Analysis
- max time kernel: 90s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-10-2022 21:12
Static task: static1
Behavioral task: behavioral1
- Sample: f95ca970fd36c1bd26cc1cb4a3906dcfce59ae7295853f474dc12256abb0afb4.exe
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: f95ca970fd36c1bd26cc1cb4a3906dcfce59ae7295853f474dc12256abb0afb4.exe
- Resource: win10v2004-20220901-en
General
- Target: f95ca970fd36c1bd26cc1cb4a3906dcfce59ae7295853f474dc12256abb0afb4.exe
- Size: 85KB
- MD5: a1fa94f6a3152f357ea81ab6e5d4e0b0
- SHA1: d739823af398a63766671fa75b1e2f3deae65fd6
- SHA256: f95ca970fd36c1bd26cc1cb4a3906dcfce59ae7295853f474dc12256abb0afb4
- SHA512: 4aa3a4cb9c36aef859d286576efaf099e64ceb9e4759c303f823b6b0fbb9751da39ae60bd2bb680020d58b4236d74b5a1c9e41636737acd12c3df833d74cadc8
- SSDEEP: 1536:EKDAfxn6ptAU1iASaS82Hu7hNYPhWe7WHfVQa9zHU2BBLrgUoYXj3WxyEGLD8:EKDAIpthLSVYhePhPqHfaaZpvSu8
Malware Config
Signatures
- NetWire RAT payload (1 IoCs)
  Resource: behavioral2/memory/1444-142-0x0000000000400000-0x0000000000418000-memory.dmp, yara_rule: netwire
- Executes dropped EXE (1 IoCs)
  Process: Host.exe (PID 1940)
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation, process: f95ca970fd36c1bd26cc1cb4a3906dcfce59ae7295853f474dc12256abb0afb4.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run, process: reg.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bVsS7o2nDI = "C:\\Users\\Admin\\AppData\\Roaming\\eIOKfjAZ\\qfc4rnO.exe.lnk", process: reg.exe
- Suspicious use of SetThreadContext (1 IoCs)
  PID 1380 (f95ca970fd36c1bd26cc1cb4a3906dcfce59ae7295853f474dc12256abb0afb4.exe) set thread context of PID 1444 (cvtres.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 1380 f95ca970fd36c1bd26cc1cb4a3906dcfce59ae7295853f474dc12256abb0afb4.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Token: SeDebugPrivilege, PID 1380 f95ca970fd36c1bd26cc1cb4a3906dcfce59ae7295853f474dc12256abb0afb4.exe
- Suspicious use of WriteProcessMemory (17 IoCs)
  PID 1380 (f95ca970fd36c1bd26cc1cb4a3906dcfce59ae7295853f474dc12256abb0afb4.exe) wrote to memory of PID 3596 (cmd.exe): 3 entries
  PID 3596 (cmd.exe) wrote to memory of PID 1264 (reg.exe): 3 entries
  PID 1380 (f95ca970fd36c1bd26cc1cb4a3906dcfce59ae7295853f474dc12256abb0afb4.exe) wrote to memory of PID 1444 (cvtres.exe): 8 entries
  PID 1444 (cvtres.exe) wrote to memory of PID 1940 (Host.exe): 3 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\f95ca970fd36c1bd26cc1cb4a3906dcfce59ae7295853f474dc12256abb0afb4.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\f95ca970fd36c1bd26cc1cb4a3906dcfce59ae7295853f474dc12256abb0afb4.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "C:\Windows\system32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "bVsS7o2nDI" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\eIOKfjAZ\qfc4rnO.exe.lnk"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe (level 3)
      Command line: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "bVsS7o2nDI" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\eIOKfjAZ\qfc4rnO.exe.lnk"
      - Adds Run key to start application
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (level 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Install\Host.exe (level 3)
      Command line: "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Install\Host.exe
  Filesize: 34KB
  MD5: e118330b4629b12368d91b9df6488be0
  SHA1: ce90218c7e3b90df2a3409ec253048bb6472c2fd
  SHA256: 3a0f2936b8c45e8ba3458d69d7859a63844469e698652e15fb56639d32f40cc9
  SHA512: ac91c04cb20223dbaaf594440cb778dff36e857921be427c8528ba4c6cdb3e8bf8e71e1ae8af7bde9c04ff5b97b379231625bc1a2b66aba2f98cd340cd8a94b0
- memory/1264-134-0x0000000000000000-mapping.dmp
- memory/1380-132-0x0000000074E40000-0x00000000753F1000-memory.dmp (Filesize: 5.7MB)
- memory/1380-139-0x0000000074E40000-0x00000000753F1000-memory.dmp (Filesize: 5.7MB)
- memory/1444-135-0x0000000000000000-mapping.dmp
- memory/1444-136-0x0000000000400000-0x0000000000418000-memory.dmp (Filesize: 96KB)
- memory/1444-138-0x0000000000400000-0x0000000000418000-memory.dmp (Filesize: 96KB)
- memory/1444-142-0x0000000000400000-0x0000000000418000-memory.dmp (Filesize: 96KB)
- memory/1940-140-0x0000000000000000-mapping.dmp
- memory/3596-133-0x0000000000000000-mapping.dmp