Analysis
- max time kernel: 44s
- max time network: 33s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 05-01-2023 08:37
- Static task: static1
- Behavioral task: behavioral1
  - Sample: SecuriteInfo.com.Win32.RATX-gen.8711.15068.exe
  - Resource: win7-20221111-en
General
- Target: SecuriteInfo.com.Win32.RATX-gen.8711.15068.exe
- Size: 715KB
- MD5: 14a8ed4f4d833c20f775d254eb751f2d
- SHA1: 5c3282c4b919fb7d5a84a8026233fe358de5a022
- SHA256: b3cd1a80df7ae1654da07a03006781c83240814dd6d99db27f1733ed8267661c
- SHA512: 5210cffe7b9b7fb2fa884a71ee599c9305df08270ffc766afa8a409fff9eab5597bd1c677312e8afb0c27caf0966e416e653b5d20b738aadece91e292de14f18
- SSDEEP: 12288:9zJs9gjEzcfWT+9FOcfx1HsAYaZAtpuxHJNp7lbheaiA/yQRq9CLQrx99s2z:U35Mx3Ya8ApbPeoyN9CWTs2
Malware Config
Extracted family: netwire
- C2: 212.193.30.230:7324
- activex_autorun: false
- copy_executable: false
- delete_original: false
- host_id: HostId-%Rand%
- install_path: %AppData%\Install\Host.exe
- lock_executable: false
- offline_keylogger: false
- password: Password123
- registry_autorun: false
- use_mutex: false

Every persistence-related option in this NetWire config (activex_autorun, registry_autorun, copy_executable) is off. The persistence seen in the run below, a Defender exclusion and a scheduled task, is issued by the submitted executable (PID 1696) itself rather than driven by these flags, while the dropped Host.exe lands at exactly the install_path given here.
Signatures
- NetWire RAT payload (7 IoCs)
  YARA rule "netwire" matched on memory dumps of PID 1124 (RegSvcs.exe):
  behavioral1/memory/1124-69-0x0000000000400000-0x000000000044F000-memory.dmp
  behavioral1/memory/1124-71-0x0000000000400000-0x000000000044F000-memory.dmp
  behavioral1/memory/1124-72-0x0000000000400000-0x000000000044F000-memory.dmp
  behavioral1/memory/1124-74-0x0000000000400000-0x000000000044F000-memory.dmp
  behavioral1/memory/1124-75-0x000000000041AD7B-mapping.dmp
  behavioral1/memory/1124-78-0x0000000000400000-0x000000000044F000-memory.dmp
  behavioral1/memory/1124-82-0x0000000000400000-0x000000000044F000-memory.dmp
- Executes dropped EXE (1 IoC)
  PID 1760 Host.exe
- Loads dropped DLL (1 IoC)
  PID 1124 RegSvcs.exe
- Suspicious use of SetThreadContext (1 IoC)
  PID 1696 SecuriteInfo.com.Win32.RATX-gen.8711.15068.exe set thread context of PID 1124 RegSvcs.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's stock description for this signature is "likely ransomware behaviour", but nothing else in this report supports that reading (no mass file writes, no ransom note, no encrypted files in the dropped-file list); the identified payload is the NetWire RAT, for which drive enumeration is ordinary host reconnaissance.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  PID 1696 SecuriteInfo.com.Win32.RATX-gen.8711.15068.exe (2 hits), PID 784 powershell.exe (1 hit)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege in PID 1696 SecuriteInfo.com.Win32.RATX-gen.8711.15068.exe
  Token: SeDebugPrivilege in PID 784 powershell.exe
- Suspicious use of WriteProcessMemory (29 IoCs)
  PID 1696 SecuriteInfo.com.Win32.RATX-gen.8711.15068.exe wrote to memory of PID 784 powershell.exe (4 writes)
  PID 1696 SecuriteInfo.com.Win32.RATX-gen.8711.15068.exe wrote to memory of PID 1324 schtasks.exe (4 writes)
  PID 1696 SecuriteInfo.com.Win32.RATX-gen.8711.15068.exe wrote to memory of PID 1124 RegSvcs.exe (14 writes)
  PID 1124 RegSvcs.exe wrote to memory of PID 1760 Host.exe (7 writes)
  The four writes into powershell.exe and schtasks.exe are the normal CreateProcess writes into a freshly started child; the fourteen writes into RegSvcs.exe, combined with the SetThreadContext call above and the netwire YARA hits on that process's 0x400000-0x44F000 region, are the process-hollowing step.
Processes
[1] C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.8711.15068.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.8711.15068.exe"
    PID: 1696
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\abmJUJB.exe"
      PID: 784
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\abmJUJB" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9F2D.tmp"
      PID: 1324
      - Creates scheduled task(s)
  [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      PID: 1124
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Roaming\Install\Host.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        PID: 1760
        - Executes dropped EXE

Notes:
- The command lines for powershell.exe and schtasks.exe name System32, but both images resolved under SysWOW64. That is WoW64 file-system redirection, so the parent (PID 1696) is a 32-bit process on this x64 Windows 7 image, consistent with the 32-bit Framework (not Framework64) RegSvcs.exe it later hollows.
- The Defender exclusion (Add-MpPreference -ExclusionPath) and the scheduled-task import (schtasks /Create /XML from a %TEMP% file) are both issued by the submitted executable, not by the injected payload. Both use the name abmJUJB, yet no file named abmJUJB.exe appears among the dropped files below; the exclusion is set before the excluded file exists.
- RegSvcs.exe is started with no arguments, then receives SetThreadContext and 14 WriteProcessMemory calls from PID 1696, and the netwire YARA rule matches its memory: the NetWire payload runs inside a hollowed RegSvcs.exe.
- Host.exe is written to %AppData%\Install\Host.exe, the install_path from the extracted config, and is spawned by the hollowed RegSvcs.exe, not by the original sample.
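The process tree above is a chain worth detecting as a whole: a PowerShell Defender exclusion, a scheduled task imported from a temp XML, an argument-less .NET utility started from a user-writable directory, and an executable run from %AppData%\Roaming\Install. The Python below is an added example, not code from the sandbox, the report, or NetWire itself. It runs a handful of rules over constructed Sysmon-style process-creation records modelled on the five processes in the report plus one benign control, groups hits by the root of each process chain, and flags a chain only when several distinct rules fire. The JSON field names, the benign control event, and the HOLLOW_HOSTS set beyond RegSvcs.exe are assumptions for the example.

```python
"""Chain detection for the loader pattern in the sandbox report above.

SAMPLE_EVENTS are constructed Sysmon-style process-creation records (not real
telemetry) modelled on the report's process tree plus one benign control.
Field names and the HOLLOW_HOSTS membership are assumptions of this example.
"""
import json
import re
from collections import defaultdict

SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"pid": 1696, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.8711.15068.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.8711.15068.exe"'},
    {"pid": 784, "ppid": 1696,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                r'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\abmJUJB.exe"'},
    {"pid": 1324, "ppid": 1696,
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\abmJUJB" '
                r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp9F2D.tmp"'},
    {"pid": 1124, "ppid": 1696,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"'},
    {"pid": 1760, "ppid": 1124,
     "image": r"C:\Users\Admin\AppData\Roaming\Install\Host.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Roaming\Install\Host.exe"'},
    # Benign control (constructed): RegSvcs.exe run with arguments by a build tool.
    {"pid": 2200, "ppid": 2100,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" C:\src\Component.dll'},
])

USER_WRITABLE = re.compile(r"\\AppData\\(Local\\Temp|Roaming)\\", re.I)
# .NET utilities used as hollowing hosts; only RegSvcs.exe appears in the report,
# the other names are an assumption of this example.
HOLLOW_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def has_no_arguments(cmdline):
    """True when the command line is nothing but the (optionally quoted) image path."""
    return re.fullmatch(r'\s*"[^"]+"\s*|\s*\S+\s*', cmdline) is not None


def wow64_redirected(ev):
    """Image resolved under SysWOW64 although the command line named System32:
    file-system redirection, which tells you the launching parent is 32-bit."""
    return "\\syswow64\\" in ev["image"].lower() and "\\system32\\" in ev["cmdline"].lower()


RULES = {
    "defender_exclusion": lambda ev, parent: basename(ev["image"]) == "powershell.exe"
        and re.search(r"add-mppreference\b.*-exclusion(path|process|extension)",
                      ev["cmdline"], re.I) is not None,
    "schtasks_xml_from_temp": lambda ev, parent: basename(ev["image"]) == "schtasks.exe"
        and "/create" in ev["cmdline"].lower() and "/xml" in ev["cmdline"].lower()
        and re.search(r"\\appdata\\local\\temp\\", ev["cmdline"], re.I) is not None,
    # Hollowing candidate: a .NET utility with no arguments, parent in a user-writable dir.
    "hollow_host_no_args": lambda ev, parent: basename(ev["image"]) in HOLLOW_HOSTS
        and has_no_arguments(ev["cmdline"]) and parent is not None
        and USER_WRITABLE.search(parent["image"]) is not None,
    # The extracted NetWire install_path, %AppData%\Install\Host.exe, expands under Roaming.
    "exe_from_appdata_install": lambda ev, parent:
        re.search(r"\\appdata\\roaming\\install\\[^\\]+\.exe$", ev["image"], re.I) is not None,
}


def load_events(log_text):
    """Parse newline-delimited JSON records into {pid: event}."""
    return {ev["pid"]: ev for ev in (json.loads(l) for l in log_text.splitlines() if l.strip())}


def detect(log_text):
    """Return {root_pid: [(pid, rule_name), ...]}, grouping hits by the top of each chain."""
    events = load_events(log_text)

    def root_of(ev):
        while ev["ppid"] in events:
            ev = events[ev["ppid"]]
        return ev["pid"]

    hits = defaultdict(list)
    for ev in events.values():
        parent = events.get(ev["ppid"])
        for name, rule in RULES.items():
            if rule(ev, parent):
                hits[root_of(ev)].append((ev["pid"], name))
    return dict(hits)


def flagged_chains(hits, min_rules=2):
    """Keep chains where at least min_rules distinct rules fired; any one rule alone is
    noisy, the combination seen in the report is not."""
    return {root: h for root, h in hits.items() if len({n for _, n in h}) >= min_rules}


if __name__ == "__main__":
    for root, h in flagged_chains(detect(SAMPLE_EVENTS)).items():
        print(f"root PID {root}: {h}")
```

Grouping by the chain root is what makes this usable: each rule on its own fires on admins and build servers, but all four under one parent from %TEMP% is the report's pattern. The benign RegSvcs.exe control is not flagged because it carries arguments and its parent is not under a user-writable directory.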
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp9F2D.tmp (the task XML imported by schtasks.exe)
  Filesize: 1KB
  MD5: 0111c411f50b2510fa894573b827af23
  SHA1: 31f43a58f16a7061af367def476a675e75a2c815
  SHA256: 70396855e8ff46dc348ee1e3f4d102211db6ac376596f02d9b4616be0388376b
  SHA512: 85abffd1c9b53b9323fd31719f51ad4c95bd3d4f0d421a43ab20d19f913db2f67807fe8861bc317524e035e318a7c3282bafa9219940cc8a33e2ded0094f2775
- C:\Users\Admin\AppData\Roaming\Install\Host.exe (the sandbox recorded this file three times, twice under this path and once as \Users\Admin\AppData\Roaming\Install\Host.exe, all with identical hashes)
  Filesize: 44KB
  MD5: 0e06054beb13192588e745ee63a84173
  SHA1: 30b7d4d1277bafd04a83779fd566a1f834a8d113
  SHA256: c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768
  SHA512: 251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Memory dumps (name format: PID-sequence-range)
- memory/784-59-0x0000000000000000-mapping.dmp
- memory/784-86-0x000000006EA30000-0x000000006EFDB000-memory.dmp: 5.7MB
- memory/784-87-0x000000006EA30000-0x000000006EFDB000-memory.dmp: 5.7MB
- memory/1124-64-0x0000000000400000-0x000000000044F000-memory.dmp: 316KB
- memory/1124-65-0x0000000000400000-0x000000000044F000-memory.dmp: 316KB
- memory/1124-67-0x0000000000400000-0x000000000044F000-memory.dmp: 316KB
- memory/1124-69-0x0000000000400000-0x000000000044F000-memory.dmp: 316KB
- memory/1124-71-0x0000000000400000-0x000000000044F000-memory.dmp: 316KB
- memory/1124-72-0x0000000000400000-0x000000000044F000-memory.dmp: 316KB
- memory/1124-74-0x0000000000400000-0x000000000044F000-memory.dmp: 316KB
- memory/1124-75-0x000000000041AD7B-mapping.dmp
- memory/1124-78-0x0000000000400000-0x000000000044F000-memory.dmp: 316KB
- memory/1124-82-0x0000000000400000-0x000000000044F000-memory.dmp: 316KB
- memory/1324-60-0x0000000000000000-mapping.dmp
- memory/1696-54-0x0000000000090000-0x0000000000148000-memory.dmp: 736KB
- memory/1696-55-0x00000000757C1000-0x00000000757C3000-memory.dmp: 8KB
- memory/1696-56-0x00000000003A0000-0x00000000003B6000-memory.dmp: 88KB
- memory/1696-57-0x00000000004D0000-0x00000000004DA000-memory.dmp: 40KB
- memory/1696-58-0x0000000007ED0000-0x0000000007F54000-memory.dmp: 528KB
- memory/1696-63-0x0000000005DB0000-0x0000000005DFC000-memory.dmp: 304KB
- memory/1760-80-0x0000000000000000-mapping.dmp
- memory/1760-84-0x0000000000DC0000-0x0000000000DCE000-memory.dmp: 56KB
- memory/1760-85-0x0000000000380000-0x00000000003A0000-memory.dmp: 128KB

The repeated 0x400000-0x44F000 dumps of PID 1124 (0x4F000 bytes, i.e. the 316KB shown) are the image written into the hollowed RegSvcs.exe and are the dumps the netwire YARA rule matched on; the 0x41AD7B mapping in the same process falls inside that range, consistent with the redirected thread being started at the injected payload's entry point. The sequence numbers also give the order of events: powershell.exe (59) and schtasks.exe (60) were spawned before the first RegSvcs.exe dump (64), and Host.exe (80) last.