Analysis
- max time kernel: 138s
- max time network: 142s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 07-02-2023 11:04

Static task: static1
Behavioral task: behavioral1
- Sample: INVOICE000298372-23-98.exe
- Resource: win7-20221111-en
General
- Target: INVOICE000298372-23-98.exe
- Size: 1.3MB
- MD5: b08e3670515eeb4c5a31b1a72a2c68c3
- SHA1: d106b746e5dd6a813be502604938a748a76f6f1b
- SHA256: caee3d5e6fc0673b26429c6521caa57b97693660d9e0cef3b6a746b97c53f550
- SHA512: 75ce9e7da8d3aacfc94a4f79ddf379fbb765223b96cf4245596a1f38d5bb53c9591ab0b4ec3274d686a776039ad62e7d3bff0901c040d600774b72e88d817713
- SSDEEP: 24576:FZ0V6sg5W4eiU2gqMxfzZBqNBk419jVKqrxN5IC54TWMvApxJWUMwQhrb:gYdWmnYloBk41955tgiHpxJxMwQhP
Malware Config
Extracted family: netwire
- reportss.duckdns.org:4411
- activex_autorun: false
- copy_executable: false
- delete_original: false
- host_id: HostId-%Rand%
- lock_executable: false
- offline_keylogger: false
- password: Password
- registry_autorun: false
- use_mutex: false
Signatures
- NetWire RAT payload (7 IoCs)
  Processes (resource / yara_rule):
  behavioral1/memory/1096-69-0x0000000000400000-0x0000000000450000-memory.dmp / netwire
  behavioral1/memory/1096-72-0x0000000000400000-0x0000000000450000-memory.dmp / netwire
  behavioral1/memory/1096-73-0x0000000000400000-0x0000000000450000-memory.dmp / netwire
  behavioral1/memory/1096-75-0x0000000000400000-0x0000000000450000-memory.dmp / netwire
  behavioral1/memory/1096-76-0x000000000041AE7B-mapping.dmp / netwire
  behavioral1/memory/1096-79-0x0000000000400000-0x0000000000450000-memory.dmp / netwire
  behavioral1/memory/1096-80-0x0000000000400000-0x0000000000450000-memory.dmp / netwire
- Uses the VBS compiler for execution (1 TTP)
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description / pid / process / target process):
  PID 1320 set thread context of 1096 / 1320 / INVOICE000298372-23-98.exe / vbc.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (7 IoCs)
  Processes (pid / process):
  1320 / INVOICE000298372-23-98.exe (6 entries)
  468 / powershell.exe (1 entry)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description / pid / process):
  Token: SeDebugPrivilege / 1320 / INVOICE000298372-23-98.exe
  Token: SeDebugPrivilege / 468 / powershell.exe
- Suspicious use of WriteProcessMemory (19 IoCs)
  Processes (description / pid / process / target process):
  PID 1320 wrote to memory of 468 / 1320 / INVOICE000298372-23-98.exe / powershell.exe (4 entries)
  PID 1320 wrote to memory of 1364 / 1320 / INVOICE000298372-23-98.exe / schtasks.exe (4 entries)
  PID 1320 wrote to memory of 1096 / 1320 / INVOICE000298372-23-98.exe / vbc.exe (11 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\INVOICE000298372-23-98.exe (PID 1320)
  Command line: "C:\Users\Admin\AppData\Local\Temp\INVOICE000298372-23-98.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 468)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\mpmNdvTDfoePl.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe (PID 1364)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mpmNdvTDfoePl" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE476.tmp"
    - Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (PID 1096)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpE476.tmp
  Filesize: 1KB
  MD5: 01ab108ad8e83992f0cc27350fb98269
  SHA1: 04df7e2ca2ba8277042c4e3a3ced0fe77c5d7190
  SHA256: b06b9a501c71a353f20485be9e10f834b8b8930feab704aee3e5cfb74ec65226
  SHA512: cd8e940d398459dfb31c4ebcb536d1e32d75d629f7cedac8b154b08633a65ebc10942380a2e930ab32aae35e04794b7fd808501e3cbbc34d82ba417ffb560a32
- memory/468-59-0x0000000000000000-mapping.dmp
- memory/468-81-0x000000006E340000-0x000000006E8EB000-memory.dmp (Filesize: 5.7MB)
- memory/468-70-0x000000006E340000-0x000000006E8EB000-memory.dmp (Filesize: 5.7MB)
- memory/1096-65-0x0000000000400000-0x0000000000450000-memory.dmp (Filesize: 320KB)
- memory/1096-69-0x0000000000400000-0x0000000000450000-memory.dmp (Filesize: 320KB)
- memory/1096-80-0x0000000000400000-0x0000000000450000-memory.dmp (Filesize: 320KB)
- memory/1096-79-0x0000000000400000-0x0000000000450000-memory.dmp (Filesize: 320KB)
- memory/1096-76-0x000000000041AE7B-mapping.dmp
- memory/1096-64-0x0000000000400000-0x0000000000450000-memory.dmp (Filesize: 320KB)
- memory/1096-75-0x0000000000400000-0x0000000000450000-memory.dmp (Filesize: 320KB)
- memory/1096-67-0x0000000000400000-0x0000000000450000-memory.dmp (Filesize: 320KB)
- memory/1096-73-0x0000000000400000-0x0000000000450000-memory.dmp (Filesize: 320KB)
- memory/1096-72-0x0000000000400000-0x0000000000450000-memory.dmp (Filesize: 320KB)
- memory/1320-58-0x0000000005DD0000-0x0000000005E76000-memory.dmp (Filesize: 664KB)
- memory/1320-56-0x00000000003C0000-0x00000000003D4000-memory.dmp (Filesize: 80KB)
- memory/1320-54-0x00000000010C0000-0x0000000001208000-memory.dmp (Filesize: 1.3MB)
- memory/1320-63-0x0000000005090000-0x00000000050DE000-memory.dmp (Filesize: 312KB)
- memory/1320-57-0x0000000000400000-0x000000000040C000-memory.dmp (Filesize: 48KB)
- memory/1320-55-0x0000000075D01000-0x0000000075D03000-memory.dmp (Filesize: 8KB)
- memory/1364-60-0x0000000000000000-mapping.dmp