Analysis
- max time kernel: 150s
- max time network: 169s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-11-2022 15:25
Static task: static1
Behavioral task: behavioral1
- Sample: 5f5e8fca6ab9657c82efdc33fe9084c8bf1c3f71dff22879700d7b0a3ec87995.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 5f5e8fca6ab9657c82efdc33fe9084c8bf1c3f71dff22879700d7b0a3ec87995.exe
- Resource: win10v2004-20220812-en
General
- Target: 5f5e8fca6ab9657c82efdc33fe9084c8bf1c3f71dff22879700d7b0a3ec87995.exe
- Size: 824KB
- MD5: 601eac781876bbe44d59f1cd2e6f38b0
- SHA1: d4467be6a1db3962cf9287d27245ec7ae03641f3
- SHA256: 5f5e8fca6ab9657c82efdc33fe9084c8bf1c3f71dff22879700d7b0a3ec87995
- SHA512: 3b46e954a871852f9f124bebffeef9d46616e7f463fd54675fbf256f11853c056acb7fa1f291667bd528d899aeb0c271fa2a8397dd5ab66a20a620cda0804232
- SSDEEP: 24576:f2O/GlKzBmrxcuUoXJ4yzwmxhKbH3rUO46GnZp0:c+yCSwmxUT3ivZp0
Malware Config
Extracted
- Family: netwire
- C2: 185.244.29.116:4066
- activex_autorun: false
- copy_executable: false
- delete_original: false
- host_id: HostId-%Rand%
- keylogger_dir: %AppData%\Logs\
- lock_executable: false
- offline_keylogger: true
- password: Nov12345
- registry_autorun: false
- use_mutex: false
Signatures
- NetWire RAT payload (4 IoCs)
  Processes:
  resource | yara_rule
  behavioral2/memory/888-142-0x0000000000000000-mapping.dmp | netwire
  behavioral2/memory/888-143-0x0000000000400000-0x000000000042C000-memory.dmp | netwire
  behavioral2/memory/888-147-0x0000000000400000-0x000000000042C000-memory.dmp | netwire
  behavioral2/memory/888-149-0x0000000000400000-0x000000000042C000-memory.dmp | netwire
- Executes dropped EXE (3 IoCs)
  Processes:
  pid | process
  4596 | fke.exe
  3056 | fke.exe
  888 | RegSvcs.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | 5f5e8fca6ab9657c82efdc33fe9084c8bf1c3f71dff22879700d7b0a3ec87995.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | fke.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\81913139\\fke.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\81913139\\LEL_VC~1" | fke.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
  description | pid | process | target process
  PID 3056 set thread context of 888 | 3056 | fke.exe | RegSvcs.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  pid | process
  4596 | fke.exe
  4596 | fke.exe
- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes:
  description | pid | process | target process | occurrences
  PID 988 wrote to memory of 4596 | 988 | 5f5e8fca6ab9657c82efdc33fe9084c8bf1c3f71dff22879700d7b0a3ec87995.exe | fke.exe | 3
  PID 4596 wrote to memory of 3056 | 4596 | fke.exe | fke.exe | 3
  PID 3056 wrote to memory of 888 | 3056 | fke.exe | RegSvcs.exe | 11
Processes
1. C:\Users\Admin\AppData\Local\Temp\5f5e8fca6ab9657c82efdc33fe9084c8bf1c3f71dff22879700d7b0a3ec87995.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\5f5e8fca6ab9657c82efdc33fe9084c8bf1c3f71dff22879700d7b0a3ec87995.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\81913139\fke.exe (child of 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\81913139\fke.exe" lel=vcc
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\81913139\fke.exe (child of 2)
         Command line: C:\Users\Admin\AppData\Local\Temp\81913139\fke.exe C:\Users\Admin\AppData\Local\Temp\81913139\YEHKG
         - Executes dropped EXE
         - Adds Run key to start application
         - Suspicious use of SetThreadContext
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe (child of 3)
            Command line: "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
            - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\81913139\BorderConstants.docx
Filesize: 133B
MD5: 88e49f064d3a64a665d1aacec00412f4
SHA1: 452ed82da9ba84aeab1a769234c44322106dda43
SHA256: ff35a9dec7311443eb46f398c4a1ae5b7e1e0d461783e07cec082384bf17958b
SHA512: 953019ebe9f69e5e1c2468b364c373059f5ee0b738e22a20d5e77fc17882679622eca9cd5c040b04a5183e192cbe39898d89ec712bc8b3ddc0f1fddcab517cf2
-
C:\Users\Admin\AppData\Local\Temp\81913139\TreeViewConstants.mp4
Filesize: 36B
MD5: ca93714441a8d3ef16a7774a3298074c
SHA1: 5140b2d0a3a2c36f9ec413cad1ae614fc56d977d
SHA256: 9afbd1a569a66aaea4429582a0e9f795ccaec874c9a98b75de620b825db1eba7
SHA512: 425e85387f51334eca6f997b041c49ffb1977f19a87704a6336ec2c3350418e9f64158f0f4e495b21ec06a46d6e3381a38071e525f4c5332c0ac0714db02afa9
-
C:\Users\Admin\AppData\Local\Temp\81913139\YEHKG
Filesize: 87KB
MD5: f619d1c321f994280318e4899808f579
SHA1: 966c6c06a68c53bb21cebd289cc50de7e88dfd7b
SHA256: f933a5a03de01e9a488c4cb71285bee17baba1a0684d08ce49094ae01cfd2c96
SHA512: 8aa70b965fc37292aba22e452dca20291cde7ca71cf791214bbc534da8f003fd282ab50c7ffba7c3a631bdb2358a1948a2de65ae31bca36405415e18b7d6a75b
-
C:\Users\Admin\AppData\Local\Temp\81913139\fke.exe
Filesize: 872KB
MD5: c56b5f0201a3b3de53e561fe76912bfd
SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
-
C:\Users\Admin\AppData\Local\Temp\81913139\fxl.xl
Filesize: 491KB
MD5: 462f4d1de916f644cdb5ea29c8c51f8f
SHA1: 7ac2072c4e3d9ad0b8d2336dd3c52eb48ff93a00
SHA256: 02b3a0ccc1716ca0d5be2dff72e715f80bff2fbb11784bdf44449746bb37884b
SHA512: b63dca754b19c080825e55a76e46d753f0207595e3a0c20aace55b86e63c1501002ca3ee78c3c9c2821c6b7b8f0eb570acb1ea4d65a73d203f1229a7edbd175c
-
C:\Users\Admin\AppData\Local\Temp\81913139\lel=vcc
Filesize: 303KB
MD5: b9dd6356f3e9b1281d047ab42650944a
SHA1: 15765fee1d0ba347e13037bdac59e7a684ba2be8
SHA256: 46df4ccddef86332d56ae5cac26dccac4fc3fb84cbc8a9d297dbacf79af04ce7
SHA512: cdde822cfa1d736409d23b374932adc3bbbe02a060ba9496d8f97b3a7027e19a0f714d138dcea2594a95d1884325f3fae228c598520173ccc3d5843a8b29c956
-
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
Filesize: 44KB
MD5: 9d352bc46709f0cb5ec974633a0c3c94
SHA1: 1969771b2f022f9a86d77ac4d4d239becdf08d07
SHA256: 2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390
SHA512: 13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b
-
memory/888-142-0x0000000000000000-mapping.dmp
-
memory/888-143-0x0000000000400000-0x000000000042C000-memory.dmp
Filesize: 176KB
-
memory/888-147-0x0000000000400000-0x000000000042C000-memory.dmp
Filesize: 176KB
-
memory/888-149-0x0000000000400000-0x000000000042C000-memory.dmp
Filesize: 176KB
-
memory/3056-139-0x0000000000000000-mapping.dmp
-
memory/4596-132-0x0000000000000000-mapping.dmp