Analysis
- max time kernel: 89s
- max time network: 135s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 23-07-2021 23:11
Static task: static1
Behavioral task: behavioral1
  Sample: D1682AA725C47B89C2066CFEAA8B3B55.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: D1682AA725C47B89C2066CFEAA8B3B55.exe
  Resource: win10v20210408
General
- Target: D1682AA725C47B89C2066CFEAA8B3B55.exe
- Size: 793KB
- MD5: d1682aa725c47b89c2066cfeaa8b3b55
- SHA1: c802cfd2f442200bafaf6a5fbeb70f52ee846bb2
- SHA256: c539c08e04ef8ab4ee18e69ab3346214ffcbfd262679c558f7b5ca651767d61d
- SHA512: f33216e03bbbb28c6238c903eec0871d6ed4cf7ebe15ebd5ac0dbfd9c468e661e1ec3a9010c571b45176a549f15055b7b85e98c5a35ece4a5f22ed311943b43f
Malware Config
Extracted
Family: netwire
C2:
- nozomi.takanome.io:9030
- hikari.takanome.io:9030
Configuration:
- activex_autorun: false
- activex_key:
- copy_executable: false
- delete_original: false
- host_id: HostId-%Rand%
- install_path:
- keylogger_dir: %AppData%\Syslog\
- lock_executable: false
- mutex:
- offline_keylogger: true
- password: Jtenike70+
- registry_autorun: false
- startup_name:
- use_mutex: false
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes: D1682AA725C47B89C2066CFEAA8B3B55.exe
- description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Certificate.exe\","
  process: D1682AA725C47B89C2066CFEAA8B3B55.exe

NetWire RAT payload (3 IoCs)
resource / yara_rule:
- behavioral1/memory/432-75-0x0000000000400000-0x0000000000433000-memory.dmp: netwire
- behavioral1/memory/432-76-0x000000000040242D-mapping.dmp: netwire
- behavioral1/memory/432-79-0x0000000000400000-0x0000000000433000-memory.dmp: netwire

Executes dropped EXE (2 IoCs)
Processes: aspnet_compiler.exe, aspnet_compiler.exe
pid / process:
- 836 aspnet_compiler.exe
- 432 aspnet_compiler.exe

Loads dropped DLL (2 IoCs)
Processes: D1682AA725C47B89C2066CFEAA8B3B55.exe
pid / process:
- 1104 D1682AA725C47B89C2066CFEAA8B3B55.exe
- 1104 D1682AA725C47B89C2066CFEAA8B3B55.exe

Suspicious use of SetThreadContext (1 IoC)
Processes: D1682AA725C47B89C2066CFEAA8B3B55.exe
- PID 1104 (D1682AA725C47B89C2066CFEAA8B3B55.exe) set thread context of 432 (aspnet_compiler.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (9 IoCs)
Processes: D1682AA725C47B89C2066CFEAA8B3B55.exe, powershell.exe
pid / process:
- 1104 D1682AA725C47B89C2066CFEAA8B3B55.exe (7 entries)
- 276 powershell.exe (2 entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: D1682AA725C47B89C2066CFEAA8B3B55.exe, powershell.exe
- Token: SeDebugPrivilege, pid 1104, D1682AA725C47B89C2066CFEAA8B3B55.exe
- Token: SeDebugPrivilege, pid 276, powershell.exe

Suspicious use of WriteProcessMemory (24 IoCs)
Processes: D1682AA725C47B89C2066CFEAA8B3B55.exe, WScript.exe
- PID 1104 (D1682AA725C47B89C2066CFEAA8B3B55.exe) wrote to memory of 1460 (WScript.exe): 4 entries
- PID 1104 (D1682AA725C47B89C2066CFEAA8B3B55.exe) wrote to memory of 836 (aspnet_compiler.exe): 4 entries
- PID 1104 (D1682AA725C47B89C2066CFEAA8B3B55.exe) wrote to memory of 432 (aspnet_compiler.exe): 12 entries
- PID 1460 (WScript.exe) wrote to memory of 276 (powershell.exe): 4 entries
Processes
1. C:\Users\Admin\AppData\Local\Temp\D1682AA725C47B89C2066CFEAA8B3B55.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\D1682AA725C47B89C2066CFEAA8B3B55.exe"
   - Modifies WinLogon for persistence
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Mmqcqapzpcejexxuxqnpv.vbs"
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
         Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\Microsoft\Certificate.exe'
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
   2. C:\Users\Admin\AppData\Local\Temp\aspnet_compiler.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\aspnet_compiler.exe
      - Executes dropped EXE
   2. C:\Users\Admin\AppData\Local\Temp\aspnet_compiler.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\aspnet_compiler.exe
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\_Mmqcqapzpcejexxuxqnpv.vbs
  MD5: 4731312425ffc6b6741d95c7ebcd43a3
  SHA1: 6a6c9e8827a83ed686e84f193f973ddccde0e317
  SHA256: 888321ab0fde16b2849d4b8d6b57d69c4e3e645eabe3e286e7f5f36c56a8d3e2
  SHA512: 6390e7b920765f5d951970ef323ca26cb8190725b30551a34b5725c3aec70324172e5d769d692b821d5e6f8b82b1ec13dddab0860176a20e5c674fe8029ae279
- C:\Users\Admin\AppData\Local\Temp\aspnet_compiler.exe
  MD5: 1e98e92a982af948ee18ee819a2d8ad1
  SHA1: 6cb0bd87815118351e5e32c50b434079dfba255c
  SHA256: 235d3f96a78ce2dad584e6eb1a25fc386b3ae5e332c4d3c56f03b0a4978be778
  SHA512: 6711de2e00462c49852cee03fd8ef720310c4ffa5b3a653c08f2913a6146974f28b8a3b3ff38b3097310852a5aa3b964b77945bcefef3856911eb9acd0e42c6f
- \Users\Admin\AppData\Local\Temp\aspnet_compiler.exe
  MD5: 1e98e92a982af948ee18ee819a2d8ad1
  SHA1: 6cb0bd87815118351e5e32c50b434079dfba255c
  SHA256: 235d3f96a78ce2dad584e6eb1a25fc386b3ae5e332c4d3c56f03b0a4978be778
  SHA512: 6711de2e00462c49852cee03fd8ef720310c4ffa5b3a653c08f2913a6146974f28b8a3b3ff38b3097310852a5aa3b964b77945bcefef3856911eb9acd0e42c6f
Memory dumps (path: filesize):
- memory/276-87-0x0000000002750000-0x0000000002751000-memory.dmp: 4KB
- memory/276-96-0x0000000005720000-0x0000000005721000-memory.dmp: 4KB
- memory/276-120-0x00000000062D0000-0x00000000062D1000-memory.dmp: 4KB
- memory/276-119-0x00000000062C0000-0x00000000062C1000-memory.dmp: 4KB
- memory/276-105-0x0000000006180000-0x0000000006181000-memory.dmp: 4KB
- memory/276-104-0x0000000006260000-0x0000000006261000-memory.dmp: 4KB
- memory/276-97-0x000000007EF30000-0x000000007EF31000-memory.dmp: 4KB
- memory/276-95-0x0000000005670000-0x0000000005671000-memory.dmp: 4KB
- memory/276-90-0x0000000005620000-0x0000000005621000-memory.dmp: 4KB
- memory/276-85-0x0000000002370000-0x0000000002FBA000-memory.dmp: 12.3MB
- memory/276-80-0x0000000000000000-mapping.dmp
- memory/276-82-0x0000000000A10000-0x0000000000A11000-memory.dmp: 4KB
- memory/276-83-0x0000000004810000-0x0000000004811000-memory.dmp: 4KB
- memory/276-84-0x00000000024F0000-0x00000000024F1000-memory.dmp: 4KB
- memory/276-86-0x0000000002370000-0x0000000002FBA000-memory.dmp: 12.3MB
- memory/432-79-0x0000000000400000-0x0000000000433000-memory.dmp: 204KB
- memory/432-76-0x000000000040242D-mapping.dmp
- memory/432-75-0x0000000000400000-0x0000000000433000-memory.dmp: 204KB
- memory/1104-59-0x00000000012F0000-0x00000000012F1000-memory.dmp: 4KB
- memory/1104-61-0x0000000004C50000-0x0000000004C51000-memory.dmp: 4KB
- memory/1104-62-0x0000000004C55000-0x0000000004C66000-memory.dmp: 68KB
- memory/1104-63-0x0000000001290000-0x00000000012E4000-memory.dmp: 336KB
- memory/1104-68-0x0000000006040000-0x00000000060AE000-memory.dmp: 440KB
- memory/1460-69-0x0000000000000000-mapping.dmp
- memory/1460-72-0x00000000753E1000-0x00000000753E3000-memory.dmp: 8KB