Analysis
max time kernel: 39s
max time network: 172s
platform: windows7_x64
resource: win7v20210408
submitted: 08-07-2021 19:57
Static task: static1
Behavioral task: behavioral1
  Sample: 6E6FFC38D9C88CA34562E0369AC22A75.exe
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: 6E6FFC38D9C88CA34562E0369AC22A75.exe
  Resource: win10v20210410
General
Target: 6E6FFC38D9C88CA34562E0369AC22A75.exe
Size: 4.7MB
MD5: 6e6ffc38d9c88ca34562e0369ac22a75
SHA1: b8788ca1f0102145580e6cffe8528aa82105092d
SHA256: 9a9ddbcb74bc37b8eb71fc0d4e3840e2e6435f7c9deb51f7e8e7f0bbd0cee473
SHA512: 8c89eade7a41d73151524fd01baaee77308271cfc3bd13160b9c25d8a33a57c9aa391cc438099970d9086cb3adf7403031242dc0185b538e97617baa119a7f67
Malware Config
Extracted: netwire
Host: clients.enigmasolutions.xyz:54573
activex_autorun: false
activex_key: (empty)
copy_executable: true
delete_original: false
host_id: Cleint-%Rand%
install_path: %AppData%\Microsoft\MMC\ruj.exe
keylogger_dir: %AppData%\msr\
lock_executable: false
mutex: (empty)
offline_keylogger: true
password: \tx>N(6H`Om2k/cWJBp,""bUbAd1-0Mg
registry_autorun: true
startup_name: ruj
use_mutex: false
Signatures

NetWire RAT payload (6 IoCs)
Resource / YARA rule:
  behavioral1/memory/1784-61-0x000000000008242D-mapping.dmp: netwire
  behavioral1/memory/1784-60-0x0000000000080000-0x00000000000B0000-memory.dmp: netwire
  behavioral1/memory/1784-63-0x0000000000080000-0x00000000000B0000-memory.dmp: netwire
  behavioral1/memory/1460-70-0x00000000000E0000-0x0000000000110000-memory.dmp: netwire
  behavioral1/memory/1460-71-0x00000000000E242D-mapping.dmp: netwire
  behavioral1/memory/1460-74-0x00000000000E0000-0x0000000000110000-memory.dmp: netwire
Executes dropped EXE (2 IoCs)
PID / process:
  868 ruj.exe
  1460 ruj.exe
Loads dropped DLL (1 IoC)
PID / process:
  1784 6E6FFC38D9C88CA34562E0369AC22A75.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Description / IoC / process:
  Key created: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ (ruj.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\MMC\\ruj.exe" (ruj.exe)
Suspicious use of SetThreadContext (2 IoCs)
Description / PID / process / target process:
  PID 1984 set thread context of 1784: 6E6FFC38D9C88CA34562E0369AC22A75.exe -> 6E6FFC38D9C88CA34562E0369AC22A75.exe
  PID 868 set thread context of 1460: ruj.exe -> ruj.exe
autoit_exe (4 IoCs)
AutoIT scripts compiled to PE executables.
Resource / YARA rule:
  \Users\Admin\AppData\Roaming\Microsoft\MMC\ruj.exe: autoit_exe
  C:\Users\Admin\AppData\Roaming\Microsoft\MMC\ruj.exe: autoit_exe
  C:\Users\Admin\AppData\Roaming\Microsoft\MMC\ruj.exe: autoit_exe
  C:\Users\Admin\AppData\Roaming\Microsoft\MMC\ruj.exe: autoit_exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of WriteProcessMemory (16 IoCs)
Description / PID / process / target process:
  PID 1984 wrote to memory of 1784: 6E6FFC38D9C88CA34562E0369AC22A75.exe -> 6E6FFC38D9C88CA34562E0369AC22A75.exe (6 events)
  PID 1784 wrote to memory of 868: 6E6FFC38D9C88CA34562E0369AC22A75.exe -> ruj.exe (4 events)
  PID 868 wrote to memory of 1460: ruj.exe -> ruj.exe (6 events)
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\6E6FFC38D9C88CA34562E0369AC22A75.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6E6FFC38D9C88CA34562E0369AC22A75.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  Depth 2: C:\Users\Admin\AppData\Local\Temp\6E6FFC38D9C88CA34562E0369AC22A75.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\6E6FFC38D9C88CA34562E0369AC22A75.exe
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    Depth 3: C:\Users\Admin\AppData\Roaming\Microsoft\MMC\ruj.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\MMC\ruj.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      Depth 4: C:\Users\Admin\AppData\Roaming\Microsoft\MMC\ruj.exe
        Command line: C:\Users\Admin\AppData\Roaming\Microsoft\MMC\ruj.exe
        - Executes dropped EXE
        - Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\MMC\ruj.exe
  MD5: 6e6ffc38d9c88ca34562e0369ac22a75
  SHA1: b8788ca1f0102145580e6cffe8528aa82105092d
  SHA256: 9a9ddbcb74bc37b8eb71fc0d4e3840e2e6435f7c9deb51f7e8e7f0bbd0cee473
  SHA512: 8c89eade7a41d73151524fd01baaee77308271cfc3bd13160b9c25d8a33a57c9aa391cc438099970d9086cb3adf7403031242dc0185b538e97617baa119a7f67
C:\Users\Admin\AppData\Roaming\rnwbdsbnhxgawywbawodncqsj20596.png
  MD5: 33b6af30035a8ab1c4814143a8aad65b
  SHA1: 50971cbbf169b38e32ffd445a4802296d4ee72c5
  SHA256: e380447d53029bb25e0bf687ecf8772a7726af889d0ef9a6e486691425735e7e
  SHA512: 7e48a50ac3e79846d3f1343212fb323192466b4c1d9ea8cda1cad8bed54239136e542706ae44bf18f12a935bb1eb7b1e58e47d74ca7867363cc66aaa37b85395
memory/868-65-0x0000000000000000-mapping.dmp
memory/1460-70-0x00000000000E0000-0x0000000000110000-memory.dmp (192KB)
memory/1460-71-0x00000000000E242D-mapping.dmp
memory/1460-74-0x00000000000E0000-0x0000000000110000-memory.dmp (192KB)
memory/1784-63-0x0000000000080000-0x00000000000B0000-memory.dmp (192KB)
memory/1784-60-0x0000000000080000-0x00000000000B0000-memory.dmp (192KB)
memory/1784-61-0x000000000008242D-mapping.dmp
memory/1984-59-0x00000000767B1000-0x00000000767B3000-memory.dmp (8KB)