Analysis
- max time kernel: 99s
- max time network: 112s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 23-07-2021 23:11
Static task: static1
Behavioral task: behavioral1
  Sample: D1682AA725C47B89C2066CFEAA8B3B55.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: D1682AA725C47B89C2066CFEAA8B3B55.exe
  Resource: win10v20210408
General
- Target: D1682AA725C47B89C2066CFEAA8B3B55.exe
- Size: 793KB
- MD5: d1682aa725c47b89c2066cfeaa8b3b55
- SHA1: c802cfd2f442200bafaf6a5fbeb70f52ee846bb2
- SHA256: c539c08e04ef8ab4ee18e69ab3346214ffcbfd262679c558f7b5ca651767d61d
- SHA512: f33216e03bbbb28c6238c903eec0871d6ed4cf7ebe15ebd5ac0dbfd9c468e661e1ec3a9010c571b45176a549f15055b7b85e98c5a35ece4a5f22ed311943b43f
Malware Config
Extracted family: netwire
C2:
- nozomi.takanome.io:9030
- hikari.takanome.io:9030
Configuration:
- activex_autorun: false
- activex_key: (empty)
- copy_executable: false
- delete_original: false
- host_id: HostId-%Rand%
- install_path: (empty)
- keylogger_dir: %AppData%\Syslog\
- lock_executable: false
- mutex: (empty)
- offline_keylogger: true
- password: Jtenike70+
- registry_autorun: false
- startup_name: (empty)
- use_mutex: false
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Certificate.exe\"," | D1682AA725C47B89C2066CFEAA8B3B55.exe

NetWire RAT payload (3 IoCs)
  resource | yara_rule
  behavioral2/memory/2052-131-0x0000000000400000-0x0000000000433000-memory.dmp | netwire
  behavioral2/memory/2052-132-0x000000000040242D-mapping.dmp | netwire
  behavioral2/memory/2052-135-0x0000000000400000-0x0000000000433000-memory.dmp | netwire

Executes dropped EXE (1 IoC)
  pid | process
  2052 | aspnet_compiler.exe

Suspicious use of SetThreadContext (1 IoC)
  description | pid | process | target process
  PID 992 set thread context of 2052 | 992 | D1682AA725C47B89C2066CFEAA8B3B55.exe | aspnet_compiler.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class (1 IoC)
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings | D1682AA725C47B89C2066CFEAA8B3B55.exe

Suspicious behavior: EnumeratesProcesses (18 IoCs)
  pid | process
  992 | D1682AA725C47B89C2066CFEAA8B3B55.exe (15 events)
  4012 | powershell.exe (3 events)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 992 | D1682AA725C47B89C2066CFEAA8B3B55.exe
  Token: SeDebugPrivilege | 4012 | powershell.exe

Suspicious use of WriteProcessMemory (17 IoCs)
  description | pid | process | target process
  PID 992 wrote to memory of 1004 | 992 | D1682AA725C47B89C2066CFEAA8B3B55.exe | WScript.exe (3 events)
  PID 992 wrote to memory of 2052 | 992 | D1682AA725C47B89C2066CFEAA8B3B55.exe | aspnet_compiler.exe (11 events)
  PID 1004 wrote to memory of 4012 | 1004 | WScript.exe | powershell.exe (3 events)
Processes
(child processes are indented under their parent)

C:\Users\Admin\AppData\Local\Temp\D1682AA725C47B89C2066CFEAA8B3B55.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\D1682AA725C47B89C2066CFEAA8B3B55.exe"
  - Modifies WinLogon for persistence
  - Suspicious use of SetThreadContext
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WScript.exe
    command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Mmqcqapzpcejexxuxqnpv.vbs"
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\Microsoft\Certificate.exe'
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\aspnet_compiler.exe
    command line: C:\Users\Admin\AppData\Local\Temp\aspnet_compiler.exe
    - Executes dropped EXE
Downloads

C:\Users\Admin\AppData\Local\Temp\_Mmqcqapzpcejexxuxqnpv.vbs
  MD5: 4731312425ffc6b6741d95c7ebcd43a3
  SHA1: 6a6c9e8827a83ed686e84f193f973ddccde0e317
  SHA256: 888321ab0fde16b2849d4b8d6b57d69c4e3e645eabe3e286e7f5f36c56a8d3e2
  SHA512: 6390e7b920765f5d951970ef323ca26cb8190725b30551a34b5725c3aec70324172e5d769d692b821d5e6f8b82b1ec13dddab0860176a20e5c674fe8029ae279

C:\Users\Admin\AppData\Local\Temp\aspnet_compiler.exe
  MD5: 1e98e92a982af948ee18ee819a2d8ad1
  SHA1: 6cb0bd87815118351e5e32c50b434079dfba255c
  SHA256: 235d3f96a78ce2dad584e6eb1a25fc386b3ae5e332c4d3c56f03b0a4978be778
  SHA512: 6711de2e00462c49852cee03fd8ef720310c4ffa5b3a653c08f2913a6146974f28b8a3b3ff38b3097310852a5aa3b964b77945bcefef3856911eb9acd0e42c6f