Analysis
- max time kernel: 41s
- max time network: 115s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 08-07-2021 19:57
Static task: static1
Behavioral task: behavioral1
- Sample: 6E6FFC38D9C88CA34562E0369AC22A75.exe
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: 6E6FFC38D9C88CA34562E0369AC22A75.exe
- Resource: win10v20210410
General
- Target: 6E6FFC38D9C88CA34562E0369AC22A75.exe
- Size: 4.7MB
- MD5: 6e6ffc38d9c88ca34562e0369ac22a75
- SHA1: b8788ca1f0102145580e6cffe8528aa82105092d
- SHA256: 9a9ddbcb74bc37b8eb71fc0d4e3840e2e6435f7c9deb51f7e8e7f0bbd0cee473
- SHA512: 8c89eade7a41d73151524fd01baaee77308271cfc3bd13160b9c25d8a33a57c9aa391cc438099970d9086cb3adf7403031242dc0185b538e97617baa119a7f67
Malware Config
Extracted family: netwire
- host: clients.enigmasolutions.xyz:54573 (C2)
- activex_autorun: false
- activex_key: (empty)
- copy_executable: true
- delete_original: false
- host_id: Cleint-%Rand%
- install_path: %AppData%\Microsoft\MMC\ruj.exe
- keylogger_dir: %AppData%\msr\
- lock_executable: false
- mutex: (empty)
- offline_keylogger: true
- password: \tx>N(6H`Om2k/cWJBp,""bUbAd1-0Mg
- registry_autorun: true
- startup_name: ruj
- use_mutex: false
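The extracted config above is enough to derive the host artifacts this build leaves behind (Run value name, implant path, keylogger directory, C2 endpoint) and to check collected Run-key entries against them. The following is an added example for this report, not sandbox output or NetWire code. The config values are copied from the "Malware Config" section; the Run-key entries it is run against are constructed here to exercise quoting, case and a renamed value name, and the profile layout C:\Users\<user>\AppData\Roaming is assumed for %AppData% expansion.

```python
"""Derive host IoCs from the extracted NetWire config and match Run-key entries.

Added example, not part of the sandbox report. Config values copied from the
report; SAMPLE_RUN_ENTRIES are constructed test data. Assumes the default
Windows profile layout C:\\Users\\<user>\\AppData\\Roaming for %AppData%.
"""
import ntpath
import re

# Extracted config fields, copied from the report's "Malware Config" section.
NETWIRE_CONFIG = {
    "c2": "clients.enigmasolutions.xyz:54573",
    "install_path": "%AppData%\\Microsoft\\MMC\\ruj.exe",
    "keylogger_dir": "%AppData%\\msr\\",
    "startup_name": "ruj",
    "registry_autorun": True,
}

# Per-user autorun key the report shows the value being written under (HKU\<SID>\...).
RUN_KEY = "Software\\Microsoft\\Windows\\CurrentVersion\\Run"


def c2_endpoint(cfg=NETWIRE_CONFIG):
    """Split NetWire's host:port string into (host, port)."""
    host, port = cfg["c2"].rsplit(":", 1)
    return host, int(port)


def expand_appdata(path, user):
    """Expand %AppData% for `user` (assumed default Roaming profile location).

    A callable replacement is used so backslashes in the path are not
    interpreted as regex escapes.
    """
    roaming = "C:\\Users\\%s\\AppData\\Roaming" % user
    return re.sub(r"%AppData%", lambda _: roaming, path, flags=re.IGNORECASE)


def expected_paths(user, cfg=NETWIRE_CONFIG):
    """Filesystem artifacts this config would create for `user`."""
    return {
        "implant": expand_appdata(cfg["install_path"], user),
        "keylog_dir": expand_appdata(cfg["keylogger_dir"], user),
    }


def normalise_command(value):
    """Strip surrounding quotes, normalise separators and case for comparison."""
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return ntpath.normpath(value).lower()


def match_run_entries(entries, cfg=NETWIRE_CONFIG):
    """Flag Run-key entries that match the persistence described by `cfg`.

    `entries` are (user, value_name, command) tuples as read from HKU\\<SID>\\RUN_KEY.
    The value name alone is weak evidence (anything may be called "ruj"), so
    name and path matches are reported separately; the path match is the
    strong signal and survives a renamed value.
    """
    want_name = cfg["startup_name"].lower()
    hits = []
    for user, name, command in entries:
        expected = normalise_command(expand_appdata(cfg["install_path"], user))
        reasons = []
        if name.lower() == want_name:
            reasons.append("startup_name")
        if normalise_command(command) == expected:
            reasons.append("install_path")
        if reasons:
            hits.append((user, name, reasons))
    return hits


# Constructed sample entries. The first reproduces the Run value the report
# recorded for user Admin; the second is benign; the third is the same implant
# path under a renamed value and different case.
SAMPLE_RUN_ENTRIES = [
    ("Admin", "ruj", '"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\MMC\\ruj.exe"'),
    ("Bob", "OneDrive", '"C:\\Users\\Bob\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background'),
    ("Carol", "Updater", "C:\\USERS\\CAROL\\APPDATA\\ROAMING\\MICROSOFT\\MMC\\RUJ.EXE"),
]

if __name__ == "__main__":
    print("C2:", c2_endpoint())
    print("Artifacts for Admin:", expected_paths("Admin"))
    for user, name, reasons in match_run_entries(SAMPLE_RUN_ENTRIES):
        print("HIT user=%s value=%s matched=%s" % (user, name, ",".join(reasons)))
```

On a live host the same tuples would come from enumerating HKEY_USERS\<SID>\Software\Microsoft\Windows\CurrentVersion\Run per profile; the matcher deliberately treats the path, not the "ruj" value name, as the decisive indicator.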
Signatures
- NetWire RAT payload (6 IoCs; yara rule netwire on behavioral2 memory dumps)
  - behavioral2/memory/3836-114-0x0000000000D70000-0x0000000000DA0000-memory.dmp
  - behavioral2/memory/3836-115-0x0000000000D7242D-mapping.dmp
  - behavioral2/memory/3836-116-0x0000000000D70000-0x0000000000DA0000-memory.dmp
  - behavioral2/memory/1844-121-0x0000000000970000-0x00000000009A0000-memory.dmp
  - behavioral2/memory/1844-122-0x000000000097242D-mapping.dmp
  - behavioral2/memory/1844-124-0x0000000000970000-0x00000000009A0000-memory.dmp
- Executes dropped EXE (2 IoCs)
  - PID 1292 ruj.exe
  - PID 1844 ruj.exe
- Adds Run key to start application (2 TTPs, 2 IoCs; process ruj.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
  - Set value (str): \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\MMC\\ruj.exe"
- Suspicious use of SetThreadContext (2 IoCs)
  - PID 2208 (6E6FFC38D9C88CA34562E0369AC22A75.exe) set thread context of PID 3836 (6E6FFC38D9C88CA34562E0369AC22A75.exe)
  - PID 1292 (ruj.exe) set thread context of PID 1844 (ruj.exe)
- autoit_exe (3 IoCs): AutoIT scripts compiled to PE executables.
  - yara rule autoit_exe matched C:\Users\Admin\AppData\Roaming\Microsoft\MMC\ruj.exe (reported three times for the same dropped file)
- Enumerates physical storage devices (1 TTP)
  - Attempts to interact with connected storage/optical drive(s). The sandbox attaches its generic "likely ransomware behaviour" text to this signature; nothing else in this report supports that reading. The payload is identified as NetWire RAT, the dropped file is an AutoIt-compiled executable, and no file-encryption or ransom-note activity is recorded, so treat the drive enumeration as RAT/dropper behaviour rather than ransomware.
- Suspicious use of WriteProcessMemory (13 IoCs)
  - PID 2208 (6E6FFC38D9C88CA34562E0369AC22A75.exe) wrote to memory of PID 3836 (6E6FFC38D9C88CA34562E0369AC22A75.exe): 5 times
  - PID 3836 (6E6FFC38D9C88CA34562E0369AC22A75.exe) wrote to memory of PID 1292 (ruj.exe): 3 times
  - PID 1292 (ruj.exe) wrote to memory of PID 1844 (ruj.exe): 5 times
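The SetThreadContext and WriteProcessMemory tables above, read together, show the same pattern twice: a parent writes into a freshly spawned copy of its own image and then sets that child's thread context, which is the process-hollowing sequence NetWire loaders use to unpack into a clean-looking process. The code below is an added example for this report, not sandbox code; it rebuilds the injection chain from the report's own records (copied verbatim into the block) and applies that "same image, write plus thread-context" heuristic to separate the two hollowing steps (2208 into 3836, 1292 into 1844) from the plain dropper-to-child write (3836 into 1292). The heuristic is the analyst's rule, not something the sandbox asserts.

```python
"""Rebuild the injection chain from flattened sandbox records and flag
self-image hollowing (write memory + set thread context into a child running
the same image).

Added example, not part of the sandbox report. RAW_RECORDS are the report's
own SetThreadContext / WriteProcessMemory entries copied verbatim; the
hollowing rule applied to them is an analyst heuristic, not a sandbox verdict.
"""
import re
from collections import defaultdict

D = "6E6FFC38D9C88CA34562E0369AC22A75.exe"  # dropper image name, from the report
RAW_RECORDS = f"""
PID 2208 set thread context of 3836 2208 {D} {D}
PID 1292 set thread context of 1844 1292 ruj.exe ruj.exe
PID 2208 wrote to memory of 3836 2208 {D} {D}
PID 2208 wrote to memory of 3836 2208 {D} {D}
PID 2208 wrote to memory of 3836 2208 {D} {D}
PID 2208 wrote to memory of 3836 2208 {D} {D}
PID 2208 wrote to memory of 3836 2208 {D} {D}
PID 3836 wrote to memory of 1292 3836 {D} ruj.exe
PID 3836 wrote to memory of 1292 3836 {D} ruj.exe
PID 3836 wrote to memory of 1292 3836 {D} ruj.exe
PID 1292 wrote to memory of 1844 1292 ruj.exe ruj.exe
PID 1292 wrote to memory of 1844 1292 ruj.exe ruj.exe
PID 1292 wrote to memory of 1844 1292 ruj.exe ruj.exe
PID 1292 wrote to memory of 1844 1292 ruj.exe ruj.exe
PID 1292 wrote to memory of 1844 1292 ruj.exe ruj.exe
"""

# One record: "PID <src> <api> <dst> <src again> <src image> <dst image>".
RECORD = re.compile(
    r"PID (?P<src>\d+) (?P<api>wrote to memory of|set thread context of) (?P<dst>\d+) "
    r"(?P=src) (?P<src_img>\S+) (?P<dst_img>\S+)"
)


def parse_records(text):
    """Return (src_pid, api, dst_pid, src_image, dst_image) tuples."""
    out = []
    for m in RECORD.finditer(text):
        api = "WriteProcessMemory" if m["api"].startswith("wrote") else "SetThreadContext"
        out.append((int(m["src"]), api, int(m["dst"]), m["src_img"], m["dst_img"]))
    return out


def summarise(records):
    """Collapse records into per-(src, dst) call counts and image names."""
    pairs = {}
    for src, api, dst, src_img, dst_img in records:
        p = pairs.setdefault((src, dst), {"src_img": src_img, "dst_img": dst_img,
                                          "WriteProcessMemory": 0, "SetThreadContext": 0})
        p[api] += 1
    return pairs


def hollowing_candidates(pairs):
    """Pairs where the parent both wrote memory into and set the thread context
    of a child running its own image: the hollowing pattern, seen twice here."""
    return sorted(
        (src, dst) for (src, dst), p in pairs.items()
        if p["WriteProcessMemory"] and p["SetThreadContext"]
        and p["src_img"].lower() == p["dst_img"].lower()
    )


def injection_chain(pairs, root):
    """Follow write targets from `root` to recover the process lineage."""
    children = defaultdict(list)
    for src, dst in pairs:
        children[src].append(dst)
    chain, cur = [root], root
    while children.get(cur):
        nxt = min(children[cur])
        if nxt in chain:  # guard against malformed cyclic input
            break
        chain.append(nxt)
        cur = nxt
    return chain


if __name__ == "__main__":
    pairs = summarise(parse_records(RAW_RECORDS))
    for (src, dst), p in sorted(pairs.items()):
        print(f"{src} ({p['src_img']}) -> {dst} ({p['dst_img']}): "
              f"WPM={p['WriteProcessMemory']} STC={p['SetThreadContext']}")
    print("hollowing candidates:", hollowing_candidates(pairs))
    print("chain from 2208:", injection_chain(pairs, 2208))
```

Run stand-alone it prints the three parent/child pairs with their call counts, lists (1292, 1844) and (2208, 3836) as hollowing candidates, and recovers the chain 2208 -> 3836 -> 1292 -> 1844 that the Processes tree below shows. The 3836 -> 1292 writes have no matching SetThreadContext and target a different image, so they are reported but not flagged.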
Processes
- Depth 1: C:\Users\Admin\AppData\Local\Temp\6E6FFC38D9C88CA34562E0369AC22A75.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6E6FFC38D9C88CA34562E0369AC22A75.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - Depth 2 (child of depth 1): C:\Users\Admin\AppData\Local\Temp\6E6FFC38D9C88CA34562E0369AC22A75.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\6E6FFC38D9C88CA34562E0369AC22A75.exe
    - Suspicious use of WriteProcessMemory
    - Depth 3 (child of depth 2): C:\Users\Admin\AppData\Roaming\Microsoft\MMC\ruj.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\MMC\ruj.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      - Depth 4 (child of depth 3): C:\Users\Admin\AppData\Roaming\Microsoft\MMC\ruj.exe
        Command line: C:\Users\Admin\AppData\Roaming\Microsoft\MMC\ruj.exe
        - Executes dropped EXE
        - Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\MMC\ruj.exe
MD5: 6e6ffc38d9c88ca34562e0369ac22a75
SHA1: b8788ca1f0102145580e6cffe8528aa82105092d
SHA256: 9a9ddbcb74bc37b8eb71fc0d4e3840e2e6435f7c9deb51f7e8e7f0bbd0cee473
SHA512: 8c89eade7a41d73151524fd01baaee77308271cfc3bd13160b9c25d8a33a57c9aa391cc438099970d9086cb3adf7403031242dc0185b538e97617baa119a7f67
(identical to the submitted sample: copy_executable is true and the dropped file is a byte-for-byte copy)
-
C:\Users\Admin\AppData\Roaming\rnwbdsbnhxgawywbawodncqsj20596.png
MD5: b1393c653b53c4e5f7c6b2644e4d6d00
SHA1: 9b4d422c12c404c82453c8009999998de681b286
SHA256: 256c80483a0ed343ab233b3460ee1e24f837a682e160fc6c0c94b5ae6e0d058f
SHA512: 19066367a8559c941a31870c0c3839a44295c554bc2ced4ed170643d0a494a7a0e2517b252170dfdd1203409228b880e7860a62ba9337cd45a7b19bc7ebbaade
-
memory/1292-117-0x0000000000000000-mapping.dmp
-
memory/1844-121-0x0000000000970000-0x00000000009A0000-memory.dmp
Filesize: 192KB
-
memory/1844-122-0x000000000097242D-mapping.dmp
-
memory/1844-124-0x0000000000970000-0x00000000009A0000-memory.dmp
Filesize: 192KB
-
memory/3836-114-0x0000000000D70000-0x0000000000DA0000-memory.dmp
Filesize: 192KB
-
memory/3836-115-0x0000000000D7242D-mapping.dmp
-
memory/3836-116-0x0000000000D70000-0x0000000000DA0000-memory.dmp
Filesize: 192KB