Analysis
-
max time kernel
325s -
max time network
361s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted
30-11-2022 14:27
Static task
static1
Behavioral task
behavioral1
Sample
36b03b59bcc2eff7658e359576bd23f7f52b9237317addec566f6af09ec2054f.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
36b03b59bcc2eff7658e359576bd23f7f52b9237317addec566f6af09ec2054f.exe
Resource
win10v2004-20221111-en
General
-
Target
36b03b59bcc2eff7658e359576bd23f7f52b9237317addec566f6af09ec2054f.exe
-
Size
468KB
-
MD5
3468e9349c0de79b3e5f926b8bb4974b
-
SHA1
0d02135533d8529d4971a01c97304fb6a5e093c2
-
SHA256
36b03b59bcc2eff7658e359576bd23f7f52b9237317addec566f6af09ec2054f
-
SHA512
11ff9e2dde64154dfc676fd2ddffafd1d83e91772f8d1de616402d51462db495db3e90644d076f61178dc1ed4bb7b0e3aaae65ca6c5c23b89b782a7e47878505
-
SSDEEP
3072:pB84GtuVJRTutkZYITusCSfjyQwnJtgi2OYPOnmT7UPt+lfEPHe1oVvMV1:I4GgVfuoNjyQ6Jt7QdTfdc
Malware Config
Extracted
netwire
extensions14718.sytes.net:3324
-
activex_autorun
false
-
copy_executable
false
-
delete_original
false
-
host_id
HostId-%Rand%
-
lock_executable
false
-
mutex
pjtcCJSh
-
offline_keylogger
false
-
password
Password
-
registry_autorun
false
-
use_mutex
true
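The configuration block above is the NetWire settings the sandbox recovered from memory. Two details matter for a responder: the mutex pjtcCJSh is only created because use_mutex is true, and every self-persistence switch (registry_autorun, activex_autorun, copy_executable) is false, so the RunOnce entry recorded later in the Signatures section comes from the VBS dropper, not from the RAT. As an added example (not part of the sandbox report or of any NetWire tooling), the following Python parses the block into a structured record, extracts the hunt-worthy IOCs, and reconciles the persistence flags with the observed registry write. The config text and the registry record are copied from this report as constructed inputs; the attribution rule is my own.

```python
"""
Added example, not part of the sandbox report or of any NetWire tooling:
parse the extracted NetWire configuration into a structured record, pull the
actionable IOCs from it, and check whether persistence comes from the RAT's
own settings or from the dropper that launched it.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# The "Malware Config / Extracted" block above, copied as a constructed string.
CONFIG_TEXT = """\
netwire
extensions14718.sytes.net:3324
activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
lock_executable
false
mutex
pjtcCJSh
offline_keylogger
false
password
Password
registry_autorun
false
use_mutex
true
"""

# Registry write from "Adds Run key to start application", as a constructed
# (process, key, value name, data) record taken from this report.
OBSERVED_RUN_KEY = (
    "WScript.exe",
    r"\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000"
    r"\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    "Acrobat",
    r"C:\Users\Admin\AppData\Local\Temp\subfolder\adobe.vbs",
)

# Config keys through which NetWire itself can persist (names as in the report).
SELF_PERSISTENCE_KEYS = ("registry_autorun", "activex_autorun", "copy_executable")


@dataclass
class NetWireConfig:
    family: str
    c2: List[Tuple[str, int]]
    options: Dict[str, object] = field(default_factory=dict)


def parse_netwire_config(text: str) -> NetWireConfig:
    """First line is the family tag, then host:port C2 entries, then key/value pairs."""
    lines = [ln.strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln and ln != "-"]
    family, rest = lines[0], lines[1:]
    c2: List[Tuple[str, int]] = []
    # C2 entries look like host:port; the first option key ends the list.
    while rest and ":" in rest[0] and rest[0].rsplit(":", 1)[1].isdigit():
        host, port = rest.pop(0).rsplit(":", 1)
        c2.append((host, int(port)))
    if len(rest) % 2:
        raise ValueError("dangling option key without a value")
    options: Dict[str, object] = {}
    for key, value in zip(rest[0::2], rest[1::2]):
        options[key] = {"true": True, "false": False}.get(value.lower(), value)
    return NetWireConfig(family, c2, options)


def iocs(cfg: NetWireConfig) -> Dict[str, object]:
    """Network and host indicators a responder would hunt on."""
    return {
        "c2_hosts": [h for h, _ in cfg.c2],
        "c2_ports": sorted({p for _, p in cfg.c2}),
        # The mutex only exists on an infected host when use_mutex is set.
        "mutex": cfg.options.get("mutex") if cfg.options.get("use_mutex") is True else None,
    }


def persistence_source(cfg: NetWireConfig, run_key) -> Dict[str, object]:
    """Attribute persistence to the payload config, the dropper, or neither (my rule)."""
    self_flags = [k for k in SELF_PERSISTENCE_KEYS if cfg.options.get(k) is True]
    proc, key, name, data = run_key
    leaf = key.rsplit("\\", 1)[-1]
    return {
        "payload_config_persists": bool(self_flags),
        "payload_flags": self_flags,
        "dropper_persists": leaf in ("Run", "RunOnce"),
        "dropper_entry": f"{proc}: {leaf}\\{name} = {data}",
        # A .vbs in RunOnce means the script re-runs the dropper chain on logon.
        "relaunches_via_script": data.lower().endswith(".vbs"),
    }


if __name__ == "__main__":
    cfg = parse_netwire_config(CONFIG_TEXT)
    print(iocs(cfg))
    print(persistence_source(cfg, OBSERVED_RUN_KEY))
```

Run as-is it reports the C2 at extensions14718.sytes.net:3324, the mutex pjtcCJSh, no payload-side persistence, and a RunOnce entry written by WScript.exe that points at adobe.vbs; blocking the C2 alone leaves that RunOnce entry in place, so the VBS and the subfolder directory need to be removed as well.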
Signatures
-
NetWire RAT payload 4 IoCs
Processes:
resource  yara_rule
behavioral2/memory/3164-142-0x0000000000000000-mapping.dmp  netwire
behavioral2/memory/3164-143-0x0000000000400000-0x0000000000420000-memory.dmp  netwire
behavioral2/memory/3164-146-0x0000000000400000-0x0000000000420000-memory.dmp  netwire
behavioral2/memory/3164-147-0x0000000000400000-0x0000000000420000-memory.dmp  netwire
-
Executes dropped EXE 2 IoCs
Processes:
pid   process
2256  adobe.exe
3164  adobe.exe
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description        ioc  process
Key value queried  \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation  36b03b59bcc2eff7658e359576bd23f7f52b9237317addec566f6af09ec2054f.exe
Key value queried  \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation  WScript.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description      ioc  process
Key created      \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce  WScript.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Acrobat = "C:\\Users\\Admin\\AppData\\Local\\Temp\\subfolder\\adobe.vbs"  WScript.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description            pid   process    target pid  target process
set thread context of  2256  adobe.exe  3164        adobe.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic note that this is "likely ransomware behaviour" does not fit this sample: the extracted configuration and the memory YARA hits identify the payload as the NetWire remote access trojan, not a file encryptor, so treat the drive enumeration as RAT reconnaissance rather than as a sign of encryption activity.
-
Modifies registry class 1 IoCs
Processes:
description  ioc  process
Key created  \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings  36b03b59bcc2eff7658e359576bd23f7f52b9237317addec566f6af09ec2054f.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
pid   process
1112  36b03b59bcc2eff7658e359576bd23f7f52b9237317addec566f6af09ec2054f.exe
2256  adobe.exe
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes:
description      pid   process  target pid  target process  count
wrote to memory  1112  36b03b59bcc2eff7658e359576bd23f7f52b9237317addec566f6af09ec2054f.exe  2672  WScript.exe  3
wrote to memory  2672  WScript.exe  2256  adobe.exe  3
wrote to memory  2256  adobe.exe  3164  adobe.exe  10
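Read together, the SetThreadContext, WriteProcessMemory and YARA records describe a self-injection: adobe.exe (PID 2256) starts a second copy of itself (PID 3164), writes into it ten times, then sets the new process's thread context, and the 0x400000-0x420000 region of PID 3164 later matches the netwire rule. As an added example (not the sandbox's own detection logic), the following Python turns those flattened records into a single finding and recovers the launch chain from the parent-to-child write edges. The event strings, PIDs and dump names are copied from this report as constructed input; the write-count baseline that separates ordinary process creation from injection is an assumption of mine.

```python
"""
Added example, not part of the sandbox report: reduce the WriteProcessMemory /
SetThreadContext records and the memory-dump YARA hits to a process-injection
finding.  Events are copied from the report; thresholds are my own heuristic.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Process list from the "Processes" section (constructed from the report).
PROCESSES = {
    1112: "36b03b59bcc2eff7658e359576bd23f7f52b9237317addec566f6af09ec2054f.exe",
    2672: "WScript.exe",
    2256: "adobe.exe",
    3164: "adobe.exe",
}

# Event records as the report prints them (constructed; one line per event).
EVENTS = (
    ["PID 1112 wrote to memory of 2672 1112 36b03b59bcc2eff7658e359576bd23f7f52b9237317addec566f6af09ec2054f.exe WScript.exe"] * 3
    + ["PID 2672 wrote to memory of 2256 2672 WScript.exe adobe.exe"] * 3
    + ["PID 2256 wrote to memory of 3164 2256 adobe.exe adobe.exe"] * 10
    + ["PID 2256 set thread context of 3164 2256 adobe.exe adobe.exe"]
)

# Memory dumps with their YARA rule tag (constructed from the report).
MEMORY_HITS = [
    ("behavioral2/memory/3164-143-0x0000000000400000-0x0000000000420000-memory.dmp", "netwire"),
    ("behavioral2/memory/3164-146-0x0000000000400000-0x0000000000420000-memory.dmp", "netwire"),
    ("behavioral2/memory/3164-147-0x0000000000400000-0x0000000000420000-memory.dmp", "netwire"),
]

WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+)")
CTX_RE = re.compile(r"^PID (\d+) set thread context of (\d+)")
DUMP_RE = re.compile(r"memory/(\d+)-\d+-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp")

# Assumption (mine): a parent touching a freshly created child a few times is
# ordinary CreateProcess housekeeping; a burst well beyond that is injection.
CREATE_PROCESS_BASELINE = 3


def parse_events(events: List[str]) -> Tuple[Counter, List[Tuple[int, int]]]:
    """Count write edges per (writer, target) and collect SetThreadContext edges."""
    writes: Counter = Counter()
    ctx: List[Tuple[int, int]] = []
    for ev in events:
        m = WRITE_RE.match(ev)
        if m:
            writes[(int(m[1]), int(m[2]))] += 1
            continue
        m = CTX_RE.match(ev)
        if m:
            ctx.append((int(m[1]), int(m[2])))
    return writes, ctx


def payload_regions(memory_hits) -> Dict[int, set]:
    """Map pid -> {(start, end, rule)} for every dump that carried a YARA tag."""
    out: Dict[int, set] = {}
    for name, rule in memory_hits:
        m = DUMP_RE.search(name)
        if m:
            out.setdefault(int(m[1]), set()).add((int(m[2], 16), int(m[3], 16), rule))
    return out


def find_hollowing(processes, events, memory_hits) -> List[Dict[str, object]]:
    """Flag SetThreadContext into a process the caller has already written to."""
    writes, ctx = parse_events(events)
    regions = payload_regions(memory_hits)
    findings = []
    for src, dst in ctx:
        n = writes.get((src, dst), 0)
        same_image = processes.get(src) == processes.get(dst)
        if n > CREATE_PROCESS_BASELINE or same_image:
            hits = regions.get(dst, set())
            bases = sorted({start for start, _, _ in hits})
            findings.append({
                "technique": "process hollowing (WriteProcessMemory then SetThreadContext)",
                "injector": (src, processes.get(src)),
                "target": (dst, processes.get(dst)),
                "writes": n,
                "same_image": same_image,
                "payload_rules": sorted({rule for _, _, rule in hits}),
                # Lowest tagged region start; 0x400000 is the classic PE image base.
                "image_base": f"0x{bases[0]:x}" if bases else None,
            })
    return findings


def execution_chain(events: List[str], root: int) -> List[int]:
    """Follow parent->child write edges from the root pid to recover the launch order."""
    writes, _ = parse_events(events)
    chain = [root]
    while True:
        nxt = [d for (s, d) in writes if s == chain[-1] and d not in chain]
        if not nxt:
            return chain
        chain.append(min(nxt))


if __name__ == "__main__":
    for f in find_hollowing(PROCESSES, EVENTS, MEMORY_HITS):
        print(f)
    print(execution_chain(EVENTS, 1112))
```

On this report the function returns one finding, PID 2256 hollowing PID 3164 with ten writes and a netwire-tagged region at image base 0x400000, and the chain 1112 -> 2672 -> 2256 -> 3164. The same parent-writes-then-sets-context pattern is what an EDR rule keyed on NtSetContextThread against a suspended child process would catch on a live host.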
Processes
-
C:\Users\Admin\AppData\Local\Temp\36b03b59bcc2eff7658e359576bd23f7f52b9237317addec566f6af09ec2054f.exe  (PID 1112, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\36b03b59bcc2eff7658e359576bd23f7f52b9237317addec566f6af09ec2054f.exe"
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\WScript.exe  (PID 2672, depth 2; launched as System32\WScript.exe and redirected to SysWOW64, i.e. a 32-bit parent)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\subfolder\adobe.vbs"
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\subfolder\adobe.exe  (PID 2256, depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\subfolder\adobe.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\subfolder\adobe.exe  (PID 3164, depth 4; hollowed copy carrying the NetWire payload)
        Command line: "C:\Users\Admin\AppData\Local\Temp\subfolder\adobe.exe"
        - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\subfolder\adobe.exe
Filesize
468KB
MD5
22e03070f57232c62d33a43f15790957
SHA1
4b2f5d80bb6b84778fc244b0d6a091eb4701749a
SHA256
68f84625ed99f05e2c84b67b30239855b9d2c1cc0a3aa26b0389bb23423571d6
SHA512
e8cc0787f2d19493fc9351d0928926aeedd1e76176fdf030d00b94d0aea35fcc145146704be5d0e62810f77635eafaac16a04c7eb989fb373447e35879468210
-
C:\Users\Admin\AppData\Local\Temp\subfolder\adobe.vbs
Filesize
1024B
MD5
a0e046dacee6d1108914629dc2e001bf
SHA1
aa32ade6bd44a0a364f8e708bd91c8f35679bfe2
SHA256
1b31c781bdbcbb14ec3d21536e89a000a95f451de6877d4e19dd9fe3c6e20e3c
SHA512
ee69de477f3fd47ea54c97f972f31248ccfa772bb4b80a194640935090b98a5205024cea8b63ff51f48f5ffb22f5b01efc79d1ce3e9802a5a47dd736849518d2
-
memory/1112-134-0x00000000022F0000-0x00000000022F7000-memory.dmp
Filesize
28KB
-
memory/2256-138-0x0000000000000000-mapping.dmp
-
memory/2672-135-0x0000000000000000-mapping.dmp
-
memory/3164-142-0x0000000000000000-mapping.dmp
-
memory/3164-143-0x0000000000400000-0x0000000000420000-memory.dmp
Filesize
128KB
-
memory/3164-146-0x0000000000400000-0x0000000000420000-memory.dmp
Filesize
128KB
-
memory/3164-147-0x0000000000400000-0x0000000000420000-memory.dmp
Filesize
128KB