Analysis
-
max time kernel
121s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system -
submitted
12-10-2022 04:30
Static task
static1
Behavioral task
behavioral1
Sample
3f2a653458d88060d8e2dcfde4a2b396.exe
Resource
win7-20220901-en
Note: the task list above only survived for behavioral1 (win7-20220901-en), but every result below belongs to behavioral2 (the memory-dump paths are behavioral2/memory/..., and the header gives the platform as windows10-2004_x64 / win10v2004-20220812-en). The win7 run's results are not on this page.
General
-
Target
3f2a653458d88060d8e2dcfde4a2b396.exe
-
Size
793KB
-
MD5
3f2a653458d88060d8e2dcfde4a2b396
-
SHA1
8b514d159d3aad5ed0eb8b0b5ee7db53e183738e
-
SHA256
af18d799c7288fc034106f041f1595591719fb64adebebc3f78b634229a7f83d
-
SHA512
a4be00914fe7719d7983997e211fe1869eea4a09e31fb40989bb87c325053d76908d70173154713e8fe617739c4559759f1521333646b5d9e1a53c64cb0656a1
-
SSDEEP
12288:RejUauu2iNaLrA7Ed3Oml1OktIQvRCUKPnN5CdTenWlCqjJ5nS4TU41WjZfX6SyG:Mjzuu1QSEd3OmTO8IQvRZKPNa0WrjrS
Malware Config
Extracted
netwire
37.0.14.206:3384
-
activex_autorun
false
-
copy_executable
false
-
delete_original
false
-
host_id
HostId-%Rand%
-
install_path
%AppData%\Install\Host.exe
-
lock_executable
false
-
offline_keylogger
false
-
password
Password234
-
registry_autorun
false
-
use_mutex
false
Reading the extracted build: the C2 is 37.0.14.206:3384; "password" (Password234) is the value a NetWire build derives its C2 session key from, not a victim credential; host_id is a per-victim identifier template. Every self-install switch (copy_executable, registry_autorun, activex_autorun, lock_executable, use_mutex) is off, so the persistence seen in this run comes from the loader's schtasks step (below), not from the RAT's own installer.
Signatures
-
NetWire RAT payload 8 IoCs
resource                                                                      yara_rule
behavioral2/memory/1892-141-0x0000000000400000-0x000000000044F000-memory.dmp  netwire
behavioral2/memory/1892-142-0x0000000000400000-0x000000000044F000-memory.dmp  netwire
behavioral2/memory/1892-143-0x0000000000400000-0x000000000044F000-memory.dmp  netwire
behavioral2/memory/1892-146-0x0000000000400000-0x000000000044F000-memory.dmp  netwire
behavioral2/memory/3932-153-0x0000000000400000-0x000000000044F000-memory.dmp  netwire
behavioral2/memory/3932-154-0x0000000000400000-0x000000000044F000-memory.dmp  netwire
behavioral2/memory/3932-155-0x0000000000400000-0x000000000044F000-memory.dmp  netwire
behavioral2/memory/3932-156-0x0000000000400000-0x000000000044F000-memory.dmp  netwire
All eight matches are dumps of the 0x00400000-0x0044F000 image region of PIDs 1892 and 3932, the two hollowed children in the process tree below. No on-disk match is listed, so the NetWire body only exists unpacked in memory; memory dumps of those two PIDs are where to point a config extractor or YARA scan. -
Executes dropped EXE 2 IoCs
pid Process 2924 Host.exe 3932 Host.exe -
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description        ioc                                                                                                     Process
Key value queried  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation  3f2a653458d88060d8e2dcfde4a2b396.exe
Key value queried  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation  3f2a653458d88060d8e2dcfde4a2b396.exe
Key value queried  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation  Host.exe
(The two sample rows correspond to PIDs 4820 and 1892 in the process tree; the Host.exe row to PID 2924.) -
Suspicious use of SetThreadContext 2 IoCs
description                          pid   Process                               procid_target
PID 4820 set thread context of 1892  4820  3f2a653458d88060d8e2dcfde4a2b396.exe  96
PID 2924 set thread context of 3932  2924  Host.exe                              100
In both cases the parent first created a child from its own image with the command line "{path}", wrote into it (see the WriteProcessMemory rows below) and then set the child's thread context: the create-suspended / overwrite / resume sequence of process hollowing. The netwire YARA hits on the 0x00400000-0x0044F000 region of 1892 and 3932 are the overwritten image. -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). (This is the sandbox's generic description for the signature, which fires on drive enumeration and is not specific to ransomware. For a NetWire build it is consistent with the RAT's host survey; do not read it as encryption activity unless file-system events show it.)
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   Process
2464  schtasks.exe
1500  schtasks.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid   Process
4820  3f2a653458d88060d8e2dcfde4a2b396.exe
4820  3f2a653458d88060d8e2dcfde4a2b396.exe
2924  Host.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description              pid   Process
Token: SeDebugPrivilege  4820  3f2a653458d88060d8e2dcfde4a2b396.exe
Token: SeDebugPrivilege  2924  Host.exe -
Suspicious use of WriteProcessMemory 32 IoCs
description                        pid   Process                               procid_target  events
PID 4820 wrote to memory of 2464   4820  3f2a653458d88060d8e2dcfde4a2b396.exe  93             3
PID 4820 wrote to memory of 4736   4820  3f2a653458d88060d8e2dcfde4a2b396.exe  95             3
PID 4820 wrote to memory of 1892   4820  3f2a653458d88060d8e2dcfde4a2b396.exe  96             10
PID 1892 wrote to memory of 2924   1892  3f2a653458d88060d8e2dcfde4a2b396.exe  97             3
PID 2924 wrote to memory of 1500   2924  Host.exe                              98             3
PID 2924 wrote to memory of 3932   2924  Host.exe                              100            10
(32 rows in the original table, collapsed here by target. Three writes per target is the baseline a plain CreateProcess produces; the ten writes each into 1892 and 3932 are the image overwrite that precedes the SetThreadContext call on the same targets.)
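The signatures above are individually weak (WriteProcessMemory, SetThreadContext and schtasks all have benign uses); what identifies this loader is the combination: a process spawns a child from its own image, writes into it, sets its thread context, and separately registers a scheduled task from a temp-file XML. The following is an added detection example, not code from the sandbox or from any vendor. The event records are constructed to mirror the PIDs and command lines on this page; the flat dict schema (type/pid/ppid/image/cmdline/target) and the parent PID 1000 for the first process are assumptions standing in for whatever telemetry (Sysmon, EDR) an analyst actually has.

```python
"""Correlate process-hollowing and schtasks persistence from process events.
Added example; the events below are constructed from the report's PIDs."""
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\3f2a653458d88060d8e2dcfde4a2b396.exe"
HOST = r"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"


def _create(pid, ppid, image, cmdline):
    return {"type": "create", "pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}


# Constructed events in the order the report's process tree implies.
# One write/setcontext record per target is enough for the correlation.
EVENTS = [
    _create(4820, 1000, SAMPLE, f'"{SAMPLE}"'),  # ppid 1000 is an assumption
    _create(2464, 4820, SCHTASKS,
            r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DpaItRCg" '
            r'/XML "C:\Users\Admin\AppData\Local\Temp\tmpB602.tmp"'),
    _create(4736, 4820, SAMPLE, '"{path}"'),
    {"type": "write", "pid": 4820, "target": 4736},  # written to, never resumed
    _create(1892, 4820, SAMPLE, '"{path}"'),
    {"type": "write", "pid": 4820, "target": 1892},
    {"type": "setcontext", "pid": 4820, "target": 1892},
    _create(2924, 1892, HOST, f'"{HOST}"'),
    _create(1500, 2924, SCHTASKS,
            r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DpaItRCg" '
            r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp76D1.tmp"'),
    _create(3932, 2924, HOST, '"{path}"'),
    {"type": "write", "pid": 2924, "target": 3932},
    {"type": "setcontext", "pid": 2924, "target": 3932},
]


def find_hollowing(events):
    """Return (complete, incomplete) lists of (parent_pid, child_pid).

    complete: the parent spawned a child from its own image, wrote into it
    and then set a thread context (create-suspended / overwrite / resume).
    incomplete: a same-image child that was written to but never had its
    context set, which is what PID 4736 looks like in the report."""
    procs = {e["pid"]: e for e in events if e["type"] == "create"}
    writes, ctx = defaultdict(set), defaultdict(set)
    for e in events:
        if e["type"] == "write":
            writes[e["pid"]].add(e["target"])
        elif e["type"] == "setcontext":
            ctx[e["pid"]].add(e["target"])
    complete, incomplete = [], []
    for pid, p in procs.items():
        parent = procs.get(p["ppid"])
        if parent is None or parent["image"].lower() != p["image"].lower():
            continue  # only self-image children are hollowing candidates
        if pid in writes[p["ppid"]] and pid in ctx[p["ppid"]]:
            complete.append((p["ppid"], pid))
        elif pid in writes[p["ppid"]]:
            incomplete.append((p["ppid"], pid))
    return complete, incomplete


TASK_RE = re.compile(r'/TN\s+"([^"]+)"', re.I)
XML_RE = re.compile(r'/XML\s+"([^"]+)"', re.I)
TEMP_XML = re.compile(r"\\AppData\\Local\\Temp\\tmp[0-9A-F]{4}\.tmp$", re.I)


def find_schtasks_persistence(events):
    """Flag schtasks /Create calls whose task XML comes from a %TEMP% tmp
    file and whose parent runs out of a user profile directory."""
    procs = {e["pid"]: e for e in events if e["type"] == "create"}
    hits = []
    for e in procs.values():
        if not e["image"].lower().endswith("\\schtasks.exe"):
            continue
        if "/create" not in e["cmdline"].lower():
            continue
        tn, xml = TASK_RE.search(e["cmdline"]), XML_RE.search(e["cmdline"])
        parent = procs.get(e["ppid"])
        hits.append({
            "pid": e["pid"],
            "parent_image": parent["image"] if parent else None,
            "task": tn.group(1) if tn else None,
            "xml": xml.group(1) if xml else None,
            "xml_from_temp": bool(xml and TEMP_XML.search(xml.group(1))),
            "parent_in_user_profile": bool(parent and "\\users\\" in parent["image"].lower()),
        })
    return hits


if __name__ == "__main__":
    done, partial = find_hollowing(EVENTS)
    print("hollowed:", done, "abandoned:", partial)
    for h in find_schtasks_persistence(EVENTS):
        print("schtasks:", h)
```

On real telemetry the same-image check should compare the child's image path against the parent's (Sysmon EID 1 gives both), and the write/setcontext records would come from an EDR's cross-process API events rather than Sysmon, which logs CreateRemoteThread (EID 8) and process access (EID 10) but not SetThreadContext directly.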
Processes
-
C:\Users\Admin\AppData\Local\Temp\3f2a653458d88060d8e2dcfde4a2b396.exe  (depth 1, PID 4820)
  command line: "C:\Users\Admin\AppData\Local\Temp\3f2a653458d88060d8e2dcfde4a2b396.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\schtasks.exe  (depth 2, PID 2464)
    command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DpaItRCg" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB602.tmp"
    - Creates scheduled task(s)

  C:\Users\Admin\AppData\Local\Temp\3f2a653458d88060d8e2dcfde4a2b396.exe  (depth 2, PID 4736)
    command line: "{path}"
    (no signatures)

  C:\Users\Admin\AppData\Local\Temp\3f2a653458d88060d8e2dcfde4a2b396.exe  (depth 2, PID 1892)
    command line: "{path}"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Install\Host.exe  (depth 3, PID 2924)
      command line: "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\schtasks.exe  (depth 4, PID 1500)
        command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DpaItRCg" /XML "C:\Users\Admin\AppData\Local\Temp\tmp76D1.tmp"
        - Creates scheduled task(s)

      C:\Users\Admin\AppData\Roaming\Install\Host.exe  (depth 4, PID 3932)
        command line: "{path}"
        - Executes dropped EXE

Reading the tree:
- schtasks.exe is invoked as C:\Windows\System32\schtasks.exe but resolves to C:\Windows\SysWOW64\schtasks.exe: WoW64 file-system redirection, so the sample and Host.exe run as 32-bit processes (matching the arch:x86 resource tag).
- The literal "{path}" command line is the loader's unexpanded placeholder; every self-image child (4736, 1892, 3932) carries it, which makes it a cheap hunting string in process-creation logs.
- PID 4736 received three memory writes and no SetThreadContext and raised no signatures. Inference from those rows, not a statement the page makes: it was a first hollowing target that the loader abandoned before retrying with 1892.
- Chain: 4820 (loader) registers the task, hollows 1892 with the NetWire image; 1892 launches the dropped %AppData%\Install\Host.exe as 2924 (three writes only, a plain CreateProcess); 2924 repeats the task registration with a fresh tmp XML and hollows 3932. Both task creations use the same task name, Updates\DpaItRCg, so one task path is enough to cover the host for remediation.
-
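The tree shows only the schtasks command lines, not the task bodies they installed from tmpB602.tmp and tmp76D1.tmp. On a live host the installed definition lives under the System32 Tasks folder at the task path (Updates\DpaItRCg), and inspecting it is the quickest way to confirm what the persistence launches. The following is an added example, not code from the report. The task XML is constructed, modelled on the Task Scheduler schema: the logon trigger, the Hidden flag and the Host.exe action are assumptions (the page does not show the real file content); only the namespace URI and element names are the real schema's. The benign task is likewise constructed.

```python
"""Summarise a Task Scheduler XML definition and flag persistence traits.
Added example; both task bodies below are constructed, not from the report."""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Assumed content of a task like Updates\DpaItRCg: logon trigger, hidden,
# action pointing at the config's install_path.
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
    </LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <Hidden>true</Hidden>
    <StartWhenAvailable>true</StartWhenAvailable>
    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\Admin\AppData\Roaming\Install\Host.exe</Command>
    </Exec>
  </Actions>
</Task>
"""

# Constructed benign task for comparison: system binary, calendar trigger.
BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger><StartBoundary>2022-10-12T04:30:00</StartBoundary></CalendarTrigger>
  </Triggers>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions Context="Author">
    <Exec><Command>C:\Windows\System32\cleanmgr.exe</Command><Arguments>/autoclean</Arguments></Exec>
  </Actions>
</Task>
"""

# Locations an unprivileged user can write to; an action there is the
# primary signal, the trigger and Hidden flag are supporting context.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\|\\ProgramData\\|\\Temp\\", re.I)


def summarize_task(xml_data):
    """Return triggers, actions, Hidden flag, notes and a suspicious verdict.

    xml_data may be a str or the raw bytes of a task file read from disk
    (real task files are UTF-16 with a BOM; pass the bytes unchanged and
    expat honours the BOM)."""
    root = ET.fromstring(xml_data)
    trig_el = root.find("t:Triggers", NS)
    triggers = [] if trig_el is None else [t.tag.rsplit("}", 1)[-1] for t in trig_el]
    actions = []
    for ex in root.iterfind(".//t:Exec", NS):
        actions.append((ex.findtext("t:Command", default="", namespaces=NS).strip(),
                        ex.findtext("t:Arguments", default="", namespaces=NS).strip()))
    hidden = root.findtext(".//t:Settings/t:Hidden", default="false",
                           namespaces=NS).strip().lower() == "true"
    notes, suspicious = [], False
    for cmd, _ in actions:
        if USER_WRITABLE.search(cmd):
            suspicious = True
            notes.append(f"action runs from a user-writable path: {cmd}")
    if hidden:
        notes.append("task is marked Hidden")
    if any(t in ("LogonTrigger", "BootTrigger") for t in triggers):
        notes.append("fires at logon/boot")
    return {"triggers": triggers, "actions": actions, "hidden": hidden,
            "notes": notes, "suspicious": suspicious}


if __name__ == "__main__":
    for name, xml in (("sample", SAMPLE_TASK_XML), ("benign", BENIGN_TASK_XML)):
        print(name, summarize_task(xml))
```

The verdict rests on the action path alone on purpose: logon triggers and hidden tasks are common in legitimate software, but a scheduled action under a user's AppData is rare enough outside updaters that it is the right thing to triage first. Pair the XML review with the task-registration event itself (Security event 4698, or Microsoft-Windows-TaskScheduler/Operational) to recover which process created it.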
Network
MITRE ATT&CK Enterprise v6
Downloads
(The page lists no filenames for these artifacts, only sizes and hashes.)
-
1. Filesize 1KB
   MD5     6538a0a2fd8225d24a9c2761c0e9f8e6
   SHA1    aca4ea030081636fb4453b12a4cce21005088f80
   SHA256  4172e6541997863e7de028b6520b71c87c42c1b3ec2ad7eb948cb35b0414e491
   SHA512  f97cc253a9d98e2c6158457c8dffb5c373c92e35214ebef5bfd52f1cd494d11139607d2baf3c1029fe34dd657a025d348ee96ff188cdca67ea9349ce4d29cf03
-
2. Filesize 1KB
   MD5 / SHA1 / SHA256 / SHA512 identical to entry 1
-
3. Filesize 793KB
   MD5     3f2a653458d88060d8e2dcfde4a2b396
   SHA1    8b514d159d3aad5ed0eb8b0b5ee7db53e183738e
   SHA256  af18d799c7288fc034106f041f1595591719fb64adebebc3f78b634229a7f83d
   SHA512  a4be00914fe7719d7983997e211fe1869eea4a09e31fb40989bb87c325053d76908d70173154713e8fe617739c4559759f1521333646b5d9e1a53c64cb0656a1
-
4. Filesize 793KB
   MD5 / SHA1 / SHA256 / SHA512 identical to entry 3
-
5. Filesize 793KB
   MD5 / SHA1 / SHA256 / SHA512 identical to entry 3

Entries 1 and 2 are two byte-identical 1KB files, consistent with the two /XML task definitions (tmpB602.tmp and tmp76D1.tmp) that the schtasks invocations consumed. Entries 3 to 5 carry exactly the submitted sample's hashes (see General above), so each is an unmodified copy of the original executable; the dropped %AppData%\Install\Host.exe is the obvious candidate, which also means the on-disk file hashes give you nothing the sample hashes did not. Hunting and blocking therefore belong on the behaviour (the task name, the "{path}" command line, the C2 socket) rather than on these file hashes alone.