Analysis
-
max time kernel
114s -
max time network
117s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
01-07-2022 07:33
Static task
static1
Behavioral task
behavioral1
Sample
3e66b276204a34135abfd32954a8d81cd068b5661c6f5ac12141dde45fd773ba.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
3e66b276204a34135abfd32954a8d81cd068b5661c6f5ac12141dde45fd773ba.exe
Resource
win10v2004-20220414-en
General
-
Target
3e66b276204a34135abfd32954a8d81cd068b5661c6f5ac12141dde45fd773ba.exe
-
Size
508KB
-
MD5
70774c09cd557ec674d9ef20cafae2e8
-
SHA1
92db9ee475f9c2cb8bb4f0db21bdc903372600c3
-
SHA256
3e66b276204a34135abfd32954a8d81cd068b5661c6f5ac12141dde45fd773ba
-
SHA512
281a6a04e8097c4106d576fd6888da3919132ce9c0a080f0a4666f95b0ca6d37f27f39d214a2b5187a2d6ccaac8455545f2f800397bd53312d3d8b47afbc7020
Malware Config
Extracted
netwire
mlhdns.phatbois.me:4772
mlhdns.pandabearsunited.xyz:4772
-
activex_autorun
false
-
copy_executable
false
-
delete_original
false
-
host_id
HostId-%Rand%
-
keylogger_dir
C:\Users\Admin\AppData\Roaming\Logs\
-
lock_executable
false
-
offline_keylogger
true
-
password
Password
-
registry_autorun
false
-
use_mutex
false
Signatures
-
NetWire RAT payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/1212-76-0x0000000000400000-0x000000000042C000-memory.dmp netwire -
Executes dropped EXE 1 IoCs
Processes:
llwinsc.exepid process 1756 llwinsc.exe -
Drops startup file 2 IoCs
Processes:
3e66b276204a34135abfd32954a8d81cd068b5661c6f5ac12141dde45fd773ba.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\llwinsc.exe 3e66b276204a34135abfd32954a8d81cd068b5661c6f5ac12141dde45fd773ba.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\llwinsc.exe 3e66b276204a34135abfd32954a8d81cd068b5661c6f5ac12141dde45fd773ba.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
llwinsc.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\Default Settings = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\llwinsc.exe -boot" llwinsc.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
llwinsc.exedescription pid process target process PID 1756 set thread context of 1212 1756 llwinsc.exe AppLaunch.exe -
Drops file in Windows directory 4 IoCs
Processes:
3e66b276204a34135abfd32954a8d81cd068b5661c6f5ac12141dde45fd773ba.exellwinsc.exedescription ioc process File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new 3e66b276204a34135abfd32954a8d81cd068b5661c6f5ac12141dde45fd773ba.exe File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new 3e66b276204a34135abfd32954a8d81cd068b5661c6f5ac12141dde45fd773ba.exe File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new llwinsc.exe File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new llwinsc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
3e66b276204a34135abfd32954a8d81cd068b5661c6f5ac12141dde45fd773ba.exellwinsc.exedescription pid process Token: SeDebugPrivilege 2044 3e66b276204a34135abfd32954a8d81cd068b5661c6f5ac12141dde45fd773ba.exe Token: SeDebugPrivilege 1756 llwinsc.exe -
Suspicious use of WriteProcessMemory 22 IoCs
Processes:
3e66b276204a34135abfd32954a8d81cd068b5661c6f5ac12141dde45fd773ba.exeexplorer.exellwinsc.exedescription pid process target process PID 2044 wrote to memory of 1620 2044 3e66b276204a34135abfd32954a8d81cd068b5661c6f5ac12141dde45fd773ba.exe explorer.exe PID 2044 wrote to memory of 1620 2044 3e66b276204a34135abfd32954a8d81cd068b5661c6f5ac12141dde45fd773ba.exe explorer.exe PID 2044 wrote to memory of 1620 2044 3e66b276204a34135abfd32954a8d81cd068b5661c6f5ac12141dde45fd773ba.exe explorer.exe PID 2044 wrote to memory of 1620 2044 3e66b276204a34135abfd32954a8d81cd068b5661c6f5ac12141dde45fd773ba.exe explorer.exe PID 1716 wrote to memory of 1756 1716 explorer.exe llwinsc.exe PID 1716 wrote to memory of 1756 1716 explorer.exe llwinsc.exe PID 1716 wrote to memory of 1756 1716 explorer.exe llwinsc.exe PID 1716 wrote to memory of 1756 1716 explorer.exe llwinsc.exe PID 1756 wrote to memory of 1212 1756 llwinsc.exe AppLaunch.exe PID 1756 wrote to memory of 1212 1756 llwinsc.exe AppLaunch.exe PID 1756 wrote to memory of 1212 1756 llwinsc.exe AppLaunch.exe PID 1756 wrote to memory of 1212 1756 llwinsc.exe AppLaunch.exe PID 1756 wrote to memory of 1212 1756 llwinsc.exe AppLaunch.exe PID 1756 wrote to memory of 1212 1756 llwinsc.exe AppLaunch.exe PID 1756 wrote to memory of 1212 1756 llwinsc.exe AppLaunch.exe PID 1756 wrote to memory of 1212 1756 llwinsc.exe AppLaunch.exe PID 1756 wrote to memory of 1212 1756 llwinsc.exe AppLaunch.exe PID 1756 wrote to memory of 1212 1756 llwinsc.exe AppLaunch.exe PID 1756 wrote to memory of 1212 1756 llwinsc.exe AppLaunch.exe PID 1756 wrote to memory of 1212 1756 llwinsc.exe AppLaunch.exe PID 1756 wrote to memory of 1212 1756 llwinsc.exe AppLaunch.exe PID 1756 wrote to memory of 1212 1756 llwinsc.exe AppLaunch.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\3e66b276204a34135abfd32954a8d81cd068b5661c6f5ac12141dde45fd773ba.exe"C:\Users\Admin\AppData\Local\Temp\3e66b276204a34135abfd32954a8d81cd068b5661c6f5ac12141dde45fd773ba.exe"1⤵
- Drops startup file
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\System32\explorer.exe" /c select, C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\llwinsc.exe2⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\llwinsc.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\llwinsc.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\llwinsc.exeFilesize
508KB
MD570774c09cd557ec674d9ef20cafae2e8
SHA192db9ee475f9c2cb8bb4f0db21bdc903372600c3
SHA2563e66b276204a34135abfd32954a8d81cd068b5661c6f5ac12141dde45fd773ba
SHA512281a6a04e8097c4106d576fd6888da3919132ce9c0a080f0a4666f95b0ca6d37f27f39d214a2b5187a2d6ccaac8455545f2f800397bd53312d3d8b47afbc7020
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\llwinsc.exeFilesize
508KB
MD570774c09cd557ec674d9ef20cafae2e8
SHA192db9ee475f9c2cb8bb4f0db21bdc903372600c3
SHA2563e66b276204a34135abfd32954a8d81cd068b5661c6f5ac12141dde45fd773ba
SHA512281a6a04e8097c4106d576fd6888da3919132ce9c0a080f0a4666f95b0ca6d37f27f39d214a2b5187a2d6ccaac8455545f2f800397bd53312d3d8b47afbc7020
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cchFilesize
514B
MD5ab0132018bdef8f7233f491f0aecc699
SHA1be5b112968435687e3b453695ea2e231fe6652a7
SHA256d5eff5f78997673e794c532fdc5fbc483bcf7e0e7265e5af34117943b9247f61
SHA5122090b648cf7456d1eb3388ec703b4d468d5ca0a5507098ccb02c6b4e08c2e5fe4b52cc76061f2021376028bdd179ba3e232309ad4ea5dbcc26cd5a774cd06e0b
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cchFilesize
514B
MD5ab0132018bdef8f7233f491f0aecc699
SHA1be5b112968435687e3b453695ea2e231fe6652a7
SHA256d5eff5f78997673e794c532fdc5fbc483bcf7e0e7265e5af34117943b9247f61
SHA5122090b648cf7456d1eb3388ec703b4d468d5ca0a5507098ccb02c6b4e08c2e5fe4b52cc76061f2021376028bdd179ba3e232309ad4ea5dbcc26cd5a774cd06e0b
-
memory/1212-76-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/1212-72-0x0000000000429000-0x000000000042A200-memory.dmpFilesize
4KB
-
memory/1212-70-0x0000000000429000-0x000000000042A200-memory.dmpFilesize
4KB
-
memory/1212-69-0x0000000000401000-0x000000000041D200-memory.dmpFilesize
112KB
-
memory/1620-59-0x0000000071891000-0x0000000071893000-memory.dmpFilesize
8KB
-
memory/1620-57-0x0000000000000000-mapping.dmp
-
memory/1716-60-0x000007FEFBB11000-0x000007FEFBB13000-memory.dmpFilesize
8KB
-
memory/1756-62-0x0000000000000000-mapping.dmp
-
memory/1756-66-0x00000000744D0000-0x0000000074A7B000-memory.dmpFilesize
5.7MB
-
memory/1756-68-0x00000000744D0000-0x0000000074A7B000-memory.dmpFilesize
5.7MB
-
memory/1756-75-0x00000000744D0000-0x0000000074A7B000-memory.dmpFilesize
5.7MB
-
memory/2044-67-0x00000000744D0000-0x0000000074A7B000-memory.dmpFilesize
5.7MB
-
memory/2044-54-0x0000000075441000-0x0000000075443000-memory.dmpFilesize
8KB
-
memory/2044-56-0x00000000744D0000-0x0000000074A7B000-memory.dmpFilesize
5.7MB
-
memory/2044-55-0x00000000744D0000-0x0000000074A7B000-memory.dmpFilesize
5.7MB