Analysis
- max time kernel: 141s
- max time network: 142s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 13-09-2022 09:55
Static task: static1
Behavioral task: behavioral1
- Sample: INV+PL+BL-003536478.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: INV+PL+BL-003536478.exe
- Resource: win10v2004-20220812-en
The signature, process and memory-dump data below all come from behavioral1 (the Windows 7 x64 run); the YARA matches reference behavioral1/ paths and the PIDs match that process tree.
General
- Target: INV+PL+BL-003536478.exe
- Size: 954KB
- MD5: 306b63ef6d498f120a2bf3ddee4be41b
- SHA1: 37e5c6185df085107121da25affc5c6fcdf8d24a
- SHA256: ea2f83162c01de01bcb3a9b6111aef54503ef8375b85f8bea71cd25d7d6602b3
- SHA512: 4de711fc94459a1d9138295fdbda2ac4a59c347bfbea1f9619905cfb43b7f91f6de5b8813e5a6d77bd407848f5514e2612d04c44a803062c2ae20950e0d83d25
- SSDEEP: 12288:FexmKY72X2bs6lOgunYjvFqkqRIAQfPv3SntMOalGR1ykXzN0sBr9viUVTm:A3Y7I2binY7FS9wvStvacRN3JviUd
Malware Config
Extracted: netwire
- C2 (host:port): 212.193.29.37:3030
- activex_autorun: false
- copy_executable: false
- delete_original: false
- host_id: client
- install_path: %AppData%\Install\Host.exe
- lock_executable: false
- mutex: xcCpnqVL
- offline_keylogger: false
- password: 123456
- registry_autorun: false
- use_mutex: false
Note: the extracted flags copy_executable=false and registry_autorun=false contradict the behaviour recorded below, where the sample is copied to C:\Users\Admin\AppData\Roaming\Install\Host.exe (the expansion of install_path) and Host.exe then writes a Run value pointing at that path. Treat the extractor's boolean flags as hints and confirm them against the process and registry events; the C2 endpoint, mutex and install path are the actionable indicators.
Signatures
- NetWire RAT payload (11 IoCs)
  YARA rule "netwire" matched the following behavioral1 memory dumps:
  behavioral1/memory/1936-65-0x0000000000400000-0x0000000000450000-memory.dmp
  behavioral1/memory/1936-67-0x0000000000400000-0x0000000000450000-memory.dmp
  behavioral1/memory/1936-68-0x0000000000400000-0x0000000000450000-memory.dmp
  behavioral1/memory/1936-70-0x0000000000400000-0x0000000000450000-memory.dmp
  behavioral1/memory/1936-71-0x000000000041AE7B-mapping.dmp
  behavioral1/memory/1936-74-0x0000000000400000-0x0000000000450000-memory.dmp
  behavioral1/memory/1936-78-0x0000000000400000-0x0000000000450000-memory.dmp
  behavioral1/memory/1544-94-0x000000000041AE7B-mapping.dmp
  behavioral1/memory/1544-98-0x0000000000400000-0x0000000000450000-memory.dmp
  behavioral1/memory/1544-99-0x0000000000400000-0x0000000000450000-memory.dmp
  behavioral1/memory/1544-100-0x0000000000400000-0x0000000000450000-memory.dmp
- Executes dropped EXE (2 IoCs)
  PID 2032 Host.exe
  PID 1544 Host.exe
- Loads dropped DLL (1 IoC)
  PID 1936 INV+PL+BL-003536478.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Key created (process Host.exe):
    \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
  Set value, str (process Host.exe):
    \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\7È›ït5]1_BX×…—“ = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe"
  The Run value name is rendered by the report as the non-printable string shown above and cannot be recovered from this page; the value data is the expanded install_path from the extracted config, so the path, not the value name, is the indicator to hunt for.
- Suspicious use of SetThreadContext (2 IoCs)
  PID 1184 INV+PL+BL-003536478.exe set thread context of PID 1936 INV+PL+BL-003536478.exe
  PID 2032 Host.exe set thread context of PID 1544 Host.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature reads "likely ransomware behaviour", but drive enumeration is common to many malware families and the payload identified in this run is the NetWire RAT; on its own this signature is not evidence of ransomware.
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  PID 1184 INV+PL+BL-003536478.exe (3 events)
  PID 2032 Host.exe (3 events)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  PID 1184 INV+PL+BL-003536478.exe: Token: SeDebugPrivilege
  PID 2032 Host.exe: Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (26 IoCs)
  PID 1184 INV+PL+BL-003536478.exe wrote to memory of PID 1936 INV+PL+BL-003536478.exe (11 events)
  PID 1936 INV+PL+BL-003536478.exe wrote to memory of PID 2032 Host.exe (4 events)
  PID 2032 Host.exe wrote to memory of PID 1544 Host.exe (11 events)
  Writing into a freshly launched copy of the same image and then calling SetThreadContext on it is the process-hollowing pattern. It occurs twice here (1184 -> 1936 and 2032 -> 1544), and the NetWire YARA hits fall in the 0x400000-0x450000 region of exactly those two child processes. The 1936 -> 2032 writes have no matching SetThreadContext; that edge is the hollowed process launching the dropped Host.exe, which then repeats the hollowing against its own child.
Processes
1. C:\Users\Admin\AppData\Local\Temp\INV+PL+BL-003536478.exe  (PID 1184)
   Command line: "C:\Users\Admin\AppData\Local\Temp\INV+PL+BL-003536478.exe"
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\INV+PL+BL-003536478.exe  (PID 1936, child of 1184)
      Command line: "C:\Users\Admin\AppData\Local\Temp\INV+PL+BL-003536478.exe"
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Roaming\Install\Host.exe  (PID 2032, child of 1936)
         Command line: "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Roaming\Install\Host.exe  (PID 1544, child of 2032)
            Command line: "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
            - Executes dropped EXE
            - Adds Run key to start application
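The SetThreadContext and WriteProcessMemory tables above are the raw material for spotting the hollowing chain, but the report flattens them into one row per event. The script below is an added example (not part of the sandbox report or of any tool it uses) that parses rows in the flattened "PID <src> <action> <dst> <src> <src image> <dst image>" form seen on this page, aggregates them per source/target edge, labels an edge as hollowing when writes are followed by SetThreadContext on the same target, and walks the chain from the root PID. The input rows are constructed from the counts in this report (11 / 4 / 11 writes); the "hollow" label is a heuristic, not a sandbox verdict.

```python
import re
from collections import defaultdict

# One sandbox event row as flattened on this page:
#   "PID <src> <action> <dst> <src> <src image> <dst image>"
EVENT_RE = re.compile(
    r"^PID (\d+) (set thread context of|wrote to memory of) (\d+) \d+ (\S+) (\S+)$"
)

# Constructed input: the two SetThreadContext rows and the three WriteProcessMemory
# groups from the report, repeated to the counts the report lists.
EVENTS = (
    ["PID 1184 set thread context of 1936 1184 INV+PL+BL-003536478.exe INV+PL+BL-003536478.exe"]
    + ["PID 1184 wrote to memory of 1936 1184 INV+PL+BL-003536478.exe INV+PL+BL-003536478.exe"] * 11
    + ["PID 1936 wrote to memory of 2032 1936 INV+PL+BL-003536478.exe Host.exe"] * 4
    + ["PID 2032 set thread context of 1544 2032 Host.exe Host.exe"]
    + ["PID 2032 wrote to memory of 1544 2032 Host.exe Host.exe"] * 11
)


def analyse(events):
    """Aggregate cross-process events per (source PID, target PID) edge."""
    edges = defaultdict(
        lambda: {"writes": 0, "set_thread_context": False, "src_image": None, "dst_image": None}
    )
    for line in events:
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # not a cross-process memory/thread event row
        src, action, dst, src_img, dst_img = m.groups()
        rec = edges[(int(src), int(dst))]
        rec["src_image"], rec["dst_image"] = src_img, dst_img
        if action.startswith("wrote"):
            rec["writes"] += 1
        else:
            rec["set_thread_context"] = True
    return dict(edges)


def classify(rec):
    """Heuristic label for one edge: WriteProcessMemory followed by SetThreadContext on
    the same target is the process-hollowing / thread-hijack pattern; writes alone are not."""
    if rec["writes"] and rec["set_thread_context"]:
        return "hollow"
    if rec["writes"]:
        return "write-only"
    return "thread-context-only"


def hollowing_candidates(edges):
    """Edges matching the hollowing pattern, noting whether the target runs the same image
    as the source (the sample relaunching itself and overwriting the child)."""
    return [
        {
            "src": src,
            "dst": dst,
            "writes": rec["writes"],
            "image": rec["dst_image"],
            "self_image": rec["src_image"] == rec["dst_image"],
        }
        for (src, dst), rec in sorted(edges.items())
        if classify(rec) == "hollow"
    ]


def lineage(edges, root):
    """Follow cross-process edges from the root PID one hop at a time, so the
    drop-and-relaunch chain reads as a single path of (src, dst, label) hops."""
    chain, cur, seen = [], root, {root}
    while True:
        nxt = sorted(
            ((dst, rec) for (src, dst), rec in edges.items() if src == cur and dst not in seen),
            key=lambda x: x[0],
        )
        if not nxt:
            return chain
        dst, rec = nxt[0]
        chain.append((cur, dst, classify(rec)))
        seen.add(dst)
        cur = dst


if __name__ == "__main__":
    edges = analyse(EVENTS)
    for c in hollowing_candidates(edges):
        print(f"hollowing: {c['src']} -> {c['dst']} ({c['image']}, "
              f"{c['writes']} writes, self_image={c['self_image']})")
    print("chain:", " -> ".join(f"{s}->{d}[{k}]" for s, d, k in lineage(edges, 1184)))
```

Run against the constructed rows it reports two hollowing edges (1184 -> 1936 and 2032 -> 1544, both into a child running the same image) and the chain 1184->1936[hollow] -> 1936->2032[write-only] -> 2032->1544[hollow]. Against a live EDR feed the same logic applies to process-access events with the write/set-context distinction preserved.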
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\Install\Host.exe
  (recorded four times in the report, once as \Users\Admin\AppData\Roaming\Install\Host.exe without the drive letter; all four entries carry identical size and hashes)
  Filesize: 954KB
  MD5: 306b63ef6d498f120a2bf3ddee4be41b
  SHA1: 37e5c6185df085107121da25affc5c6fcdf8d24a
  SHA256: ea2f83162c01de01bcb3a9b6111aef54503ef8375b85f8bea71cd25d7d6602b3
  SHA512: 4de711fc94459a1d9138295fdbda2ac4a59c347bfbea1f9619905cfb43b7f91f6de5b8813e5a6d77bd407848f5514e2612d04c44a803062c2ae20950e0d83d25
  These match the size and all four hashes of the submitted sample in the General section: Host.exe is a byte-for-byte copy of INV+PL+BL-003536478.exe written to the configured install_path. The dropped file therefore adds no new file hash; hunt for the path and the Run value instead.
Memory dumps (name: listed size)
PID 1184 (INV+PL+BL-003536478.exe, initial process):
- memory/1184-54-0x0000000000D40000-0x0000000000E34000-memory.dmp: 976KB
- memory/1184-55-0x0000000074BB1000-0x0000000074BB3000-memory.dmp: 8KB
- memory/1184-56-0x0000000000520000-0x000000000053A000-memory.dmp: 104KB
- memory/1184-57-0x0000000000540000-0x000000000054C000-memory.dmp: 48KB
- memory/1184-58-0x0000000005E30000-0x0000000005ED4000-memory.dmp: 656KB
- memory/1184-59-0x0000000005CA0000-0x0000000005CEA000-memory.dmp: 296KB
PID 1936 (INV+PL+BL-003536478.exe, child of 1184):
- memory/1936-60-0x0000000000400000-0x0000000000450000-memory.dmp: 320KB
- memory/1936-61-0x0000000000400000-0x0000000000450000-memory.dmp: 320KB
- memory/1936-63-0x0000000000400000-0x0000000000450000-memory.dmp: 320KB
- memory/1936-65-0x0000000000400000-0x0000000000450000-memory.dmp: 320KB
- memory/1936-67-0x0000000000400000-0x0000000000450000-memory.dmp: 320KB
- memory/1936-68-0x0000000000400000-0x0000000000450000-memory.dmp: 320KB
- memory/1936-70-0x0000000000400000-0x0000000000450000-memory.dmp: 320KB
- memory/1936-71-0x000000000041AE7B-mapping.dmp
- memory/1936-74-0x0000000000400000-0x0000000000450000-memory.dmp: 320KB
- memory/1936-78-0x0000000000400000-0x0000000000450000-memory.dmp: 320KB
PID 2032 (Host.exe, child of 1936):
- memory/2032-76-0x0000000000000000-mapping.dmp
- memory/2032-80-0x0000000000C60000-0x0000000000D54000-memory.dmp: 976KB
- memory/2032-82-0x00000000053F0000-0x0000000005494000-memory.dmp: 656KB
PID 1544 (Host.exe, child of 2032):
- memory/1544-94-0x000000000041AE7B-mapping.dmp
- memory/1544-98-0x0000000000400000-0x0000000000450000-memory.dmp: 320KB
- memory/1544-99-0x0000000000400000-0x0000000000450000-memory.dmp: 320KB
- memory/1544-100-0x0000000000400000-0x0000000000450000-memory.dmp: 320KB
Reading the dumps against the process tree: the two launcher processes (1184 and 2032) each carry a 976KB and a 656KB region, consistent with the same 954KB executable running twice, while the two hollowed children (1936 and 1544) each carry a 320KB region at 0x400000-0x450000, the one the netwire YARA rule fired on, with a mapping dump at the same address 0x41AE7B in both. That region, not the dropped file, is where the NetWire payload should be carved from for further analysis.
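The dump file names above encode the PID, a sequence number and the address range, and the report lists a size next to each region dump. The script below is an added example (not from the sandbox report or any of its tooling) that parses that naming scheme as it appears on this page, checks each listed size against end minus start, resolves every mapping dump to the dumped region of the same PID that contains it (giving the offset from the region base), and finds ranges that recur across processes. The input is a constructed subset of the dumps listed above; the name pattern is assumed from this page only and may differ in other reports.

```python
import re

# Dump names as they appear in this report:
#   memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp   (a dumped region)
#   memory/<pid>-<seq>-0x<address>-mapping.dmp        (an address of interest, no range)
DUMP_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)(?:-0x([0-9A-Fa-f]+))?-(memory|mapping)\.dmp$"
)

# Constructed input: a subset of the dumps listed on this page, with the size the report
# shows next to each region dump (None for mapping dumps, which list no size).
DUMPS = [
    ("memory/1184-54-0x0000000000D40000-0x0000000000E34000-memory.dmp", "976KB"),
    ("memory/1184-57-0x0000000000540000-0x000000000054C000-memory.dmp", "48KB"),
    ("memory/1936-65-0x0000000000400000-0x0000000000450000-memory.dmp", "320KB"),
    ("memory/1936-71-0x000000000041AE7B-mapping.dmp", None),
    ("memory/2032-76-0x0000000000000000-mapping.dmp", None),
    ("memory/2032-80-0x0000000000C60000-0x0000000000D54000-memory.dmp", "976KB"),
    ("memory/1544-94-0x000000000041AE7B-mapping.dmp", None),
    ("memory/1544-98-0x0000000000400000-0x0000000000450000-memory.dmp", "320KB"),
]


def parse_dump(name):
    """Split a dump file name into pid, sequence number, address range and kind."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    pid, seq, start, end, kind = m.groups()
    return {
        "pid": int(pid),
        "seq": int(seq),
        "start": int(start, 16),
        "end": int(end, 16) if end is not None else None,
        "kind": kind,
    }


def parse_size(text):
    """'320KB' -> 327680. The report only ever lists sizes in KB."""
    m = re.fullmatch(r"(\d+)KB", text)
    if not m:
        raise ValueError(f"unrecognised size: {text}")
    return int(m.group(1)) * 1024


def size_mismatches(dumps):
    """Names whose listed size differs from end - start: a sanity check on the listing
    before anything is inferred from region sizes."""
    bad = []
    for name, size in dumps:
        d = parse_dump(name)
        if d["kind"] == "memory" and parse_size(size) != d["end"] - d["start"]:
            bad.append(name)
    return bad


def regions_by_pid(dumps):
    """{pid: [(start, end), ...]} for the region dumps only."""
    out = {}
    for name, _ in dumps:
        d = parse_dump(name)
        if d["kind"] == "memory":
            out.setdefault(d["pid"], []).append((d["start"], d["end"]))
    return out


def mapping_rvas(dumps):
    """For every mapping dump, locate the dumped region of the same PID that contains its
    address and return (pid, address, region base, offset from base). Base and offset are
    None when no dumped region of that PID covers the address."""
    regions = regions_by_pid(dumps)
    out = []
    for name, _ in dumps:
        d = parse_dump(name)
        if d["kind"] != "mapping":
            continue
        hit = next((r for r in regions.get(d["pid"], []) if r[0] <= d["start"] < r[1]), None)
        base = hit[0] if hit else None
        out.append((d["pid"], d["start"], base, d["start"] - base if hit else None))
    return out


def shared_regions(dumps):
    """Map each (start, end) range to the sorted PIDs it was dumped from, to spot the same
    region recurring across processes."""
    out = {}
    for pid, ranges in regions_by_pid(dumps).items():
        for r in ranges:
            out.setdefault(r, set()).add(pid)
    return {r: sorted(p) for r, p in out.items()}


if __name__ == "__main__":
    print("size mismatches:", size_mismatches(DUMPS))
    for pid, addr, base, off in mapping_rvas(DUMPS):
        where = f"region base 0x{base:X}, offset 0x{off:X}" if base is not None else "no dumped region covers it"
        print(f"pid {pid}: mapping 0x{addr:X}: {where}")
    for (s, e), pids in shared_regions(DUMPS).items():
        if len(pids) > 1:
            print(f"region 0x{s:X}-0x{e:X} ({e - s} bytes) dumped in PIDs {pids}")
```

On the constructed subset every listed size matches its range, both 0x41AE7B mapping dumps resolve to base 0x400000 at offset 0x1AE7B (the same offset in PIDs 1936 and 1544), the 0x0 mapping dump for PID 2032 resolves to no dumped region, and the 0x400000-0x450000 range is the one shared between the two hollowed children.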