Analysis
- max time kernel: 3s
- max time network: 135s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 23-07-2021 11:11

Static task: static1
Behavioral task: behavioral1
Sample: SecuriteInfo.com.Dropped.Trojan.GenericKD.37247948.2936.30980.exe
Resource: win7v20210410
General
- Target: SecuriteInfo.com.Dropped.Trojan.GenericKD.37247948.2936.30980.exe
- Size: 339KB
- MD5: 959be976070ea4820a2e24dcce3d0bdf
- SHA1: 7ec0c6d7d9b75ef8f078383a15d977b45dc434c1
- SHA256: 6b4dd13ea6241a6c8ad2c967d88f3336798dc1e30dd24cfa3377f9b363d70b2e
- SHA512: de3ed25149af67a28cd5659bfeb895e323bbd9e79bb791bfbe972f448ca1012d4872b4478bd321a8baefd5813dd69fb19d73ff02d078f5b99ab6618946d4455e
Malware Config
Extracted
- Family: netwire
- C2: finerthings.duckdns.org:3021
- activex_autorun: false
- activex_key:
- copy_executable: false
- delete_original: false
- host_id: H23053OIGS
- install_path:
- keylogger_dir:
- lock_executable: false
- mutex:
- offline_keylogger: false
- password: finerthings@963
- registry_autorun: false
- startup_name:
- use_mutex: false
Signatures
- NetWire RAT payload (1 IoCs)
  Processes:
  resource | yara_rule
  behavioral1/memory/2036-63-0x0000000000400000-0x0000000000433000-memory.dmp | netwire
- Loads dropped DLL (1 IoCs)
  Processes:
  pid | process
  1728 | SecuriteInfo.com.Dropped.Trojan.GenericKD.37247948.2936.30980.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
  description | pid | process | target process
  PID 1728 set thread context of 2036 | 1728 | SecuriteInfo.com.Dropped.Trojan.GenericKD.37247948.2936.30980.exe | SecuriteInfo.com.Dropped.Trojan.GenericKD.37247948.2936.30980.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: MapViewOfSection (1 IoCs)
  Processes:
  pid | process
  1728 | SecuriteInfo.com.Dropped.Trojan.GenericKD.37247948.2936.30980.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes:
  description | pid | process | target process
  PID 1728 wrote to memory of 2036 | 1728 | SecuriteInfo.com.Dropped.Trojan.GenericKD.37247948.2936.30980.exe | SecuriteInfo.com.Dropped.Trojan.GenericKD.37247948.2936.30980.exe
  (the same row is recorded 5 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Dropped.Trojan.GenericKD.37247948.2936.30980.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Dropped.Trojan.GenericKD.37247948.2936.30980.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Dropped.Trojan.GenericKD.37247948.2936.30980.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Dropped.Trojan.GenericKD.37247948.2936.30980.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Users\Admin\AppData\Local\Temp\kxtmnugf.dll
  MD5: c6740f343d8777430307336fcb50d504
  SHA1: 54e4bafc84ab18dab87731ee3b3647d923af7fd7
  SHA256: 03d53a25652bbf853ab65f0428ebc68db0497654206b95bb86f0d45f0b0ebd70
  SHA512: ae4e1919d94a23d522996ac86c920aaf7d05b1aa7d3596521c9b7fcfcee5a890249ab825b0cc5d4a3dc75ac54db5248500c1c11b676caebf49811f6eed887ff2
- memory/1728-59-0x00000000753E1000-0x00000000753E3000-memory.dmp
  Filesize: 8KB
- memory/2036-61-0x000000000040242D-mapping.dmp
- memory/2036-63-0x0000000000400000-0x0000000000433000-memory.dmp
  Filesize: 204KB