Analysis
- max time kernel: 163s
- max time network: 48s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 30-06-2022 23:48
- Static task: static1
- Behavioral task: behavioral1
- Sample: 3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651.exe
- Resource: win7-20220414-en
General
- Target: 3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651.exe
- Size: 813KB
- MD5: c78cc437caa7edfc9c3494c58b017e8a
- SHA1: 61cbbf0bef3c282c12a88fa927ce1447caffb3f7
- SHA256: 3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651
- SHA512: bf049956c7cbf887820027f658a89f3833dccef089b50beaf3d60b8a8e539947728710d218a03d5948e9ae9b15e6640557425822daa57ef4b248bba7e81431f5
Malware Config
Extracted: netwire
C2:
- blackhills.ddns.net:1030
- 213.183.58.34:1031
Attributes:
- activex_autorun: false
- copy_executable: true
- delete_original: true
- host_id: Lord Of Sabbath
- install_path: %AppData%\Roaming\svchost.exe
- lock_executable: true
- mutex: conhost
- offline_keylogger: false
- password: Password
- registry_autorun: false
- use_mutex: true
Signatures
- NetWire RAT payload (5 IoCs)
  Processes (resource | yara_rule):
  behavioral1/memory/2016-65-0x0000000000400000-0x0000000000420000-memory.dmp | netwire
  behavioral1/memory/2016-69-0x0000000000400000-0x0000000000420000-memory.dmp | netwire
  behavioral1/memory/2016-71-0x00000000004022CA-mapping.dmp | netwire
  behavioral1/memory/2016-74-0x0000000000400000-0x0000000000420000-memory.dmp | netwire
  behavioral1/memory/2016-78-0x0000000000400000-0x0000000000420000-memory.dmp | netwire
- Executes dropped EXE (1 IoCs)
  Processes (pid | process):
  1308 | svchost.exe
- Loads dropped DLL (1 IoCs)
  Processes (pid | process):
  2016 | svchost.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description | pid | process | target process):
  PID 848 set thread context of 2016 | 848 | 3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651.exe | svchost.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes (pid | process):
  1696 | javaw.exe
  1468 | java.exe
- Suspicious use of WriteProcessMemory (39 IoCs)
  Processes (description | pid | process | target process):
  PID 848 wrote to memory of 1292 | 848 | 3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651.exe | schtasks.exe
  PID 848 wrote to memory of 1292 | 848 | 3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651.exe | schtasks.exe
  PID 848 wrote to memory of 1292 | 848 | 3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651.exe | schtasks.exe
  PID 848 wrote to memory of 1292 | 848 | 3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651.exe | schtasks.exe
  PID 848 wrote to memory of 2016 | 848 | 3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651.exe | svchost.exe
  PID 848 wrote to memory of 2016 | 848 | 3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651.exe | svchost.exe
  PID 848 wrote to memory of 2016 | 848 | 3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651.exe | svchost.exe
  PID 848 wrote to memory of 2016 | 848 | 3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651.exe | svchost.exe
  PID 848 wrote to memory of 2016 | 848 | 3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651.exe | svchost.exe
  PID 848 wrote to memory of 2016 | 848 | 3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651.exe | svchost.exe
  PID 848 wrote to memory of 2016 | 848 | 3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651.exe | svchost.exe
  PID 848 wrote to memory of 2016 | 848 | 3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651.exe | svchost.exe
  PID 848 wrote to memory of 2016 | 848 | 3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651.exe | svchost.exe
  PID 848 wrote to memory of 1696 | 848 | 3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651.exe | javaw.exe
  PID 848 wrote to memory of 1696 | 848 | 3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651.exe | javaw.exe
  PID 848 wrote to memory of 1696 | 848 | 3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651.exe | javaw.exe
  PID 848 wrote to memory of 1696 | 848 | 3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651.exe | javaw.exe
  PID 2016 wrote to memory of 1308 | 2016 | svchost.exe | svchost.exe
  PID 2016 wrote to memory of 1308 | 2016 | svchost.exe | svchost.exe
  PID 2016 wrote to memory of 1308 | 2016 | svchost.exe | svchost.exe
  PID 2016 wrote to memory of 1308 | 2016 | svchost.exe | svchost.exe
  PID 1696 wrote to memory of 1468 | 1696 | javaw.exe | java.exe
  PID 1696 wrote to memory of 1468 | 1696 | javaw.exe | java.exe
  PID 1696 wrote to memory of 1468 | 1696 | javaw.exe | java.exe
  PID 1468 wrote to memory of 1460 | 1468 | java.exe | cmd.exe
  PID 1468 wrote to memory of 1460 | 1468 | java.exe | cmd.exe
  PID 1468 wrote to memory of 1460 | 1468 | java.exe | cmd.exe
  PID 1460 wrote to memory of 2000 | 1460 | cmd.exe | cscript.exe
  PID 1460 wrote to memory of 2000 | 1460 | cmd.exe | cscript.exe
  PID 1460 wrote to memory of 2000 | 1460 | cmd.exe | cscript.exe
  PID 1468 wrote to memory of 1592 | 1468 | java.exe | cmd.exe
  PID 1468 wrote to memory of 1592 | 1468 | java.exe | cmd.exe
  PID 1468 wrote to memory of 1592 | 1468 | java.exe | cmd.exe
  PID 1592 wrote to memory of 1192 | 1592 | cmd.exe | cscript.exe
  PID 1592 wrote to memory of 1192 | 1592 | cmd.exe | cscript.exe
  PID 1592 wrote to memory of 1192 | 1592 | cmd.exe | cscript.exe
  PID 1468 wrote to memory of 1748 | 1468 | java.exe | xcopy.exe
  PID 1468 wrote to memory of 1748 | 1468 | java.exe | xcopy.exe
  PID 1468 wrote to memory of 1748 | 1468 | java.exe | xcopy.exe
Processes (indented by process-tree depth)
- C:\Users\Admin\AppData\Local\Temp\3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651.exe"
  signatures: Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (depth 2)
    command line: "C:\Windows\System32\schtasks.exe" /Create /TN "ALGKF\ALGKF" /XML "C:\Users\Admin\AppData\Roaming\ALGKF\aqqqqq.xml"
    signatures: Creates scheduled task(s)
  - C:\Windows\SysWOW64\svchost.exe (depth 2)
    command line: "C:\Windows\System32\svchost.exe"
    signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Roaming\svchost.exe (depth 3)
      command line: -m "C:\Windows\SysWOW64\svchost.exe"
      signatures: Executes dropped EXE
  - C:\Program Files\Java\jre7\bin\javaw.exe (depth 2)
    command line: "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\EAWET.jar"
    signatures: Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Program Files\Java\jre7\bin\java.exe (depth 3)
      command line: "C:\Program Files\Java\jre7\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.4871153365732568949495036599929600.class
      signatures: Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      - C:\Windows\system32\cmd.exe (depth 4)
        command line: cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive1016837867290675563.vbs
        signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\system32\cscript.exe (depth 5)
          command line: cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive1016837867290675563.vbs
      - C:\Windows\system32\cmd.exe (depth 4)
        command line: cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive8467573201941676963.vbs
        signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\system32\cscript.exe (depth 5)
          command line: cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive8467573201941676963.vbs
      - C:\Windows\system32\xcopy.exe (depth 4)
        command line: xcopy "C:\Program Files\Java\jre7" "C:\Users\Admin\AppData\Roaming\Oracle\" /e
Downloads