netwire | 2ab9934c6f1943130335ca6ca749a47b06f70b1011c480e8d194f2a0f3ac850d

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions	2ab9934c6f1943130335ca6ca749a47b06f70b1011c480e8d194f2a0f3ac850d.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions	Host.exe

Executes dropped EXE 2 IoCs

pid	Process
2040	Host.exe
4980	Host.exe

Looks for VMWare Tools registry key 2 TTPs 2 IoCs

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	Host.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	2ab9934c6f1943130335ca6ca749a47b06f70b1011c480e8d194f2a0f3ac850d.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2ab9934c6f1943130335ca6ca749a47b06f70b1011c480e8d194f2a0f3ac850d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2ab9934c6f1943130335ca6ca749a47b06f70b1011c480e8d194f2a0f3ac850d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Host.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Host.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	2ab9934c6f1943130335ca6ca749a47b06f70b1011c480e8d194f2a0f3ac850d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	2ab9934c6f1943130335ca6ca749a47b06f70b1011c480e8d194f2a0f3ac850d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	Host.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	Host.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe"	Host.exe

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	2ab9934c6f1943130335ca6ca749a47b06f70b1011c480e8d194f2a0f3ac850d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	Host.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	Host.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	2ab9934c6f1943130335ca6ca749a47b06f70b1011c480e8d194f2a0f3ac850d.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2748 set thread context of 3940	2748	2ab9934c6f1943130335ca6ca749a47b06f70b1011c480e8d194f2a0f3ac850d.exe	97
PID 2040 set thread context of 4980	2040	Host.exe	105

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
4452	schtasks.exe
4028	schtasks.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
2748	2ab9934c6f1943130335ca6ca749a47b06f70b1011c480e8d194f2a0f3ac850d.exe
2748	2ab9934c6f1943130335ca6ca749a47b06f70b1011c480e8d194f2a0f3ac850d.exe
2748	2ab9934c6f1943130335ca6ca749a47b06f70b1011c480e8d194f2a0f3ac850d.exe
2452	powershell.exe
2748	2ab9934c6f1943130335ca6ca749a47b06f70b1011c480e8d194f2a0f3ac850d.exe
4936	powershell.exe
2748	2ab9934c6f1943130335ca6ca749a47b06f70b1011c480e8d194f2a0f3ac850d.exe
4936	powershell.exe
2452	powershell.exe
2040	Host.exe
3720	powershell.exe
700	powershell.exe
2040	Host.exe
3720	powershell.exe
700	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2748	2ab9934c6f1943130335ca6ca749a47b06f70b1011c480e8d194f2a0f3ac850d.exe
Token: SeDebugPrivilege	2452	powershell.exe
Token: SeDebugPrivilege	4936	powershell.exe
Token: SeDebugPrivilege	2040	Host.exe
Token: SeDebugPrivilege	3720	powershell.exe
Token: SeDebugPrivilege	700	powershell.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 2748 wrote to memory of 2452	2748	2ab9934c6f1943130335ca6ca749a47b06f70b1011c480e8d194f2a0f3ac850d.exe	91
PID 2748 wrote to memory of 2452	2748	2ab9934c6f1943130335ca6ca749a47b06f70b1011c480e8d194f2a0f3ac850d.exe	91
PID 2748 wrote to memory of 2452	2748	2ab9934c6f1943130335ca6ca749a47b06f70b1011c480e8d194f2a0f3ac850d.exe	91
PID 2748 wrote to memory of 4936	2748	2ab9934c6f1943130335ca6ca749a47b06f70b1011c480e8d194f2a0f3ac850d.exe	93
PID 2748 wrote to memory of 4936	2748	2ab9934c6f1943130335ca6ca749a47b06f70b1011c480e8d194f2a0f3ac850d.exe	93
PID 2748 wrote to memory of 4936	2748	2ab9934c6f1943130335ca6ca749a47b06f70b1011c480e8d194f2a0f3ac850d.exe	93
PID 2748 wrote to memory of 4452	2748	2ab9934c6f1943130335ca6ca749a47b06f70b1011c480e8d194f2a0f3ac850d.exe	95
PID 2748 wrote to memory of 4452	2748	2ab9934c6f1943130335ca6ca749a47b06f70b1011c480e8d194f2a0f3ac850d.exe	95
PID 2748 wrote to memory of 4452	2748	2ab9934c6f1943130335ca6ca749a47b06f70b1011c480e8d194f2a0f3ac850d.exe	95
PID 2748 wrote to memory of 3940	2748	2ab9934c6f1943130335ca6ca749a47b06f70b1011c480e8d194f2a0f3ac850d.exe	97
PID 2748 wrote to memory of 3940	2748	2ab9934c6f1943130335ca6ca749a47b06f70b1011c480e8d194f2a0f3ac850d.exe	97
PID 2748 wrote to memory of 3940	2748	2ab9934c6f1943130335ca6ca749a47b06f70b1011c480e8d194f2a0f3ac850d.exe	97
PID 2748 wrote to memory of 3940	2748	2ab9934c6f1943130335ca6ca749a47b06f70b1011c480e8d194f2a0f3ac850d.exe	97
PID 2748 wrote to memory of 3940	2748	2ab9934c6f1943130335ca6ca749a47b06f70b1011c480e8d194f2a0f3ac850d.exe	97
PID 2748 wrote to memory of 3940	2748	2ab9934c6f1943130335ca6ca749a47b06f70b1011c480e8d194f2a0f3ac850d.exe	97
PID 2748 wrote to memory of 3940	2748	2ab9934c6f1943130335ca6ca749a47b06f70b1011c480e8d194f2a0f3ac850d.exe	97
PID 2748 wrote to memory of 3940	2748	2ab9934c6f1943130335ca6ca749a47b06f70b1011c480e8d194f2a0f3ac850d.exe	97
PID 2748 wrote to memory of 3940	2748	2ab9934c6f1943130335ca6ca749a47b06f70b1011c480e8d194f2a0f3ac850d.exe	97
PID 2748 wrote to memory of 3940	2748	2ab9934c6f1943130335ca6ca749a47b06f70b1011c480e8d194f2a0f3ac850d.exe	97
PID 2748 wrote to memory of 3940	2748	2ab9934c6f1943130335ca6ca749a47b06f70b1011c480e8d194f2a0f3ac850d.exe	97
PID 3940 wrote to memory of 2040	3940	2ab9934c6f1943130335ca6ca749a47b06f70b1011c480e8d194f2a0f3ac850d.exe	98
PID 3940 wrote to memory of 2040	3940	2ab9934c6f1943130335ca6ca749a47b06f70b1011c480e8d194f2a0f3ac850d.exe	98
PID 3940 wrote to memory of 2040	3940	2ab9934c6f1943130335ca6ca749a47b06f70b1011c480e8d194f2a0f3ac850d.exe	98
PID 2040 wrote to memory of 3720	2040	Host.exe	99
PID 2040 wrote to memory of 3720	2040	Host.exe	99
PID 2040 wrote to memory of 3720	2040	Host.exe	99
PID 2040 wrote to memory of 700	2040	Host.exe	101
PID 2040 wrote to memory of 700	2040	Host.exe	101
PID 2040 wrote to memory of 700	2040	Host.exe	101
PID 2040 wrote to memory of 4028	2040	Host.exe	103
PID 2040 wrote to memory of 4028	2040	Host.exe	103
PID 2040 wrote to memory of 4028	2040	Host.exe	103
PID 2040 wrote to memory of 4980	2040	Host.exe	105
PID 2040 wrote to memory of 4980	2040	Host.exe	105
PID 2040 wrote to memory of 4980	2040	Host.exe	105
PID 2040 wrote to memory of 4980	2040	Host.exe	105
PID 2040 wrote to memory of 4980	2040	Host.exe	105
PID 2040 wrote to memory of 4980	2040	Host.exe	105
PID 2040 wrote to memory of 4980	2040	Host.exe	105
PID 2040 wrote to memory of 4980	2040	Host.exe	105
PID 2040 wrote to memory of 4980	2040	Host.exe	105
PID 2040 wrote to memory of 4980	2040	Host.exe	105
PID 2040 wrote to memory of 4980	2040	Host.exe	105

C:\Users\Admin\AppData\Local\Temp\2ab9934c6f1943130335ca6ca749a47b06f70b1011c480e8d194f2a0f3ac850d.exe
"C:\Users\Admin\AppData\Local\Temp\2ab9934c6f1943130335ca6ca749a47b06f70b1011c480e8d194f2a0f3ac850d.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\2ab9934c6f1943130335ca6ca749a47b06f70b1011c480e8d194f2a0f3ac850d.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2452
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ZqCpvOTXTOGWy.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4936
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZqCpvOTXTOGWy" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4BC9.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:4452
- C:\Users\Admin\AppData\Local\Temp\2ab9934c6f1943130335ca6ca749a47b06f70b1011c480e8d194f2a0f3ac850d.exe
  "C:\Users\Admin\AppData\Local\Temp\2ab9934c6f1943130335ca6ca749a47b06f70b1011c480e8d194f2a0f3ac850d.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3940
- - C:\Users\Admin\AppData\Roaming\Install\Host.exe
    "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
    3⤵
    - Looks for VirtualBox Guest Additions in registry
    - Executes dropped EXE
    - Looks for VMWare Tools registry key
    - Checks BIOS information in registry
    - Checks computer location settings
    - Maps connected drives based on registry
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2040
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3720
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ZqCpvOTXTOGWy.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:700
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZqCpvOTXTOGWy" /XML "C:\Users\Admin\AppData\Local\Temp\tmp97C.tmp"
      4⤵
      Creates scheduled task(s)
      PID:4028
  - - C:\Users\Admin\AppData\Roaming\Install\Host.exe
      "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:4980

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion