Analysis
max time kernel: 62s
max time network: 141s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-08-2022 15:48
Static task: static1
Behavioral task: behavioral1
Sample: SecuriteInfo.com.W32.AIDetectNet.01.1417.exe
Resource: win7-20220812-en
General
Target: SecuriteInfo.com.W32.AIDetectNet.01.1417.exe
Size: 578KB
MD5: a3add136bad0055382516c28b2d98ed6
SHA1: bb218fb9cbb76d9c4e0f4d44f3745f3405957a02
SHA256: 5d7b005b25fc4042bf4306cb81f0e332ff10a61ead6744d4dae14da8f08b7db5
SHA512: 0c204063f19b2603ec8bff61547d17b14ae01329a4a587c53a37ba37c0aa9122d3fead68138f10ad18788aae00aec580122c7ddc54a3e10b012ab7f5284587a0
SSDEEP: 12288:hc0FHAlmHX2zbro5A97xpbMlylSx1LHoY/dlBKr9:ZAlmHAgA9QLW
Malware Config
Extracted
Family: netwire
C2: 37.0.14.206:3384
activex_autorun: false
copy_executable: true
delete_original: false
host_id: HostId-%Rand%
install_path: %AppData%\Install\Host.exe
keylogger_dir: %AppData%\Logs\
lock_executable: true
offline_keylogger: true
password: Password234
registry_autorun: false
use_mutex: false
Signatures

NetWire RAT payload (3 IoCs)
  resource / yara_rule:
    behavioral2/memory/1688-140-0x0000000000400000-0x0000000000433000-memory.dmp  netwire
    behavioral2/memory/1688-142-0x0000000000400000-0x0000000000433000-memory.dmp  netwire
    behavioral2/memory/1688-143-0x0000000000400000-0x0000000000433000-memory.dmp  netwire

Executes dropped EXE (1 IoCs)
  pid / process:
    2452  Host.exe

Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description / ioc / process:
    Key value queried  \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Control Panel\International\Geo\Nation  SecuriteInfo.com.W32.AIDetectNet.01.1417.exe
    Key value queried  \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Control Panel\International\Geo\Nation  SecuriteInfo.com.W32.AIDetectNet.01.1417.exe

Suspicious use of SetThreadContext (1 IoCs)
  description / pid / process / target process:
    PID 3612 set thread context of 1688  3612  SecuriteInfo.com.W32.AIDetectNet.01.1417.exe  SecuriteInfo.com.W32.AIDetectNet.01.1417.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid / process:
    3612  SecuriteInfo.com.W32.AIDetectNet.01.1417.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description / pid / process:
    Token: SeDebugPrivilege  3612  SecuriteInfo.com.W32.AIDetectNet.01.1417.exe

Suspicious use of WriteProcessMemory (17 IoCs)
  description / pid / process / target process:
    PID 3612 wrote to memory of 3756  3612  SecuriteInfo.com.W32.AIDetectNet.01.1417.exe  schtasks.exe  (3 events)
    PID 3612 wrote to memory of 1688  3612  SecuriteInfo.com.W32.AIDetectNet.01.1417.exe  SecuriteInfo.com.W32.AIDetectNet.01.1417.exe  (11 events)
    PID 1688 wrote to memory of 2452  1688  SecuriteInfo.com.W32.AIDetectNet.01.1417.exe  Host.exe  (3 events)
Processes

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.1417.exe  (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.1417.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\schtasks.exe  (depth 2)
    command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VqaJbkwvcY" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7BE7.tmp"
    - Creates scheduled task(s)

  C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.1417.exe  (depth 2)
    command line: "{path}"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Install\Host.exe  (depth 3)
      command line: "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\tmp7BE7.tmp
  Filesize: 1KB
  MD5: 86d17d63cdc7f62b8763a932301ce7bd
  SHA1: 61d6d2aefdc812374e921195adac4758051bb600
  SHA256: 8ebb4083b4b4b08a4495737a77953d34894a72b3163c22a67a2ad33494f8f37f
  SHA512: 2b47a3e3433a99f893f038fe0636b790bc900cffe92dfabf671f0d1c9a6c0c571f6e02b82d4e3a77c0f230691779c9307e40f875fd336ea6d979fa8f88eab0d5

C:\Users\Admin\AppData\Roaming\Install\Host.exe
  Filesize: 578KB
  MD5: a3add136bad0055382516c28b2d98ed6
  SHA1: bb218fb9cbb76d9c4e0f4d44f3745f3405957a02
  SHA256: 5d7b005b25fc4042bf4306cb81f0e332ff10a61ead6744d4dae14da8f08b7db5
  SHA512: 0c204063f19b2603ec8bff61547d17b14ae01329a4a587c53a37ba37c0aa9122d3fead68138f10ad18788aae00aec580122c7ddc54a3e10b012ab7f5284587a0

memory/1688-142-0x0000000000400000-0x0000000000433000-memory.dmp
  Filesize: 204KB

memory/1688-140-0x0000000000400000-0x0000000000433000-memory.dmp
  Filesize: 204KB

memory/1688-139-0x0000000000000000-mapping.dmp

memory/1688-143-0x0000000000400000-0x0000000000433000-memory.dmp
  Filesize: 204KB

memory/2452-144-0x0000000000000000-mapping.dmp

memory/3612-136-0x0000000005370000-0x000000000537A000-memory.dmp
  Filesize: 40KB

memory/3612-135-0x0000000005410000-0x00000000054AC000-memory.dmp
  Filesize: 624KB

memory/3612-132-0x00000000008B0000-0x0000000000946000-memory.dmp
  Filesize: 600KB

memory/3612-134-0x00000000052D0000-0x0000000005362000-memory.dmp
  Filesize: 584KB

memory/3612-133-0x00000000057A0000-0x0000000005D44000-memory.dmp
  Filesize: 5.6MB

memory/3756-137-0x0000000000000000-mapping.dmp