Analysis
- max time kernel: 153s
- max time network: 160s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 12-10-2022 14:48
Static task: static1
Behavioral task: behavioral1
- Sample: INV384878348938.exe
- Resource: win7-20220812-en
General
- Target: INV384878348938.exe
- Size: 1017KB
- MD5: dc5955217a168760ffeddb431d90ab01
- SHA1: ae82750bc7a1c1df086464a65998388e72e5af68
- SHA256: 7081a319ab13e92853c07ab0d9d947178e4d615ad77e640109184acdb325b223
- SHA512: e8d591c304af4a00eb81dbe970b7dafea60342358ac11f4a6ab70471c226ae1e0904353aa894404645e1528985bd2a13062bf089296c7ceab90ca8b45c073703
- SSDEEP: 12288:ALp/8q4UYJIrqMnyNaPHlwsdC9MsbpE7+RdWj/WZsnNK1cWb/v0paqVPxuo6J9S:cYoqAyNaPHlhdYMsbyaRcMsA1cWj9S
Malware Config
Extracted: netwire
- C2 host: podzeye2.duckdns.org:4433
- activex_autorun: false
- copy_executable: false
- delete_original: false
- host_id: HostId-%Rand%
- lock_executable: false
- offline_keylogger: false
- password: Password
- registry_autorun: false
- use_mutex: false
Signatures
- NetWire RAT payload (7 IoCs)
  resource / yara_rule:
  - behavioral1/memory/556-69-0x0000000000400000-0x0000000000450000-memory.dmp / netwire
  - behavioral1/memory/556-71-0x0000000000400000-0x0000000000450000-memory.dmp / netwire
  - behavioral1/memory/556-72-0x0000000000400000-0x0000000000450000-memory.dmp / netwire
  - behavioral1/memory/556-74-0x0000000000400000-0x0000000000450000-memory.dmp / netwire
  - behavioral1/memory/556-75-0x000000000041AE7B-mapping.dmp / netwire
  - behavioral1/memory/556-78-0x0000000000400000-0x0000000000450000-memory.dmp / netwire
  - behavioral1/memory/556-80-0x0000000000400000-0x0000000000450000-memory.dmp / netwire
- Uses the VBS compiler for execution (1 TTPs)
- Suspicious use of SetThreadContext (1 IoCs)
  description / pid / Process / procid_target:
  - PID 1692 set thread context of 556 / 1692 / INV384878348938.exe / 32
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid / Process:
  - 1716 / schtasks.exe
- Suspicious behavior: EnumeratesProcesses (7 IoCs)
  pid / Process:
  - 1692 / INV384878348938.exe (6 entries)
  - 1956 / powershell.exe (1 entry)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description / pid / Process:
  - Token: SeDebugPrivilege / 1692 / INV384878348938.exe
  - Token: SeDebugPrivilege / 1956 / powershell.exe
- Suspicious use of WriteProcessMemory (19 IoCs)
  description / pid / Process / procid_target:
  - PID 1692 wrote to memory of 1956 / 1692 / INV384878348938.exe / 28 (4 entries)
  - PID 1692 wrote to memory of 1716 / 1692 / INV384878348938.exe / 30 (4 entries)
  - PID 1692 wrote to memory of 556 / 1692 / INV384878348938.exe / 32 (11 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\INV384878348938.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\INV384878348938.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1692
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\KFLUADQenQDO.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1956
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KFLUADQenQDO" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1759.tmp"
    - Creates scheduled task(s)
    PID: 1716
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    PID: 556
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 1KB
  MD5: f34524fe17e3d3eca20142ded47e9939
  SHA1: ed52da6fb4e89e2d9dbaf26fe4c696d7872e27ae
  SHA256: 955b31d50bdf8bcdad09a34a6f912f19b433ee72227c497a8685b66a6d510999
  SHA512: f3eebd61a79c8222c9c93edfe44ab6c260f0a56c30f1663d07e262a8190c2a77867241b8c51e4602dff82ddd231d1d3ec4111986f1c3a214d47ce8f83ca22964