Analysis
- max time kernel: 153s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-01-2024 16:33
Behavioral task: behavioral1
- Sample: 74fa65bdc2b30888cd6732f8ccf9c438.exe
- Resource: win7-20231215-en
General
- Target: 74fa65bdc2b30888cd6732f8ccf9c438.exe
- Size: 397KB
- MD5: 74fa65bdc2b30888cd6732f8ccf9c438
- SHA1: a2aa0495113e0f9db4153fc087048b53fdb1e18d
- SHA256: 8c3515df37a219842450dd3fb91bbade7cf8d8ec7fe17427f37cb4b83a3a237a
- SHA512: 95048ef938c046348cf420cf9da70c30a21a1bb4bb56b507a856a224c552e4eb08acd463e574b79eeef3e9bcc374cc11fd6f7331cac239f16b84bc856ab8b4d3
- SSDEEP: 6144:mZFV6YJoVLIW91ILonX9buxDNae0rMAZZV8mS2vS+44kgQj1nKh/AY6PuqjDobEH:0T6eoVH91nnX84vS+4qQNUhqjDoIYof
Malware Config
Extracted: netwire
- C2: 155.94.198.169:9112
- activex_autorun: false
- copy_executable: true
- delete_original: false
- host_id: Corona-Virus
- install_path: %AppData%\Install\offiice365.exe
- keylogger_dir: %AppData%\Logs\
- lock_executable: false
- offline_keylogger: true
- password: Pounds
- registry_autorun: true
- startup_name: officeii365
- use_mutex: false
Signatures

- NetWire RAT payload (2 IoCs)
  Processes:
    resource                                                                  yara_rule
    behavioral2/memory/3620-15-0x0000000000400000-0x0000000000434000-memory.dmp  netwire
    behavioral2/memory/2736-17-0x0000000000400000-0x0000000000434000-memory.dmp  netwire

- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: test.exe
    description         ioc                                                                                             process
    Key value queried   \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation   test.exe

- Executes dropped EXE (2 IoCs)
  Processes: test.exe, offiice365.exe
    pid   process
    3620  test.exe
    2736  offiice365.exe

- YARA rule matches: upx (signature name not present on the page)
  Processes:
    resource                                                                  yara_rule
    behavioral2/memory/4620-0-0x0000000000400000-0x00000000004E9000-memory.dmp   upx
    behavioral2/memory/4620-2-0x0000000000400000-0x00000000004E9000-memory.dmp   upx
    C:\Users\Admin\AppData\Local\Temp\test.exe                                  upx
    behavioral2/memory/3620-5-0x0000000000400000-0x0000000000434000-memory.dmp   upx
    behavioral2/memory/3620-15-0x0000000000400000-0x0000000000434000-memory.dmp  upx
    behavioral2/memory/4620-16-0x0000000000400000-0x00000000004E9000-memory.dmp  upx
    behavioral2/memory/2736-17-0x0000000000400000-0x0000000000434000-memory.dmp  upx

- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: offiice365.exe
    description       ioc                                                                                                                                                                process
    Set value (str)   \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\officeii365 = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\offiice365.exe"   offiice365.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 74fa65bdc2b30888cd6732f8ccf9c438.exe, cmd.exe, test.exe
    description                       pid   process                               target process
    PID 4620 wrote to memory of 1248  4620  74fa65bdc2b30888cd6732f8ccf9c438.exe  cmd.exe
    PID 4620 wrote to memory of 1248  4620  74fa65bdc2b30888cd6732f8ccf9c438.exe  cmd.exe
    PID 4620 wrote to memory of 1248  4620  74fa65bdc2b30888cd6732f8ccf9c438.exe  cmd.exe
    PID 1248 wrote to memory of 3620  1248  cmd.exe                               test.exe
    PID 1248 wrote to memory of 3620  1248  cmd.exe                               test.exe
    PID 1248 wrote to memory of 3620  1248  cmd.exe                               test.exe
    PID 3620 wrote to memory of 2736  3620  test.exe                              offiice365.exe
    PID 3620 wrote to memory of 2736  3620  test.exe                              offiice365.exe
    PID 3620 wrote to memory of 2736  3620  test.exe                              offiice365.exe
Processes (process tree; depth shown by indentation)

1. C:\Users\Admin\AppData\Local\Temp\74fa65bdc2b30888cd6732f8ccf9c438.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\74fa65bdc2b30888cd6732f8ccf9c438.exe"
   - Suspicious use of WriteProcessMemory
   - PID: 4620

   2. C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c test.exe
      - Suspicious use of WriteProcessMemory
      - PID: 1248

      3. C:\Users\Admin\AppData\Local\Temp\test.exe
         command line: test.exe
         - Checks computer location settings
         - Executes dropped EXE
         - Suspicious use of WriteProcessMemory
         - PID: 3620

         4. C:\Users\Admin\AppData\Roaming\Install\offiice365.exe
            command line: "C:\Users\Admin\AppData\Roaming\Install\offiice365.exe"
            - Executes dropped EXE
            - Adds Run key to start application
            - PID: 2736
Network
MITRE ATT&CK Enterprise v15
Downloads

- C:\Users\Admin\AppData\Local\Temp\test.exe
  Filesize: 70KB
  MD5: eacc8434d9ddd4c93ea0cb0283db90a6
  SHA1: f60e1dc07f5238d688b22d8e46d9924b7a9d2872
  SHA256: 696063cab6b63873c298a5033e5be6b3b8213cc06df33221238d37cddd3c7187
  SHA512: d96ba53db82185f00b787014fa12e45bb62f614f395b55354266499b9175a6710bcd312774cce41b6d7c4eab1361a4730b50ca5880cf82895be445821a0b5817

- memory/2736-17-0x0000000000400000-0x0000000000434000-memory.dmp
  Filesize: 208KB

- memory/3620-5-0x0000000000400000-0x0000000000434000-memory.dmp
  Filesize: 208KB

- memory/3620-15-0x0000000000400000-0x0000000000434000-memory.dmp
  Filesize: 208KB

- memory/4620-0-0x0000000000400000-0x00000000004E9000-memory.dmp
  Filesize: 932KB

- memory/4620-2-0x0000000000400000-0x00000000004E9000-memory.dmp
  Filesize: 932KB

- memory/4620-16-0x0000000000400000-0x00000000004E9000-memory.dmp
  Filesize: 932KB