Analysis
-
max time kernel: 90s
-
max time network: 150s
-
platform: windows10-2004_x64
-
resource: win10v2004-20220901-en
-
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
-
submitted: 05-01-2023 08:38
Static task: static1
Behavioral task: behavioral1
Sample: SecuriteInfo.com.Win32.RATX-gen.8711.exe
Resource: win7-20220812-en
General
-
Target: SecuriteInfo.com.Win32.RATX-gen.8711.exe
-
Size: 715KB
-
MD5: 14a8ed4f4d833c20f775d254eb751f2d
-
SHA1: 5c3282c4b919fb7d5a84a8026233fe358de5a022
-
SHA256: b3cd1a80df7ae1654da07a03006781c83240814dd6d99db27f1733ed8267661c
-
SHA512: 5210cffe7b9b7fb2fa884a71ee599c9305df08270ffc766afa8a409fff9eab5597bd1c677312e8afb0c27caf0966e416e653b5d20b738aadece91e292de14f18
-
SSDEEP: 12288:9zJs9gjEzcfWT+9FOcfx1HsAYaZAtpuxHJNp7lbheaiA/yQRq9CLQrx99s2z:U35Mx3Ya8ApbPeoyN9CWTs2
Malware Config
Extracted
Family: netwire
C2: 212.193.30.230:7324
-
activex_autorun: false
-
copy_executable: false
-
delete_original: false
-
host_id: HostId-%Rand%
-
install_path: %AppData%\Install\Host.exe
-
lock_executable: false
-
offline_keylogger: false
-
password: Password123
-
registry_autorun: false
-
use_mutex: false
Signatures
-
NetWire RAT payload (4 IoCs)
Processes (resource / yara_rule):
  behavioral2/memory/2820-144-0x0000000000400000-0x000000000044F000-memory.dmp  netwire
  behavioral2/memory/2820-145-0x0000000000400000-0x000000000044F000-memory.dmp  netwire
  behavioral2/memory/2820-146-0x0000000000400000-0x000000000044F000-memory.dmp  netwire
  behavioral2/memory/2820-152-0x0000000000400000-0x000000000044F000-memory.dmp  netwire
-
Executes dropped EXE (1 IoC)
Processes (pid / process):
  4136  Host.exe
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes (description / ioc / process):
  Key value queried  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation  SecuriteInfo.com.Win32.RATX-gen.8711.exe
-
Suspicious use of SetThreadContext (1 IoC)
Processes (description / pid / process / target process):
  PID 4848 set thread context of 2820  4848  SecuriteInfo.com.Win32.RATX-gen.8711.exe  RegSvcs.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes (pid / process):
  4848  SecuriteInfo.com.Win32.RATX-gen.8711.exe  (4 events)
  4072  powershell.exe  (2 events)
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description / pid / process):
  Token: SeDebugPrivilege  4848  SecuriteInfo.com.Win32.RATX-gen.8711.exe
  Token: SeDebugPrivilege  4072  powershell.exe
-
Suspicious use of WriteProcessMemory (22 IoCs)
Processes (description / pid / process / target process):
  PID 4848 wrote to memory of 4072  4848  SecuriteInfo.com.Win32.RATX-gen.8711.exe  powershell.exe  (3 events)
  PID 4848 wrote to memory of 1168  4848  SecuriteInfo.com.Win32.RATX-gen.8711.exe  schtasks.exe  (3 events)
  PID 4848 wrote to memory of 1732  4848  SecuriteInfo.com.Win32.RATX-gen.8711.exe  RegSvcs.exe  (3 events)
  PID 4848 wrote to memory of 2820  4848  SecuriteInfo.com.Win32.RATX-gen.8711.exe  RegSvcs.exe  (10 events)
  PID 2820 wrote to memory of 4136  2820  RegSvcs.exe  Host.exe  (3 events)
Processes
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.8711.exe (level 1, PID 4848)
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.8711.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 2, PID 4072)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\abmJUJB.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  -
  C:\Windows\SysWOW64\schtasks.exe (level 2, PID 1168)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\abmJUJB" /XML "C:\Users\Admin\AppData\Local\Temp\tmp612B.tmp"
    - Creates scheduled task(s)
  -
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (level 2, PID 1732)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  -
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (level 2, PID 2820)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    - Suspicious use of WriteProcessMemory
    -
    C:\Users\Admin\AppData\Roaming\Install\Host.exe (level 3, PID 4136)
      Command line: "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp612B.tmp
  Filesize: 1KB
  MD5: 3e5ec33740eccf5f62ca13008e8dc76d
  SHA1: 6b7f3f9ffb8301f1a69c9a680c8e07466b9c624e
  SHA256: c4cd025ed52813b884c8cb6bda8c17df690f9b14b99a478d58a535792f305b31
  SHA512: 4948d8067600b97f1b75be2e3eb35cc757fe97d4c864f8a08ab5eccbabce0125150428e5f0e4bccee3d0a63f8357d3f27828421150515463a5f19ff14ec1e7f4
-
C:\Users\Admin\AppData\Roaming\Install\Host.exe
  Filesize: 44KB
  MD5: 9d352bc46709f0cb5ec974633a0c3c94
  SHA1: 1969771b2f022f9a86d77ac4d4d239becdf08d07
  SHA256: 2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390
  SHA512: 13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b
-
C:\Users\Admin\AppData\Roaming\Install\Host.exe
  Filesize: 44KB
  MD5: 9d352bc46709f0cb5ec974633a0c3c94
  SHA1: 1969771b2f022f9a86d77ac4d4d239becdf08d07
  SHA256: 2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390
  SHA512: 13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b
-
memory/1168-138-0x0000000000000000-mapping.dmp
-
memory/1732-141-0x0000000000000000-mapping.dmp
-
memory/2820-152-0x0000000000400000-0x000000000044F000-memory.dmp (Filesize: 316KB)
-
memory/2820-146-0x0000000000400000-0x000000000044F000-memory.dmp (Filesize: 316KB)
-
memory/2820-145-0x0000000000400000-0x000000000044F000-memory.dmp (Filesize: 316KB)
-
memory/2820-144-0x0000000000400000-0x000000000044F000-memory.dmp (Filesize: 316KB)
-
memory/2820-143-0x0000000000000000-mapping.dmp
-
memory/4072-148-0x0000000005EA0000-0x0000000005F06000-memory.dmp (Filesize: 408KB)
-
memory/4072-161-0x00000000078A0000-0x00000000078BA000-memory.dmp (Filesize: 104KB)
-
memory/4072-140-0x0000000004FE0000-0x0000000005016000-memory.dmp (Filesize: 216KB)
-
memory/4072-137-0x0000000000000000-mapping.dmp
-
memory/4072-166-0x0000000007BC0000-0x0000000007BC8000-memory.dmp (Filesize: 32KB)
-
memory/4072-147-0x0000000005E00000-0x0000000005E22000-memory.dmp (Filesize: 136KB)
-
memory/4072-165-0x0000000007BE0000-0x0000000007BFA000-memory.dmp (Filesize: 104KB)
-
memory/4072-149-0x0000000005F80000-0x0000000005FE6000-memory.dmp (Filesize: 408KB)
-
memory/4072-164-0x0000000007AD0000-0x0000000007ADE000-memory.dmp (Filesize: 56KB)
-
memory/4072-163-0x0000000007B20000-0x0000000007BB6000-memory.dmp (Filesize: 600KB)
-
memory/4072-162-0x0000000007910000-0x000000000791A000-memory.dmp (Filesize: 40KB)
-
memory/4072-142-0x0000000005650000-0x0000000005C78000-memory.dmp (Filesize: 6.2MB)
-
memory/4072-160-0x0000000007EF0000-0x000000000856A000-memory.dmp (Filesize: 6.5MB)
-
memory/4072-159-0x0000000006B40000-0x0000000006B5E000-memory.dmp (Filesize: 120KB)
-
memory/4072-156-0x0000000006590000-0x00000000065AE000-memory.dmp (Filesize: 120KB)
-
memory/4072-157-0x0000000006B60000-0x0000000006B92000-memory.dmp (Filesize: 200KB)
-
memory/4072-158-0x0000000073560000-0x00000000735AC000-memory.dmp (Filesize: 304KB)
-
memory/4136-155-0x0000000005350000-0x000000000538C000-memory.dmp (Filesize: 240KB)
-
memory/4136-154-0x0000000000BA0000-0x0000000000BAE000-memory.dmp (Filesize: 56KB)
-
memory/4136-150-0x0000000000000000-mapping.dmp
-
memory/4848-133-0x0000000005B10000-0x00000000060B4000-memory.dmp (Filesize: 5.6MB)
-
memory/4848-134-0x0000000005660000-0x00000000056F2000-memory.dmp (Filesize: 584KB)
-
memory/4848-135-0x0000000005820000-0x000000000582A000-memory.dmp (Filesize: 40KB)
-
memory/4848-132-0x0000000000C00000-0x0000000000CB8000-memory.dmp (Filesize: 736KB)
-
memory/4848-136-0x0000000009340000-0x00000000093DC000-memory.dmp (Filesize: 624KB)