Analysis
- max time kernel: 143s
- max time network: 158s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-11-2022 23:20
Static task: static1
Behavioral task: behavioral1
- Sample: 091377dc5c61d022795bf00d91bbffbfb250f854ea407e7e165a623dfed03fd3.exe
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: 091377dc5c61d022795bf00d91bbffbfb250f854ea407e7e165a623dfed03fd3.exe
- Resource: win10v2004-20220812-en
General
- Target: 091377dc5c61d022795bf00d91bbffbfb250f854ea407e7e165a623dfed03fd3.exe
- Size: 788KB
- MD5: fba4cfca681290f9c0615883dd498edc
- SHA1: 116124c7e38ba937363345e468f38c0519432c68
- SHA256: 091377dc5c61d022795bf00d91bbffbfb250f854ea407e7e165a623dfed03fd3
- SHA512: 392e83e324d64ecfc27998f5a02f7e7bed25613f3f8c011319801f0734a53e8d1892385d45a7b508e633d58bf921378e1f799276418fe0d88f0324e239f63eb7
- SSDEEP: 12288:KaWzgMg7v3qnCiMErQohh0F4CCJ8lny/QFvu0+u0BqM14C:laHMv6Corjqny/Q1u0+VUW4C
Malware Config
Signatures
- NetWire RAT payload (3 IoCs)
  resource | yara_rule
  behavioral2/memory/4900-138-0x0000000000400000-0x0000000000417000-memory.dmp | netwire
  behavioral2/memory/1016-145-0x0000000000400000-0x0000000000417000-memory.dmp | netwire
  behavioral2/memory/1016-146-0x0000000000400000-0x0000000000417000-memory.dmp | netwire

- Executes dropped EXE (2 IoCs)
  pid | process
  3456 | Host.exe
  1016 | Host.exe

- Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{GM456GE0-TSO8-487M-610R-68H772ST4V0X} | Host.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{GM456GE0-TSO8-487M-610R-68H772ST4V0X}\StubPath = "\"C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe\"" | Host.exe

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | 091377dc5c61d022795bf00d91bbffbfb250f854ea407e7e165a623dfed03fd3.exe

- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ | Host.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Powerload = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe" | Host.exe

- AutoIT Executable (3 IoCs)
  AutoIT scripts compiled to PE executables.
  resource | yara_rule
  C:\Users\Admin\AppData\Roaming\Install\Host.exe | autoit_exe (x3)

- Suspicious use of SetThreadContext (2 IoCs)
  description | pid | process | target process
  PID 1716 set thread context of 4900 | 1716 | 091377dc5c61d022795bf00d91bbffbfb250f854ea407e7e165a623dfed03fd3.exe | 091377dc5c61d022795bf00d91bbffbfb250f854ea407e7e165a623dfed03fd3.exe
  PID 3456 set thread context of 1016 | 3456 | Host.exe | Host.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Suspicious use of FindShellTrayWindow (6 IoCs)
  pid | process
  1716 | 091377dc5c61d022795bf00d91bbffbfb250f854ea407e7e165a623dfed03fd3.exe (x3)
  3456 | Host.exe (x3)

- Suspicious use of SendNotifyMessage (6 IoCs)
  pid | process
  1716 | 091377dc5c61d022795bf00d91bbffbfb250f854ea407e7e165a623dfed03fd3.exe (x3)
  3456 | Host.exe (x3)

- Suspicious use of WriteProcessMemory (19 IoCs)
  description | pid | process | target process
  PID 1716 wrote to memory of 4900 | 1716 | 091377dc5c61d022795bf00d91bbffbfb250f854ea407e7e165a623dfed03fd3.exe | 091377dc5c61d022795bf00d91bbffbfb250f854ea407e7e165a623dfed03fd3.exe (x8)
  PID 4900 wrote to memory of 3456 | 4900 | 091377dc5c61d022795bf00d91bbffbfb250f854ea407e7e165a623dfed03fd3.exe | Host.exe (x3)
  PID 3456 wrote to memory of 1016 | 3456 | Host.exe | Host.exe (x8)
Processes
1. C:\Users\Admin\AppData\Local\Temp\091377dc5c61d022795bf00d91bbffbfb250f854ea407e7e165a623dfed03fd3.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\091377dc5c61d022795bf00d91bbffbfb250f854ea407e7e165a623dfed03fd3.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory
   2. (child of 1) C:\Users\Admin\AppData\Local\Temp\091377dc5c61d022795bf00d91bbffbfb250f854ea407e7e165a623dfed03fd3.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\091377dc5c61d022795bf00d91bbffbfb250f854ea407e7e165a623dfed03fd3.exe"
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
      3. (child of 2) C:\Users\Admin\AppData\Roaming\Install\Host.exe
         Command line: "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious use of FindShellTrayWindow
         - Suspicious use of SendNotifyMessage
         - Suspicious use of WriteProcessMemory
         4. (child of 3) C:\Users\Admin\AppData\Roaming\Install\Host.exe
            Command line: "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
            - Executes dropped EXE
            - Modifies Installed Components in the registry
            - Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Install\Host.exe
  Filesize: 788KB
  MD5: fba4cfca681290f9c0615883dd498edc
  SHA1: 116124c7e38ba937363345e468f38c0519432c68
  SHA256: 091377dc5c61d022795bf00d91bbffbfb250f854ea407e7e165a623dfed03fd3
  SHA512: 392e83e324d64ecfc27998f5a02f7e7bed25613f3f8c011319801f0734a53e8d1892385d45a7b508e633d58bf921378e1f799276418fe0d88f0324e239f63eb7
- memory/1016-140-0x0000000000000000-mapping.dmp
- memory/1016-145-0x0000000000400000-0x0000000000417000-memory.dmp (Filesize: 92KB)
- memory/1016-146-0x0000000000400000-0x0000000000417000-memory.dmp (Filesize: 92KB)
- memory/3456-136-0x0000000000000000-mapping.dmp
- memory/4900-132-0x0000000000000000-mapping.dmp
- memory/4900-133-0x0000000000400000-0x0000000000417000-memory.dmp (Filesize: 92KB)
- memory/4900-135-0x0000000000400000-0x0000000000417000-memory.dmp (Filesize: 92KB)
- memory/4900-138-0x0000000000400000-0x0000000000417000-memory.dmp (Filesize: 92KB)