Analysis
- max time kernel: 150s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-11-2022 23:19
Static task: static1
Behavioral task: behavioral1
- Sample: f176551008ead792dc4d981c0b1c2ad48f3f2bab30fb76fb62264c096f11739d.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: f176551008ead792dc4d981c0b1c2ad48f3f2bab30fb76fb62264c096f11739d.exe
- Resource: win10v2004-20220901-en
General
- Target: f176551008ead792dc4d981c0b1c2ad48f3f2bab30fb76fb62264c096f11739d.exe
- Size: 875KB
- MD5: 9e31a336dd9e73df1cabf3d3b8e3d489
- SHA1: 349253da2192e6c146631bbf9566d06430b015bf
- SHA256: f176551008ead792dc4d981c0b1c2ad48f3f2bab30fb76fb62264c096f11739d
- SHA512: 0e25b7ada6d67c4c98a4105c959b6888adda10fe123f35d720364ccb361efa5ca8e863700ee9aaa86bd3536306396ec13fa61d2885ff8f84957e85a11a9ba6cd
- SSDEEP: 12288:caWzgMg7v3qnCiMErQohh0F4CCJ8lny/QswI0+u0DrvssN8q:jaHMv6Corjqny/QNI0+VXssKq
Malware Config
Signatures
NetWire RAT payload (2 IoCs)
Processes (resource / yara_rule):
- behavioral2/memory/4868-139-0x0000000000400000-0x0000000000417000-memory.dmp / netwire
- behavioral2/memory/5084-145-0x0000000000400000-0x0000000000417000-memory.dmp / netwire
Executes dropped EXE (2 IoCs)
Processes (pid / process):
- 848 / Host.exe
- 5084 / Host.exe
Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
Processes (description / ioc / process):
- Key created / \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{XTV2TOCI-0048-CP6U-0UC5-5FV14W0LO46U} / Host.exe
- Set value (str) / \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{XTV2TOCI-0048-CP6U-0UC5-5FV14W0LO46U}\StubPath = "\"C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe\"" / Host.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Processes (description / ioc / process):
- Key value queried / \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation / f176551008ead792dc4d981c0b1c2ad48f3f2bab30fb76fb62264c096f11739d.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes (description / ioc / process):
- Key created / \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ / Host.exe
- Set value (str) / \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NetWire = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe" / Host.exe
AutoIT Executable (3 IoCs)
AutoIT scripts compiled to PE executables.
Processes (resource / yara_rule):
- C:\Users\Admin\AppData\Roaming\Install\Host.exe / autoit_exe
- C:\Users\Admin\AppData\Roaming\Install\Host.exe / autoit_exe
- C:\Users\Admin\AppData\Roaming\Install\Host.exe / autoit_exe
Suspicious use of SetThreadContext (2 IoCs)
Processes (description / pid / process / target process):
- PID 1616 set thread context of 4868 / 1616 / f176551008ead792dc4d981c0b1c2ad48f3f2bab30fb76fb62264c096f11739d.exe / f176551008ead792dc4d981c0b1c2ad48f3f2bab30fb76fb62264c096f11739d.exe
- PID 848 set thread context of 5084 / 848 / Host.exe / Host.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of FindShellTrayWindow (6 IoCs)
Processes (pid / process):
- 1616 / f176551008ead792dc4d981c0b1c2ad48f3f2bab30fb76fb62264c096f11739d.exe (3 entries)
- 848 / Host.exe (3 entries)
Suspicious use of SendNotifyMessage (6 IoCs)
Processes (pid / process):
- 1616 / f176551008ead792dc4d981c0b1c2ad48f3f2bab30fb76fb62264c096f11739d.exe (3 entries)
- 848 / Host.exe (3 entries)
Suspicious use of WriteProcessMemory (19 IoCs)
Processes (description / pid / process / target process); the 19 logged entries are repeats of these three events:
- PID 1616 wrote to memory of 4868 / 1616 / f176551008ead792dc4d981c0b1c2ad48f3f2bab30fb76fb62264c096f11739d.exe / f176551008ead792dc4d981c0b1c2ad48f3f2bab30fb76fb62264c096f11739d.exe
- PID 4868 wrote to memory of 848 / 4868 / f176551008ead792dc4d981c0b1c2ad48f3f2bab30fb76fb62264c096f11739d.exe / Host.exe
- PID 848 wrote to memory of 5084 / 848 / Host.exe / Host.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\f176551008ead792dc4d981c0b1c2ad48f3f2bab30fb76fb62264c096f11739d.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\f176551008ead792dc4d981c0b1c2ad48f3f2bab30fb76fb62264c096f11739d.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\f176551008ead792dc4d981c0b1c2ad48f3f2bab30fb76fb62264c096f11739d.exe (child of 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\f176551008ead792dc4d981c0b1c2ad48f3f2bab30fb76fb62264c096f11739d.exe"
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Roaming\Install\Host.exe (child of 2)
         Command line: "C:\Users\Admin\AppData\Roaming\Install\Host.exe" -m C:\Users\Admin\AppData\Local\Temp\f176551008ead792dc4d981c0b1c2ad48f3f2bab30fb76fb62264c096f11739d.exe
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious use of FindShellTrayWindow
         - Suspicious use of SendNotifyMessage
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Roaming\Install\Host.exe (child of 3)
            Command line: "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
            - Executes dropped EXE
            - Modifies Installed Components in the registry
            - Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Install\Host.exe
  Filesize: 875KB
  MD5: 9e31a336dd9e73df1cabf3d3b8e3d489
  SHA1: 349253da2192e6c146631bbf9566d06430b015bf
  SHA256: f176551008ead792dc4d981c0b1c2ad48f3f2bab30fb76fb62264c096f11739d
  SHA512: 0e25b7ada6d67c4c98a4105c959b6888adda10fe123f35d720364ccb361efa5ca8e863700ee9aaa86bd3536306396ec13fa61d2885ff8f84957e85a11a9ba6cd
- memory/848-136-0x0000000000000000-mapping.dmp
- memory/4868-132-0x0000000000000000-mapping.dmp
- memory/4868-133-0x0000000000400000-0x0000000000417000-memory.dmp (Filesize: 92KB)
- memory/4868-135-0x0000000000400000-0x0000000000417000-memory.dmp (Filesize: 92KB)
- memory/4868-139-0x0000000000400000-0x0000000000417000-memory.dmp (Filesize: 92KB)
- memory/5084-140-0x0000000000000000-mapping.dmp
- memory/5084-145-0x0000000000400000-0x0000000000417000-memory.dmp (Filesize: 92KB)