key) by Host.exe

Suspicious use of SetThreadContext (2 IoCs)
  PID 4468 (SecuriteInfo.com.W32.AIDetectNet.01.1417.25539.exe) set thread context of PID 2860 (SecuriteInfo.com.W32.AIDetectNet.01.1417.25539.exe)
  PID 4696 (Host.exe) set thread context of PID 4980 (Host.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). The signature's canned description reads "likely ransomware behaviour", but nothing else in this report supports that: the classification is a NetWire RAT payload with keylogger and C2 configuration, and no file encryption activity is recorded. Read the drive enumeration in that context rather than as ransomware evidence.

Creates scheduled task(s) (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 2364 schtasks.exe
  PID 4052 schtasks.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  PID 4468 SecuriteInfo.com.W32.AIDetectNet.01.1417.25539.exe (3 events)
  PID 4696 Host.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 4468 SecuriteInfo.com.W32.AIDetectNet.01.1417.25539.exe
  Token: SeDebugPrivilege, PID 4696 Host.exe

Suspicious use of WriteProcessMemory (34 IoCs)
  PID 4468 (SecuriteInfo.com.W32.AIDetectNet.01.1417.25539.exe) wrote to memory of PID 2364 (schtasks.exe): 3 events
  PID 4468 (SecuriteInfo.com.W32.AIDetectNet.01.1417.25539.exe) wrote to memory of PID 3888 (SecuriteInfo.com.W32.AIDetectNet.01.1417.25539.exe): 3 events
  PID 4468 (SecuriteInfo.com.W32.AIDetectNet.01.1417.25539.exe) wrote to memory of PID 2860 (SecuriteInfo.com.W32.AIDetectNet.01.1417.25539.exe): 11 events
  PID 2860 (SecuriteInfo.com.W32.AIDetectNet.01.1417.25539.exe) wrote to memory of PID 4696 (Host.exe): 3 events
  PID 4696 (Host.exe) wrote to memory of PID 4052 (schtasks.exe): 3 events
  PID 4696 (Host.exe) wrote to memory of PID 4980 (Host.exe): 11 events
Processes

Bracketed numbers are the process-tree depth as recorded by the sandbox.

[1] C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.1417.25539.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.1417.25539.exe"
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\schtasks.exe
        Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VqaJbkwvcY" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4AF3.tmp"
        (The command line names System32 but the image runs from SysWOW64: the 32-bit parent is subject to file system redirection.)
        - Creates scheduled task(s)

    [2] C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.1417.25539.exe
        Command line: "{path}"
        (No signatures. Going by the WriteProcessMemory and memory-dump records this is PID 3888.)

    [2] C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.1417.25539.exe
        Command line: "{path}"
        (Going by the signature records this is PID 2860, the hollowed copy whose memory matched the netwire YARA rule.)
        - Checks computer location settings
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Roaming\Install\Host.exe
            Command line: "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
            - Executes dropped EXE
            - Checks computer location settings
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\schtasks.exe
                Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VqaJbkwvcY" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCE9A.tmp"
                - Creates scheduled task(s)

            [4] C:\Users\Admin\AppData\Roaming\Install\Host.exe
                Command line: "{path}"
                - Executes dropped EXE
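The extracted config and the process tree above give a small, concrete set of behaviours to hunt for: a process spawning its own image with the command line recorded as "{path}" (the SetThreadContext/WriteProcessMemory stage), schtasks /Create with a task under "Updates\" and an /XML file in %Temp%, execution of or writes to the configured install_path and keylogger_dir, the Geo\Nation registry query, and connections to the configured C2. The following script is an added example, not part of the sandbox report or the malware: it turns the report's config values into matching rules and runs them over constructed event records that mirror this process tree. The Event shape, the SAMPLE_EVENTS list and the network event are assumptions (the report's Network section is empty); the literal "{path}" match assumes your telemetry records the command line the way the sandbox did.

```python
"""Hunting logic built from this report's extracted NetWire config and process tree.
Added example, not part of the sandbox report. SAMPLE_EVENTS are constructed to mirror
the report; the network event is an assumption (the report's Network section is empty)."""
import re
from dataclasses import dataclass

# Taken from the report's "Malware Config" section.
NETWIRE_CONFIG = {
    "c2": ("37.0.14.206", 3384),
    "install_path": "%AppData%\\Install\\Host.exe",
    "keylogger_dir": "%AppData%\\Logs\\",
}

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.1417.25539.exe"
HOST = r"C:\Users\Admin\AppData\Roaming\Install\Host.exe"

# Task name "Updates\<random>" plus an /XML definition in %Temp%\tmpXXXX.tmp, as in the tree above.
SCHTASKS_RE = re.compile(
    r'/create\s+/tn\s+"updates\\[^"]+"\s+/xml\s+"[^"]*\\temp\\tmp[0-9a-f]+\.tmp"', re.I)

GEO_KEY_SUFFIX = "\\control panel\\international\\geo\\nation"


def expand_template(path, profile=r"C:\Users\Admin"):
    """Expand NetWire's %AppData% placeholder for one user profile (other users differ)."""
    return path.replace("%AppData%", profile + "\\AppData\\Roaming")


@dataclass
class Event:
    kind: str               # "process", "file", "registry" or "network" (assumed schema)
    pid: int
    image: str
    cmdline: str = ""
    parent_image: str = ""
    parent_pid: int = 0
    target: str = ""        # file path, registry key, or "ip:port"


def detect(events, profile=r"C:\Users\Admin"):
    """Return (rule, pid, detail) tuples for events matching this report's behaviours."""
    install = expand_template(NETWIRE_CONFIG["install_path"], profile).lower()
    keylog = expand_template(NETWIRE_CONFIG["keylogger_dir"], profile).lower()
    c2 = "%s:%d" % NETWIRE_CONFIG["c2"]
    alerts = []
    for e in events:
        image = e.image.lower()
        if e.kind == "process":
            # Parent spawns its own image and the child's command line is the literal "{path}":
            # the stage where the parent hollows the child (SetThreadContext + WriteProcessMemory).
            # Assumption: telemetry records the command line as the sandbox did.
            if e.parent_image and image == e.parent_image.lower() and e.cmdline.strip() == '"{path}"':
                alerts.append(("self_injection_child", e.pid, e.image))
            if image.endswith("\\schtasks.exe") and SCHTASKS_RE.search(e.cmdline):
                alerts.append(("schtasks_xml_persistence", e.parent_pid, e.cmdline))
            if image == install:
                alerts.append(("netwire_install_path_exec", e.pid, e.image))
        elif e.kind == "file":
            target = e.target.lower()
            if target == install or target.startswith(keylog):
                alerts.append(("netwire_config_path_write", e.pid, e.target))
        elif e.kind == "registry":
            if e.target.lower().endswith(GEO_KEY_SUFFIX):
                alerts.append(("geo_nation_query", e.pid, e.image))
        elif e.kind == "network":
            if e.target == c2:
                alerts.append(("netwire_c2", e.pid, e.target))
    return alerts


# Constructed to mirror the report's process tree; not captured telemetry.
SAMPLE_EVENTS = [
    Event("process", 4468, SAMPLE, cmdline='"%s"' % SAMPLE),
    Event("registry", 4468, SAMPLE,
          target=r"\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Control Panel\International\Geo\Nation"),
    Event("process", 2364, r"C:\Windows\SysWOW64\schtasks.exe",
          cmdline='"C:\\Windows\\System32\\schtasks.exe" /Create /TN "Updates\\VqaJbkwvcY" '
                  '/XML "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp4AF3.tmp"',
          parent_image=SAMPLE, parent_pid=4468),
    Event("process", 2860, SAMPLE, cmdline='"{path}"', parent_image=SAMPLE, parent_pid=4468),
    Event("file", 2860, SAMPLE, target=HOST),
    Event("process", 4696, HOST, cmdline='"%s"' % HOST, parent_image=SAMPLE, parent_pid=2860),
    Event("process", 4980, HOST, cmdline='"{path}"', parent_image=HOST, parent_pid=4696),
    Event("network", 4980, HOST, target="37.0.14.206:3384"),   # assumed C2 connection from the config
]

if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(rule, pid, detail)
```

The install_path rule is the weakest on its own (a benign installer could use %AppData%\Install), so it is most useful in combination with the self-spawn or schtasks rule from the same parent; the C2 and Geo\Nation rules are the ones to keep as standalone indicators.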
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp4AF3.tmpFilesize
1KB
MD586d17d63cdc7f62b8763a932301ce7bd
SHA161d6d2aefdc812374e921195adac4758051bb600
SHA2568ebb4083b4b4b08a4495737a77953d34894a72b3163c22a67a2ad33494f8f37f
SHA5122b47a3e3433a99f893f038fe0636b790bc900cffe92dfabf671f0d1c9a6c0c571f6e02b82d4e3a77c0f230691779c9307e40f875fd336ea6d979fa8f88eab0d5
-
C:\Users\Admin\AppData\Local\Temp\tmpCE9A.tmpFilesize
1KB
MD586d17d63cdc7f62b8763a932301ce7bd
SHA161d6d2aefdc812374e921195adac4758051bb600
SHA2568ebb4083b4b4b08a4495737a77953d34894a72b3163c22a67a2ad33494f8f37f
SHA5122b47a3e3433a99f893f038fe0636b790bc900cffe92dfabf671f0d1c9a6c0c571f6e02b82d4e3a77c0f230691779c9307e40f875fd336ea6d979fa8f88eab0d5
-
C:\Users\Admin\AppData\Roaming\Install\Host.exeFilesize
578KB
MD5a3add136bad0055382516c28b2d98ed6
SHA1bb218fb9cbb76d9c4e0f4d44f3745f3405957a02
SHA2565d7b005b25fc4042bf4306cb81f0e332ff10a61ead6744d4dae14da8f08b7db5
SHA5120c204063f19b2603ec8bff61547d17b14ae01329a4a587c53a37ba37c0aa9122d3fead68138f10ad18788aae00aec580122c7ddc54a3e10b012ab7f5284587a0
-
C:\Users\Admin\AppData\Roaming\Install\Host.exeFilesize
578KB
MD5a3add136bad0055382516c28b2d98ed6
SHA1bb218fb9cbb76d9c4e0f4d44f3745f3405957a02
SHA2565d7b005b25fc4042bf4306cb81f0e332ff10a61ead6744d4dae14da8f08b7db5
SHA5120c204063f19b2603ec8bff61547d17b14ae01329a4a587c53a37ba37c0aa9122d3fead68138f10ad18788aae00aec580122c7ddc54a3e10b012ab7f5284587a0
-
C:\Users\Admin\AppData\Roaming\Install\Host.exeFilesize
578KB
MD5a3add136bad0055382516c28b2d98ed6
SHA1bb218fb9cbb76d9c4e0f4d44f3745f3405957a02
SHA2565d7b005b25fc4042bf4306cb81f0e332ff10a61ead6744d4dae14da8f08b7db5
SHA5120c204063f19b2603ec8bff61547d17b14ae01329a4a587c53a37ba37c0aa9122d3fead68138f10ad18788aae00aec580122c7ddc54a3e10b012ab7f5284587a0
-
memory/2364-137-0x0000000000000000-mapping.dmp
-
memory/2860-143-0x0000000000400000-0x0000000000433000-memory.dmpFilesize
204KB
-
memory/2860-140-0x0000000000000000-mapping.dmp
-
memory/2860-141-0x0000000000400000-0x0000000000433000-memory.dmpFilesize
204KB
-
memory/2860-144-0x0000000000400000-0x0000000000433000-memory.dmpFilesize
204KB
-
memory/3888-139-0x0000000000000000-mapping.dmp
-
memory/4052-148-0x0000000000000000-mapping.dmp
-
memory/4468-135-0x0000000005060000-0x00000000050FC000-memory.dmpFilesize
624KB
-
memory/4468-136-0x0000000002AA0000-0x0000000002AAA000-memory.dmpFilesize
40KB
-
memory/4468-132-0x00000000004C0000-0x0000000000556000-memory.dmpFilesize
600KB
-
memory/4468-134-0x0000000004FC0000-0x0000000005052000-memory.dmpFilesize
584KB
-
memory/4468-133-0x00000000054D0000-0x0000000005A74000-memory.dmpFilesize
5.6MB
-
memory/4696-145-0x0000000000000000-mapping.dmp
-
memory/4980-150-0x0000000000000000-mapping.dmp
-
memory/4980-154-0x0000000000400000-0x0000000000433000-memory.dmpFilesize
204KB
-
memory/4980-155-0x0000000000400000-0x0000000000433000-memory.dmpFilesize
204KB
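The two tmp*.tmp files above are the task definitions handed to schtasks /Create /XML; the report gives only their size and hashes, so the first thing a responder does with a recovered copy is read the action, trigger and settings out of the XML. The script below is an added example, not part of the report, showing that triage with the standard library. SAMPLE_TASK_XML is constructed: the report does not show the file's contents, so the LogonTrigger, the Hidden setting and the Exec action pointing at the dropped Host.exe are assumptions about what such a file typically contains, not recovered data.

```python
"""Triage of a Task Scheduler XML definition of the kind passed to "schtasks /Create /XML".
Added example, not part of the report. SAMPLE_TASK_XML is constructed: the report lists
tmp4AF3.tmp / tmpCE9A.tmp only by size and hash, so its trigger, settings and action are
assumptions."""
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Directories a standard user can write to; a persistence action launched from one of
# them is the pattern in this report (%AppData%\Install\Host.exe).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")

SAMPLE_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Settings>
    <Hidden>true</Hidden>
    <StartWhenAvailable>true</StartWhenAvailable>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe</Command>
    </Exec>
  </Actions>
</Task>"""


def triage_task_xml(xml_text):
    """Return (finding, detail) pairs for the properties a responder checks first."""
    root = ET.fromstring(xml_text)
    findings = []
    for cmd in root.iterfind(".//t:Actions/t:Exec/t:Command", TASK_NS):
        path = (cmd.text or "").strip()
        findings.append(("exec_command", path))
        if any(seg in path.lower() for seg in USER_WRITABLE):
            findings.append(("exec_from_user_writable_dir", path))
    hidden = root.find(".//t:Settings/t:Hidden", TASK_NS)
    if hidden is not None and (hidden.text or "").strip().lower() == "true":
        findings.append(("hidden_task", "Settings/Hidden=true"))
    triggers = root.find("t:Triggers", TASK_NS)
    if triggers is not None:
        for trig in triggers:
            # Element tags carry the namespace ("{...}LogonTrigger"); keep the local name.
            findings.append(("trigger", trig.tag.rsplit("}", 1)[-1]))
    return findings


if __name__ == "__main__":
    for finding, detail in triage_task_xml(SAMPLE_TASK_XML):
        print(finding, detail)
```

When reading a real recovered tmp*.tmp, pass the file's bytes to ET.fromstring rather than a decoded string so the parser honours the file's own encoding declaration (schtasks-exported task XML is commonly UTF-16). The task name in the report ("Updates\VqaJbkwvcY") is not stored in the XML; it comes from the /TN argument, so pair the XML findings with the schtasks command line from the process tree.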