Analysis
- max time kernel: 179s
- max time network: 164s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 18-10-2021 10:00
- Static task static1
- Behavioral task behavioral1: sample Woxy 3.0 [Crack.sx]/BouncyCastle.Crypto.dll, resource win7-en-20210920
- Behavioral task behavioral2: sample Woxy 3.0 [Crack.sx]/BouncyCastle.Crypto.dll, resource win10-en-20210920
- Behavioral task behavioral3: sample Woxy 3.0 [Crack.sx]/Colorful.Console.dll, resource win7-en-20211014
- Behavioral task behavioral4: sample Woxy 3.0 [Crack.sx]/Colorful.Console.dll, resource win10-en-20210920
- Behavioral task behavioral5: sample Woxy 3.0 [Crack.sx]/ConsoleTables.dll, resource win7-en-20211014
- Behavioral task behavioral6: sample Woxy 3.0 [Crack.sx]/ConsoleTables.dll, resource win10-en-20210920
- Behavioral task behavioral7: sample Woxy 3.0 [Crack.sx]/MailKit.dll, resource win7-en-20211014
- Behavioral task behavioral8: sample Woxy 3.0 [Crack.sx]/MailKit.dll, resource win10-en-20210920
- Behavioral task behavioral9: sample Woxy 3.0 [Crack.sx]/MimeKit.dll, resource win7-en-20210920
- Behavioral task behavioral10: sample Woxy 3.0 [Crack.sx]/MimeKit.dll, resource win10-en-20211014
- Behavioral task behavioral11: sample Woxy 3.0 [Crack.sx]/Newtonsoft.Json.dll, resource win7-en-20210920
- Behavioral task behavioral12: sample Woxy 3.0 [Crack.sx]/Newtonsoft.Json.dll, resource win10-en-20211014
- Behavioral task behavioral13: sample Woxy 3.0 [Crack.sx]/Woxy 3.0 [Crack.sx].exe, resource win7-en-20210920
General
- Target: Woxy 3.0 [Crack.sx]/Woxy 3.0 [Crack.sx].exe
- Size: 776KB
- MD5: 5afd70d54cc4af7f236894d674842493
- SHA1: 6565657adebd3063ba85886e551e551b0bbd6fdb
- SHA256: 8b79e79f75578ab62d83e89b6bfaf5404fa868041b880995579f3cd6ae6f995e
- SHA512: 6fa7daafcd661d873bae7e092fab5c89f8a56978003d31b3b91eabc735e50ecc01b8e90f90fbcec193c0656f134b6ce69c98825cfbaeaa07a536ddc5eea641fa
Malware Config
Extracted
- Family: njrat
- Version: Carbonblack2102
- Botnet: batvoi
- C2: 1368.vnh.wtf:5552
- Mutex: 0de45b5c6627a3e65a4b2a1e68ec841b
- Attributes:
  - reg_key: 0de45b5c6627a3e65a4b2a1e68ec841b
  - splitter: |'|'|
Signatures
- Taurus Stealer Payload (3 IoCs)
  resource / yara_rule:
  - behavioral14/memory/3940-154-0x0000000000400000-0x0000000000437000-memory.dmp: family_taurus_stealer
  - behavioral14/memory/3940-155-0x000000000041CEE8-mapping.dmp: family_taurus_stealer
  - behavioral14/memory/3940-156-0x0000000000400000-0x0000000000437000-memory.dmp: family_taurus_stealer
- Executes dropped EXE (4 IoCs)
  pid / process:
  - 2712 WMI PERFORMANCE REVERSE ADAPTER.EXE
  - 3320 WMI PERFORMANCE REVERSE ADPIRE.EXE
  - 4036 WOXY 3.0 [CRACK.SX].EXE
  - 2808 WMI Performance Reverse Adapters.exe
- Modifies Windows Firewall (1 TTPs)
- Drops startup file (2 IoCs)
  description / ioc / process:
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0de45b5c6627a3e65a4b2a1e68ec841b.exe (WMI Performance Reverse Adapters.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0de45b5c6627a3e65a4b2a1e68ec841b.exe (WMI Performance Reverse Adapters.exe)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description / ioc / process:
  - Set value (str): \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\0de45b5c6627a3e65a4b2a1e68ec841b = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WMI Performance Reverse Adapters.exe\" .." (WMI Performance Reverse Adapters.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\0de45b5c6627a3e65a4b2a1e68ec841b = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WMI Performance Reverse Adapters.exe\" .." (WMI Performance Reverse Adapters.exe)
- Suspicious use of SetThreadContext (1 IoCs)
  description / pid / process / target process:
  - PID 3320 WMI PERFORMANCE REVERSE ADPIRE.EXE set thread context of 3940 mscorsvw.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoCs)
  pid / process / target pid / target process:
  - 2084 WerFault.exe, target 4036 WOXY 3.0 [CRACK.SX].EXE
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  pid / process:
  - 2084 WerFault.exe (12 identical entries)
- Suspicious use of AdjustPrivilegeToken (33 IoCs)
  description / pid / process:
  - Token: SeDebugPrivilege, 3320 WMI PERFORMANCE REVERSE ADPIRE.EXE
  - Token: SeRestorePrivilege, 2084 WerFault.exe
  - Token: SeBackupPrivilege, 2084 WerFault.exe
  - Token: SeDebugPrivilege, 2084 WerFault.exe
  - Token: SeDebugPrivilege, 2808 WMI Performance Reverse Adapters.exe
  - Token: 33 and Token: SeIncBasePriorityPrivilege, 2808 WMI Performance Reverse Adapters.exe (alternating, 14 of each, 28 entries)
- Suspicious use of WriteProcessMemory (24 IoCs)
  description / pid / process / target process:
  - PID 1692 Woxy 3.0 [Crack.sx].exe wrote to memory of 2712 WMI PERFORMANCE REVERSE ADAPTER.EXE (3 entries)
  - PID 1692 Woxy 3.0 [Crack.sx].exe wrote to memory of 3320 WMI PERFORMANCE REVERSE ADPIRE.EXE (3 entries)
  - PID 1692 Woxy 3.0 [Crack.sx].exe wrote to memory of 4036 WOXY 3.0 [CRACK.SX].EXE (3 entries)
  - PID 2712 WMI PERFORMANCE REVERSE ADAPTER.EXE wrote to memory of 2808 WMI Performance Reverse Adapters.exe (3 entries)
  - PID 2808 WMI Performance Reverse Adapters.exe wrote to memory of 2628 netsh.exe (3 entries)
  - PID 3320 WMI PERFORMANCE REVERSE ADPIRE.EXE wrote to memory of 3940 mscorsvw.exe (9 entries)
Processes (process tree; child processes are indented under their parent)
- C:\Users\Admin\AppData\Local\Temp\Woxy 3.0 [Crack.sx]\Woxy 3.0 [Crack.sx].exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Woxy 3.0 [Crack.sx]\Woxy 3.0 [Crack.sx].exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\WMI PERFORMANCE REVERSE ADAPTER.EXE
    command line: "C:\Users\Admin\AppData\Local\Temp\WMI PERFORMANCE REVERSE ADAPTER.EXE"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\WMI Performance Reverse Adapters.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\WMI Performance Reverse Adapters.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\netsh.exe
        command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\WMI Performance Reverse Adapters.exe" "WMI Performance Reverse Adapters.exe" ENABLE
  - C:\Users\Admin\AppData\Local\Temp\WMI PERFORMANCE REVERSE ADPIRE.EXE
    command line: "C:\Users\Admin\AppData\Local\Temp\WMI PERFORMANCE REVERSE ADPIRE.EXE"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe"
  - C:\Users\Admin\AppData\Local\Temp\WOXY 3.0 [CRACK.SX].EXE
    command line: "C:\Users\Admin\AppData\Local\Temp\WOXY 3.0 [CRACK.SX].EXE"
    - Executes dropped EXE
    - C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 872
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\WMI PERFORMANCE REVERSE ADAPTER.EXE
  MD5: 870a6f849d1e8f3297d3d947de1d3dda
  SHA1: 2f618fdf99aa8b94c7ef34fe93f73fce8afeaf97
  SHA256: b94a72f37633262bc036a0ff29cdd2ec4f6f26ea3dee357ef727defeffcea39b
  SHA512: f3cbf80e3b5200bc926b098840230189c15dcd7cd81792fa3461de5c999f83f352a5529db3c3fc045e43110c9e35d8676bdb3343597663f17dfd840e503adad7
- C:\Users\Admin\AppData\Local\Temp\WMI PERFORMANCE REVERSE ADPIRE.EXE
  MD5: 5375abc86290f5c3ffa86d4129e4bd27
  SHA1: a1a3b2165549bd4c34985d3a230f8304202926ab
  SHA256: c499e93433a8ff462799108ac5462ce05fa93bf716f3723fbccb7ff13dbebb9f
  SHA512: f951acf23e5576fae983fd805a32eebea95966c74ffffd99bbd6de17d2e5db0db9b282c242d00e5515b4d67d885f09c749fae09aece26275f17f0d20670b6709
- C:\Users\Admin\AppData\Local\Temp\WMI Performance Reverse Adapters.exe
  MD5: 870a6f849d1e8f3297d3d947de1d3dda
  SHA1: 2f618fdf99aa8b94c7ef34fe93f73fce8afeaf97
  SHA256: b94a72f37633262bc036a0ff29cdd2ec4f6f26ea3dee357ef727defeffcea39b
  SHA512: f3cbf80e3b5200bc926b098840230189c15dcd7cd81792fa3461de5c999f83f352a5529db3c3fc045e43110c9e35d8676bdb3343597663f17dfd840e503adad7
- C:\Users\Admin\AppData\Local\Temp\WOXY 3.0 [CRACK.SX].EXE
  MD5: 7750a6691f29ecb236c82e0e6c082625
  SHA1: 8f4612f45d417f5db5f577687dd9be2131f7aa65
  SHA256: 464375a7177f6500882be8fea8660b82be9669b16b86f700f79bf5334817afbf
  SHA512: 645c96b8028fbacc853075792c7e728a7b293f42fe47fbc2ddf7fba9cebf0beab731314defcbc0bb12a16e7898a558979dba5bbd1d687713eb1a73a17908143f
- memory/2628-148-0x0000000000000000-mapping.dmp
- memory/2712-126-0x0000000000280000-0x0000000000281000-memory.dmp (Filesize 4KB)
- memory/2712-131-0x0000000004AC0000-0x0000000004AC1000-memory.dmp (Filesize 4KB)
- memory/2712-132-0x00000000050D0000-0x00000000050D1000-memory.dmp (Filesize 4KB)
- memory/2712-116-0x0000000000000000-mapping.dmp
- memory/2808-141-0x0000000000000000-mapping.dmp
- memory/2808-151-0x00000000056A0000-0x00000000056A1000-memory.dmp (Filesize 4KB)
- memory/2808-150-0x00000000054F0000-0x000000000558C000-memory.dmp (Filesize 624KB)
- memory/3320-125-0x00000000001F0000-0x00000000001F1000-memory.dmp (Filesize 4KB)
- memory/3320-153-0x0000000005820000-0x0000000005821000-memory.dmp (Filesize 4KB)
- memory/3320-139-0x0000000004AC0000-0x0000000004AD9000-memory.dmp (Filesize 100KB)
- memory/3320-140-0x0000000002600000-0x0000000002601000-memory.dmp (Filesize 4KB)
- memory/3320-138-0x0000000004A80000-0x0000000004AC0000-memory.dmp (Filesize 256KB)
- memory/3320-135-0x0000000004BC0000-0x0000000004BC1000-memory.dmp (Filesize 4KB)
- memory/3320-118-0x0000000000000000-mapping.dmp
- memory/3320-152-0x0000000004BA0000-0x0000000004BA6000-memory.dmp (Filesize 24KB)
- memory/3940-156-0x0000000000400000-0x0000000000437000-memory.dmp (Filesize 220KB)
- memory/3940-155-0x000000000041CEE8-mapping.dmp
- memory/3940-154-0x0000000000400000-0x0000000000437000-memory.dmp (Filesize 220KB)
- memory/4036-137-0x0000000004B70000-0x0000000004B71000-memory.dmp (Filesize 4KB)
- memory/4036-120-0x0000000000000000-mapping.dmp
- memory/4036-127-0x0000000000F00000-0x0000000000F01000-memory.dmp (Filesize 4KB)
- memory/4036-133-0x0000000000900000-0x0000000000901000-memory.dmp (Filesize 4KB)