Analysis
- max time kernel: 137s
- max time network: 144s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 12-10-2022 14:48

Static task: static1
Behavioral task: behavioral1
Sample: INV384878348938.exe
Resource: win7-20220901-en
General
- Target: INV384878348938.exe
- Size: 1017KB
- MD5: dc5955217a168760ffeddb431d90ab01
- SHA1: ae82750bc7a1c1df086464a65998388e72e5af68
- SHA256: 7081a319ab13e92853c07ab0d9d947178e4d615ad77e640109184acdb325b223
- SHA512: e8d591c304af4a00eb81dbe970b7dafea60342358ac11f4a6ab70471c226ae1e0904353aa894404645e1528985bd2a13062bf089296c7ceab90ca8b45c073703
- SSDEEP: 12288:ALp/8q4UYJIrqMnyNaPHlwsdC9MsbpE7+RdWj/WZsnNK1cWb/v0paqVPxuo6J9S:cYoqAyNaPHlhdYMsbyaRcMsA1cWj9S
Malware Config
Extracted
- family: netwire
- C2: podzeye2.duckdns.org:4433
- activex_autorun: false
- copy_executable: false
- delete_original: false
- host_id: HostId-%Rand%
- lock_executable: false
- offline_keylogger: false
- password: Password
- registry_autorun: false
- use_mutex: false
Signatures
- NetWire RAT payload (7 IoCs)
  Resource / YARA rule:
    behavioral1/memory/112-69-0x0000000000400000-0x0000000000450000-memory.dmp  netwire
    behavioral1/memory/112-71-0x0000000000400000-0x0000000000450000-memory.dmp  netwire
    behavioral1/memory/112-72-0x0000000000400000-0x0000000000450000-memory.dmp  netwire
    behavioral1/memory/112-75-0x000000000041AE7B-mapping.dmp  netwire
    behavioral1/memory/112-74-0x0000000000400000-0x0000000000450000-memory.dmp  netwire
    behavioral1/memory/112-78-0x0000000000400000-0x0000000000450000-memory.dmp  netwire
    behavioral1/memory/112-80-0x0000000000400000-0x0000000000450000-memory.dmp  netwire
- Uses the VBS compiler for execution (1 TTP)
- Suspicious use of SetThreadContext (1 IoC)
  PID 1380 (INV384878348938.exe) set thread context of PID 112 (vbc.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (11 IoCs)
  PID 1380 INV384878348938.exe (10 hits)
  PID 1116 powershell.exe (1 hit)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  PID 1380 INV384878348938.exe
  Token: SeDebugPrivilege  PID 1116 powershell.exe
- Suspicious use of WriteProcessMemory (35 IoCs)
  PID 1380 (INV384878348938.exe) wrote to the memory of:
    PID 1116 powershell.exe  (4 writes)
    PID 1136 schtasks.exe    (4 writes)
    PID 620  vbc.exe         (4 writes)
    PID 2032 vbc.exe         (4 writes)
    PID 1328 vbc.exe         (4 writes)
    PID 1852 vbc.exe         (4 writes)
    PID 112  vbc.exe         (11 writes)
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\INV384878348938.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\INV384878348938.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\KFLUADQenQDO.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - [depth 2] C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KFLUADQenQDO" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF1BF.tmp"
    - Creates scheduled task(s)
  - [depth 2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  - [depth 2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  - [depth 2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  - [depth 2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  - [depth 2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpF1BF.tmp
  Filesize: 1KB
  MD5: cea4f7e6f4d319b4e6616a03cf77ae8f
  SHA1: 49108b96ce1c5ab35aa2fe1c939eb37b24f99d6c
  SHA256: 86c225fef3be8f1c8c362563d6f74032920b88cd65924775253a03bfbc7c8200
  SHA512: 03af8dd688a100dfa15b0c76c35ddb4e3cc7abe1c69401c2d00943790038f5f76b79a935c56dcb93ce16c00802032b75a018d534ea81564a73d8cc382f0e79bd
- memory/112-75-0x000000000041AE7B-mapping.dmp
- memory/112-69-0x0000000000400000-0x0000000000450000-memory.dmp
  Filesize: 320KB
- memory/112-64-0x0000000000400000-0x0000000000450000-memory.dmp
  Filesize: 320KB
- memory/112-80-0x0000000000400000-0x0000000000450000-memory.dmp
  Filesize: 320KB
- memory/112-65-0x0000000000400000-0x0000000000450000-memory.dmp
  Filesize: 320KB
- memory/112-78-0x0000000000400000-0x0000000000450000-memory.dmp
  Filesize: 320KB
- memory/112-74-0x0000000000400000-0x0000000000450000-memory.dmp
  Filesize: 320KB
- memory/112-67-0x0000000000400000-0x0000000000450000-memory.dmp
  Filesize: 320KB
- memory/112-72-0x0000000000400000-0x0000000000450000-memory.dmp
  Filesize: 320KB
- memory/112-71-0x0000000000400000-0x0000000000450000-memory.dmp
  Filesize: 320KB
- memory/1116-79-0x000000006D1F0000-0x000000006D79B000-memory.dmp
  Filesize: 5.7MB
- memory/1116-81-0x000000006D1F0000-0x000000006D79B000-memory.dmp
  Filesize: 5.7MB
- memory/1116-59-0x0000000000000000-mapping.dmp
- memory/1136-60-0x0000000000000000-mapping.dmp
- memory/1380-63-0x0000000004EC0000-0x0000000004F0A000-memory.dmp
  Filesize: 296KB
- memory/1380-56-0x00000000004E0000-0x00000000004FA000-memory.dmp
  Filesize: 104KB
- memory/1380-54-0x00000000003A0000-0x00000000004A4000-memory.dmp
  Filesize: 1.0MB
- memory/1380-55-0x00000000757A1000-0x00000000757A3000-memory.dmp
  Filesize: 8KB
- memory/1380-58-0x0000000004C70000-0x0000000004D14000-memory.dmp
  Filesize: 656KB
- memory/1380-57-0x00000000002C0000-0x00000000002CC000-memory.dmp
  Filesize: 48KB