Analysis
-
max time kernel
119s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
22/01/2025, 16:59
Static task
static1
Behavioral task
behavioral1
Sample
bb4773c106ac654769bca2778273b3efc76226a93cee33cfa2c099fc9d0e44cbN.exe
Resource
win7-20240903-en
General
-
Target
bb4773c106ac654769bca2778273b3efc76226a93cee33cfa2c099fc9d0e44cbN.exe
-
Size
296KB
-
MD5
ca239e74778ea238c877d0a08ff014e0
-
SHA1
cd3cce3b44b9b21384b292add85ee800ca4a6166
-
SHA256
bb4773c106ac654769bca2778273b3efc76226a93cee33cfa2c099fc9d0e44cb
-
SHA512
5af6a0b7ac51b546bd9309c9a0bfcb6ace1fb12cc7ad288734483e02c478c9924bb39e117c13678856fbbc76aa04fe8570f7754e2aeb1c2935f6c82997feb4fb
-
SSDEEP
3072:tg6pbDIqOnD6rdKRMvXs+oCTZG9QBNctlVeFAnhPQ12uDefLFmLf9WL5Bcxw:5Ddrvv8O1Ga9qtH5mLfoA
Malware Config
Extracted
netwire
wealthyman.brasilia.me:39560
-
activex_autorun
false
-
copy_executable
false
-
delete_original
false
-
host_id
WEALTH
-
keylogger_dir
%AppData%\music\
-
lock_executable
false
-
offline_keylogger
true
-
password
sucess
-
registry_autorun
false
-
use_mutex
false
Signatures
-
NetWire RAT payload 4 IoCs
resource                                                                      yara_rule
behavioral2/memory/4360-431-0x0000000000400000-0x000000000042C000-memory.dmp  netwire
behavioral2/memory/4360-432-0x0000000000400000-0x000000000044A000-memory.dmp  netwire
behavioral2/memory/4360-433-0x0000000000400000-0x000000000042C000-memory.dmp  netwire
behavioral2/memory/4360-435-0x0000000000400000-0x000000000044A000-memory.dmp  netwire
-
Netwire family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation
Process: bb4773c106ac654769bca2778273b3efc76226a93cee33cfa2c099fc9d0e44cbN.exe
-
Executes dropped EXE 1 IoCs
pid: 4360
Process: Haandevendingerne.exe
-
Drops file in Windows directory 2 IoCs
description: File opened for modification
ioc: C:\Windows\win.ini
Process: bb4773c106ac654769bca2778273b3efc76226a93cee33cfa2c099fc9d0e44cbN.exe
-
description: File opened for modification
ioc: C:\Windows\win.ini
Process: Haandevendingerne.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
description: Key opened
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: bb4773c106ac654769bca2778273b3efc76226a93cee33cfa2c099fc9d0e44cbN.exe
-
description: Key opened
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: schtasks.exe
-
description: Key opened
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: schtasks.exe
-
description: Key opened
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: Haandevendingerne.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid: 4972
Process: schtasks.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
pid: 3064
Process: bb4773c106ac654769bca2778273b3efc76226a93cee33cfa2c099fc9d0e44cbN.exe
-
pid: 4360
Process: Haandevendingerne.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
description                       pid   Process                                                                 procid_target
PID 3064 wrote to memory of 4972  3064  bb4773c106ac654769bca2778273b3efc76226a93cee33cfa2c099fc9d0e44cbN.exe  87
PID 3064 wrote to memory of 4972  3064  bb4773c106ac654769bca2778273b3efc76226a93cee33cfa2c099fc9d0e44cbN.exe  87
PID 3064 wrote to memory of 4972  3064  bb4773c106ac654769bca2778273b3efc76226a93cee33cfa2c099fc9d0e44cbN.exe  87
PID 3064 wrote to memory of 5020  3064  bb4773c106ac654769bca2778273b3efc76226a93cee33cfa2c099fc9d0e44cbN.exe  89
PID 3064 wrote to memory of 5020  3064  bb4773c106ac654769bca2778273b3efc76226a93cee33cfa2c099fc9d0e44cbN.exe  89
PID 3064 wrote to memory of 5020  3064  bb4773c106ac654769bca2778273b3efc76226a93cee33cfa2c099fc9d0e44cbN.exe  89
Processes
-
C:\Users\Admin\AppData\Local\Temp\bb4773c106ac654769bca2778273b3efc76226a93cee33cfa2c099fc9d0e44cbN.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\bb4773c106ac654769bca2778273b3efc76226a93cee33cfa2c099fc9d0e44cbN.exe"
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3064 -
C:\Windows\SysWOW64\schtasks.exe (child of PID 3064; the command line names System32, but the 32-bit parent is redirected to SysWOW64 by WoW64)
Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN "Evakostumet1" /TR "C:\Users\Admin\AppData\Roaming\Haandevendingerne.exe"
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:4972
-
-
C:\Windows\SysWOW64\schtasks.exe (child of PID 3064)
Command line: "C:\Windows\System32\schtasks.exe" /run /tn "Evakostumet1"
- System Location Discovery: System Language Discovery
PID:5020
-
-
C:\Users\Admin\AppData\Roaming\Haandevendingerne.exe
Command line: C:\Users\Admin\AppData\Roaming\Haandevendingerne.exe
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4360
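The persistence chain in the process tree above is a compact, reusable hunting pattern: schtasks /Create with a /SC MINUTE schedule, an action (/TR) pointing at a dropped executable under AppData\Roaming, and an immediate schtasks /run of the same task name from the same parent, so the payload starts without waiting for the first trigger. The following is an added example, not part of the sandbox report or of the sample; it parses schtasks command lines from process-creation events and scores each /Create. The event field names (pid, ppid, image, cmdline), the parent PID of the initial sample and the benign "Backup" task are assumptions of the example; the three malicious events are constructed to mirror the PIDs and command lines shown in this report.

```python
"""Hunt for schtasks.exe persistence of the kind shown in the process tree above.

Added example, not part of the sandbox report. Input: process-creation events with
the fields a Sysmon Event ID 1 / Windows 4688 record carries; the field names
pid, ppid, image and cmdline are an assumption of this example.
"""
import re
import shlex

# Constructed sample events. The first three mirror the PIDs and command lines in the
# report's process tree (the parent PID 1444 of the initial sample is assumed); the
# fourth is an invented benign task used as a negative case.
SAMPLE_EVENTS = [
    {"pid": 3064, "ppid": 1444,
     "image": r"C:\Users\Admin\AppData\Local\Temp\bb4773c106ac654769bca2778273b3efc76226a93cee33cfa2c099fc9d0e44cbN.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\bb4773c106ac654769bca2778273b3efc76226a93cee33cfa2c099fc9d0e44cbN.exe"'},
    {"pid": 4972, "ppid": 3064, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN "Evakostumet1" /TR "C:\Users\Admin\AppData\Roaming\Haandevendingerne.exe"'},
    {"pid": 5020, "ppid": 3064, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /run /tn "Evakostumet1"'},
    {"pid": 6100, "ppid": 812, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /SC DAILY /ST 02:00 /TN "Backup" /TR "C:\Program Files\Backup\backup.exe" /RU SYSTEM'},
]

# Locations an unprivileged user can write to; a task action there is a weak signal by itself.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\AppData\\|\\Users\\Public\\|\\ProgramData\\|\\Temp\\|\\Downloads\\",
    re.IGNORECASE,
)
# Schedules that re-launch the action frequently or on a trigger rather than once a day.
SHORT_SCHEDULES = {"minute", "hourly", "onlogon", "onstart", "onidle", "onevent"}
VERBS = {"create", "run", "delete", "change", "query", "end", "showsid"}
# schtasks switches that consume the following token as their value.
VALUE_SWITCHES = {"sc", "tn", "tr", "mo", "st", "sd", "ed", "ru", "rp", "rl", "d", "m",
                  "ri", "du", "et", "s", "u", "p", "xml", "ec"}


def parse_schtasks(cmdline):
    """Return {"verb": ..., "<switch>": value} for a schtasks.exe command line, else None.

    shlex in non-POSIX mode keeps Windows backslashes literal and returns quoted
    arguments with their quotes still attached, which are stripped afterwards.
    """
    try:
        tokens = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    except ValueError:  # unbalanced quotes
        return None
    if not tokens or not tokens[0].lower().endswith("schtasks.exe"):
        return None
    parsed = {"verb": None}
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if not tok.startswith("/"):
            i += 1
            continue
        key = tok[1:].lower()
        if parsed["verb"] is None and key in VERBS:
            parsed["verb"] = key
            i += 1
        elif key in VALUE_SWITCHES and i + 1 < len(tokens):
            parsed[key] = tokens[i + 1]
            i += 2
        else:
            parsed[key] = True  # boolean switch such as /F, or a value switch with no value
            i += 1
    return parsed


def _text(parsed, key):
    value = parsed.get(key)
    return value if isinstance(value, str) else ""


def hunt_schtasks_persistence(events):
    """Score every schtasks /Create in `events`; returns a list of finding dicts."""
    parsed = [(e, parse_schtasks(e["cmdline"])) for e in events]
    # Task names started with "schtasks /run", keyed by the parent PID that issued it.
    runs_by_parent = {}
    for e, p in parsed:
        if p and p["verb"] == "run" and _text(p, "tn"):
            runs_by_parent.setdefault(e["ppid"], set()).add(_text(p, "tn").lower())
    findings = []
    for e, p in parsed:
        if not p or p["verb"] != "create":
            continue
        name, action, schedule = _text(p, "tn"), _text(p, "tr"), _text(p, "sc").lower()
        reasons = []
        if schedule in SHORT_SCHEDULES:
            reasons.append(f"short repeating schedule /SC {schedule.upper()}")
        if USER_WRITABLE.search(action):
            reasons.append("action points into a user-writable path")
        if name.lower() in runs_by_parent.get(e["ppid"], set()):
            reasons.append("task started immediately with /run by the same parent")
        if reasons:
            findings.append({
                "pid": e["pid"], "ppid": e["ppid"], "task": name, "action": action,
                "severity": "high" if len(reasons) >= 2 else "medium", "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in hunt_schtasks_persistence(SAMPLE_EVENTS):
        print(f"[{f['severity']}] pid={f['pid']} ppid={f['ppid']} task={f['task']!r} action={f['action']!r}")
        for r in f["reasons"]:
            print("   -", r)
```

Run against the constructed events, only the "Evakostumet1" creation is reported, at high severity with all three reasons; the daily task under Program Files is not. The same-parent correlation is what separates this chain from routine administrative use of schtasks, and it is worth keeping the two weaker signals (schedule, path) as medium-severity findings on their own.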
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
296KB
MD5
4acfd830113a6da904c6397850610a72
SHA1
09a259a8f4ac047c3402238a5f852f333dd6f0d2
SHA256
2c639ebd748cb27f6345c2bf5dc4ce0e5179b923b401cc7c392323266660d934
SHA512
d45fc8351cee4a336e1d11e7ce19380571d1a54fdc79510e2a04d97aedb0fa5f6e50e500af5f6a25d2c053779af6d038b14c659afb326ce84480a74632a86f40
-
Filesize
111B
MD5
45fc085b156dff15d5472839a842a650
SHA1
70623f377b48c1a5a05866b675008851dc043c3b
SHA256
a38c356a0ad92fdfa96d20675c979528ffd39d0449d0965d8a5cb7dca753b718
SHA512
5e9b995e76800cbf5c3161d8d8c7fc81698ed90ffe3cf198c13e81b60b547e68493337f938e453cfb363b74e96e6615f8549bb6f1d826d02a62d2e2c992190aa