Analysis
max time kernel: 225s
max time network: 294s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-11-2022 14:39
Static task: static1
Behavioral task: behavioral1
Sample: 00356e79e7a08ebf31b17e50182868d721e250858eb143e3b31e5c4d05e8a25b.exe
Resource: win7-20220812-en
General
Target: 00356e79e7a08ebf31b17e50182868d721e250858eb143e3b31e5c4d05e8a25b.exe
Size: 950KB
MD5: 5e0194f52714555150f5a255b41c1f45
SHA1: 1da2e3af983e08dbeec3931c796cc6c22d7ab67f
SHA256: 00356e79e7a08ebf31b17e50182868d721e250858eb143e3b31e5c4d05e8a25b
SHA512: e2d61183e260a093d36e2c4b4a1394197790ed4622bb4c87191fb9e1ab53e548d79e8845adf275ed7faa8d89bbcf1237e909c9de1365448adadbf927f6175585
SSDEEP: 24576:W4lavt0LkLL9IMixoEgeaqbQ9N/q9MmCS:hkwkn9IMHeaqbiaPCS
Malware Config
Signatures
NetWire RAT payload (4 IoCs)
resource                                           yara_rule
C:\Users\Admin\AppData\Local\Temp\3944\3944.exe    netwire
C:\Users\Admin\AppData\Local\Temp\3944\3944.exe    netwire
C:\Users\Admin\AppData\Roaming\Install\Host.exe    netwire
C:\Users\Admin\AppData\Roaming\Install\Host.exe    netwire

Executes dropped EXE (2 IoCs)
pid     process
4052    3944.exe
4952    Host.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
description          ioc                                                                                                  process
Key value queried    \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation    00356e79e7a08ebf31b17e50182868d721e250858eb143e3b31e5c4d05e8a25b.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic text for this signature calls it likely ransomware behaviour, but nothing else in this report shows file encryption or mass file modification, and the payload matches the netwire YARA rule, so read it here as drive enumeration by a RAT rather than as evidence of ransomware. No IoC rows are listed for this signature.
Suspicious use of WriteProcessMemory (6 IoCs)
description                          pid     process                                                                  target process
PID 4540 wrote to memory of 4052     4540    00356e79e7a08ebf31b17e50182868d721e250858eb143e3b31e5c4d05e8a25b.exe    3944.exe
PID 4540 wrote to memory of 4052     4540    00356e79e7a08ebf31b17e50182868d721e250858eb143e3b31e5c4d05e8a25b.exe    3944.exe
PID 4540 wrote to memory of 4052     4540    00356e79e7a08ebf31b17e50182868d721e250858eb143e3b31e5c4d05e8a25b.exe    3944.exe
PID 4052 wrote to memory of 4952     4052    3944.exe                                                                 Host.exe
PID 4052 wrote to memory of 4952     4052    3944.exe                                                                 Host.exe
PID 4052 wrote to memory of 4952     4052    3944.exe                                                                 Host.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\00356e79e7a08ebf31b17e50182868d721e250858eb143e3b31e5c4d05e8a25b.exe (PID 4540)
   command line: "C:\Users\Admin\AppData\Local\Temp\00356e79e7a08ebf31b17e50182868d721e250858eb143e3b31e5c4d05e8a25b.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\3944\3944.exe (PID 4052)
      command line: "C:\Users\Admin\AppData\Local\Temp\3944\3944.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Roaming\Install\Host.exe (PID 4952)
         command line: "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
         - Executes dropped EXE
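The signature tables and the process tree above give the drop chain only as flat rows. The Python below is an added example, not code from the sandbox or from the report: it rebuilds the chain from the WriteProcessMemory rows and turns the observed image paths into parent/child hunting patterns. The pids, image names and paths are transcribed from this report; the assumption that the user name, the numeric %TEMP% sub-directory and the numeric .exe name vary between infections (and so are wildcarded) is this example's own.

```python
"""Rebuild the drop chain from the report's flat WriteProcessMemory rows and turn
the observed paths into hunting patterns.  Added example: the event rows and paths
are transcribed from this report; everything else is this example's own assumption,
not code from the sandbox or from NetWire."""
import re
from collections import defaultdict

SAMPLE = "00356e79e7a08ebf31b17e50182868d721e250858eb143e3b31e5c4d05e8a25b.exe"

# (writer pid, writer image, target pid, target image), one tuple per row of the
# "Suspicious use of WriteProcessMemory" table; the report lists each pair 3 times.
WRITE_EVENTS = [
    (4540, SAMPLE, 4052, "3944.exe"),
    (4540, SAMPLE, 4052, "3944.exe"),
    (4540, SAMPLE, 4052, "3944.exe"),
    (4052, "3944.exe", 4952, "Host.exe"),
    (4052, "3944.exe", 4952, "Host.exe"),
    (4052, "3944.exe", 4952, "Host.exe"),
]

# Full image paths from the process tree, keyed by pid.
IMAGE_PATHS = {
    4540: "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE,
    4052: r"C:\Users\Admin\AppData\Local\Temp\3944\3944.exe",
    4952: r"C:\Users\Admin\AppData\Roaming\Install\Host.exe",
}


def basename(path):
    return path.rsplit("\\", 1)[-1]


def cross_process_writes(events):
    """Collapse repeated rows into unique (writer_pid, target_pid) edges with a count."""
    edges = defaultdict(int)
    for writer, _, target, _ in events:
        edges[(writer, target)] += 1
    return dict(edges)


def lineage(events, root_pid):
    """Walk writer->target edges from the root.  In this report every write target
    is also the writer's child in the process tree, so the walk is the drop chain:
    dropper -> %TEMP% payload -> %APPDATA% copy.  Assumes a linear chain."""
    children = defaultdict(list)
    for writer, target in cross_process_writes(events):
        children[writer].append(target)
    chain, pid = [root_pid], root_pid
    while children.get(pid):
        pid = children[pid][0]
        chain.append(pid)
    return chain


def hunting_regex(path):
    """Generalise one observed path into a compiled regex: any user profile, any
    numeric %TEMP% sub-directory and any numeric .exe name (assumption: those vary
    between infections while the rest of the path is stable)."""
    parts = path.split("\\")
    out = []
    for i, part in enumerate(parts):
        if i == 2 and parts[1].lower() == "users":
            out.append(r"[^\\]+")
        elif part.isdigit():
            out.append(r"\d+")
        elif re.fullmatch(r"\d+\.exe", part, re.IGNORECASE):
            out.append(r"\d+\.exe")
        else:
            out.append(re.escape(part))
    return re.compile("^" + r"\\".join(out) + "$", re.IGNORECASE)


def parent_child_rules(events, paths):
    """Per edge, a (parent_pattern, child_pattern, write_count) triple for a
    parent/child process detection on endpoint telemetry."""
    return [
        (hunting_regex(paths[w]).pattern, hunting_regex(paths[t]).pattern, n)
        for (w, t), n in cross_process_writes(events).items()
    ]


if __name__ == "__main__":
    chain = lineage(WRITE_EVENTS, 4540)
    print(" -> ".join(f"{basename(IMAGE_PATHS[p])} ({p})" for p in chain))
    for parent, child, n in parent_child_rules(WRITE_EVENTS, IMAGE_PATHS):
        print(f"{n} writes: parent={parent}")
        print(f"          child={child}")
```

The Geo\Nation lookup flagged under "Checks computer location settings" is a registry read, and Sysmon's registry events (12, 13 and 14) record key and value writes and renames, not reads, so on a host the parent/child path pairs produced here are the practical hunt for this chain; the two memory dumps listed under Downloads are where to confirm what the parent actually wrote into each child.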
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
The two dropped files below have identical size and hashes: Host.exe under C:\Users\Admin\AppData\Roaming\Install (%APPDATA%\Install) is a byte-for-byte copy of 3944.exe from the %TEMP%\3944 directory, i.e. the 81KB payload extracted by the 950KB dropper copies itself into the roaming profile before running from there. The report lists each file twice with the same values.

C:\Users\Admin\AppData\Local\Temp\3944\3944.exe
Filesize: 81KB
MD5: a727bf4a943b54b94109e90b91517313
SHA1: 7cbbaf0c1f08003e3133b1ba78292b4f07ccd314
SHA256: 2fd2c2d91bb345f187e54d3b75dc08678ae0effff6d0e385c84f823e3ca4374a
SHA512: c85d6155f2e95a7cde387b7a88249fe40113e301823636aeb9dda02d03f2a8c7cac8cc6b1cd6b6f5302f900282c9ed0e34c3d0da617832ce064c4e1d258817a2

C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize: 81KB
MD5: a727bf4a943b54b94109e90b91517313
SHA1: 7cbbaf0c1f08003e3133b1ba78292b4f07ccd314
SHA256: 2fd2c2d91bb345f187e54d3b75dc08678ae0effff6d0e385c84f823e3ca4374a
SHA512: c85d6155f2e95a7cde387b7a88249fe40113e301823636aeb9dda02d03f2a8c7cac8cc6b1cd6b6f5302f900282c9ed0e34c3d0da617832ce064c4e1d258817a2

Memory dumps
memory/4052-132-0x0000000000000000-mapping.dmp
memory/4952-135-0x0000000000000000-mapping.dmp
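As an added example (not part of the report), the Python below turns the Downloads entries above into a working IoC set: it de-duplicates the repeated rows, shows that both paths carry one and the same file, rewrites the paths with the environment variables Windows expands them from, and hashes local data with the report's four algorithms for comparison. The hash values are transcribed from the report; the %APPDATA%/%TEMP% mapping assumes a default profile layout and the helper names are this example's own.

```python
"""Dropped-file triage for this report: dedupe the Downloads entries, show that the
two paths carry one and the same file, and check local data against the hash set.
Added example; hash values are transcribed from the report, the helpers are this
example's own, not the sandbox's."""
import hashlib
import re
from collections import defaultdict

PAYLOAD_MD5 = "a727bf4a943b54b94109e90b91517313"
PAYLOAD_SHA1 = "7cbbaf0c1f08003e3133b1ba78292b4f07ccd314"
PAYLOAD_SHA256 = "2fd2c2d91bb345f187e54d3b75dc08678ae0effff6d0e385c84f823e3ca4374a"

# (path, size, md5, sha1, sha256) as listed under Downloads, repeats included.
DROPPED = [
    (r"C:\Users\Admin\AppData\Local\Temp\3944\3944.exe", "81KB", PAYLOAD_MD5, PAYLOAD_SHA1, PAYLOAD_SHA256),
    (r"C:\Users\Admin\AppData\Local\Temp\3944\3944.exe", "81KB", PAYLOAD_MD5, PAYLOAD_SHA1, PAYLOAD_SHA256),
    (r"C:\Users\Admin\AppData\Roaming\Install\Host.exe", "81KB", PAYLOAD_MD5, PAYLOAD_SHA1, PAYLOAD_SHA256),
    (r"C:\Users\Admin\AppData\Roaming\Install\Host.exe", "81KB", PAYLOAD_MD5, PAYLOAD_SHA1, PAYLOAD_SHA256),
]

ALGORITHMS = ("md5", "sha1", "sha256", "sha512")  # the four the report lists


def by_sha256(records):
    """Map each SHA-256 to the sorted, de-duplicated list of paths it was seen at."""
    groups = defaultdict(set)
    for path, _size, _md5, _sha1, sha256 in records:
        groups[sha256.lower()].add(path)
    return {digest: sorted(paths) for digest, paths in groups.items()}


def self_copies(records):
    """Hashes seen at more than one path: the payload wrote a copy of itself."""
    return {d: paths for d, paths in by_sha256(records).items() if len(paths) > 1}


def env_path(path):
    """Express a profile-relative path via the variable Windows expands it from.
    Assumption: default profile layout, so AppData\\Roaming is %APPDATA% and
    AppData\\Local\\Temp is %TEMP%; other paths are returned unchanged."""
    m = re.match(r"^[A-Z]:\\Users\\[^\\]+\\AppData\\(Roaming|Local\\Temp)(\\.*)$",
                 path, re.IGNORECASE)
    if not m:
        return path
    var = "%APPDATA%" if m.group(1).lower() == "roaming" else "%TEMP%"
    return var + m.group(2)


def _digest(chunks):
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data):
    """All four digests of an in-memory blob."""
    return _digest([data])


def hash_file(path):
    """Same digests for a file on disk, streamed in 1 MiB chunks."""
    with open(path, "rb") as fh:
        return _digest(iter(lambda: fh.read(1 << 20), b""))


def match_bytes(data, records=DROPPED):
    """Report paths at which a file with this blob's SHA-256 was dropped ([] if none)."""
    return by_sha256(records).get(hash_bytes(data)["sha256"], [])


def match_file(path, records=DROPPED):
    """Same lookup for a file on disk."""
    return by_sha256(records).get(hash_file(path)["sha256"], [])


if __name__ == "__main__":
    for digest, paths in self_copies(DROPPED).items():
        print(digest, "dropped at:", ", ".join(env_path(p) for p in paths))
```

Because the dropper (950KB, SHA-256 00356e79...) and the payload (81KB, SHA-256 2fd2c2d9...) hash differently, a host check needs both values; match_file against the payload hash is what finds the %APPDATA%\Install\Host.exe copy on a machine where the %TEMP% original has already been cleaned up.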