Analysis
- max time kernel: 82s
- max time network: 107s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 19-07-2021 15:14
Static task: static1
Behavioral task: behavioral1
Sample: 491ec1161652070007f5205e8d7592271302324e28e58f006fb5a1e81d1d57f1.bin.exe
Resource: win7v20210410
General
- Target: 491ec1161652070007f5205e8d7592271302324e28e58f006fb5a1e81d1d57f1.bin.exe
- Size: 502KB
- MD5: b49f739d1d6f51d71f075e9392946b2e
- SHA1: 0967c716434876e355a3127e55f629cc8b0cc238
- SHA256: 491ec1161652070007f5205e8d7592271302324e28e58f006fb5a1e81d1d57f1
- SHA512: c1fc947539b319ab73a9fa5436c9aa1f6792cdbe90e009ae52073c8ac7fbb54e3d864d8e3abf37d8f50b5a024368c7f535f66044268df7d37cca699a6e45a800
Malware Config
Signatures
-
NetWire RAT payload (6 IoCs)
Processes (resource / yara_rule):
- \Users\Admin\AppData\Roaming\tmp.exe: netwire
- \Users\Admin\AppData\Roaming\tmp.exe: netwire
- C:\Users\Admin\AppData\Roaming\tmp.exe: netwire
- behavioral1/memory/368-73-0x0000000000400000-0x000000000042C000-memory.dmp: netwire
- behavioral1/memory/368-74-0x0000000000402BCB-mapping.dmp: netwire
- behavioral1/memory/368-80-0x0000000000400000-0x000000000042C000-memory.dmp: netwire
-
Executes dropped EXE (2 IoCs)
Processes (pid / process):
- 880 tmp.exe
- 368 svhost.exe
-
Drops startup file (1 IoCs)
Processes (description / ioc / process):
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.exe.lnk, by 491ec1161652070007f5205e8d7592271302324e28e58f006fb5a1e81d1d57f1.bin.exe
-
Loads dropped DLL (5 IoCs)
Processes (pid / process):
- 916 491ec1161652070007f5205e8d7592271302324e28e58f006fb5a1e81d1d57f1.bin.exe (5 identical entries)
-
Suspicious use of SetThreadContext (1 IoCs)
Processes (description / pid / process / target process):
- PID 916 set thread context of 368: 491ec1161652070007f5205e8d7592271302324e28e58f006fb5a1e81d1d57f1.bin.exe -> svhost.exe
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Delays execution with timeout.exe (1 IoCs)
Processes (pid / process):
- 1832 timeout.exe
-
NTFS ADS (1 IoCs)
Processes (description / ioc / process):
- File created: C:\Users\Admin\AppData\Roaming\FolderN\name.exe:Zone.Identifier, by cmd.exe
-
Suspicious behavior: EnumeratesProcesses (14 IoCs)
Processes (pid / process):
- 916 491ec1161652070007f5205e8d7592271302324e28e58f006fb5a1e81d1d57f1.bin.exe (14 identical entries)
-
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes (description / pid / process):
- Token: SeDebugPrivilege, 916 491ec1161652070007f5205e8d7592271302324e28e58f006fb5a1e81d1d57f1.bin.exe
-
Suspicious use of WriteProcessMemory (31 IoCs)
Processes (description / pid / process / target process), identical entries collapsed with their counts:
- PID 916 wrote to memory of 2040: 491ec1161652070007f5205e8d7592271302324e28e58f006fb5a1e81d1d57f1.bin.exe -> cmd.exe (4 entries)
- PID 2040 wrote to memory of 908: cmd.exe -> reg.exe (4 entries)
- PID 916 wrote to memory of 880: 491ec1161652070007f5205e8d7592271302324e28e58f006fb5a1e81d1d57f1.bin.exe -> tmp.exe (4 entries)
- PID 916 wrote to memory of 368: 491ec1161652070007f5205e8d7592271302324e28e58f006fb5a1e81d1d57f1.bin.exe -> svhost.exe (11 entries)
- PID 916 wrote to memory of 1500: 491ec1161652070007f5205e8d7592271302324e28e58f006fb5a1e81d1d57f1.bin.exe -> cmd.exe (4 entries)
- PID 1500 wrote to memory of 1832: cmd.exe -> timeout.exe (4 entries)
Processes
-
[depth 1] C:\Users\Admin\AppData\Local\Temp\491ec1161652070007f5205e8d7592271302324e28e58f006fb5a1e81d1d57f1.bin.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\491ec1161652070007f5205e8d7592271302324e28e58f006fb5a1e81d1d57f1.bin.exe"
    - Drops startup file
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
-
    [depth 2] C:\Windows\SysWOW64\cmd.exe
        Command line: "cmd.exe"
        - NTFS ADS
        - Suspicious use of WriteProcessMemory
-
        [depth 3] C:\Windows\SysWOW64\reg.exe
            Command line: reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\FolderN\name.exe.lnk" /f
-
    [depth 2] C:\Users\Admin\AppData\Roaming\tmp.exe
        Command line: "C:\Users\Admin\AppData\Roaming\tmp.exe"
        - Executes dropped EXE
-
    [depth 2] C:\Users\Admin\AppData\Local\Temp\svhost.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
        - Executes dropped EXE
-
    [depth 2] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c C:\Users\Admin\AppData\Roaming\FolderN\name.exe.bat
        - Suspicious use of WriteProcessMemory
-
        [depth 3] C:\Windows\SysWOW64\timeout.exe
            Command line: timeout /t 300
            - Delays execution with timeout.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\svhost.exe
MD5: 2e5f1cf69f92392f8829fc9c9263ae9b
SHA1: 97b9ca766bbbdaa8c9ec960dc41b598f7fad82a5
SHA256: 51985a57e085d8b17042f0cdc1f905380b792854733eb3275fd8fce4e3bb886b
SHA512: f7e096dd9d0fa3a3c04c01bf229c4b344798a4c8b7b848588c1d78cb9fadfa9b1d0fd53c1fe74d191d5561e9eb551a4a3fc918363f119ea60024dd3d67c83883
-
C:\Users\Admin\AppData\Roaming\FolderN\name.exe
MD5: b49f739d1d6f51d71f075e9392946b2e
SHA1: 0967c716434876e355a3127e55f629cc8b0cc238
SHA256: 491ec1161652070007f5205e8d7592271302324e28e58f006fb5a1e81d1d57f1
SHA512: c1fc947539b319ab73a9fa5436c9aa1f6792cdbe90e009ae52073c8ac7fbb54e3d864d8e3abf37d8f50b5a024368c7f535f66044268df7d37cca699a6e45a800
-
C:\Users\Admin\AppData\Roaming\FolderN\name.exe.bat
MD5: dca86f6bec779bba1b58d992319e88db
SHA1: 844e656d3603d15ae56f36298f8031ad52935829
SHA256: 413b4ee68f5400fcd30ae5df957d723989b400637dbc7f5d158fa050bdc20743
SHA512: 4b9d532a777921543b3243020ea4b655a8b956c400b237ce714b5bd8e9a3ad7fdbcb11410e84e2e0ecc45e87dcd107385a487f5bb5b359aabd1322314ef2d24c
-
C:\Users\Admin\AppData\Roaming\tmp.exe
MD5: 9e9a9c00dec1b8e1c874fe0d8901588f
SHA1: c31b41085691200ae82345a624b173263e7a071b
SHA256: 60f95b8cb87bf58697104d9d343270c6440370640a598e78ecaaacbd2d47f148
SHA512: 90c18b69c09417ac7a7a1f76ee4bbff888dce896e061eb414aa126ef81a2003d25c4ecc46b4d790b332ecf1737c13a1f69c0aa1f18cec69342caf7a5c488440f
-
memory/368-73-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize: 176KB)
-
memory/368-74-0x0000000000402BCB-mapping.dmp
-
memory/368-80-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize: 176KB)
-
memory/880-69-0x0000000000000000-mapping.dmp
-
memory/908-63-0x0000000000000000-mapping.dmp
-
memory/916-60-0x0000000075011000-0x0000000075013000-memory.dmp (Filesize: 8KB)
-
memory/916-61-0x0000000002220000-0x0000000002221000-memory.dmp (Filesize: 4KB)
-
memory/1500-77-0x0000000000000000-mapping.dmp
-
memory/1832-79-0x0000000000000000-mapping.dmp
-
memory/2040-62-0x0000000000000000-mapping.dmp