Analysis
max time kernel: 174s
max time network: 182s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 30-06-2022 23:48
Static task: static1
Behavioral task: behavioral1
Sample: 3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651.exe
Resource: win7-20220414-en
General
Target: 3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651.exe
Size: 813KB
MD5: c78cc437caa7edfc9c3494c58b017e8a
SHA1: 61cbbf0bef3c282c12a88fa927ce1447caffb3f7
SHA256: 3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651
SHA512: bf049956c7cbf887820027f658a89f3833dccef089b50beaf3d60b8a8e539947728710d218a03d5948e9ae9b15e6640557425822daa57ef4b248bba7e81431f5
Malware Config
Extracted: netwire
  blackhills.ddns.net:1030
  213.183.58.34:1031
activex_autorun: false
copy_executable: true
delete_original: true
host_id: Lord Of Sabbath
install_path: %AppData%\Roaming\svchost.exe
lock_executable: true
mutex: conhost
offline_keylogger: false
password: Password
registry_autorun: false
use_mutex: true
Signatures

NetWire RAT payload (5 IoCs)
Processes (resource / yara_rule):
  behavioral2/memory/4460-134-0x0000000000000000-mapping.dmp  netwire
  behavioral2/memory/4460-136-0x0000000000400000-0x0000000000420000-memory.dmp  netwire
  behavioral2/memory/4460-138-0x0000000000400000-0x0000000000420000-memory.dmp  netwire
  behavioral2/memory/4460-141-0x0000000000400000-0x0000000000420000-memory.dmp  netwire
  behavioral2/memory/4460-145-0x0000000000400000-0x0000000000420000-memory.dmp  netwire

Executes dropped EXE (1 IoCs)
Processes (pid / process):
  4812  svchost.exe

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes (description / ioc / process):
  Key value queried  \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation  3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651.exe

Suspicious use of SetThreadContext (1 IoCs)
Processes (description / pid / process / target process):
  PID 916 set thread context of 4460  916  3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651.exe  svchost.exe

Drops file in Program Files directory (24 IoCs)
Processes (description / ioc / process):
  File opened for modification  C:\Program Files\Java\jre1.8.0_66\bin\dll\jvm.pdb  java.exe
  File opened for modification  C:\Program Files\Java\jre1.8.0_66\bin\server\dll\jvm.pdb  javaw.exe
  File opened for modification  C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\jvm.pdb  javaw.exe
  File opened for modification  C:\Program Files\Java\jre1.8.0_66\bin\dll\jvm.pdb  javaw.exe
  File opened for modification  C:\Program Files\Java\jre1.8.0_66\bin\server\dll\jvm.pdb  java.exe
  File opened for modification  C:\Program Files\Java\jre1.8.0_66\bin\jvm.pdb  java.exe
  File opened for modification  C:\Program Files\Java\jre1.8.0_66\bin\server\jvm.pdb  javaw.exe
  File opened for modification  C:\Program Files\Java\jre1.8.0_66\bin\server\ntdll.pdb  javaw.exe
  File opened for modification  C:\Program Files\Java\jre1.8.0_66\bin\ntdll.pdb  javaw.exe
  File opened for modification  C:\Program Files\Java\jre1.8.0_66\bin\server\ntdll.pdb  java.exe
  File opened for modification  C:\Program Files\Java\jre1.8.0_66\bin\jvm.pdb  javaw.exe
  File opened for modification  C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\jvm.pdb  javaw.exe
  File opened for modification  C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\jvm.pdb  java.exe
  File opened for modification  C:\Program Files\Java\jre1.8.0_66\bin\ntdll.pdb  java.exe
  File opened for modification  C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\jvm.pdb  java.exe
  File opened for modification  C:\Program Files\Java\jre1.8.0_66\bin\server\dll\ntdll.pdb  java.exe
  File opened for modification  C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\ntdll.pdb  java.exe
  File opened for modification  C:\Program Files\Java\jre1.8.0_66\bin\server\dll\ntdll.pdb  javaw.exe
  File opened for modification  C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\ntdll.pdb  javaw.exe
  File opened for modification  C:\Program Files\Java\jre1.8.0_66\bin\dll\ntdll.pdb  javaw.exe
  File opened for modification  C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\ntdll.pdb  javaw.exe
  File opened for modification  C:\Program Files\Java\jre1.8.0_66\bin\server\jvm.pdb  java.exe
  File opened for modification  C:\Program Files\Java\jre1.8.0_66\bin\dll\ntdll.pdb  java.exe
  File opened for modification  C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\ntdll.pdb  java.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Modifies registry class (1 IoCs)
Processes (description / ioc / process):
  Key created  \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings  3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651.exe

Suspicious use of WriteProcessMemory (19 IoCs)
Processes (description / pid / process / target process):
  PID 916 wrote to memory of 1740  916  3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651.exe  schtasks.exe
  PID 916 wrote to memory of 1740  916  3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651.exe  schtasks.exe
  PID 916 wrote to memory of 1740  916  3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651.exe  schtasks.exe
  PID 916 wrote to memory of 4460  916  3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651.exe  svchost.exe
  PID 916 wrote to memory of 4460  916  3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651.exe  svchost.exe
  PID 916 wrote to memory of 4460  916  3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651.exe  svchost.exe
  PID 916 wrote to memory of 4460  916  3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651.exe  svchost.exe
  PID 916 wrote to memory of 4460  916  3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651.exe  svchost.exe
  PID 916 wrote to memory of 4460  916  3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651.exe  svchost.exe
  PID 916 wrote to memory of 4460  916  3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651.exe  svchost.exe
  PID 916 wrote to memory of 4460  916  3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651.exe  svchost.exe
  PID 916 wrote to memory of 4460  916  3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651.exe  svchost.exe
  PID 4460 wrote to memory of 4812  4460  svchost.exe  svchost.exe
  PID 4460 wrote to memory of 4812  4460  svchost.exe  svchost.exe
  PID 4460 wrote to memory of 4812  4460  svchost.exe  svchost.exe
  PID 916 wrote to memory of 4452  916  3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651.exe  javaw.exe
  PID 916 wrote to memory of 4452  916  3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651.exe  javaw.exe
  PID 4452 wrote to memory of 2152  4452  javaw.exe  java.exe
  PID 4452 wrote to memory of 2152  4452  javaw.exe  java.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "ALGKF\ALGKF" /XML "C:\Users\Admin\AppData\Roaming\ALGKF\aOOOOO.xml"
    - Creates scheduled task(s)
  - C:\Windows\SysWOW64\svchost.exe
    Command line: "C:\Windows\System32\svchost.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Roaming\svchost.exe
      Command line: -m "C:\Windows\SysWOW64\svchost.exe"
      - Executes dropped EXE
  - C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
    Command line: "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\EAWET.jar"
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    - C:\Program Files\Java\jre1.8.0_66\bin\java.exe
      Command line: "C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.3906858704923446546710497355773653.class
      - Drops file in Program Files directory
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp
  Filesize: 50B
  MD5: 8f5d0c9e226a450b9170d10bcadd68e2
  SHA1: 174ad28520d9aedd6d6f7e0e05c878581ac37556
  SHA256: ef7f258cb736b42b6b7648401d6a62b0de1a6778d070fbeff1a6fb4e8001f20d
  SHA512: 3438a1331638bdb686ad110cf21457c68aeefc541b6d0ae135ba334adda83415094c8e2ee65f8d2f4cc03bf4f9edb048a69e0b8fc2dadf76d9fbef00fb40ef24
- C:\Users\Admin\AppData\Local\Temp\EAWET.jar
  Filesize: 473KB
  MD5: d6d2b3e890041545cc409ab31157aa1a
  SHA1: 5b569bce8f9f00b2ce684738496cbffc908131f7
  SHA256: fea9e7094bc95dc152f595f7b45c78ec15a76fc6ceec9812d38de6c601c4170e
  SHA512: 16419ec9491e8fc85a5ea7b71234e656cc33dd95703bbb6c2b05d2edf50f8f58f9bab624d395cd64e28d4ac56eb7af24f97264b79fe12d9bce4d2df1257c6ff1
- C:\Users\Admin\AppData\Local\Temp\_0.3906858704923446546710497355773653.class
  Filesize: 241KB
  MD5: 781fb531354d6f291f1ccab48da6d39f
  SHA1: 9ce4518ebcb5be6d1f0b5477fa00c26860fe9a68
  SHA256: 97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9
  SHA512: 3e6630f5feb4a3eb1dac7e9125ce14b1a2a45d7415cf44cea42bc51b2a9aa37169ee4a4c36c888c8f2696e7d6e298e2ad7b2f4c22868aaa5948210eb7db220d8
- C:\Users\Admin\AppData\Roaming\ALGKF\aOOOOO.xml
  Filesize: 1KB
  MD5: 244445d8e0121079b25f44d0b527e333
  SHA1: 10853217b97d2b256083e9756444552c05d7b8da
  SHA256: 2833be5ffc4003f66bb2d3ea80556d89cd393f4453ad269efedb4707416b9e6c
  SHA512: c2a87f1f7a50eef4384e3e5d29add3e5fe841f4026d75847b83ab5a117d09694e6a29412ef82a143bad139b5ac62c7e716f38a5d74baee58d2515fcc3f2d570b
- C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3751123196-3323558407-1869646069-1000\83aa4cc77f591dfc2374580bbd95f6ba_6bb404a8-25bc-4cef-a831-797f8d1e89c0
  Filesize: 45B
  MD5: c8366ae350e7019aefc9d1e6e6a498c6
  SHA1: 5731d8a3e6568a5f2dfbbc87e3db9637df280b61
  SHA256: 11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238
  SHA512: 33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd
- C:\Users\Admin\AppData\Roaming\Roaming\svchost.exe
  Filesize: 45KB
  MD5: b7c999040d80e5bf87886d70d992c51e
  SHA1: a8ed9a51cc14ccf99b670e60ebbc110756504929
  SHA256: 5c3257b277f160109071e7e716040e67657341d8c42aa68d9afafe1630fcc53e
  SHA512: 71ba2fbd705e51b488afe3bb33a67212cf297e97e8b1b20ada33e16956f7ec8f89a79e04a4b256fd61a442fada690aff0c807c2bdcc9165a9c7be3de725de309