Analysis

- max time kernel: 127s
- max time network: 142s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 01-07-2022 08:02
Static task: static1

Behavioral task: behavioral1
- Sample: 3e44e780a76526026a6ddbcea40043e5fd098bf107b0b68f7d9d232eb72ae574.exe
- Resource: win7-20220414-en

Behavioral task: behavioral2
- Sample: 3e44e780a76526026a6ddbcea40043e5fd098bf107b0b68f7d9d232eb72ae574.exe
- Resource: win10v2004-20220414-en

The signatures, process tree, dropped files and memory dumps below come from behavioral1 (Windows 7 x64): the yara hit paths carry the behavioral1/ prefix and the header platform is windows7_x64.
General

- Target: 3e44e780a76526026a6ddbcea40043e5fd098bf107b0b68f7d9d232eb72ae574.exe
- Size: 626KB
- MD5: d2b8bfc68681f6e58838eff7a2cb33c0
- SHA1: 1c365788f6d248efea2a1a7f574efd610866deff
- SHA256: 3e44e780a76526026a6ddbcea40043e5fd098bf107b0b68f7d9d232eb72ae574
- SHA512: 6eeb7aa28dd1a038d8cf87b50c7bc46496cbb6e0b2181ea01bf9b0c0b3601229f84845a6025a21357b2fede93ac34ead37fd96809b0f914f89cae7ca4f43a6dc
Malware Config

Extracted family: netwire

C2 endpoints:
- 185.101.93.198:8681
- 185.101.93.198:9691
- 89.46.223.154:8585
- 89.46.223.154:1194

Configuration:
- activex_autorun: false
- copy_executable: false
- delete_original: false
- host_id: HostId-%Rand%
- keylogger_dir: %AppData%\Logs\
- lock_executable: false
- offline_keylogger: true
- password: Password
- registry_autorun: false
- use_mutex: false

Two things worth reading out of this config. registry_autorun and activex_autorun are both false, so the Run key recorded under Signatures is not NetWire's built-in persistence; it is written by the dropped plesk.vbs through WScript.exe, which the sample launches alongside plesk.exe. And offline_keylogger is true with keylogger_dir set to %AppData%\Logs\, so that directory is where locally buffered keystroke logs should be looked for on an infected host.
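The C2 list is the most immediately actionable part of this config. The Python below is an added example for this page (not sandbox output and not part of the sample); it validates the ip:port entries copied from the config above and hunts for them in a connection log. The log lines and their `ts src_ip:port -> dst_ip:port proto` layout are constructed for the example. It matches on the full ip:port pair rather than on port alone, because 1194 is also the OpenVPN default port and would be noisy by itself, and it reports a C2 IP seen on an unlisted port separately at lower confidence.

```python
"""Network IoCs from the extracted NetWire config, hunted in a connection log.

Added example for this report (not sandbox output). The C2 list is copied from
the Malware Config section; the log lines are constructed in a generic
'ts src_ip:port -> dst_ip:port proto' shape and are not from the page."""
import ipaddress
import re
from dataclasses import dataclass

NETWIRE_C2 = [
    "185.101.93.198:8681",
    "185.101.93.198:9691",
    "89.46.223.154:8585",
    "89.46.223.154:1194",
]


@dataclass(frozen=True)
class Endpoint:
    ip: str
    port: int


def parse_c2_list(entries):
    """Parse 'ip:port' strings into Endpoints; reject anything that is not a
    literal IP with a valid port so a garbled extractor line cannot slip into
    a blocklist unnoticed."""
    endpoints = set()
    for entry in entries:
        host, sep, port = entry.rpartition(":")
        if not sep or not port.isdigit():
            raise ValueError(f"malformed C2 entry: {entry!r}")
        ipaddress.ip_address(host)          # raises on hostnames / junk
        port = int(port)
        if not 0 < port < 65536:
            raise ValueError(f"port out of range: {entry!r}")
        endpoints.add(Endpoint(host, port))
    return endpoints


# Constructed flows: two to extracted C2 pairs, one to a benign host (TEST-NET-3),
# one internal OpenVPN session on 1194, one to a C2 IP on a port not in the config.
SAMPLE_LOG = """\
2022-07-01T08:03:11Z 10.0.0.21:49812 -> 185.101.93.198:8681 tcp
2022-07-01T08:03:12Z 10.0.0.21:49813 -> 203.0.113.5:443 tcp
2022-07-01T08:03:40Z 10.0.0.33:51000 -> 10.0.0.1:1194 udp
2022-07-01T08:04:02Z 10.0.0.21:49900 -> 89.46.223.154:1194 tcp
2022-07-01T08:04:09Z 10.0.0.21:49901 -> 89.46.223.154:443 tcp
"""

LINE_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+) (\w+)$")


def find_c2_hits(log_text, c2):
    """Return (timestamp, src_ip, 'ip:port') for each flow to a C2 endpoint.
    Matching is on the full pair: port 1194 alone is the OpenVPN default."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, _sport, dst, dport, _proto = m.groups()
        ep = Endpoint(dst, int(dport))
        if ep in c2:
            hits.append((ts, src, f"{ep.ip}:{ep.port}"))
    return hits


def ip_only_hits(log_text, c2):
    """Flows to a C2 IP on a port that is NOT in the config (lower confidence)."""
    ips = {e.ip for e in c2}
    pairs = {(e.ip, e.port) for e in c2}
    out = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(4) in ips and (m.group(4), int(m.group(5))) not in pairs:
            out.append((m.group(1), m.group(2), f"{m.group(4)}:{m.group(5)}"))
    return out


if __name__ == "__main__":
    c2 = parse_c2_list(NETWIRE_C2)
    for hit in find_c2_hits(SAMPLE_LOG, c2):
        print("C2 match       ", *hit)
    for hit in ip_only_hits(SAMPLE_LOG, c2):
        print("C2 IP, new port", *hit)
```

Feed the same function the real export (Zeek conn.log, firewall syslog) by adjusting `LINE_RE`; the `Endpoint` set is what a blocklist or Sigma rule should be generated from, not a bare port list.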
Signatures

NetWire RAT payload (2 IoCs)
- behavioral1/memory/1344-76-0x0000000000400000-0x000000000042C000-memory.dmp: yara rule netwire
- behavioral1/memory/1344-82-0x0000000077570000-0x00000000776F0000-memory.dmp: yara rule netwire

Executes dropped EXE (2 IoCs)
- PID 1548 plesk.exe
- PID 1344 plesk.exe

Loads dropped DLL (3 IoCs)
- PID 1080 3e44e780a76526026a6ddbcea40043e5fd098bf107b0b68f7d9d232eb72ae574.exe
- PID 1080 3e44e780a76526026a6ddbcea40043e5fd098bf107b0b68f7d9d232eb72ae574.exe
- PID 1548 plesk.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
- WScript.exe: key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run
- WScript.exe: set value (str) \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\AHDSKD87372930473JNDKSKSNSBG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\plesk\\plesk.vbs -FF"
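What that Run value amounts to: a .vbs in the user's %TEMP% launched at logon with an extra switch (-FF) under a machine-looking value name. The Python below is an added example for this page (not sandbox code) that recovers the launch target from a Run value and lists the reasons it deserves a look. The report's entry is reproduced with the sandbox's string escaping removed (an assumption about how the report renders the value); the other three entries are constructed controls. The prefix walk for unquoted paths containing spaces mimics how CreateProcess resolves them and is a heuristic here, as is the entropy threshold for the value name.

```python
"""Triage HKCU\\...\\CurrentVersion\\Run entries like the one WScript.exe wrote.

Added example for this report (not sandbox code). The first entry mirrors the
report's Run value with the sandbox's escaping removed (assumption); the other
three are constructed controls, including one legitimate per-user installer."""
import math
import ntpath
import re
from collections import Counter

SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta", ".ps1", ".bat", ".cmd"}
EXEC_EXTS = SCRIPT_EXTS | {".exe", ".com", ".scr", ".pif", ".msi", ".dll"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
USER_WRITABLE = re.compile(
    r"\\AppData\\(Local\\Temp|Local|Roaming)\\|\\Users\\Public\\|^[A-Z]:\\Temp\\", re.I)

RUN_ENTRIES = {
    # From the report: random-looking name, unquoted .vbs in %TEMP%, extra switch.
    "AHDSKD87372930473JNDKSKSNSBG": r"C:\Users\Admin\AppData\Local\Temp\plesk\plesk.vbs -FF",
    # Constructed controls (paths are illustrative, not from the page).
    "OneDrive": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "SecurityHealth": r"C:\Program Files\Windows Defender\MSASCuiL.exe",
    "Updater": r"wscript.exe //B C:\Users\Admin\AppData\Roaming\up.js",
}


def launch_target(value):
    """Recover the program a Run value launches. Quoted: the quoted span.
    Unquoted: CreateProcess tries successively longer space-delimited prefixes,
    so accept the first prefix ending in a known executable extension
    (heuristic), else fall back to the first token."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    tokens = value.split(" ")
    for i in range(1, len(tokens) + 1):
        cand = " ".join(tokens[:i])
        if ntpath.splitext(cand)[1].lower() in EXEC_EXTS:
            return cand
    return tokens[0]


def script_argument(value, target):
    """If the target is a script host, return the first script-looking argument."""
    if ntpath.basename(target).lower() not in SCRIPT_HOSTS:
        return None
    rest = value[len(target) + 2:] if value.startswith('"') else value[len(target):]
    for tok in rest.split():
        if ntpath.splitext(tok)[1].lower() in SCRIPT_EXTS:
            return tok
    return None


def name_entropy(name):
    """Shannon entropy in bits per character; generated names score high."""
    counts = Counter(name)
    n = len(name)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def triage_run_entry(name, value):
    """Return the reasons an entry deserves a look (empty list = no finding)."""
    target = launch_target(value)
    script = script_argument(value, target)
    reasons = []
    ext = ntpath.splitext(target)[1].lower()
    if ext in SCRIPT_EXTS:
        # A Run value naming a script directly is handed to the file-type
        # handler (wscript.exe for .vbs), so the host process is implicit.
        reasons.append(f"launches a script directly ({ext}) via its file-type handler")
    if script:
        reasons.append(f"script host {ntpath.basename(target)} runs {script}")
    for path in filter(None, (target, script)):
        if USER_WRITABLE.search(path):
            reasons.append(f"{path} lives in a user-writable location")
    if len(name) >= 16 and name_entropy(name) > 3.5 and not re.search(r"[a-z]", name):
        reasons.append("value name looks machine-generated")
    return reasons


if __name__ == "__main__":
    for name, value in RUN_ENTRIES.items():
        print(name, "->", launch_target(value), triage_run_entry(name, value))
```

The OneDrive control still produces one reason (a legitimate per-user installer under AppData\Local), which is the expected noise floor for the location check; the script-type and generated-name reasons are what separate the report's entry from it.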
Suspicious use of SetThreadContext (1 IoC)
- PID 1548 plesk.exe set thread context of PID 1344 plesk.exe

Enumerates physical storage devices (1 TTP)
Sandbox description: attempts to interact with connected storage/optical drive(s); likely ransomware behaviour. (This is the signature's generic text. The family identified in this report is NetWire, a RAT, not ransomware.)

Suspicious use of SetWindowsHookEx (2 IoCs)
- PID 1080 3e44e780a76526026a6ddbcea40043e5fd098bf107b0b68f7d9d232eb72ae574.exe
- PID 1548 plesk.exe

Suspicious use of UnmapMainImage (1 IoC)
- PID 1344 plesk.exe

Suspicious use of WriteProcessMemory (12 IoCs)
- PID 1080 (3e44e780a76526026a6ddbcea40043e5fd098bf107b0b68f7d9d232eb72ae574.exe) wrote to memory of PID 964 (WScript.exe): 4 events
- PID 1080 (3e44e780a76526026a6ddbcea40043e5fd098bf107b0b68f7d9d232eb72ae574.exe) wrote to memory of PID 1548 (plesk.exe): 4 events
- PID 1548 (plesk.exe) wrote to memory of PID 1344 (plesk.exe): 4 events
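Read together, the SetThreadContext, UnmapMainImage and WriteProcessMemory signatures describe the first plesk.exe (PID 1548) hollowing a child copy of itself (PID 1344): the child's main image is unmapped, the parent writes into it and sets its thread context, and the netwire yara rule then fires on the child's 0x400000 image region. The Python below is an added example for this page (not sandbox code) that applies that reasoning to an event list constructed in a simplified `pid api target` shape mirroring the rows above; the UnmapMainImage row is encoded as self-targeted because the signature lists only PID 1344.

```python
"""Reconstruct the injection chain from the API-event signatures above.

Added example for this report (not sandbox code). EVENTS is constructed in a
simplified 'pid api target' shape that mirrors the report's rows; the image
names per PID are taken from the Processes section."""
from collections import defaultdict

IMAGES = {
    1080: "3e44e780a76526026a6ddbcea40043e5fd098bf107b0b68f7d9d232eb72ae574.exe",
    964: "WScript.exe",
    1548: "plesk.exe",
    1344: "plesk.exe",
}

EVENTS = """\
1080 WriteProcessMemory 964
1080 WriteProcessMemory 964
1080 WriteProcessMemory 964
1080 WriteProcessMemory 964
1080 WriteProcessMemory 1548
1080 WriteProcessMemory 1548
1080 WriteProcessMemory 1548
1080 WriteProcessMemory 1548
1548 WriteProcessMemory 1344
1548 WriteProcessMemory 1344
1548 WriteProcessMemory 1344
1548 WriteProcessMemory 1344
1548 SetThreadContext 1344
1344 UnmapMainImage 1344
"""


def parse_events(text):
    """Return a list of (pid, api, target_pid) tuples."""
    events = []
    for line in text.splitlines():
        pid, api, target = line.split()
        events.append((int(pid), api, int(target)))
    return events


def cross_process_activity(events):
    """Count APIs per (source, target) pair, ignoring self-targeted calls."""
    by_pair = defaultdict(lambda: defaultdict(int))
    for pid, api, target in events:
        if pid != target:
            by_pair[(pid, target)][api] += 1
    return by_pair


def hollowing_candidates(events, images):
    """A target is a hollowing candidate when one remote process both writes
    into it and sets its thread context; whether its main image was unmapped
    and whether parent and child share an image name (the self-hollowing
    variant seen in this report) are reported alongside."""
    pairs = cross_process_activity(events)
    unmapped = {target for _pid, api, target in events if api == "UnmapMainImage"}
    found = []
    for (src, dst), apis in pairs.items():
        if apis.get("WriteProcessMemory") and apis.get("SetThreadContext"):
            found.append({
                "source": src,
                "target": dst,
                "writes": apis["WriteProcessMemory"],
                "main_image_unmapped": dst in unmapped,
                "same_image": images.get(src) == images.get(dst),
            })
    return found


def write_only_targets(events):
    """Targets written to but never given a new thread context. In this report
    those are the WScript.exe child and the first plesk.exe; writes alone need
    a second indicator before being called injection."""
    pairs = cross_process_activity(events)
    return sorted(dst for (_src, dst), apis in pairs.items()
                  if "SetThreadContext" not in apis)


if __name__ == "__main__":
    ev = parse_events(EVENTS)
    for c in hollowing_candidates(ev, IMAGES):
        print("hollowing candidate:", c)
    print("write-only targets:", write_only_targets(ev))
```

On a real host the same three-API conjunction is what a Sysmon/ETW or EDR rule keys on; the same-image check is what distinguishes this sample's "plesk.exe hollows plesk.exe" from the more common hollowing of a system binary.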
Processes

- C:\Users\Admin\AppData\Local\Temp\3e44e780a76526026a6ddbcea40043e5fd098bf107b0b68f7d9d232eb72ae574.exe (PID 1080, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3e44e780a76526026a6ddbcea40043e5fd098bf107b0b68f7d9d232eb72ae574.exe"
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\WScript.exe (PID 964, depth 2)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\plesk\plesk.vbs"
    (The image path is SysWOW64 although the command line names System32: the 32-bit parent is subject to WOW64 file-system redirection, so the 32-bit script host is what actually runs.)
    - Adds Run key to start application

  - C:\Users\Admin\AppData\Local\Temp\plesk\plesk.exe (PID 1548, depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\plesk\plesk.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    - C:\Users\Admin\AppData\Local\Temp\plesk\plesk.exe (PID 1344, depth 3)
      Command line (as recorded, including the unbalanced trailing quote): C:\Users\Admin\AppData\Local\Temp\plesk\plesk.exe"
      - Executes dropped EXE
      - Suspicious use of UnmapMainImage

PIDs are taken from the Signatures section, where each process appears by PID and image name.
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

C:\Users\Admin\AppData\Local\Temp\plesk\plesk.exe
(Recorded six times in the original export, three of them without the drive letter as \Users\Admin\AppData\Local\Temp\plesk\plesk.exe; all six records are identical. The hashes match the submitted sample in the General section, so the dropped plesk.exe is a byte-identical copy of the original.)
- Filesize: 626KB
- MD5: d2b8bfc68681f6e58838eff7a2cb33c0
- SHA1: 1c365788f6d248efea2a1a7f574efd610866deff
- SHA256: 3e44e780a76526026a6ddbcea40043e5fd098bf107b0b68f7d9d232eb72ae574
- SHA512: 6eeb7aa28dd1a038d8cf87b50c7bc46496cbb6e0b2181ea01bf9b0c0b3601229f84845a6025a21357b2fede93ac34ead37fd96809b0f914f89cae7ca4f43a6dc

C:\Users\Admin\AppData\Local\Temp\plesk\plesk.vbs
- Filesize: 1024B
- MD5: f964ef1908684af0edaffac5e9be4e20
- SHA1: 65b65b4a3398ab4cdd0c4ab1db6eb25f6172cb2c
- SHA256: bba4125f2fabc793609bec64ec8e26c920a2e4213b4eeab3fac338bb716e9143
- SHA512: 26cfd088e96766041ace82a7483cc620eb8ccf7765b6b9f7e987c2eb18561ee895c7f6e66d90712e8d50a88c87a35a3266a1db5829bb1ff0b749af9791a5eda1
Memory dumps

- memory/964-58-0x0000000000000000-mapping.dmp
- memory/1080-65-0x0000000077570000-0x00000000776F0000-memory.dmp (1.5MB)
- memory/1080-56-0x00000000752D1000-0x00000000752D3000-memory.dmp (8KB)
- memory/1080-57-0x0000000000290000-0x0000000000296000-memory.dmp (24KB)
- memory/1344-71-0x000000000047F08E-mapping.dmp
- memory/1344-76-0x0000000000400000-0x000000000042C000-memory.dmp (176KB)
- memory/1344-82-0x0000000077570000-0x00000000776F0000-memory.dmp (1.5MB)
- memory/1344-83-0x0000000077570000-0x00000000776F0000-memory.dmp (1.5MB)
- memory/1548-62-0x0000000000000000-mapping.dmp
- memory/1548-73-0x0000000077570000-0x00000000776F0000-memory.dmp (1.5MB)
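Two yara hits are listed under Signatures, but they are not equally strong. The 0x400000-0x42C000 region exists only in PID 1344 (the hollowed child), while 0x77570000-0x776F0000 is dumped from PIDs 1080, 1344 and 1548 at the same address and size, which is the pattern of a shared mapping such as a system DLL rather than a private payload. The Python below is an added example for this page (not sandbox code) that parses the dump names above, groups regions by address range, and marks each yara hit as private or shared so that the second hit is verified before it is reported as payload.

```python
"""Sort the memory dumps above into private and shared regions and cross them
with the yara hits.

Added example for this report (not sandbox code). DUMPS is copied from the
memory dump list and YARA_HITS from the Signatures section."""
import re
from collections import defaultdict

DUMPS = [
    "memory/964-58-0x0000000000000000-mapping.dmp",
    "memory/1080-65-0x0000000077570000-0x00000000776F0000-memory.dmp",
    "memory/1080-56-0x00000000752D1000-0x00000000752D3000-memory.dmp",
    "memory/1080-57-0x0000000000290000-0x0000000000296000-memory.dmp",
    "memory/1344-71-0x000000000047F08E-mapping.dmp",
    "memory/1344-76-0x0000000000400000-0x000000000042C000-memory.dmp",
    "memory/1344-82-0x0000000077570000-0x00000000776F0000-memory.dmp",
    "memory/1344-83-0x0000000077570000-0x00000000776F0000-memory.dmp",
    "memory/1548-62-0x0000000000000000-mapping.dmp",
    "memory/1548-73-0x0000000077570000-0x00000000776F0000-memory.dmp",
]

YARA_HITS = {
    "behavioral1/memory/1344-76-0x0000000000400000-0x000000000042C000-memory.dmp": "netwire",
    "behavioral1/memory/1344-82-0x0000000077570000-0x00000000776F0000-memory.dmp": "netwire",
}

# <task>/memory/<pid>-<seq>-0x<start>[-0x<end>]-(memory|mapping).dmp
NAME_RE = re.compile(
    r"^(?:behavioral\d+/)?memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)"
    r"(?:-0x([0-9A-Fa-f]+))?-(memory|mapping)\.dmp$")


def parse_dump_name(name):
    """Split a dump file name into pid, sequence, address range, kind and size."""
    m = NAME_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name!r}")
    pid, seq, start, end, kind = m.groups()
    start = int(start, 16)
    end = int(end, 16) if end else None
    return {"pid": int(pid), "seq": int(seq), "start": start, "end": end,
            "kind": kind, "size": (end - start) if end else 0}


def regions_by_range(dumps):
    """Map each (start, end) range of a memory dump to the set of PIDs it was
    dumped from; mapping.dmp entries carry no range and are skipped."""
    by_range = defaultdict(set)
    for d in map(parse_dump_name, dumps):
        if d["kind"] == "memory":
            by_range[(d["start"], d["end"])].add(d["pid"])
    return by_range


def private_regions(dumps):
    """Ranges dumped from exactly one process: the candidates for injected code."""
    return [rng for rng, pids in regions_by_range(dumps).items() if len(pids) == 1]


def classify_yara_hits(dumps, hits):
    """Label each yara hit 'private' (range seen in one PID) or 'shared'
    (identical range in several PIDs). A shared range at a high user-mode
    address is usually a system DLL mapping, so a rule hit there should be
    confirmed against the DLL on disk before it is reported as payload."""
    by_range = regions_by_range(dumps)
    out = {}
    for name, rule in hits.items():
        d = parse_dump_name(name)
        pids = by_range[(d["start"], d["end"])]
        out[name] = {"rule": rule, "pid": d["pid"], "size_kb": d["size"] // 1024,
                     "mapped_in": sorted(pids),
                     "verdict": "private" if len(pids) == 1 else "shared"}
    return out


if __name__ == "__main__":
    for name, info in classify_yara_hits(DUMPS, YARA_HITS).items():
        print(f"{info['verdict']:8} {info['size_kb']:>5}KB pids={info['mapped_in']} {name}")
```

Extracting the private 176KB region from PID 1344 and checking it for a PE header is the next step if the NetWire config above needs to be re-derived by hand; the shared 1.5MB region should be compared against the same range in PID 1080, which never hosted the payload.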