Analysis
- max time kernel: 151s
- max time network: 143s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 00:49
Static task: static1
Behavioral task: behavioral1
- Sample: detail-information.exe
- Resource: win7-20220414-en
- Platform: windows7_x64
- 0 signatures
- 0 seconds
General
- Target: detail-information.exe
- Size: 494KB
- MD5: 07591af2349f8ebc5789fcb0b60c7c91
- SHA1: 828bcdd3d1e32d2ed0b0660fc92f41a562d4d466
- SHA256: b50a0ea3d467e25e9c1917668e10f70e67434e468fcecbb1d3a927a3f105dbfa
- SHA512: 8bc1068c0d85f62176fe8e23ec23ecbcfaa1296d379c26ff5fe7ee274c5ef7d12b7a1fec44941eca9841af17c61c5c1b3ad50739fb5d5baadd72bf2feef48ad3
Malware Config
Signatures
- NetWire RAT payload (2 IoCs)
  resource | yara_rule
  behavioral2/memory/2624-136-0x0000000000400000-0x0000000000433000-memory.dmp | netwire
  behavioral2/memory/2968-142-0x0000000000400000-0x0000000000433000-memory.dmp | netwire
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: detail-information.exe, detail-information.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | detail-information.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | detail-information.exe
- Drops startup file (2 IoCs)
  Processes: detail-information.exe, detail-information.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe | detail-information.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe | detail-information.exe
- Suspicious use of SetThreadContext (2 IoCs)
  Processes: detail-information.exe, detail-information.exe
  description | pid | process | target process
  PID 1004 set thread context of 2624 | 1004 | detail-information.exe | RegAsm.exe
  PID 2156 set thread context of 2968 | 2156 | detail-information.exe | RegAsm.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: detail-information.exe
  pid | process
  1004 | detail-information.exe (64 entries, all identical)
- Suspicious behavior: MapViewOfSection (4 IoCs)
  Processes: detail-information.exe, detail-information.exe
  pid | process
  1004 | detail-information.exe
  1004 | detail-information.exe
  1004 | detail-information.exe
  2156 | detail-information.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: detail-information.exe, detail-information.exe
  description | pid | process
  Token: SeDebugPrivilege | 1004 | detail-information.exe
  Token: SeDebugPrivilege | 2156 | detail-information.exe
- Suspicious use of WriteProcessMemory (29 IoCs)
  Processes: detail-information.exe, cmd.exe, detail-information.exe, cmd.exe
  description | pid | process | target process | occurrences
  PID 1004 wrote to memory of 2432 | 1004 | detail-information.exe | RegAsm.exe | 3
  PID 1004 wrote to memory of 1108 | 1004 | detail-information.exe | RegAsm.exe | 3
  PID 1004 wrote to memory of 2624 | 1004 | detail-information.exe | RegAsm.exe | 4
  PID 1004 wrote to memory of 3156 | 1004 | detail-information.exe | cmd.exe | 3
  PID 1004 wrote to memory of 2156 | 1004 | detail-information.exe | detail-information.exe | 3
  PID 3156 wrote to memory of 2832 | 3156 | cmd.exe | choice.exe | 3
  PID 2156 wrote to memory of 2968 | 2156 | detail-information.exe | RegAsm.exe | 4
  PID 2156 wrote to memory of 4820 | 2156 | detail-information.exe | cmd.exe | 3
  PID 4820 wrote to memory of 2084 | 4820 | cmd.exe | choice.exe | 3
Processes
- C:\Users\Admin\AppData\Local\Temp\detail-information.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\detail-information.exe"
  signatures: Checks computer location settings; Drops startup file; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\detail-information.exe"
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\choice.exe
      command line: choice /C Y /N /D Y /T 3
  - C:\Users\Admin\AppData\Local\Temp\detail-information.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\detail-information.exe"
    signatures: Checks computer location settings; Drops startup file; Suspicious use of SetThreadContext; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    - C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\detail-information.exe"
      signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\choice.exe
        command line: choice /C Y /N /D Y /T 3
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1004-130-0x0000000000F80000-0x0000000001002000-memory.dmp (filesize 520KB)
- memory/1004-131-0x0000000005940000-0x00000000059D2000-memory.dmp (filesize 584KB)
- memory/1004-132-0x00000000070E0000-0x00000000070E3000-memory.dmp (filesize 12KB)
- memory/1004-135-0x0000000007730000-0x0000000007733000-memory.dmp (filesize 12KB)
- memory/2084-141-0x0000000000000000-mapping.dmp
- memory/2156-137-0x0000000000000000-mapping.dmp
- memory/2624-136-0x0000000000400000-0x0000000000433000-memory.dmp (filesize 204KB)
- memory/2624-133-0x0000000000000000-mapping.dmp
- memory/2832-138-0x0000000000000000-mapping.dmp
- memory/2968-139-0x0000000000000000-mapping.dmp
- memory/2968-142-0x0000000000400000-0x0000000000433000-memory.dmp (filesize 204KB)
- memory/3156-134-0x0000000000000000-mapping.dmp
- memory/4820-140-0x0000000000000000-mapping.dmp