Analysis
- max time kernel: 50s
- max time network: 41s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 05-01-2023 08:38
Static task: static1
Behavioral task: behavioral1
- Sample: SecuriteInfo.com.Win32.RATX-gen.8711.exe
- Resource: win7-20220812-en
General
- Target: SecuriteInfo.com.Win32.RATX-gen.8711.exe
- Size: 715KB
- MD5: 14a8ed4f4d833c20f775d254eb751f2d
- SHA1: 5c3282c4b919fb7d5a84a8026233fe358de5a022
- SHA256: b3cd1a80df7ae1654da07a03006781c83240814dd6d99db27f1733ed8267661c
- SHA512: 5210cffe7b9b7fb2fa884a71ee599c9305df08270ffc766afa8a409fff9eab5597bd1c677312e8afb0c27caf0966e416e653b5d20b738aadece91e292de14f18
- SSDEEP: 12288:9zJs9gjEzcfWT+9FOcfx1HsAYaZAtpuxHJNp7lbheaiA/yQRq9CLQrx99s2z:U35Mx3Ya8ApbPeoyN9CWTs2
Malware Config
Extracted
- Family: netwire
- C2: 212.193.30.230:7324
- activex_autorun: false
- copy_executable: false
- delete_original: false
- host_id: HostId-%Rand%
- install_path: %AppData%\Install\Host.exe
- lock_executable: false
- offline_keylogger: false
- password: Password123
- registry_autorun: false
- use_mutex: false
Signatures
- NetWire RAT payload (7 IoCs)
  Processes (resource / yara_rule):
  - behavioral1/memory/1056-69-0x0000000000400000-0x000000000044F000-memory.dmp: netwire
  - behavioral1/memory/1056-71-0x0000000000400000-0x000000000044F000-memory.dmp: netwire
  - behavioral1/memory/1056-72-0x0000000000400000-0x000000000044F000-memory.dmp: netwire
  - behavioral1/memory/1056-74-0x0000000000400000-0x000000000044F000-memory.dmp: netwire
  - behavioral1/memory/1056-75-0x000000000041AD7B-mapping.dmp: netwire
  - behavioral1/memory/1056-78-0x0000000000400000-0x000000000044F000-memory.dmp: netwire
  - behavioral1/memory/1056-82-0x0000000000400000-0x000000000044F000-memory.dmp: netwire
- Executes dropped EXE (1 IoC)
  Processes (pid / process):
  - 816 Host.exe
- Loads dropped DLL (1 IoC)
  Processes (pid / process):
  - 1056 RegSvcs.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description / pid / process / target process):
  - PID 788 (SecuriteInfo.com.Win32.RATX-gen.8711.exe) set thread context of PID 1056 (RegSvcs.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes (pid / process):
  - 788 SecuriteInfo.com.Win32.RATX-gen.8711.exe
  - 788 SecuriteInfo.com.Win32.RATX-gen.8711.exe
  - 940 powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description / pid / process):
  - Token: SeDebugPrivilege, 788 SecuriteInfo.com.Win32.RATX-gen.8711.exe
  - Token: SeDebugPrivilege, 940 powershell.exe
- Suspicious use of WriteProcessMemory (29 IoCs)
  Processes (description / pid / process / target process):
  - PID 788 (SecuriteInfo.com.Win32.RATX-gen.8711.exe) wrote to memory of PID 940 (powershell.exe)
  - PID 788 (SecuriteInfo.com.Win32.RATX-gen.8711.exe) wrote to memory of PID 940 (powershell.exe)
  - PID 788 (SecuriteInfo.com.Win32.RATX-gen.8711.exe) wrote to memory of PID 940 (powershell.exe)
  - PID 788 (SecuriteInfo.com.Win32.RATX-gen.8711.exe) wrote to memory of PID 940 (powershell.exe)
  - PID 788 (SecuriteInfo.com.Win32.RATX-gen.8711.exe) wrote to memory of PID 1448 (schtasks.exe)
  - PID 788 (SecuriteInfo.com.Win32.RATX-gen.8711.exe) wrote to memory of PID 1448 (schtasks.exe)
  - PID 788 (SecuriteInfo.com.Win32.RATX-gen.8711.exe) wrote to memory of PID 1448 (schtasks.exe)
  - PID 788 (SecuriteInfo.com.Win32.RATX-gen.8711.exe) wrote to memory of PID 1448 (schtasks.exe)
  - PID 788 (SecuriteInfo.com.Win32.RATX-gen.8711.exe) wrote to memory of PID 1056 (RegSvcs.exe)
  - PID 788 (SecuriteInfo.com.Win32.RATX-gen.8711.exe) wrote to memory of PID 1056 (RegSvcs.exe)
  - PID 788 (SecuriteInfo.com.Win32.RATX-gen.8711.exe) wrote to memory of PID 1056 (RegSvcs.exe)
  - PID 788 (SecuriteInfo.com.Win32.RATX-gen.8711.exe) wrote to memory of PID 1056 (RegSvcs.exe)
  - PID 788 (SecuriteInfo.com.Win32.RATX-gen.8711.exe) wrote to memory of PID 1056 (RegSvcs.exe)
  - PID 788 (SecuriteInfo.com.Win32.RATX-gen.8711.exe) wrote to memory of PID 1056 (RegSvcs.exe)
  - PID 788 (SecuriteInfo.com.Win32.RATX-gen.8711.exe) wrote to memory of PID 1056 (RegSvcs.exe)
  - PID 788 (SecuriteInfo.com.Win32.RATX-gen.8711.exe) wrote to memory of PID 1056 (RegSvcs.exe)
  - PID 788 (SecuriteInfo.com.Win32.RATX-gen.8711.exe) wrote to memory of PID 1056 (RegSvcs.exe)
  - PID 788 (SecuriteInfo.com.Win32.RATX-gen.8711.exe) wrote to memory of PID 1056 (RegSvcs.exe)
  - PID 788 (SecuriteInfo.com.Win32.RATX-gen.8711.exe) wrote to memory of PID 1056 (RegSvcs.exe)
  - PID 788 (SecuriteInfo.com.Win32.RATX-gen.8711.exe) wrote to memory of PID 1056 (RegSvcs.exe)
  - PID 788 (SecuriteInfo.com.Win32.RATX-gen.8711.exe) wrote to memory of PID 1056 (RegSvcs.exe)
  - PID 788 (SecuriteInfo.com.Win32.RATX-gen.8711.exe) wrote to memory of PID 1056 (RegSvcs.exe)
  - PID 1056 (RegSvcs.exe) wrote to memory of PID 816 (Host.exe)
  - PID 1056 (RegSvcs.exe) wrote to memory of PID 816 (Host.exe)
  - PID 1056 (RegSvcs.exe) wrote to memory of PID 816 (Host.exe)
  - PID 1056 (RegSvcs.exe) wrote to memory of PID 816 (Host.exe)
  - PID 1056 (RegSvcs.exe) wrote to memory of PID 816 (Host.exe)
  - PID 1056 (RegSvcs.exe) wrote to memory of PID 816 (Host.exe)
  - PID 1056 (RegSvcs.exe) wrote to memory of PID 816 (Host.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.8711.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.8711.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 788
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\abmJUJB.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 940
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\abmJUJB" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1C77.tmp"
    - Creates scheduled task(s)
    PID: 1448
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 1056
    - C:\Users\Admin\AppData\Roaming\Install\Host.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
      - Executes dropped EXE
      PID: 816
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp1C77.tmp
  Filesize: 1KB
  MD5: 80b73735c81cb09791d7983f8d3dff46
  SHA1: 4444b228cc997afa6e0d3b33222bcfe353107d76
  SHA256: 393e06a5c646d1312781716a3f659d8395491324988fcfdb0e9c15c34c4e00de
  SHA512: 810e9a443b56e35ca3675828edbe806a35cdc111b009aa822a09dcc1e5ffbe6203bf91096616d95865a8599267efaa71ef9b12cec003b92096b0744047807da7
- C:\Users\Admin\AppData\Roaming\Install\Host.exe
  Filesize: 44KB
  MD5: 0e06054beb13192588e745ee63a84173
  SHA1: 30b7d4d1277bafd04a83779fd566a1f834a8d113
  SHA256: c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768
  SHA512: 251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215
- \Users\Admin\AppData\Roaming\Install\Host.exe
  Filesize: 44KB
  MD5: 0e06054beb13192588e745ee63a84173
  SHA1: 30b7d4d1277bafd04a83779fd566a1f834a8d113
  SHA256: c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768
  SHA512: 251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215
- memory/788-63-0x0000000005BC0000-0x0000000005C0C000-memory.dmp (Filesize: 304KB)
- memory/788-58-0x0000000005ED0000-0x0000000005F54000-memory.dmp (Filesize: 528KB)
- memory/788-57-0x0000000000670000-0x000000000067A000-memory.dmp (Filesize: 40KB)
- memory/788-54-0x00000000001D0000-0x0000000000288000-memory.dmp (Filesize: 736KB)
- memory/788-56-0x0000000000640000-0x0000000000656000-memory.dmp (Filesize: 88KB)
- memory/788-55-0x0000000076681000-0x0000000076683000-memory.dmp (Filesize: 8KB)
- memory/816-85-0x0000000000310000-0x0000000000330000-memory.dmp (Filesize: 128KB)
- memory/816-84-0x0000000000E90000-0x0000000000E9E000-memory.dmp (Filesize: 56KB)
- memory/816-80-0x0000000000000000-mapping.dmp
- memory/940-59-0x0000000000000000-mapping.dmp
- memory/940-87-0x000000006EB10000-0x000000006F0BB000-memory.dmp (Filesize: 5.7MB)
- memory/940-86-0x000000006EB10000-0x000000006F0BB000-memory.dmp (Filesize: 5.7MB)
- memory/1056-69-0x0000000000400000-0x000000000044F000-memory.dmp (Filesize: 316KB)
- memory/1056-78-0x0000000000400000-0x000000000044F000-memory.dmp (Filesize: 316KB)
- memory/1056-75-0x000000000041AD7B-mapping.dmp
- memory/1056-74-0x0000000000400000-0x000000000044F000-memory.dmp (Filesize: 316KB)
- memory/1056-72-0x0000000000400000-0x000000000044F000-memory.dmp (Filesize: 316KB)
- memory/1056-82-0x0000000000400000-0x000000000044F000-memory.dmp (Filesize: 316KB)
- memory/1056-71-0x0000000000400000-0x000000000044F000-memory.dmp (Filesize: 316KB)
- memory/1056-67-0x0000000000400000-0x000000000044F000-memory.dmp (Filesize: 316KB)
- memory/1056-65-0x0000000000400000-0x000000000044F000-memory.dmp (Filesize: 316KB)
- memory/1056-64-0x0000000000400000-0x000000000044F000-memory.dmp (Filesize: 316KB)
- memory/1448-60-0x0000000000000000-mapping.dmp