Analysis
- max time kernel: 83s
- max time network: 127s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 19-07-2021 15:14
Static task: static1
Behavioral task: behavioral1
Sample: 491ec1161652070007f5205e8d7592271302324e28e58f006fb5a1e81d1d57f1.bin.exe
Resource: win7v20210410
General
- Target: 491ec1161652070007f5205e8d7592271302324e28e58f006fb5a1e81d1d57f1.bin.exe
- Size: 502KB
- MD5: b49f739d1d6f51d71f075e9392946b2e
- SHA1: 0967c716434876e355a3127e55f629cc8b0cc238
- SHA256: 491ec1161652070007f5205e8d7592271302324e28e58f006fb5a1e81d1d57f1
- SHA512: c1fc947539b319ab73a9fa5436c9aa1f6792cdbe90e009ae52073c8ac7fbb54e3d864d8e3abf37d8f50b5a024368c7f535f66044268df7d37cca699a6e45a800
Malware Config
Signatures
- NetWire RAT payload (4 IoCs)
  resource | yara_rule
  C:\Users\Admin\AppData\Roaming\tmp.exe | netwire
  C:\Users\Admin\AppData\Roaming\tmp.exe | netwire
  behavioral2/memory/1476-122-0x0000000000402BCB-mapping.dmp | netwire
  behavioral2/memory/1476-124-0x00000000001C0000-0x00000000001EC000-memory.dmp | netwire
- Executes dropped EXE (2 IoCs)
  pid | process
  204 | tmp.exe
  1476 | svhost.exe
- Drops startup file (1 IoC)
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.exe.lnk | 491ec1161652070007f5205e8d7592271302324e28e58f006fb5a1e81d1d57f1.bin.exe
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | process | target process
  PID 3920 set thread context of 1476 | 3920 | 491ec1161652070007f5205e8d7592271302324e28e58f006fb5a1e81d1d57f1.bin.exe | svhost.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoC)
  pid | pid_target | process | target process
  3476 | 1476 | WerFault.exe | svhost.exe
- Delays execution with timeout.exe (1 IoC)
  pid | process
  3976 | timeout.exe
- NTFS ADS (1 IoC)
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\FolderN\name.exe:Zone.Identifier | cmd.exe
- Suspicious behavior: EnumeratesProcesses (31 IoCs)
  pid | process | occurrences
  3920 | 491ec1161652070007f5205e8d7592271302324e28e58f006fb5a1e81d1d57f1.bin.exe | 16
  3476 | WerFault.exe | 15
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 3920 | 491ec1161652070007f5205e8d7592271302324e28e58f006fb5a1e81d1d57f1.bin.exe
  Token: SeRestorePrivilege | 3476 | WerFault.exe
  Token: SeBackupPrivilege | 3476 | WerFault.exe
  Token: SeDebugPrivilege | 3476 | WerFault.exe
- Suspicious use of WriteProcessMemory (25 IoCs)
  description | pid | process | target process | occurrences
  PID 3920 wrote to memory of 3108 | 3920 | 491ec1161652070007f5205e8d7592271302324e28e58f006fb5a1e81d1d57f1.bin.exe | cmd.exe | 3
  PID 3108 wrote to memory of 4060 | 3108 | cmd.exe | reg.exe | 3
  PID 3920 wrote to memory of 204 | 3920 | 491ec1161652070007f5205e8d7592271302324e28e58f006fb5a1e81d1d57f1.bin.exe | tmp.exe | 3
  PID 3920 wrote to memory of 1476 | 3920 | 491ec1161652070007f5205e8d7592271302324e28e58f006fb5a1e81d1d57f1.bin.exe | svhost.exe | 10
  PID 3920 wrote to memory of 3760 | 3920 | 491ec1161652070007f5205e8d7592271302324e28e58f006fb5a1e81d1d57f1.bin.exe | cmd.exe | 3
  PID 3760 wrote to memory of 3976 | 3760 | cmd.exe | timeout.exe | 3
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\491ec1161652070007f5205e8d7592271302324e28e58f006fb5a1e81d1d57f1.bin.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\491ec1161652070007f5205e8d7592271302324e28e58f006fb5a1e81d1d57f1.bin.exe"
  signatures: Drops startup file; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe
    command line: "cmd.exe"
    signatures: NTFS ADS; Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\reg.exe
      command line: reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\FolderN\name.exe.lnk" /f
  - [2] C:\Users\Admin\AppData\Roaming\tmp.exe
    command line: "C:\Users\Admin\AppData\Roaming\tmp.exe"
    signatures: Executes dropped EXE
  - [2] C:\Users\Admin\AppData\Local\Temp\svhost.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
    signatures: Executes dropped EXE
    - [3] C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1476 -s 512
      signatures: Program crash; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FolderN\name.exe.bat
    signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\timeout.exe
      command line: timeout /t 300
      signatures: Delays execution with timeout.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\svhost.exe
  MD5: 810be04867d847b702dd5fa163cb0a66
  SHA1: fb2a355f356660ba494e70af002d6a728fe64aa7
  SHA256: e83d07b6a965bcaf8502f7d869ff69a647b2fc68dc82bcf8be4a6b79e0e03f19
  SHA512: b6e38765a9ae433994ac9d5986049aa33ab7fe581a324ef647f0295617bb00ed0af83ffc6cb33890052393ac1d34898553a3b78cab259bd4e45c446230652981
- C:\Users\Admin\AppData\Roaming\FolderN\name.exe
  MD5: b49f739d1d6f51d71f075e9392946b2e
  SHA1: 0967c716434876e355a3127e55f629cc8b0cc238
  SHA256: 491ec1161652070007f5205e8d7592271302324e28e58f006fb5a1e81d1d57f1
  SHA512: c1fc947539b319ab73a9fa5436c9aa1f6792cdbe90e009ae52073c8ac7fbb54e3d864d8e3abf37d8f50b5a024368c7f535f66044268df7d37cca699a6e45a800
- C:\Users\Admin\AppData\Roaming\FolderN\name.exe.bat
  MD5: dca86f6bec779bba1b58d992319e88db
  SHA1: 844e656d3603d15ae56f36298f8031ad52935829
  SHA256: 413b4ee68f5400fcd30ae5df957d723989b400637dbc7f5d158fa050bdc20743
  SHA512: 4b9d532a777921543b3243020ea4b655a8b956c400b237ce714b5bd8e9a3ad7fdbcb11410e84e2e0ecc45e87dcd107385a487f5bb5b359aabd1322314ef2d24c
- C:\Users\Admin\AppData\Roaming\tmp.exe
  MD5: 9e9a9c00dec1b8e1c874fe0d8901588f
  SHA1: c31b41085691200ae82345a624b173263e7a071b
  SHA256: 60f95b8cb87bf58697104d9d343270c6440370640a598e78ecaaacbd2d47f148
  SHA512: 90c18b69c09417ac7a7a1f76ee4bbff888dce896e061eb414aa126ef81a2003d25c4ecc46b4d790b332ecf1737c13a1f69c0aa1f18cec69342caf7a5c488440f
- memory/204-118-0x0000000000000000-mapping.dmp
- memory/1476-122-0x0000000000402BCB-mapping.dmp
- memory/1476-124-0x00000000001C0000-0x00000000001EC000-memory.dmp (filesize: 176KB)
- memory/3108-115-0x0000000000000000-mapping.dmp
- memory/3760-128-0x0000000000000000-mapping.dmp
- memory/3920-114-0x0000000002C60000-0x0000000002C61000-memory.dmp (filesize: 4KB)
- memory/3976-130-0x0000000000000000-mapping.dmp
- memory/4060-116-0x0000000000000000-mapping.dmp