Analysis
max time kernel: 208s
max time network: 206s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-12-2022 07:07
Static task: static1
Behavioral task: behavioral1
  Sample: 22120205463499.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: 22120205463499.exe
  Resource: win10v2004-20221111-en
General
Target: 22120205463499.exe
Size: 1.2MB
MD5: a001224289ecb113049b5582e9f57548
SHA1: b9b76a11d2c9a4a1dab03b182aa755b48a9a906c
SHA256: 66612afe35db1f65371ffe8063c667ef486376d0939fd563422707714b6d6a96
SHA512: 818215f11f3bb1fb62dbfed36b2ae889df9057b1cad4a467c7a4807a6ca9c3bf5319d516da17563a98635537ffc1987fcfa300b16a1ce9a92b4e0b54de2bc43b
SSDEEP: 24576:CAOcZaPWlu0MnHO8rsLAeLDhPg6LgyVklRqRDmHxRAiYGWwKfU:ILJDrcAehPJ5VklqSrzhlF
Malware Config
Extracted: netwire
C2: podzeye2.duckdns.org:4433
activex_autorun: false
copy_executable: false
delete_original: false
host_id: HostId-%Rand%
lock_executable: false
offline_keylogger: false
password: Password
registry_autorun: false
use_mutex: false
Signatures

NetWire RAT payload (3 IoCs)
Processes (resource | yara_rule):
behavioral2/memory/3572-143-0x0000000000900000-0x0000000000FBF000-memory.dmp | netwire
behavioral2/memory/3572-144-0x0000000000900000-0x0000000000FBF000-memory.dmp | netwire
behavioral2/memory/3572-145-0x0000000000900000-0x0000000000FBF000-memory.dmp | netwire

Executes dropped EXE (2 IoCs)
Processes (pid | process):
1768 | lkvdecp.exe
1468 | lkvdecp.exe
Checks computer location settings (2 TTPs, 4 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes (description | ioc | process):
Key value queried | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation | lkvdecp.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation | 22120205463499.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation | WScript.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
Processes (description | ioc | process):
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | lkvdecp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5_58\\lkvdecp.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\5_58\\qusdmqd.dll" | lkvdecp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | lkvdecp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5_58\\lkvdecp.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\5_58\\qusdmqd.dll" | lkvdecp.exe
Suspicious use of SetThreadContext (1 IoCs)
Processes (description | pid | process | target process):
PID 1468 set thread context of 3572 | 1468 | lkvdecp.exe | RegSvcs.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class (4 IoCs)
Processes (description | ioc | process):
Key created | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings | lkvdecp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | WScript.exe
Key created | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings | 22120205463499.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | WScript.exe
Suspicious behavior: EnumeratesProcesses (14 IoCs)
Processes (pid | process):
1768 | lkvdecp.exe (12 entries)
1468 | lkvdecp.exe (2 entries)

Suspicious use of WriteProcessMemory (14 IoCs)
Processes (description | pid | process | target process):
PID 3616 wrote to memory of 1100 | 3616 | 22120205463499.exe | WScript.exe (3 entries)
PID 1100 wrote to memory of 1768 | 1100 | WScript.exe | lkvdecp.exe (3 entries)
PID 1768 wrote to memory of 4688 | 1768 | lkvdecp.exe | WScript.exe (3 entries)
PID 1468 wrote to memory of 3572 | 1468 | lkvdecp.exe | RegSvcs.exe (5 entries)
Processes (process tree, depth shown by indentation)

1. C:\Users\Admin\AppData\Local\Temp\22120205463499.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\22120205463499.exe"
   - Checks computer location settings
   - Modifies registry class
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\temp\5_58\rboktbei.dat.vbe"
      - Checks computer location settings
      - Modifies registry class
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\5_58\lkvdecp.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\5_58\lkvdecp.exe" qusdmqd.dll
         - Executes dropped EXE
         - Checks computer location settings
         - Adds Run key to start application
         - Modifies registry class
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\WScript.exe
            Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5_58\run.vbs"
            - Checks computer location settings
            - Modifies registry class

            5. C:\Users\Admin\AppData\Local\Temp\5_58\lkvdecp.exe
               Command line: "C:\Users\Admin\AppData\Local\Temp\5_58\lkvdecp.exe" qusdmqd.dll
               - Executes dropped EXE
               - Adds Run key to start application
               - Suspicious use of SetThreadContext
               - Suspicious behavior: EnumeratesProcesses
               - Suspicious use of WriteProcessMemory

               6. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                  Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\5_58\kxmdrgpe.xfn
  Filesize: 545KB
  MD5: e19c9004a1d9565e5fd148f998c605ca
  SHA1: 27c29f5b4c28d794d09fc16e3c9b07cedf10caa7
  SHA256: 3847173d3286a0668b8662747e38eb656ccf8cbe4bc0946a2967d515f1cabcf8
  SHA512: 337fab9936bf2fd369151a68479f0efe4bef3db87c2cf2017ea917ec3a486ba85466be9b0571b1ca7fff5e829159a332074ae96ee4574fda2a06bc96e31eba03

C:\Users\Admin\AppData\Local\Temp\5_58\lkvdecp.exe
  Filesize: 931KB
  MD5: 5feda44ac105db2d782680e78c8390f2
  SHA1: 904af0b078fbe8abb3a301267c02c37eccc85717
  SHA256: e4299c4b0df873a4bbf97826ca26cb68ea53394e3a911ec27ae8c4a3a2b758df
  SHA512: 47aebfa40a20621d20804dbeba662b9d9c7e7e082299db1e28839f264f98082d9f30adc13aeeb3b49dc0a33861577d3ea95aa3bafdaae748362b235fa686debc

C:\Users\Admin\AppData\Local\Temp\5_58\qusdmqd.dll
  Filesize: 95.8MB
  MD5: 8460cda9993a5a79ae25842a09a2fe35
  SHA1: c2e5f5d9ebc0829d74ade1267c78915eda20ed82
  SHA256: c7ce343096182c58e072645c8ae19deb85699ca3cdb3d3f687738df98a3d398a
  SHA512: 806606db880b6abf45d0fb0ddb90d74852398bbb0e9c400fe9a33eda00d993130edadde00e6146e9b092b6847719e5249cbc7d75939046b5b9cd6ca3ae146034

C:\Users\Admin\AppData\Local\Temp\5_58\sgevsc.jpg
  Filesize: 62KB
  MD5: 82d5cd884e5d96c31cb2541a168cc027
  SHA1: a917e4830084510edd7129f720d6bf7b91c2fa79
  SHA256: 80c6e66a22a42ae5fea975299a92c682a7c1008efcb49c713457cc8e5901a3f8
  SHA512: e26df3e9862a8e373ff28ad32342f8d7e8139a8d9e009951f42f0e89832a3417cabb051c0d83518ee93fb4608b92d6ca10a639328c4822d18613914cdbb4e141

C:\Users\Admin\AppData\Local\temp\5_58\rboktbei.dat.vbe
  Filesize: 55KB
  MD5: 5c183d5ff5dfdca83728013dd38cf47b
  SHA1: c9a556554ffa603f58477fefcc556e3ecfc18a65
  SHA256: 9be2a3c20e2b03deecf608ae7db40f2e783d1ee944f7e43233a84cbd20986f95
  SHA512: 99fb112917f48a1194ab5f479263db48e1106ef2c32de4ea753043d165b3ed3362dc8aa8e4f91a3be5c67532bfb63646b8a0d81a4706e9961a99ef3e607aaff1

Memory dumps:
memory/1100-132-0x0000000000000000-mapping.dmp
memory/1768-135-0x0000000000000000-mapping.dmp
memory/3572-142-0x0000000000000000-mapping.dmp
memory/3572-143-0x0000000000900000-0x0000000000FBF000-memory.dmp (Filesize: 6.7MB)
memory/3572-144-0x0000000000900000-0x0000000000FBF000-memory.dmp (Filesize: 6.7MB)
memory/3572-145-0x0000000000900000-0x0000000000FBF000-memory.dmp (Filesize: 6.7MB)
memory/4688-140-0x0000000000000000-mapping.dmp