Analysis
- max time kernel: 146s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-04-2023 05:02
Behavioral task behavioral1
- Sample: r.exe
- Resource: win7-20230220-en
Behavioral task behavioral2
- Sample: r.exe
- Resource: win10v2004-20230220-en
(Only the behavioral2 run, on win10v2004-20230220-en, is reported on this page; every signature, process and memory dump below carries the behavioral2 prefix.)
General
- Target: r.exe
- Size: 160KB
- MD5: fb8441287cef7a3c0a67a24830a648f3
- SHA1: 6fef02a3793b481a2603da3d5051698ea752f4ab
- SHA256: 10a9942365cfd73d8c11b5b8e46763a53c642e5ddd9577a21c2388e7bc99d910
- SHA512: 660a630c200f34808deba9484d416a8292176f18516a33d9af7c0ec3e5764f41c9a77d8fbf42dd123b8cdbe71e7537a2f63ccc675b2271c85b7a4164c0b4ad0e
- SSDEEP: 3072:jOzPcXa+ND32eioGHlz8rnAE0HCXh0edLv1YMjMqqDvFf:jOTcK+NrRioGHlz8rz0i/1zQqqDvFf
Malware Config
Extracted family: netwire
C2 hosts (all on TCP port 8888):
- wire.universitynetservice1979.info:8888
- 167.179.102.70:8888
- 62.234.24.30:8888
Configuration:
- activex_autorun: false
- copy_executable: true
- delete_original: true
- host_id: HostId-%Rand%
- install_path: %AppData%\Install\svchost.exe
- keylogger_dir: %AppData%\Logs\
- lock_executable: false
- mutex: olflQfiP
- offline_keylogger: true
- password: win
- registry_autorun: true
- startup_name: netloading
- use_mutex: true
Reading the config: copy_executable/install_path say the sample copies itself to %AppData%\Install\svchost.exe (a name chosen to blend in with the real svchost.exe, which only ever lives under %SystemRoot%\System32 or SysWOW64), delete_original says the copy removes the file it was launched from, registry_autorun/startup_name say persistence is a Run value named "netloading", and use_mutex/mutex give the single-instance mutex "olflQfiP". offline_keylogger with keylogger_dir means keystrokes are logged to %AppData%\Logs\ even when no C2 is reachable. The "password" value is the NetWire operator password from which the RAT derives its C2 traffic encryption key; with it, captured C2 sessions to the hosts above can be decrypted. Every one of these values is confirmed by the signatures below.
Signatures
- NetWire RAT payload (11 IoCs). YARA rule "netwire" matched on:
  - C:\Users\Admin\AppData\Roaming\Install\svchost.exe (the dropped file; listed three times)
  - behavioral2/memory/3408-141-0x0000000000400000-0x0000000000433000-memory.dmp (r.exe, PID 3408)
  - behavioral2/memory/4116-142-0x0000000000400000-0x0000000000433000-memory.dmp (svchost.exe, PID 4116)
  - behavioral2/memory/4116-144-0x0000000000400000-0x0000000000433000-memory.dmp
  - behavioral2/memory/4116-151-0x0000000000400000-0x0000000000433000-memory.dmp
  - behavioral2/memory/4116-152-0x0000000000400000-0x0000000000433000-memory.dmp
  - behavioral2/memory/4116-153-0x0000000000400000-0x0000000000433000-memory.dmp
  - behavioral2/memory/4116-154-0x0000000000400000-0x0000000000433000-memory.dmp
  - behavioral2/memory/4116-155-0x0000000000400000-0x0000000000433000-memory.dmp
  The same 0x400000-0x433000 image region is flagged in both the original r.exe and the dropped copy, which is what you expect when the dropped file is a byte-for-byte copy of the sample (identical hashes, see Downloads).
- Checks computer location settings (2 TTPs, 1 IoC). Looks up the country code configured in the registry, likely a geofence.
  - r.exe queried the key value \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation
- Executes dropped EXE (1 IoC)
  - PID 4116 svchost.exe
- Adds Run key to start application (2 TTPs, 2 IoCs). This is the registry_autorun/startup_name persistence from the config.
  - svchost.exe created key \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
  - svchost.exe set value (str) \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\netloading = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\svchost.exe"
- Enumerates physical storage devices (1 TTP). Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature says "likely ransomware behaviour", but that label does not fit here: the sample is a NetWire RAT, and drive enumeration is ordinary RAT file-manager behaviour. Nothing else in the report (no mass file writes or renames) supports a ransomware reading.
- Suspicious use of WriteProcessMemory (3 IoCs). All three writes are from the parent into the child it had just spawned:
  - PID 3408 (r.exe) wrote to memory of PID 4116 (svchost.exe), three times
Processes
1. C:\Users\Admin\AppData\Local\Temp\r.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\r.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\Install\svchost.exe (child of 1)
      command line: "C:\Users\Admin\AppData\Roaming\Install\svchost.exe" -m "C:\Users\Admin\AppData\Local\Temp\r.exe"
      - Executes dropped EXE
      - Adds Run key to start application
The dropped copy is started with -m followed by the path of the original sample, consistent with delete_original=true in the config: the copy is handed the original's location so it can remove it.
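The configuration and signatures above give a compact set of host and network indicators: an svchost.exe running from %AppData%\Roaming\Install, the -m relaunch of the dropped copy, the Run value "netloading", the file write to the install path, the SHA256 of the sample, and the three C2 hosts on port 8888. The following is an added example, not part of the sandbox report, that turns those indicators into detection logic and runs it over constructed Sysmon-style events (EventID 1 process create, 3 network connect, 11 file create, 13 registry value set). The event dictionaries, their field names and the benign events are assumptions made for illustration; only the indicator values are copied from the report.

```python
import re

# Indicators copied from the report's extracted config and signatures.
C2_HOSTS = {"wire.universitynetservice1979.info", "167.179.102.70", "62.234.24.30"}
C2_PORT = 8888
SHA256 = "10a9942365cfd73d8c11b5b8e46763a53c642e5ddd9577a21c2388e7bc99d910"
RUN_VALUE = "netloading"

# Tail-anchored so both Sysmon's HKU\<SID>\... and the sandbox's
# \REGISTRY\USER\<SID>\... spellings match; case-insensitive for SOFTWARE/Software.
INSTALL_PATH_RE = re.compile(r"\\AppData\\Roaming\\Install\\svchost\.exe$", re.I)
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.I)
# The only places a legitimate svchost.exe lives.
WINDOWS_DIR_RE = re.compile(r"^[A-Z]:\\Windows\\(System32|SysWOW64)\\svchost\.exe$", re.I)
# The dropped copy's relaunch: <install path> -m "<path of original>"
RELAUNCH_RE = re.compile(r'\s-m\s+"[^"]*\.exe"', re.I)


def parse_hashes(field: str) -> dict:
    """Sysmon's Hashes field is 'MD5=..,SHA256=..'; return {ALGO: lowercase hex}."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def classify(ev: dict) -> list:
    """Return the list of NetWire indicators this single event matches."""
    hits = []
    eid = ev.get("EventID")
    image = ev.get("Image", "")
    if eid == 1:  # process creation
        if image.lower().endswith("\\svchost.exe") and not WINDOWS_DIR_RE.match(image):
            hits.append("svchost.exe outside System32/SysWOW64")
        if INSTALL_PATH_RE.search(image):
            hits.append("NetWire install_path")
            if RELAUNCH_RE.search(ev.get("CommandLine", "")):
                hits.append("dropped copy relaunched with -m <original>")
        if parse_hashes(ev.get("Hashes", "")).get("SHA256") == SHA256:
            hits.append("known NetWire SHA256")
    elif eid == 3:  # network connection
        dest = (ev.get("DestinationIp"), ev.get("DestinationHostname"))
        if ev.get("DestinationPort") == C2_PORT and any(d in C2_HOSTS for d in dest):
            hits.append("NetWire C2 host on 8888")
    elif eid == 11:  # file create
        if INSTALL_PATH_RE.search(ev.get("TargetFilename", "")):
            hits.append("file written to NetWire install_path")
    elif eid == 13:  # registry value set
        m = RUN_KEY_RE.search(ev.get("TargetObject", ""))
        if m:
            if m.group(1).lower() == RUN_VALUE.lower():
                hits.append("Run value 'netloading'")
            if INSTALL_PATH_RE.search(ev.get("Details", "")):
                hits.append("Run value points at NetWire install_path")
    return hits


def hunt(events) -> list:
    """(EventID, indicator) pairs for every match across a batch of events."""
    return [(ev["EventID"], h) for ev in events for h in classify(ev)]


# Constructed sample events (assumed Sysmon-like shape, invented values except
# the indicators copied from the report). Events 0 and 3 are benign controls.
SID = "S-1-5-21-4238149048-355649189-894321705-1000"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs", "Hashes": "SHA256=0000"},
    {"EventID": 1, "Image": r"C:\Users\Admin\AppData\Roaming\Install\svchost.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Roaming\Install\svchost.exe" -m "C:\Users\Admin\AppData\Local\Temp\r.exe"',
     "Hashes": "MD5=fb8441287cef7a3c0a67a24830a648f3,SHA256=" + SHA256},
    {"EventID": 3, "DestinationIp": "167.179.102.70", "DestinationPort": 8888},
    {"EventID": 3, "DestinationIp": "93.184.216.34", "DestinationPort": 443},
    {"EventID": 11, "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Install\svchost.exe"},
    {"EventID": 13, "TargetObject": rf"HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Run\netloading",
     "Details": r"C:\Users\Admin\AppData\Roaming\Install\svchost.exe"},
]

if __name__ == "__main__":
    for eid, indicator in hunt(SAMPLE_EVENTS):
        print(f"EventID {eid}: {indicator}")
```

The svchost.exe-outside-System32 check is the durable one: the hash, hosts and Run value name change per build, but NetWire's install_path convention of dropping a fake svchost.exe under the user profile survives reconfiguration, and a real svchost.exe never runs from %AppData%.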
Downloads
- C:\Users\Admin\AppData\Roaming\Install\svchost.exe (listed three times in the report with identical hashes; its MD5/SHA1/SHA256/SHA512 are the same as the submitted r.exe, so the dropped file is an unmodified copy of the sample, as copy_executable=true implies)
  - Filesize: 160KB
  - MD5: fb8441287cef7a3c0a67a24830a648f3
  - SHA1: 6fef02a3793b481a2603da3d5051698ea752f4ab
  - SHA256: 10a9942365cfd73d8c11b5b8e46763a53c642e5ddd9577a21c2388e7bc99d910
  - SHA512: 660a630c200f34808deba9484d416a8292176f18516a33d9af7c0ec3e5764f41c9a77d8fbf42dd123b8cdbe71e7537a2f63ccc675b2271c85b7a4164c0b4ad0e
Memory dumps (each covers the image region 0x400000-0x433000, 0x33000 bytes = 204KB)
- memory/3408-141-0x0000000000400000-0x0000000000433000-memory.dmp: 204KB (r.exe, PID 3408)
- memory/4116-142-0x0000000000400000-0x0000000000433000-memory.dmp: 204KB (svchost.exe, PID 4116)
- memory/4116-144-0x0000000000400000-0x0000000000433000-memory.dmp: 204KB
- memory/4116-151-0x0000000000400000-0x0000000000433000-memory.dmp: 204KB
- memory/4116-152-0x0000000000400000-0x0000000000433000-memory.dmp: 204KB
- memory/4116-153-0x0000000000400000-0x0000000000433000-memory.dmp: 204KB
- memory/4116-154-0x0000000000400000-0x0000000000433000-memory.dmp: 204KB
- memory/4116-155-0x0000000000400000-0x0000000000433000-memory.dmp: 204KB