Analysis
- max time kernel: 72s
- max time network: 138s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04-01-2023 18:14
Static task: static1
Behavioral task behavioral1: sample wbhmdn.exe, resource win7-20220812-en
Behavioral task behavioral2: sample wbhmdn.exe, resource win10v2004-20220901-en (the run shown below)
General
- Target: wbhmdn.exe
- Size: 753KB
- MD5: 6d5e7540cc8cb9593f0b0d355b7275a4
- SHA1: dffcef6fbf66c16558c8a7fef4d8bc49fcbe224e
- SHA256: 2688204813e40e64d5451b87d7028267200caba846773f6b115c3d1dbc675032
- SHA512: 732ae3cde7dd5cfe36f2252232f8d36c918f84481a5cce467fbc676c60cb83c4cf863d88e0de62c58b6ca7723095f2c77cf51f811078490323bac871a52288d6
- SSDEEP: 12288:NRF268BfCbyuSwcLzXr0cyRmRxW0FPAQMIY5GCIdXKh1uFNuv:fE7CbR9cvoRoxfasY9qQuHuv
Malware Config
Extracted family: netwire
- C2 hosts (all on TCP port 6655):
  - pedrohjy.ddns.net:6655
  - pedrohjy1.ddns.net:6655
  - pedrohjy2.ddns.net:6655
  - pedrohjy3.ddns.net:6655
- activex_autorun: false
- copy_executable: true
- delete_original: false
- host_id: dec2022
- install_path: %AppData%\Install\Host.exe
- keylogger_dir: %AppData%\Logs\
- lock_executable: false
- offline_keylogger: true
- password: 1234
- registry_autorun: false
- use_mutex: false
Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

NetWire RAT payload (5 IoCs)
Memory regions matching the `netwire` YARA rule (resource: behavioral2):
- memory/4992-158-0x0000000000400000-0x0000000000434000-memory.dmp
- memory/4992-160-0x0000000000400000-0x0000000000434000-memory.dmp
- memory/4992-164-0x0000000000400000-0x0000000000433095-memory.dmp
- memory/2988-175-0x0000000000400000-0x0000000000434000-memory.dmp
- memory/2988-176-0x0000000000400000-0x0000000000433095-memory.dmp
ModiLoader Second Stage (2 IoCs)
Memory regions matching the `modiloader_stage2` YARA rule (resource: behavioral2):
- memory/1652-132-0x00000000022D0000-0x00000000022FF000-memory.dmp
- memory/3500-165-0x00000000006E0000-0x000000000070F000-memory.dmp
Executes dropped EXE (3 IoCs)
- PID 3924 easinvoker.exe
- PID 3500 Host.exe
- PID 2988 Host.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
- wbhmdn.exe: key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation
Loads dropped DLL (1 IoC)
- PID 3924 easinvoker.exe
The dropped DLL staged next to it by the batch file is netutils.dll (see the xcopy commands in the process tree), i.e. a DLL side-load into the signed easinvoker.exe.
Adds Run key to start application (2 TTPs, 1 IoC)
- wbhmdn.exe: set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Hrvzponp = "C:\\Users\\Public\\Libraries\\pnopzvrH.url"
The value name is the .url base name reversed. This persistence belongs to the loader stage (wbhmdn.exe), not to the NetWire payload, whose extracted config has registry_autorun = false; the .url file itself is not among the files captured below.
Suspicious use of SetThreadContext (2 IoCs)
- PID 1652 wbhmdn.exe set the thread context of PID 4992 wbhmdn.exe
- PID 3500 Host.exe set the thread context of PID 2988 Host.exe
In both cases a process spawns a fresh copy of its own image and rewrites that child's thread context, the process-hollowing pattern; the children (4992, 2988) are the processes whose memory matches the `netwire` YARA rule.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's canned description calls this "likely ransomware behaviour", but that is a generic heuristic: no encryption, ransom note or mass file modification appears anywhere in this report, and the payload identified is a NetWire RAT, so treat this as ordinary drive enumeration.
Enumerates system info in registry (2 TTPs, 3 IoCs)
- xcopy.exe (PIDs 2192, 3060, 4020): key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier (three times, once per copy)
The signature fires on the stock xcopy.exe processes launched by the batch file, so it reflects the copy utility's own behaviour rather than malware code.
Runs ping.exe (1 TTP, 1 IoC)
- PID 2996 PING.EXE: ping 127.0.0.1 -n 6 (the usual batch-file sleep, roughly five seconds, before the loader continues)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 2348 powershell.exe (two occurrences)

Suspicious use of AdjustPrivilegeToken (1 IoC)
- PID 2348 powershell.exe: token SeDebugPrivilege
Suspicious use of WriteProcessMemory (41 IoCs; the sandbox logs each write several times, collapsed here to parent → child pairs)
- 1652 wbhmdn.exe → 4936 cmd.exe
- 4936 cmd.exe → 4264 cmd.exe, 2192 xcopy.exe, 4148 cmd.exe, 3060 xcopy.exe, 1624 cmd.exe, 4020 xcopy.exe, 3924 easinvoker.exe, 2996 PING.EXE
- 3924 easinvoker.exe → 4536 cmd.exe
- 4536 cmd.exe → 2348 powershell.exe
- 1652 wbhmdn.exe → 4992 wbhmdn.exe
- 4992 wbhmdn.exe → 3500 Host.exe
- 3500 Host.exe → 2988 Host.exe
Processes (depth in brackets, children indented under their parent; first line is the image path, second the command line)

[1] PID 1652  C:\Users\Admin\AppData\Local\Temp\wbhmdn.exe
    "C:\Users\Admin\AppData\Local\Temp\wbhmdn.exe"
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    [2] PID 4936  C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\HrvzponpO.bat" "
        - Suspicious use of WriteProcessMemory
        [3] PID 4264  C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /S /D /c" ECHO F"
        [3] PID 2192  C:\Windows\SysWOW64\xcopy.exe
            xcopy "easinvoker.exe" "C:\Windows \System32\" /K /D /H /Y
            - Enumerates system info in registry
        [3] PID 4148  C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /S /D /c" ECHO F"
        [3] PID 3060  C:\Windows\SysWOW64\xcopy.exe
            xcopy "netutils.dll" "C:\Windows \System32\" /K /D /H /Y
            - Enumerates system info in registry
        [3] PID 1624  C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /S /D /c" ECHO F"
        [3] PID 4020  C:\Windows\SysWOW64\xcopy.exe
            xcopy "KDECO.bat" "C:\Windows \System32\" /K /D /H /Y
            - Enumerates system info in registry
        [3] PID 3924  C:\Windows \System32\easinvoker.exe
            "C:\Windows \System32\easinvoker.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of WriteProcessMemory
            [4] PID 4536  C:\Windows\system32\cmd.exe
                C:\Windows\system32\cmd.exe /c ""C:\windows \system32\KDECO.bat""
                - Suspicious use of WriteProcessMemory
                [5] PID 2348  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    powershell -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
                    - Suspicious behavior: EnumeratesProcesses
                    - Suspicious use of AdjustPrivilegeToken
        [3] PID 2996  C:\Windows\SysWOW64\PING.EXE
            ping 127.0.0.1 -n 6
            - Runs ping.exe
    [2] PID 4992  C:\Users\Admin\AppData\Local\Temp\wbhmdn.exe
        "C:\Users\Admin\AppData\Local\Temp\wbhmdn.exe"
        - Checks computer location settings
        - Suspicious use of WriteProcessMemory
        [3] PID 3500  C:\Users\Admin\AppData\Roaming\Install\Host.exe
            "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory
            [4] PID 2988  C:\Users\Admin\AppData\Roaming\Install\Host.exe
                "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
                - Executes dropped EXE

Reading the tree: the loader (1652) runs HrvzponpO.bat, which uses `echo F | xcopy` (the three `ECHO F` children answer xcopy's file-or-directory prompt) to copy easinvoker.exe, netutils.dll and KDECO.bat into "C:\Windows \System32\", note the space after "Windows". Win32 path normalisation strips that trailing space, so the directory is treated as C:\Windows\System32 by the UAC auto-elevation check while actually being a user-writable mock directory (such a directory is normally created with a `\\?\`-prefixed mkdir, a cmd built-in, which is why no mkdir process appears). easinvoker.exe is a Microsoft-signed auto-elevating binary; run from the mock path it side-loads the planted netutils.dll, which launches KDECO.bat, which runs PowerShell Add-MpPreference to add all of C:\Users as a Defender exclusion, a change that needs administrative rights and is the point of the bypass. `ping 127.0.0.1 -n 6` is the batch file's sleep. In parallel, the loader starts a second copy of itself (4992) and hollows it with the NetWire stage (SetThreadContext); that copy writes Host.exe to %AppData%\Install\ as the config's install_path says (copy_executable = true; the file hashes match the original sample) and the same hollowing repeats (3500 → 2988), which is where the `netwire` YARA rule matches.
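The tree above is also a good test case for telemetry-side detection of this loader chain. The following is an added example written for this page, not code from the sandbox or from the malware author: it runs four checks over constructed Sysmon-style process-creation records (field names `pid`, `ppid`, `image`, `cmdline` are assumptions modelled on Event ID 1; the events copy the PIDs and command lines from the tree and add one benign control process). The checks are: a path that only becomes trusted after Win32 normalisation strips trailing spaces or dots (the "C:\Windows \System32" mock directory), a script launched from C:\Users\Public\Libraries, an `Add-MpPreference` exclusion on the command line, and a parent that respawns its own image (the SetThreadContext hollowing pairs). The `win32_normalize` helper is a deliberate approximation of the real normalisation (it does not resolve `.`/`..` components).

```python
import re

# Constructed Sysmon-style (Event ID 1) process-creation records modelled on the
# process tree in this report, plus one benign control process. Not real telemetry.
EVENTS = [
    {"pid": 1652, "ppid": 1000, "image": r"C:\Users\Admin\AppData\Local\Temp\wbhmdn.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\wbhmdn.exe"'},
    {"pid": 4936, "ppid": 1652, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\HrvzponpO.bat" "'},
    {"pid": 2192, "ppid": 4936, "image": r"C:\Windows\SysWOW64\xcopy.exe",
     "cmdline": r'xcopy "easinvoker.exe" "C:\Windows \System32\" /K /D /H /Y'},
    {"pid": 3924, "ppid": 4936, "image": r"C:\Windows \System32\easinvoker.exe",
     "cmdline": r'"C:\Windows \System32\easinvoker.exe"'},
    {"pid": 4536, "ppid": 3924, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c ""C:\windows \system32\KDECO.bat""'},
    {"pid": 2348, "ppid": 4536, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -WindowStyle Hidden -NonInteractive -Command "
                "\"Add-MpPreference -ExclusionPath 'C:\\Users'\""},
    {"pid": 4992, "ppid": 1652, "image": r"C:\Users\Admin\AppData\Local\Temp\wbhmdn.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\wbhmdn.exe"'},
    {"pid": 3500, "ppid": 4992, "image": r"C:\Users\Admin\AppData\Roaming\Install\Host.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Roaming\Install\Host.exe"'},
    {"pid": 2988, "ppid": 3500, "image": r"C:\Users\Admin\AppData\Roaming\Install\Host.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Roaming\Install\Host.exe"'},
    {"pid": 7000, "ppid": 1000, "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

# Roots whose trust a mock directory with a trailing space inherits after normalisation.
TRUSTED_ROOTS = (r"c:\windows\system32", r"c:\windows\syswow64",
                 r"c:\program files", r"c:\program files (x86)")
PUBLIC_LIBRARIES = "c:\\users\\public\\libraries\\"
SCRIPT_EXT = (".bat", ".cmd", ".vbs", ".js", ".ps1", ".url")
QUOTED = re.compile(r'"([^"]+)"')
DRIVE = re.compile(r"[a-z]:\\", re.I)
MP_EXCLUSION = re.compile(
    r"add-mppreference.*?-exclusion(path|process|extension)\s+['\"]?([^'\"]+)", re.I)


def win32_normalize(path: str) -> str:
    """Approximate Win32 normalisation: trailing spaces and dots are stripped from every
    component, so "C:\\Windows \\System32" opens as C:\\Windows\\System32.
    Approximation only: '.' and '..' components are not resolved."""
    parts = path.replace("/", "\\").split("\\")
    return "\\".join(p.rstrip(" .") for p in parts).lower()


def is_mock_trusted_dir(path: str) -> bool:
    """True when the path is trusted only after normalisation: some component carries
    trailing spaces/dots and the normalised form lands under a trusted root."""
    raw = path.replace("/", "\\").lower()
    norm = win32_normalize(path)
    return norm != raw and norm.startswith(TRUSTED_ROOTS)


def candidate_paths(ev):
    """The process image plus every quoted, drive-rooted path on its command line."""
    yield ev["image"]
    for q in QUOTED.findall(ev["cmdline"]):
        if DRIVE.match(q):
            yield q


def detect(events):
    """Run the four checks; returns de-duplicated (rule, pid, detail) tuples."""
    by_pid = {e["pid"]: e for e in events}
    findings = []

    def add(rule, pid, detail):
        if (rule, pid, detail) not in findings:
            findings.append((rule, pid, detail))

    for ev in events:
        for p in candidate_paths(ev):
            n = win32_normalize(p)
            if is_mock_trusted_dir(p):
                add("mock_trusted_dir", ev["pid"], p)
            elif n.startswith(PUBLIC_LIBRARIES) and n.endswith(SCRIPT_EXT):
                add("public_libraries_script", ev["pid"], p)
        m = MP_EXCLUSION.search(ev["cmdline"])
        if m:
            add("defender_exclusion", ev["pid"], f"{m.group(1)}={m.group(2)}")
        parent = by_pid.get(ev["ppid"])
        if parent and win32_normalize(parent["image"]) == win32_normalize(ev["image"]):
            add("self_image_respawn", ev["pid"], f"parent {parent['pid']}")
    return findings


def triage(events) -> bool:
    """Verdict: the chain is present when mock-directory staging, a Defender exclusion
    and a hollowing-style self-respawn all occur in the same event set."""
    rules = {rule for rule, _, _ in detect(events)}
    return {"mock_trusted_dir", "defender_exclusion", "self_image_respawn"} <= rules


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
    print("chain present:", triage(EVENTS))
```

Each rule is noisy on its own (administrators do add Defender exclusions, and some installers respawn themselves), which is why `triage` only fires on the conjunction; the mock-directory check is the most specific single signal, because a trailing space in a component under C:\Windows has no legitimate reason to exist.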
Network
MITRE ATT&CK Enterprise v6
Downloads (files written during the run)

The four CryptnetUrlCache entries are Windows' own certificate-revocation/URL cache written while the system checked certificate chains during the run; they are not malware artefacts and are listed only for completeness.

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868 (471B)
  MD5 754711319399d090fd83609c28768137
  SHA1 9733fc959a8fe4bcb71d761e62e8eae9e3bb29a7
  SHA256 faa2fc7e8f87dc56ba6ba03f3f2d535277f2db38d561cfb67e103631c96287f7
  SHA512 106f3978e9e0a2edfac6a57c95c3a6cd99b0d7a9ea7d5aba6fa374a31693be33b99eaa80874a284d71eb03a5b8b4ef1dec542202c05116f5ef050f8f769de1d7
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53 (471B)
  MD5 c136901c2a0696f7a5f4f45ba8725699
  SHA1 a319de4877fc337bf0d9e9366c4060e306e1be0d
  SHA256 d1fb0a203dfd0d3f900b66de6bc827fcefa90d39e291ef1a7c580ce83faef63d
  SHA512 3bf064914a874a96834c35e0859f4338c1422e9cecb913d591aa9ce341da2e4976ed428f3a00f985b699787f118d1558c881b8aa1d102e3da0adbdaf476f5c50
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868 (442B)
  MD5 302d74aa3072cf0839c4ae03bce6a54c
  SHA1 7d85ec347eaefc3667cceae794cead4f1981b3b5
  SHA256 7e1556cf174d25b376d83b869862c7a69ec89fe55199c699c7e7d4949caf6a71
  SHA512 90f04272876ebaab8a7f296cd8ad15fba1a889612e5904a85e08d28c370a843db6bd427db824a7904c3360a7cdc9aa84362f3297d94ceaa491fee8a69744c866
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53 (442B)
  MD5 b23f36427e8e0b4c095fbda78dff1231
  SHA1 3ce101f8c53e755c6e2acd61fa83eabfdbd0d557
  SHA256 640afd765c26fffaf8414e9c51ada149aef8fc9c74a4d5bb9de60870c8a6f681
  SHA512 c06e7d75ade08b0311e047439b90b734686695dea239e5c70106f109d41398cc755728b2a8a75e74184409eef5644e65f3e10472c60d8759db54a54e072172d6

Loader and payload artefacts:

- C:\Users\Admin\AppData\Roaming\Install\Host.exe (753KB; written three times, each time identical to the original sample wbhmdn.exe)
  MD5 6d5e7540cc8cb9593f0b0d355b7275a4
  SHA1 dffcef6fbf66c16558c8a7fef4d8bc49fcbe224e
  SHA256 2688204813e40e64d5451b87d7028267200caba846773f6b115c3d1dbc675032
  SHA512 732ae3cde7dd5cfe36f2252232f8d36c918f84481a5cce467fbc676c60cb83c4cf863d88e0de62c58b6ca7723095f2c77cf51f811078490323bac871a52288d6
- C:\Users\Public\Libraries\HrvzponpO.bat (411B)
  MD5 55aba243e88f6a6813c117ffe1fa5979
  SHA1 210b9b028a4b798c837a182321dbf2e50d112816
  SHA256 5a11c5641c476891aa30e7ecfa57c2639f6827d8640061f73e9afec0adbbd7d2
  SHA512 68009c4c9bbea75a3bfa9f79945d30957a95691ea405d031b4ca7f1cb47504bbc768fcae59173885743ad4d6cfdd2313c3fe0acb515e34e5c809ecdc7f45e307
- C:\Users\Public\Libraries\KDECO.bat (155B)
  MD5 213c60adf1c9ef88dc3c9b2d579959d2
  SHA1 e4d2ad7b22b1a8b5b1f7a702b303c7364b0ee021
  SHA256 37c59c8398279916cfce45f8c5e3431058248f5e3bef4d9f5c0f44a7d564f82e
  SHA512 fe897d9caa306b0e761b2fd61bb5dc32a53bfaad1ce767c6860af4e3ad59c8f3257228a6e1072dab0f990cb51c59c648084ba419ac6bc5c0a99bdffa569217b7
- C:\Users\Public\Libraries\easinvoker.exe (128KB)
  MD5 231ce1e1d7d98b44371ffff407d68b59
  SHA1 25510d0f6353dbf0c9f72fc880de7585e34b28ff
  SHA256 30951db8bfc21640645aa9144cfeaa294bb7c6980ef236d28552b6f4f3f92a96
  SHA512 520887b01bda96b7c4f91b9330a5c03a12f7c7f266d4359432e7bacc76b0eef377c05a4361f8fa80ad0b94b5865699d747a5d94a2d3dcdb85dabf5887bb6c612
- C:\Users\Public\Libraries\netutils.dll (109KB)
  MD5 08aecbf3114e569921df32fb5c8a1dd6
  SHA1 9e2fd6ba9b66844292fb49a79fc874ad52f5ecba
  SHA256 7c1a178a5629027a0bb19c743e8505b280a5b6dc22088cd1a6a0132e32d79fc2
  SHA512 e1895567460a4945690e4d88ada31a41ae7d499eb887108578027cde5aaaa2cfc28779a00fc66d01e49c3e4354caada18a14d61b57fbec40b38de23fd1c91d57

Copies placed in the mock trusted directory (note the space after "Windows"; hashes are identical to the C:\Users\Public\Libraries originals above):

- C:\Windows \System32\easinvoker.exe (128KB; written twice)
- C:\Windows \System32\netutils.dll (109KB; written twice)
- C:\windows \system32\KDECO.bat (155B)

Memory dumps (name format: PID-sequence-range; `mapping.dmp` entries are process mapping snapshots, `memory.dmp` entries are region dumps with their size)
- memory/1624-142-0x0000000000000000-mapping.dmp
- memory/1652-132-0x00000000022D0000-0x00000000022FF000-memory.dmp (188KB)
- memory/2192-137-0x0000000000000000-mapping.dmp
- memory/2348-153-0x0000000000000000-mapping.dmp
- memory/2348-154-0x000001F451E70000-0x000001F451E92000-memory.dmp (136KB)
- memory/2348-155-0x00007FFDB6170000-0x00007FFDB6C31000-memory.dmp (10.8MB)
- memory/2348-156-0x00007FFDB6170000-0x00007FFDB6C31000-memory.dmp (10.8MB)
- memory/2988-171-0x0000000000000000-mapping.dmp
- memory/2988-175-0x0000000000400000-0x0000000000434000-memory.dmp (208KB)
- memory/2988-176-0x0000000000400000-0x0000000000433095-memory.dmp (204KB)
- memory/2996-151-0x0000000000000000-mapping.dmp
- memory/3060-140-0x0000000000000000-mapping.dmp
- memory/3500-161-0x0000000000000000-mapping.dmp
- memory/3500-165-0x00000000006E0000-0x000000000070F000-memory.dmp (188KB)
- memory/3924-145-0x0000000000000000-mapping.dmp
- memory/4020-143-0x0000000000000000-mapping.dmp
- memory/4148-139-0x0000000000000000-mapping.dmp
- memory/4264-136-0x0000000000000000-mapping.dmp
- memory/4536-150-0x0000000000000000-mapping.dmp
- memory/4936-134-0x0000000000000000-mapping.dmp
- memory/4992-157-0x0000000000000000-mapping.dmp
- memory/4992-158-0x0000000000400000-0x0000000000434000-memory.dmp (208KB)
- memory/4992-160-0x0000000000400000-0x0000000000434000-memory.dmp (208KB)
- memory/4992-164-0x0000000000400000-0x0000000000433095-memory.dmp (204KB)