Analysis
max time kernel: 117s
max time network: 140s
platform: windows7_x64
resource: win7-en-20211208
submitted: 17/02/2022, 02:54
Behavioral task: behavioral1
Sample: 5e2e654d06837d7f65a0633dfbf1dd03d61791e889b1fb1b594bfa0a9d06bbac.exe
Resource: win7-en-20211208

Behavioral task: behavioral2
Sample: 5e2e654d06837d7f65a0633dfbf1dd03d61791e889b1fb1b594bfa0a9d06bbac.exe
Resource: win10v2004-en-20220112
General
Target: 5e2e654d06837d7f65a0633dfbf1dd03d61791e889b1fb1b594bfa0a9d06bbac.exe
Size: 148KB
MD5: 9e1eaf5b802057f0e7b6130787534c21
SHA1: 26dddf04ee40627f7b7f0c59574b00159d72ddd2
SHA256: 5e2e654d06837d7f65a0633dfbf1dd03d61791e889b1fb1b594bfa0a9d06bbac
SHA512: 11814391c05f3b4f96623f5d4753626ec6372b9c6f09fbaebcdb530694c648eab2484622a65e318dca360e0410ef8bd64c4ad67a844267faee66e1a790586c3a
Malware Config
Extracted
Family: netwire
C2: oluwaboi.duckdns.org:20202
activex_autorun: false
activex_key:
copy_executable: true
delete_original: false
host_id: Dollarboss
install_path: %AppData%\Install\redok.exe
keylogger_dir: %AppData%\Logs\
lock_executable: false
mutex: hrTvdnfD
offline_keylogger: true
password: oluwaboi
registry_autorun: true
startup_name: redok
use_mutex: true
Signatures

NetWire RAT payload (3 IoCs)
resource                                        yara_rule
behavioral1/files/0x0007000000012604-56.dat     netwire
behavioral1/files/0x0007000000012604-57.dat     netwire
behavioral1/files/0x0007000000012604-58.dat     netwire

Executes dropped EXE (1 IoC)
pid     Process
464     redok.exe

Loads dropped DLL (2 IoCs)
pid     Process
1268    5e2e654d06837d7f65a0633dfbf1dd03d61791e889b1fb1b594bfa0a9d06bbac.exe
1268    5e2e654d06837d7f65a0633dfbf1dd03d61791e889b1fb1b594bfa0a9d06bbac.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description       ioc                                                                                                                            Process
Key created       \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\                   redok.exe
Set value (str)   \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\redok = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\redok.exe"   redok.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of WriteProcessMemory (4 IoCs)
description                          pid     Process                                                                     procid_target
PID 1268 wrote to memory of 464      1268    5e2e654d06837d7f65a0633dfbf1dd03d61791e889b1fb1b594bfa0a9d06bbac.exe       27
PID 1268 wrote to memory of 464      1268    5e2e654d06837d7f65a0633dfbf1dd03d61791e889b1fb1b594bfa0a9d06bbac.exe       27
PID 1268 wrote to memory of 464      1268    5e2e654d06837d7f65a0633dfbf1dd03d61791e889b1fb1b594bfa0a9d06bbac.exe       27
PID 1268 wrote to memory of 464      1268    5e2e654d06837d7f65a0633dfbf1dd03d61791e889b1fb1b594bfa0a9d06bbac.exe       27
Processes

1. C:\Users\Admin\AppData\Local\Temp\5e2e654d06837d7f65a0633dfbf1dd03d61791e889b1fb1b594bfa0a9d06bbac.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\5e2e654d06837d7f65a0633dfbf1dd03d61791e889b1fb1b594bfa0a9d06bbac.exe"
   PID: 1268
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\Install\redok.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Install\redok.exe"
      PID: 464
      - Executes dropped EXE
      - Adds Run key to start application