Analysis
max time kernel: 149s
max time network: 48s
platform: windows7_x64
resource: win7-20220715-en
resource tags: arch:x64, arch:x86, image:win7-20220715-en, locale:en-us, os:windows7-x64, system
submitted: 31-07-2022 06:38
Static task: static1
Behavioral task: behavioral1
Sample: a2cfd560eb6407185f6d5099d6c153cd88d9d4e55b725b2e7d560b240d2b917b.exe
Resource: win7-20220715-en
General
Target: a2cfd560eb6407185f6d5099d6c153cd88d9d4e55b725b2e7d560b240d2b917b.exe
Size: 784KB
MD5: da62ec3593d48b259a93a8ccf98ac487
SHA1: 9cc217b195b5ddb10b068681c41b999a4f42ad32
SHA256: a2cfd560eb6407185f6d5099d6c153cd88d9d4e55b725b2e7d560b240d2b917b
SHA512: 3369fb9af4da2869fbb5e7740bfbeac76860d282e9fcdea2c9abfbafb745edd81feb64e3013e4ae32d967b3b15dcbd32461a847956150dc730830ec28e6db878
Malware Config
Signatures
NetWire RAT payload (1 IoC)
Processes:
  resource                                                                       yara_rule
  behavioral1/memory/1408-66-0x0000000000400000-0x0000000000425000-memory.dmp    netwire

Executes dropped EXE (2 IoCs)
Processes:
  pid   process
  1984  billisou.exe
  1408  billisou.exe

Loads dropped DLL (2 IoCs)
Processes:
  pid   process
  1832  a2cfd560eb6407185f6d5099d6c153cd88d9d4e55b725b2e7d560b240d2b917b.exe
  1832  a2cfd560eb6407185f6d5099d6c153cd88d9d4e55b725b2e7d560b240d2b917b.exe

Suspicious use of SetThreadContext (1 IoC)
Processes:
  description                                pid   process       target process
  PID 1984 set thread context of 1408        1984  billisou.exe  billisou.exe

NTFS ADS (1 IoC)
Processes:
  description   ioc                                                                 process
  File created  C:\Users\Admin\AppData\Roaming\billingou\billisou.exe:ZoneIdentifier  a2cfd560eb6407185f6d5099d6c153cd88d9d4e55b725b2e7d560b240d2b917b.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid   process
  1832  a2cfd560eb6407185f6d5099d6c153cd88d9d4e55b725b2e7d560b240d2b917b.exe
  1984  billisou.exe

Suspicious behavior: MapViewOfSection (2 IoCs)
Processes:
  pid   process
  1984  billisou.exe
  1984  billisou.exe

Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
  description                        pid   process                                                                   target process
  PID 1832 wrote to memory of 1984   1832  a2cfd560eb6407185f6d5099d6c153cd88d9d4e55b725b2e7d560b240d2b917b.exe  billisou.exe
  PID 1832 wrote to memory of 1984   1832  a2cfd560eb6407185f6d5099d6c153cd88d9d4e55b725b2e7d560b240d2b917b.exe  billisou.exe
  PID 1832 wrote to memory of 1984   1832  a2cfd560eb6407185f6d5099d6c153cd88d9d4e55b725b2e7d560b240d2b917b.exe  billisou.exe
  PID 1832 wrote to memory of 1984   1832  a2cfd560eb6407185f6d5099d6c153cd88d9d4e55b725b2e7d560b240d2b917b.exe  billisou.exe
  PID 1984 wrote to memory of 1408   1984  billisou.exe                                                              billisou.exe
  PID 1984 wrote to memory of 1408   1984  billisou.exe                                                              billisou.exe
  PID 1984 wrote to memory of 1408   1984  billisou.exe                                                              billisou.exe
  PID 1984 wrote to memory of 1408   1984  billisou.exe                                                              billisou.exe
Processes
(level 1) C:\Users\Admin\AppData\Local\Temp\a2cfd560eb6407185f6d5099d6c153cd88d9d4e55b725b2e7d560b240d2b917b.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\a2cfd560eb6407185f6d5099d6c153cd88d9d4e55b725b2e7d560b240d2b917b.exe"
  - Loads dropped DLL
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 1832
  (level 2) C:\Users\Admin\AppData\Roaming\billingou\billisou.exe
    command line: "C:\Users\Admin\AppData\Roaming\billingou\billisou.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID: 1984
    (level 3) C:\Users\Admin\AppData\Roaming\billingou\billisou.exe
      command line: "C:\Users\Admin\AppData\Roaming\billingou\billisou.exe"
      - Executes dropped EXE
      PID: 1408
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 784KB
MD5: da62ec3593d48b259a93a8ccf98ac487
SHA1: 9cc217b195b5ddb10b068681c41b999a4f42ad32
SHA256: a2cfd560eb6407185f6d5099d6c153cd88d9d4e55b725b2e7d560b240d2b917b
SHA512: 3369fb9af4da2869fbb5e7740bfbeac76860d282e9fcdea2c9abfbafb745edd81feb64e3013e4ae32d967b3b15dcbd32461a847956150dc730830ec28e6db878