Analysis
- max time kernel: 77s
- max time network: 116s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 29-06-2021 13:06

Static task: static1
Behavioral task: behavioral1
Sample: Purchase_Order.exe
Resource: win7v20210408
General
- Target: Purchase_Order.exe
- Size: 337KB
- MD5: 39fcd8503fd2e6e2773a5b5176b5cfb0
- SHA1: cbf286bec3ac50743352cdead151ca2be6bea121
- SHA256: 0d7f2b187239381646230ae6f03ce02a7bba8a95482df00f459904af60da902a
- SHA512: fdb923a1639f27f74da659c635ab251e536fd75c7d05d2696e2e8d312c4a55f37bcd127b314d1606962335593713ae1cdfed129ba2d1bb7f3223b8d7d6926f95
Malware Config

Extracted: netwire
- C2 host: warin.hopto.org:4320
- activex_autorun: false
- activex_key: (empty)
- copy_executable: false
- delete_original: false
- host_id: HostId-%Rand%
- install_path: (empty)
- keylogger_dir: %AppData%\Logs\
- lock_executable: false
- mutex: (empty)
- offline_keylogger: true
- password: Password
- registry_autorun: false
- startup_name: (empty)
- use_mutex: false

Reading the config: copy_executable, registry_autorun and activex_autorun are all false and install_path is empty, so this build configures no persistence of its own and runs from wherever it was launched. The offline keylogger is enabled and writes under %AppData%\Logs\, which is the host artifact to hunt for alongside the C2 host and port. The password field is the literal string "Password".
Signatures

- NetWire RAT payload (2 IoCs)
  resource: behavioral2/memory/1544-116-0x000000000046242D-mapping.dmp | yara_rule: netwire
  resource: behavioral2/memory/1544-120-0x0000000000460000-0x0000000000493000-memory.dmp | yara_rule: netwire
- Loads dropped DLL (1 IoC)
  PID 3172 Purchase_Order.exe (the dropped DLL is diejc.dll, listed under Downloads)
- Suspicious use of SetThreadContext (1 IoC)
  PID 3172 Purchase_Order.exe set thread context of PID 1544 Purchase_Order.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox labels this generically as likely ransomware behaviour; the payload identified here is the NetWire RAT, so treat the drive enumeration as reconnaissance rather than as evidence of encryption.
- Suspicious use of WriteProcessMemory (12 IoCs)
  12 x PID 3172 Purchase_Order.exe wrote to memory of PID 1544 Purchase_Order.exe

Taken together, the SetThreadContext and WriteProcessMemory events describe process hollowing: PID 3172 starts a second copy of Purchase_Order.exe as PID 1544, overwrites the child's memory, and redirects its thread into the injected code. That is where the netwire YARA rule matches: the child's region 0x460000-0x493000, dumped as the 204KB memory image listed under Downloads.
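The hollowing chain above (create a copy of itself, WriteProcessMemory into it, then SetThreadContext) is the pattern a detection should key on, not any single API call. The following is an added example, not code from the sandbox or from this report: it runs a small state machine over process events and flags a parent/child pair only when the full chain appears in order. The event records are constructed from the PIDs and counts in the report (the page lists the operations but not timestamps, so the ordering is an assumption), the benign trace is invented for contrast, and `region_size_kb` cross-checks the dumped region against the 204KB filesize the sandbox reports.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class ProcEvent:
    """One sandbox/EDR API event; only the fields the detection needs."""
    op: str            # "create" | "write_memory" | "set_thread_context"
    pid: int           # acting process
    image: str         # acting process image path
    target_pid: int
    target_image: str


# Constructed from the report: PID 3172 spawns a second Purchase_Order.exe as
# PID 1544, writes into it 12 times, then calls SetThreadContext on it.
# The ordering is assumed; the page does not give per-event timestamps.
IMG = r"C:\Users\Admin\AppData\Local\Temp\Purchase_Order.exe"
REPORT_EVENTS: List[ProcEvent] = (
    [ProcEvent("create", 3172, IMG, 1544, IMG)]
    + [ProcEvent("write_memory", 3172, IMG, 1544, IMG)] * 12
    + [ProcEvent("set_thread_context", 3172, IMG, 1544, IMG)]
)

# Constructed benign trace: a parent writes once into a child of a different
# image and never touches its thread context. Must not fire.
BENIGN_EVENTS: List[ProcEvent] = [
    ProcEvent("create", 400, r"C:\Windows\explorer.exe", 500, r"C:\Windows\notepad.exe"),
    ProcEvent("write_memory", 400, r"C:\Windows\explorer.exe", 500, r"C:\Windows\notepad.exe"),
]


def find_hollowing(events: List[ProcEvent], min_writes: int = 1) -> List[dict]:
    """Return one finding per (parent, child) pair that shows the full chain
    create -> WriteProcessMemory (>= min_writes) -> SetThreadContext, in that
    order. A SetThreadContext that precedes any write does not count."""
    state = defaultdict(lambda: {"created": False, "same_image": False,
                                 "writes": 0, "ctx_after_write": False})
    for ev in events:
        s = state[(ev.pid, ev.target_pid)]
        if ev.op == "create":
            s["created"] = True
            # Same image as the parent: the classic self-hollowing (RunPE) case.
            s["same_image"] = ev.image.lower() == ev.target_image.lower()
        elif ev.op == "write_memory":
            s["writes"] += 1
        elif ev.op == "set_thread_context" and s["writes"] >= min_writes:
            s["ctx_after_write"] = True

    findings = []
    for (ppid, cpid), s in sorted(state.items()):
        if s["created"] and s["ctx_after_write"]:
            findings.append({
                "parent_pid": ppid,
                "child_pid": cpid,
                "writes": s["writes"],
                "self_hollowing": s["same_image"],
                "severity": "high" if s["same_image"] else "medium",
            })
    return findings


def region_size_kb(start: int, end: int) -> int:
    """Size of a dumped memory region in KB, to cross-check the sandbox's Filesize."""
    return (end - start) // 1024


if __name__ == "__main__":
    for finding in find_hollowing(REPORT_EVENTS):
        print(finding)
    print("benign trace:", find_hollowing(BENIGN_EVENTS))
    print("payload region KB:", region_size_kb(0x460000, 0x493000))
```

Keying the state on the (parent, child) pair and requiring the create event keeps the rule from firing on a debugger or an instrumentation agent that writes into an already-running process, and requiring the writes before SetThreadContext rules out a parent that merely resumes a suspended child it created.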
Processes
- C:\Users\Admin\AppData\Local\Temp\Purchase_Order.exe (PID 3172)
  command line: "C:\Users\Admin\AppData\Local\Temp\Purchase_Order.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Purchase_Order.exe (PID 1544, child of 3172)
    command line: "C:\Users\Admin\AppData\Local\Temp\Purchase_Order.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Users\Admin\AppData\Local\Temp\diejc.dll
  MD5: 5e72c6604a2ea57e6b311e3103c1e53f
  SHA1: 34f2287255ed04551a5da72659e663f123613f26
  SHA256: 12f743c8c38d6f091300ca7b0dc380a88a3ceb5da025ed44b9a49991a47868b7
  SHA512: c293cb5bdc2665ac7d7d55d8faf23dd7e4da220132b41eb0793cb348eb91b65fce19167c802a5a6a19cb35671c4a180e5fed9efdd7d31ede46425872afd1cedd
- memory/1544-116-0x000000000046242D-mapping.dmp
- memory/1544-120-0x0000000000460000-0x0000000000493000-memory.dmp
  Filesize: 204KB