Analysis

max time kernel: 39s
max time network: 50s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-10-2023 11:08

Static task: static1
Behavioral task: behavioral1
Sample: 3a216b9390f1c46b8e49d43c63211a76e236510ef545eda83ddd8084f605f956 (1).exe
Resource: win7-20230831-en
Errors

General

Target: 3a216b9390f1c46b8e49d43c63211a76e236510ef545eda83ddd8084f605f956 (1).exe
Size: 15.2MB
MD5: 38be94769e4f59d9a90e551e505c2e07
SHA1: cac71ca2dd32cbe99614870ef01851e0d54bff84
SHA256: 3a216b9390f1c46b8e49d43c63211a76e236510ef545eda83ddd8084f605f956
SHA512: 47ef669a5be744235e10ba65d7deb8bdd46544cd6dc4532fa4b43fdc3b5d9b6b49febbef8906870b321281c47ca45f9b679e65eabfeffbf6deffc96fa27e24a5
SSDEEP: 393216:J8/uxLqG0/kfQslis6SAVDfINRPcji3Zhtnh0:Bv0/kr8s6SA5QUji3ZhtnK
Malware Config

Extracted
Family: netwire
C2: qayshaija.ddns.net:1515

activex_autorun: false
copy_executable: false
delete_original: false
host_id: HostId-%Rand%
keylogger_dir: %AppData%\Logs\
lock_executable: false
offline_keylogger: true
password: Password
registry_autorun: false
use_mutex: false
Signatures

NetWire RAT payload (3 IoCs)
resource | yara_rule
behavioral2/memory/216-50-0x0000000000400000-0x000000000042B000-memory.dmp | netwire
behavioral2/memory/216-53-0x0000000000400000-0x000000000042B000-memory.dmp | netwire
behavioral2/memory/216-55-0x0000000000400000-0x000000000042B000-memory.dmp | netwire

Checks BIOS information in registry (2 TTPs, 1 IoC)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | install.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation | 3a216b9390f1c46b8e49d43c63211a76e236510ef545eda83ddd8084f605f956 (1).exe

Executes dropped EXE (3 IoCs)
pid | Process
332 | OInstall.exe
4800 | install.exe
3248 | files.dat

resource | yara_rule
behavioral2/files/0x0009000000023170-4.dat | upx
behavioral2/files/0x0009000000023170-9.dat | upx
behavioral2/files/0x0009000000023170-10.dat | upx
behavioral2/memory/332-22-0x0000000000400000-0x0000000001701000-memory.dmp | upx
behavioral2/memory/332-45-0x0000000000400000-0x0000000001701000-memory.dmp | upx
behavioral2/memory/332-57-0x0000000000400000-0x0000000001701000-memory.dmp | upx

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 4800 set thread context of 216 | 4800 | install.exe | 108

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
pid | pid_target | Process | procid_target
4480 | 216 | WerFault.exe | 108

Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | install.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | install.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | install.exe

Modifies data under HKEY_USERS (15 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | LogonUI.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "117" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | LogonUI.exe

Suspicious behavior: MapViewOfSection (3 IoCs)
pid | Process
4800 | install.exe
4800 | install.exe
4800 | install.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeIncreaseQuotaPrivilege | 4184 | WMIC.exe
Token: SeSecurityPrivilege | 4184 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 4184 | WMIC.exe
Token: SeLoadDriverPrivilege | 4184 | WMIC.exe
Token: SeSystemProfilePrivilege | 4184 | WMIC.exe
Token: SeSystemtimePrivilege | 4184 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 4184 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 4184 | WMIC.exe
Token: SeCreatePagefilePrivilege | 4184 | WMIC.exe
Token: SeBackupPrivilege | 4184 | WMIC.exe
Token: SeRestorePrivilege | 4184 | WMIC.exe
Token: SeShutdownPrivilege | 4184 | WMIC.exe
Token: SeDebugPrivilege | 4184 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 4184 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 4184 | WMIC.exe
Token: SeUndockPrivilege | 4184 | WMIC.exe
Token: SeManageVolumePrivilege | 4184 | WMIC.exe
Token: 33 | 4184 | WMIC.exe
Token: 34 | 4184 | WMIC.exe
Token: 35 | 4184 | WMIC.exe
Token: 36 | 4184 | WMIC.exe
Token: SeIncreaseQuotaPrivilege | 4184 | WMIC.exe
Token: SeSecurityPrivilege | 4184 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 4184 | WMIC.exe
Token: SeLoadDriverPrivilege | 4184 | WMIC.exe
Token: SeSystemProfilePrivilege | 4184 | WMIC.exe
Token: SeSystemtimePrivilege | 4184 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 4184 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 4184 | WMIC.exe
Token: SeCreatePagefilePrivilege | 4184 | WMIC.exe
Token: SeBackupPrivilege | 4184 | WMIC.exe
Token: SeRestorePrivilege | 4184 | WMIC.exe
Token: SeShutdownPrivilege | 4184 | WMIC.exe
Token: SeDebugPrivilege | 4184 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 4184 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 4184 | WMIC.exe
Token: SeUndockPrivilege | 4184 | WMIC.exe
Token: SeManageVolumePrivilege | 4184 | WMIC.exe
Token: 33 | 4184 | WMIC.exe
Token: 34 | 4184 | WMIC.exe
Token: 35 | 4184 | WMIC.exe
Token: 36 | 4184 | WMIC.exe
Token: SeIncreaseQuotaPrivilege | 4928 | WMIC.exe
Token: SeSecurityPrivilege | 4928 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 4928 | WMIC.exe
Token: SeLoadDriverPrivilege | 4928 | WMIC.exe
Token: SeSystemProfilePrivilege | 4928 | WMIC.exe
Token: SeSystemtimePrivilege | 4928 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 4928 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 4928 | WMIC.exe
Token: SeCreatePagefilePrivilege | 4928 | WMIC.exe
Token: SeBackupPrivilege | 4928 | WMIC.exe
Token: SeRestorePrivilege | 4928 | WMIC.exe
Token: SeShutdownPrivilege | 4928 | WMIC.exe
Token: SeDebugPrivilege | 4928 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 4928 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 4928 | WMIC.exe
Token: SeUndockPrivilege | 4928 | WMIC.exe
Token: SeManageVolumePrivilege | 4928 | WMIC.exe
Token: 33 | 4928 | WMIC.exe
Token: 34 | 4928 | WMIC.exe
Token: 35 | 4928 | WMIC.exe
Token: 36 | 4928 | WMIC.exe
Token: SeIncreaseQuotaPrivilege | 4928 | WMIC.exe

Suspicious use of FindShellTrayWindow (6 IoCs)
pid | Process
1500 | 3a216b9390f1c46b8e49d43c63211a76e236510ef545eda83ddd8084f605f956 (1).exe
1500 | 3a216b9390f1c46b8e49d43c63211a76e236510ef545eda83ddd8084f605f956 (1).exe
1500 | 3a216b9390f1c46b8e49d43c63211a76e236510ef545eda83ddd8084f605f956 (1).exe
1500 | 3a216b9390f1c46b8e49d43c63211a76e236510ef545eda83ddd8084f605f956 (1).exe
1500 | 3a216b9390f1c46b8e49d43c63211a76e236510ef545eda83ddd8084f605f956 (1).exe
1500 | 3a216b9390f1c46b8e49d43c63211a76e236510ef545eda83ddd8084f605f956 (1).exe

Suspicious use of SendNotifyMessage (6 IoCs)
pid | Process
1500 | 3a216b9390f1c46b8e49d43c63211a76e236510ef545eda83ddd8084f605f956 (1).exe
1500 | 3a216b9390f1c46b8e49d43c63211a76e236510ef545eda83ddd8084f605f956 (1).exe
1500 | 3a216b9390f1c46b8e49d43c63211a76e236510ef545eda83ddd8084f605f956 (1).exe
1500 | 3a216b9390f1c46b8e49d43c63211a76e236510ef545eda83ddd8084f605f956 (1).exe
1500 | 3a216b9390f1c46b8e49d43c63211a76e236510ef545eda83ddd8084f605f956 (1).exe
1500 | 3a216b9390f1c46b8e49d43c63211a76e236510ef545eda83ddd8084f605f956 (1).exe

Suspicious use of SetWindowsHookEx (3 IoCs)
pid | Process
332 | OInstall.exe
3248 | files.dat
508 | LogonUI.exe

Suspicious use of WriteProcessMemory (31 IoCs)
description | pid | Process | procid_target
PID 1500 wrote to memory of 332 | 1500 | 3a216b9390f1c46b8e49d43c63211a76e236510ef545eda83ddd8084f605f956 (1).exe | 87
PID 1500 wrote to memory of 332 | 1500 | 3a216b9390f1c46b8e49d43c63211a76e236510ef545eda83ddd8084f605f956 (1).exe | 87
PID 1500 wrote to memory of 332 | 1500 | 3a216b9390f1c46b8e49d43c63211a76e236510ef545eda83ddd8084f605f956 (1).exe | 87
PID 1500 wrote to memory of 4800 | 1500 | 3a216b9390f1c46b8e49d43c63211a76e236510ef545eda83ddd8084f605f956 (1).exe | 90
PID 1500 wrote to memory of 4800 | 1500 | 3a216b9390f1c46b8e49d43c63211a76e236510ef545eda83ddd8084f605f956 (1).exe | 90
PID 1500 wrote to memory of 4800 | 1500 | 3a216b9390f1c46b8e49d43c63211a76e236510ef545eda83ddd8084f605f956 (1).exe | 90
PID 332 wrote to memory of 1168 | 332 | OInstall.exe | 91
PID 332 wrote to memory of 1168 | 332 | OInstall.exe | 91
PID 1168 wrote to memory of 4184 | 1168 | cmd.exe | 93
PID 1168 wrote to memory of 4184 | 1168 | cmd.exe | 93
PID 332 wrote to memory of 3428 | 332 | OInstall.exe | 96
PID 332 wrote to memory of 3428 | 332 | OInstall.exe | 96
PID 3428 wrote to memory of 4928 | 3428 | cmd.exe | 97
PID 3428 wrote to memory of 4928 | 3428 | cmd.exe | 97
PID 332 wrote to memory of 1388 | 332 | OInstall.exe | 99
PID 332 wrote to memory of 1388 | 332 | OInstall.exe | 99
PID 332 wrote to memory of 3100 | 332 | OInstall.exe | 102
PID 332 wrote to memory of 3100 | 332 | OInstall.exe | 102
PID 3100 wrote to memory of 3248 | 3100 | cmd.exe | 103
PID 3100 wrote to memory of 3248 | 3100 | cmd.exe | 103
PID 3100 wrote to memory of 3248 | 3100 | cmd.exe | 103
PID 4800 wrote to memory of 3396 | 4800 | install.exe | 106
PID 4800 wrote to memory of 3396 | 4800 | install.exe | 106
PID 4800 wrote to memory of 3396 | 4800 | install.exe | 106
PID 4800 wrote to memory of 5004 | 4800 | install.exe | 107
PID 4800 wrote to memory of 5004 | 4800 | install.exe | 107
PID 4800 wrote to memory of 5004 | 4800 | install.exe | 107
PID 4800 wrote to memory of 216 | 4800 | install.exe | 108
PID 4800 wrote to memory of 216 | 4800 | install.exe | 108
PID 4800 wrote to memory of 216 | 4800 | install.exe | 108
PID 4800 wrote to memory of 216 | 4800 | install.exe | 108
Processes

[1] C:\Users\Admin\AppData\Local\Temp\3a216b9390f1c46b8e49d43c63211a76e236510ef545eda83ddd8084f605f956 (1).exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\3a216b9390f1c46b8e49d43c63211a76e236510ef545eda83ddd8084f605f956 (1).exe"
    - Checks computer location settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID: 1500

    [2] C:\Users\Admin\AppData\Local\Temp\OInstall.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID: 332

        [3] C:\Windows\system32\cmd.exe
            Command line: "C:\Windows\Sysnative\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
            - Suspicious use of WriteProcessMemory
            PID: 1168

            [4] C:\Windows\System32\Wbem\WMIC.exe
                Command line: WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
                - Suspicious use of AdjustPrivilegeToken
                PID: 4184

        [3] C:\Windows\system32\cmd.exe
            Command line: "C:\Windows\Sysnative\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\files"
            - Suspicious use of WriteProcessMemory
            PID: 3428

            [4] C:\Windows\System32\Wbem\WMIC.exe
                Command line: WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\files"
                - Suspicious use of AdjustPrivilegeToken
                PID: 4928

        [3] C:\Windows\system32\cmd.exe
            Command line: "C:\Windows\Sysnative\cmd.exe" /D /c copy C:\Windows\system32\Tasks\OInstall "C:\Windows\Temp\OInstall.tmp" /Y
            PID: 1388

        [3] C:\Windows\system32\cmd.exe
            Command line: "C:\Windows\Sysnative\cmd.exe" /D /c files.dat -y -pkmsauto
            - Suspicious use of WriteProcessMemory
            PID: 3100

            [4] C:\Users\Admin\AppData\Local\Temp\files\files.dat
                Command line: files.dat -y -pkmsauto
                - Executes dropped EXE
                - Suspicious use of SetWindowsHookEx
                PID: 3248

    [2] C:\Users\Admin\AppData\Local\Temp\install.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\install.exe"
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Enumerates system info in registry
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of WriteProcessMemory
        PID: 4800

        [3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
            Command line: "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
            PID: 3396

        [3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
            Command line: "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
            PID: 5004

        [3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
            Command line: "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
            PID: 216

            [4] C:\Windows\SysWOW64\WerFault.exe
                Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 216 -s 584
                - Program crash
                PID: 4480

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 216 -ip 216
    PID: 2780

[1] C:\Windows\system32\LogonUI.exe
    Command line: "LogonUI.exe" /flags:0x4 /state0:0xa3996855 /state1:0x41c64e6d
    - Modifies data under HKEY_USERS
    - Suspicious use of SetWindowsHookEx
    PID: 508
Network
MITRE ATT&CK Enterprise v15
Downloads