Analysis
- max time kernel: 124s
- max time network: 159s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-11-2022 03:50

Static task: static1

Behavioral task: behavioral1
- Sample: f1796f21deed0f3b6b6d48632e95a67a3c677ebb4a5c170cfa39b7ce6c92c83c.exe
- Resource: win7-20220901-en
General
- Target: f1796f21deed0f3b6b6d48632e95a67a3c677ebb4a5c170cfa39b7ce6c92c83c.exe
- Size: 916KB
- MD5: 7cf3347c350a02b5631ff0897746a7f6
- SHA1: 839d21fe675706bf1e0e4baa8ecc824c857a3a75
- SHA256: f1796f21deed0f3b6b6d48632e95a67a3c677ebb4a5c170cfa39b7ce6c92c83c
- SHA512: 235b3162ceb0768b19f77ceaf8db0065d15943ff4ba138bb3991872528640f9a9e3a937b4060bba76a3f29bb2caa98f0f5c632c206add828a2c96702fffb6c42
- SSDEEP: 12288:mK2mhAMJ/cPlDXXFEh8h7UZYE82Y5UKUL4n4y3Xp3SbSlEeG7:H2O/GlDF77g6zwm4m53Sb2Ez
Malware Config
Signatures

NetWire RAT payload (3 IoCs)
Processes:
resource | yara_rule
behavioral2/memory/4068-139-0x0000000000400000-0x000000000041E000-memory.dmp | netwire
behavioral2/memory/4068-141-0x0000000000400000-0x000000000041E000-memory.dmp | netwire
behavioral2/memory/4068-142-0x0000000000400000-0x000000000041E000-memory.dmp | netwire

Executes dropped EXE (1 IoC)
Processes:
pid | process
2236 | neubw.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | f1796f21deed0f3b6b6d48632e95a67a3c677ebb4a5c170cfa39b7ce6c92c83c.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | neubw.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\C:\Users\Admin\DF8UCB~1 = "C:\\Users\\Admin\\DF8UCB~1\\ummrrxv.vbs" | neubw.exe

Checks whether UAC is enabled
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | neubw.exe

Suspicious use of SetThreadContext (1 IoC)
Processes:
description | pid | process | target process
PID 2236 set thread context of 4068 | 2236 | neubw.exe | RegSvcs.exe

Drops file in Windows directory (2 IoCs)
Processes:
description | ioc | process
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\.Identifier | RegSvcs.exe
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\.Identifier | RegSvcs.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
pid | process
2236 | neubw.exe
2236 | neubw.exe
2236 | neubw.exe
2236 | neubw.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
description | pid | process
Token: SeDebugPrivilege | 2236 | neubw.exe

Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
description | pid | process | target process
PID 4316 wrote to memory of 2236 | 4316 | f1796f21deed0f3b6b6d48632e95a67a3c677ebb4a5c170cfa39b7ce6c92c83c.exe | neubw.exe
PID 4316 wrote to memory of 2236 | 4316 | f1796f21deed0f3b6b6d48632e95a67a3c677ebb4a5c170cfa39b7ce6c92c83c.exe | neubw.exe
PID 4316 wrote to memory of 2236 | 4316 | f1796f21deed0f3b6b6d48632e95a67a3c677ebb4a5c170cfa39b7ce6c92c83c.exe | neubw.exe
PID 2236 wrote to memory of 4068 | 2236 | neubw.exe | RegSvcs.exe
PID 2236 wrote to memory of 4068 | 2236 | neubw.exe | RegSvcs.exe
PID 2236 wrote to memory of 4068 | 2236 | neubw.exe | RegSvcs.exe
PID 2236 wrote to memory of 4068 | 2236 | neubw.exe | RegSvcs.exe
PID 2236 wrote to memory of 4068 | 2236 | neubw.exe | RegSvcs.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\f1796f21deed0f3b6b6d48632e95a67a3c677ebb4a5c170cfa39b7ce6c92c83c.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\f1796f21deed0f3b6b6d48632e95a67a3c677ebb4a5c170cfa39b7ce6c92c83c.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\df8ucb46rmz4lh\neubw.exe
      Command line: "C:\Users\Admin\df8ucb46rmz4lh\neubw.exe" wqzyoarxjf
      - Executes dropped EXE
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
         Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
         - Drops file in Windows directory
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\DF8UCB~1\pxzqzi.ATF
- Filesize: 81KB
- MD5: 2c0b467468b1aeb65902d21e19886af9
- SHA1: adda0360e356b11dcbace9587154d8968f7cf2c4
- SHA256: 3ebc2407ea3a3b8544e70b5f5af54d78ae8a7508b70213d4965613d27daa9ab9
- SHA512: b40f0c7a9107787e1560d081d1168e41a13e56acedf72b6cd9fbb51a12d9cfdbb051308bd8410b9a07e99e79ac3402eb76dfe9818d88f2d729f997fdc87e000d

C:\Users\Admin\DF8UCB~1\vrsdpsva.ZJQ
- Filesize: 63B
- MD5: a5c44e1b6f674a570a02269650e1bac0
- SHA1: 0ee8df733ab6731e1be122aea678921c02fed849
- SHA256: df2f082929dac898d57f29e4ac5f8f1eb902e0f9c5ada145d6abe3756b52481e
- SHA512: 2762c468e8263c8d5dce609650ea565e79e5371a71ece2faf8a87c78c4522bff9813f4398aa07a6a90cff4e05f2b37404f56903b09d04c6b553c798e28db97db

C:\Users\Admin\df8ucb46rmz4lh\neubw.exe
- Filesize: 732KB
- MD5: 71d8f6d5dc35517275bc38ebcc815f9f
- SHA1: cae4e8c730de5a01d30aabeb3e5cb2136090ed8d
- SHA256: fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b
- SHA512: 4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59
C:\Users\Admin\df8ucb46rmz4lh\wqzyoarxjf
- Filesize: 646.7MB
- MD5: fd4ca3c05864f14d08b583e91a4cc2c2
- SHA1: 46c75f7ec58aa2f44e4d89f387311e05dfa9e2f6
- SHA256: 7b0138926f849d43d127b45aa5aaeb7764cbe9e61a3532488c8aa68c3d913759
- SHA512: 2827fca40c39f7e281cbf445a7483451e037d77f724805987645df08d3b7f8d661844d3f875338e9e7e2a7de71c89571471a21209266cfe7da04116d071d9bca

memory/2236-132-0x0000000000000000-mapping.dmp

memory/4068-138-0x0000000000000000-mapping.dmp

memory/4068-139-0x0000000000400000-0x000000000041E000-memory.dmp
- Filesize: 120KB

memory/4068-141-0x0000000000400000-0x000000000041E000-memory.dmp
- Filesize: 120KB

memory/4068-142-0x0000000000400000-0x000000000041E000-memory.dmp
- Filesize: 120KB