Analysis
max time kernel: 171s
max time network: 212s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-01-2023 16:33
Static task: static1
Behavioral task: behavioral1
  Sample: Quotation CTT5684.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: Quotation CTT5684.exe
  Resource: win10v2004-20221111-en
General
Target: Quotation CTT5684.exe
Size: 577KB
MD5: 870937bfc582473b8b55263cdd9de6c2
SHA1: 53ef5972b622a434b1fe5e4697445a54e8b387b1
SHA256: 5e9b3af8cce827e801b56da7dcacf0453baeea54f5df0c66607d9cffa2e76886
SHA512: 9b883059a465f8d4d468bbb1b17b1020f7fc5874d42176f3ce1682a29ff1841709dcd44502ef8bd411807b12084ead57e02f12db01b151cbf5c7d012acb250d6
SSDEEP: 12288:vUWcNPJg+MO3/vSLDrw32Zl1zLbHWEpPmB+Rm4mXN4HJUCePad0VL6lwP0FzWSgk:/cJArl1zLbHWEpPmB+Q4mXKHKCePad0w
Malware Config
Extracted
Family: netwire
C2: iammrjeff00.duckdns.org:1181
activex_autorun: false
copy_executable: false
delete_original: false
host_id: MR-J
keylogger_dir: %AppData%\Logs\
lock_executable: false
offline_keylogger: true
password: Password1
registry_autorun: false
use_mutex: false
Signatures

NetWire RAT payload (2 IoCs)
  resource | yara_rule
  behavioral2/memory/2384-156-0x0000000000400000-0x000000000042C000-memory.dmp | netwire
  behavioral2/memory/2384-155-0x0000000000400000-0x0000000000495000-memory.dmp | netwire

Executes dropped EXE (2 IoCs)
  pid | process
  4448 | svchost64.exe
  2384 | svchost64.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation | Quotation CTT5684.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows\CurrentVersion\Run | WScript.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Intel (r) = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tem64\\svchost64.vbs -rb" | WScript.exe

Suspicious use of SetThreadContext (1 IoC)
  description | pid | process | target process
  PID 4448 set thread context of 2384 | 4448 | svchost64.exe | svchost64.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class (1 IoC)
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings | Quotation CTT5684.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | process
  1836 | Quotation CTT5684.exe
  4448 | svchost64.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | process | target process
  PID 1836 wrote to memory of 816 | 1836 | Quotation CTT5684.exe | WScript.exe (3 entries)
  PID 1836 wrote to memory of 4448 | 1836 | Quotation CTT5684.exe | svchost64.exe (3 entries)
  PID 4448 wrote to memory of 2384 | 4448 | svchost64.exe | svchost64.exe (3 entries)
Processes

C:\Users\Admin\AppData\Local\Temp\Quotation CTT5684.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Quotation CTT5684.exe"
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tem64\svchost64.vbs"
    - Adds Run key to start application

  C:\Users\Admin\AppData\Local\Temp\tem64\svchost64.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tem64\svchost64.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\tem64\svchost64.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\tem64\svchost64.exe"
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\tem64\svchost64.exe
  Filesize: 577KB
  MD5: 870937bfc582473b8b55263cdd9de6c2
  SHA1: 53ef5972b622a434b1fe5e4697445a54e8b387b1
  SHA256: 5e9b3af8cce827e801b56da7dcacf0453baeea54f5df0c66607d9cffa2e76886
  SHA512: 9b883059a465f8d4d468bbb1b17b1020f7fc5874d42176f3ce1682a29ff1841709dcd44502ef8bd411807b12084ead57e02f12db01b151cbf5c7d012acb250d6
C:\Users\Admin\AppData\Local\Temp\tem64\svchost64.exeFilesize
577KB
MD5870937bfc582473b8b55263cdd9de6c2
SHA153ef5972b622a434b1fe5e4697445a54e8b387b1
SHA2565e9b3af8cce827e801b56da7dcacf0453baeea54f5df0c66607d9cffa2e76886
SHA5129b883059a465f8d4d468bbb1b17b1020f7fc5874d42176f3ce1682a29ff1841709dcd44502ef8bd411807b12084ead57e02f12db01b151cbf5c7d012acb250d6
-
C:\Users\Admin\AppData\Local\Temp\tem64\svchost64.exeFilesize
577KB
MD5870937bfc582473b8b55263cdd9de6c2
SHA153ef5972b622a434b1fe5e4697445a54e8b387b1
SHA2565e9b3af8cce827e801b56da7dcacf0453baeea54f5df0c66607d9cffa2e76886
SHA5129b883059a465f8d4d468bbb1b17b1020f7fc5874d42176f3ce1682a29ff1841709dcd44502ef8bd411807b12084ead57e02f12db01b151cbf5c7d012acb250d6
C:\Users\Admin\AppData\Local\Temp\tem64\svchost64.vbs
  Filesize: 1024B
  MD5: 2d3de8adf3832d6c998e092032247281
  SHA1: 93a20449e135b41abe7d46b7501483137d28d27b
  SHA256: d6caced3aa684b19a440facdb71f93777aad35e43cb44e252597a9db8243ec30
  SHA512: a362410b958687437b636876fb36f71065f9ab4949ed3b18d7ecfeca95dfc65dd7f2091253d3c62f8e0132efdd6b593f22a23f4db520ba70e4b388614e11da5d
memory/816-137-0x0000000000000000-mapping.dmp
memory/1836-142-0x0000000002130000-0x0000000002137000-memory.dmp (28KB)
memory/1836-136-0x0000000077110000-0x00000000772B3000-memory.dmp (1.6MB)
memory/1836-135-0x00007FFD25FB0000-0x00007FFD261A5000-memory.dmp (2.0MB)
memory/1836-134-0x0000000002130000-0x0000000002137000-memory.dmp (28KB)
memory/1836-144-0x0000000077110000-0x00000000772B3000-memory.dmp (1.6MB)
memory/2384-164-0x0000000077110000-0x00000000772B3000-memory.dmp (1.6MB)
memory/2384-147-0x0000000000000000-mapping.dmp
memory/2384-156-0x0000000000400000-0x000000000042C000-memory.dmp (176KB)
memory/2384-163-0x00007FFD25FB0000-0x00007FFD261A5000-memory.dmp (2.0MB)
memory/2384-162-0x00000000005B0000-0x00000000005B7000-memory.dmp (28KB)
memory/2384-155-0x0000000000400000-0x0000000000495000-memory.dmp (596KB)
memory/2384-152-0x00000000005B0000-0x00000000005B7000-memory.dmp (28KB)
memory/2384-153-0x00007FFD25FB0000-0x00007FFD261A5000-memory.dmp (2.0MB)
memory/2384-154-0x0000000077110000-0x00000000772B3000-memory.dmp (1.6MB)
memory/4448-150-0x00007FFD25FB0000-0x00007FFD261A5000-memory.dmp (2.0MB)
memory/4448-151-0x0000000077110000-0x00000000772B3000-memory.dmp (1.6MB)
memory/4448-146-0x0000000000710000-0x0000000000717000-memory.dmp (28KB)
memory/4448-149-0x0000000000710000-0x0000000000717000-memory.dmp (28KB)
memory/4448-139-0x0000000000000000-mapping.dmp