Analysis
max time kernel: 116s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-09-2022 09:55
Static task: static1
Behavioral task: behavioral1
  Sample: INV+PL+BL-003536478.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: INV+PL+BL-003536478.exe
  Resource: win10v2004-20220812-en
General
Target: INV+PL+BL-003536478.exe
Size: 954KB
MD5: 306b63ef6d498f120a2bf3ddee4be41b
SHA1: 37e5c6185df085107121da25affc5c6fcdf8d24a
SHA256: ea2f83162c01de01bcb3a9b6111aef54503ef8375b85f8bea71cd25d7d6602b3
SHA512: 4de711fc94459a1d9138295fdbda2ac4a59c347bfbea1f9619905cfb43b7f91f6de5b8813e5a6d77bd407848f5514e2612d04c44a803062c2ae20950e0d83d25
SSDEEP: 12288:FexmKY72X2bs6lOgunYjvFqkqRIAQfPv3SntMOalGR1ykXzN0sBr9viUVTm:A3Y7I2binY7FS9wvStvacRN3JviUd
Malware Config
Extracted: netwire
netwire: 212.193.29.37:3030
activex_autorun: false
copy_executable: false
delete_original: false
host_id: client
install_path: %AppData%\Install\Host.exe
lock_executable: false
mutex: xcCpnqVL
offline_keylogger: false
password: 123456
registry_autorun: false
use_mutex: false
Signatures

NetWire RAT payload (9 IoCs)
  resource | yara_rule
  behavioral2/memory/2748-139-0x0000000000400000-0x0000000000450000-memory.dmp | netwire
  behavioral2/memory/2748-140-0x0000000000400000-0x0000000000450000-memory.dmp | netwire
  behavioral2/memory/2748-141-0x0000000000400000-0x0000000000450000-memory.dmp | netwire
  behavioral2/memory/2748-142-0x0000000000400000-0x0000000000450000-memory.dmp | netwire
  behavioral2/memory/2748-146-0x0000000000400000-0x0000000000450000-memory.dmp | netwire
  behavioral2/memory/2960-150-0x0000000000400000-0x0000000000450000-memory.dmp | netwire
  behavioral2/memory/2960-151-0x0000000000400000-0x0000000000450000-memory.dmp | netwire
  behavioral2/memory/2960-152-0x0000000000400000-0x0000000000450000-memory.dmp | netwire
  behavioral2/memory/2960-153-0x0000000000400000-0x0000000000450000-memory.dmp | netwire

Executes dropped EXE (2 IoCs)
  Processes: Host.exe, Host.exe
  pid | process
  1532 | Host.exe
  2960 | Host.exe

Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  Processes: INV+PL+BL-003536478.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | INV+PL+BL-003536478.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: Host.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ | Host.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7È›ït5]1_BX×…—“ = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe" | Host.exe

Suspicious use of SetThreadContext (2 IoCs)
  Processes: INV+PL+BL-003536478.exe, Host.exe
  description | pid | process | target process
  PID 4944 set thread context of 2748 | 4944 | INV+PL+BL-003536478.exe | INV+PL+BL-003536478.exe
  PID 1532 set thread context of 2960 | 1532 | Host.exe | Host.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes: INV+PL+BL-003536478.exe, Host.exe
  pid | process
  4944 | INV+PL+BL-003536478.exe
  4944 | INV+PL+BL-003536478.exe
  4944 | INV+PL+BL-003536478.exe
  1532 | Host.exe
  1532 | Host.exe
  1532 | Host.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: INV+PL+BL-003536478.exe, Host.exe
  description | pid | process
  Token: SeDebugPrivilege | 4944 | INV+PL+BL-003536478.exe
  Token: SeDebugPrivilege | 1532 | Host.exe

Suspicious use of WriteProcessMemory (23 IoCs)
  Processes: INV+PL+BL-003536478.exe, INV+PL+BL-003536478.exe, Host.exe
  description | pid | process | target process
  PID 4944 wrote to memory of 2748 | 4944 | INV+PL+BL-003536478.exe | INV+PL+BL-003536478.exe
  PID 4944 wrote to memory of 2748 | 4944 | INV+PL+BL-003536478.exe | INV+PL+BL-003536478.exe
  PID 4944 wrote to memory of 2748 | 4944 | INV+PL+BL-003536478.exe | INV+PL+BL-003536478.exe
  PID 4944 wrote to memory of 2748 | 4944 | INV+PL+BL-003536478.exe | INV+PL+BL-003536478.exe
  PID 4944 wrote to memory of 2748 | 4944 | INV+PL+BL-003536478.exe | INV+PL+BL-003536478.exe
  PID 4944 wrote to memory of 2748 | 4944 | INV+PL+BL-003536478.exe | INV+PL+BL-003536478.exe
  PID 4944 wrote to memory of 2748 | 4944 | INV+PL+BL-003536478.exe | INV+PL+BL-003536478.exe
  PID 4944 wrote to memory of 2748 | 4944 | INV+PL+BL-003536478.exe | INV+PL+BL-003536478.exe
  PID 4944 wrote to memory of 2748 | 4944 | INV+PL+BL-003536478.exe | INV+PL+BL-003536478.exe
  PID 4944 wrote to memory of 2748 | 4944 | INV+PL+BL-003536478.exe | INV+PL+BL-003536478.exe
  PID 2748 wrote to memory of 1532 | 2748 | INV+PL+BL-003536478.exe | Host.exe
  PID 2748 wrote to memory of 1532 | 2748 | INV+PL+BL-003536478.exe | Host.exe
  PID 2748 wrote to memory of 1532 | 2748 | INV+PL+BL-003536478.exe | Host.exe
  PID 1532 wrote to memory of 2960 | 1532 | Host.exe | Host.exe
  PID 1532 wrote to memory of 2960 | 1532 | Host.exe | Host.exe
  PID 1532 wrote to memory of 2960 | 1532 | Host.exe | Host.exe
  PID 1532 wrote to memory of 2960 | 1532 | Host.exe | Host.exe
  PID 1532 wrote to memory of 2960 | 1532 | Host.exe | Host.exe
  PID 1532 wrote to memory of 2960 | 1532 | Host.exe | Host.exe
  PID 1532 wrote to memory of 2960 | 1532 | Host.exe | Host.exe
  PID 1532 wrote to memory of 2960 | 1532 | Host.exe | Host.exe
  PID 1532 wrote to memory of 2960 | 1532 | Host.exe | Host.exe
  PID 1532 wrote to memory of 2960 | 1532 | Host.exe | Host.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\INV+PL+BL-003536478.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\INV+PL+BL-003536478.exe"
   PID: 4944
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\INV+PL+BL-003536478.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\INV+PL+BL-003536478.exe"
      PID: 2748
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Roaming\Install\Host.exe
         Command line: "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
         PID: 1532
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Roaming\Install\Host.exe
            Command line: "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
            PID: 2960
            - Executes dropped EXE
            - Adds Run key to start application
Downloads
C:\Users\Admin\AppData\Roaming\Install\Host.exe
  Filesize: 954KB
  MD5: 306b63ef6d498f120a2bf3ddee4be41b
  SHA1: 37e5c6185df085107121da25affc5c6fcdf8d24a
  SHA256: ea2f83162c01de01bcb3a9b6111aef54503ef8375b85f8bea71cd25d7d6602b3
  SHA512: 4de711fc94459a1d9138295fdbda2ac4a59c347bfbea1f9619905cfb43b7f91f6de5b8813e5a6d77bd407848f5514e2612d04c44a803062c2ae20950e0d83d25
memory/1532-143-0x0000000000000000-mapping.dmp
memory/2748-142-0x0000000000400000-0x0000000000450000-memory.dmp (Filesize: 320KB)
memory/2748-146-0x0000000000400000-0x0000000000450000-memory.dmp (Filesize: 320KB)
memory/2748-138-0x0000000000000000-mapping.dmp
memory/2748-139-0x0000000000400000-0x0000000000450000-memory.dmp (Filesize: 320KB)
memory/2748-140-0x0000000000400000-0x0000000000450000-memory.dmp (Filesize: 320KB)
memory/2748-141-0x0000000000400000-0x0000000000450000-memory.dmp (Filesize: 320KB)
memory/2960-147-0x0000000000000000-mapping.dmp
memory/2960-150-0x0000000000400000-0x0000000000450000-memory.dmp (Filesize: 320KB)
memory/2960-151-0x0000000000400000-0x0000000000450000-memory.dmp (Filesize: 320KB)
memory/2960-152-0x0000000000400000-0x0000000000450000-memory.dmp (Filesize: 320KB)
memory/2960-153-0x0000000000400000-0x0000000000450000-memory.dmp (Filesize: 320KB)
memory/4944-137-0x0000000008A50000-0x0000000008AB6000-memory.dmp (Filesize: 408KB)
memory/4944-136-0x00000000086E0000-0x000000000877C000-memory.dmp (Filesize: 624KB)
memory/4944-135-0x0000000004DC0000-0x0000000004DCA000-memory.dmp (Filesize: 40KB)
memory/4944-134-0x0000000004C00000-0x0000000004C92000-memory.dmp (Filesize: 584KB)
memory/4944-132-0x00000000002B0000-0x00000000003A4000-memory.dmp (Filesize: 976KB)
memory/4944-133-0x00000000050D0000-0x0000000005674000-memory.dmp (Filesize: 5.6MB)