Analysis

max time kernel: 147s
max time network: 152s
platform: windows7_x64
resource: win7v20201028
submitted: 05-03-2021 13:00

Static task: static1
Behavioral task: behavioral1
Sample: 307e257292be5d47304c1712c8bd1342.exe
Resource: win7v20201028
General

Target: 307e257292be5d47304c1712c8bd1342.exe
Size: 386KB
MD5: 307e257292be5d47304c1712c8bd1342
SHA1: b22e2b425e3a663f7404579ebf03507713b45959
SHA256: 31a804fddf5f1ed1d5c1a69772bc92026f90696a6903a3a7ebaf7aef6dfa9478
SHA512: 8496a01a16daa648eb802d3b5ad5e06fb431202f6681afe53f6ab4c7876018169d86963574b7202e7c8653e586df64f280a21432fd4cc3ad82a97b4825db522f
Malware Config
Signatures

NetWire RAT payload (1 IoCs)
Processes:
  resource                                                                   yara_rule
  behavioral1/memory/2044-6-0x0000000000400000-0x0000000000433000-memory.dmp  netwire

Loads dropped DLL (1 IoCs)
Processes:
  pid   process
  1596  307e257292be5d47304c1712c8bd1342.exe

Suspicious use of SetThreadContext (1 IoCs)
Processes:
  description                          pid   process                               target process
  PID 1596 set thread context of 2044  1596  307e257292be5d47304c1712c8bd1342.exe  307e257292be5d47304c1712c8bd1342.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
  pid   process
  1596  307e257292be5d47304c1712c8bd1342.exe
  1596  307e257292be5d47304c1712c8bd1342.exe
  1596  307e257292be5d47304c1712c8bd1342.exe
  1596  307e257292be5d47304c1712c8bd1342.exe

Suspicious behavior: MapViewOfSection (1 IoCs)
Processes:
  pid   process
  1596  307e257292be5d47304c1712c8bd1342.exe

Suspicious use of WriteProcessMemory (5 IoCs)
Processes:
  description                        pid   process                               target process
  PID 1596 wrote to memory of 2044   1596  307e257292be5d47304c1712c8bd1342.exe  307e257292be5d47304c1712c8bd1342.exe
  PID 1596 wrote to memory of 2044   1596  307e257292be5d47304c1712c8bd1342.exe  307e257292be5d47304c1712c8bd1342.exe
  PID 1596 wrote to memory of 2044   1596  307e257292be5d47304c1712c8bd1342.exe  307e257292be5d47304c1712c8bd1342.exe
  PID 1596 wrote to memory of 2044   1596  307e257292be5d47304c1712c8bd1342.exe  307e257292be5d47304c1712c8bd1342.exe
  PID 1596 wrote to memory of 2044   1596  307e257292be5d47304c1712c8bd1342.exe  307e257292be5d47304c1712c8bd1342.exe
Processes

C:\Users\Admin\AppData\Local\Temp\307e257292be5d47304c1712c8bd1342.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\307e257292be5d47304c1712c8bd1342.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\307e257292be5d47304c1712c8bd1342.exe (child process)
    Command line: "C:\Users\Admin\AppData\Local\Temp\307e257292be5d47304c1712c8bd1342.exe"
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

\Users\Admin\AppData\Local\Temp\nsn6E4E.tmp\abxq191c.dll
  MD5: ba26ab4b2985a5af1ac235659010c85e
  SHA1: 06c00b2bb76b1cbe07b0708ca34a3084aec48eb5
  SHA256: aedf7b32123d8b8a6a2bf5a5c58b02aef9adee2a88bc0fb070bc1d034200ae07
  SHA512: 0121feb31715a882d0ad283aef6258436c8d31d79ebd4a163135f0bcfba6ec51c5c4164b7fad8425f1a64365b67a75b59118a5a7be2e0ee655c7f5e4bb6c2081

memory/1596-2-0x0000000075781000-0x0000000075783000-memory.dmp
  Filesize: 8KB

memory/2044-4-0x000000000040242D-mapping.dmp

memory/2044-6-0x0000000000400000-0x0000000000433000-memory.dmp
  Filesize: 204KB