Analysis
- max time kernel: 151s
- max time network: 130s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 22-09-2022 10:39
Static task: static1
Behavioral task: behavioral1
- Sample: c3da75b39650dd66fa445a7a120b6383.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: c3da75b39650dd66fa445a7a120b6383.exe
- Resource: win10v2004-20220812-en
General
- Target: c3da75b39650dd66fa445a7a120b6383.exe
- Size: 1.2MB
- MD5: c3da75b39650dd66fa445a7a120b6383
- SHA1: 22e7e85a8ba70a9d5e4c1cfb74365418ef5f45fe
- SHA256: 67f5ddf21cf15cefce056ddbe7bbcb3a3a7cd3551c0c1aec77360de58d820786
- SHA512: a6e6cf1b95a314bc3bf81cee1aadc3657df3d40dba3518480cbe1e121cda6dc3a8a50cc3e3f5d13188a788783db612c1b1d51d3652c92de865a2ed8ca555bac4
- SSDEEP: 24576:MAOcZXgZd9/IhSnxay31+k97w84cKSVlioyvt1qztey4Zodu:a3YSMA1+YUcKsscey4Zh
Malware Config
Signatures
- NetWire RAT payload (5 IoCs)
  Memory regions matching the netwire YARA rule:
  - behavioral1/memory/1640-69-0x00000000004126D0-mapping.dmp
  - behavioral1/memory/1640-68-0x0000000000410000-0x00000000008D0000-memory.dmp
  - behavioral1/memory/1640-73-0x0000000000410000-0x00000000008D0000-memory.dmp
  - behavioral1/memory/1640-74-0x0000000000410000-0x00000000008D0000-memory.dmp
  - behavioral1/memory/1640-75-0x0000000000410000-0x00000000008D0000-memory.dmp
- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
  - 956 gbaxx.pif
  - 1640 RegSvcs.exe
- Loads dropped DLL (5 IoCs)
  Processes (pid, process):
  - 2044 c3da75b39650dd66fa445a7a120b6383.exe (listed 4 times)
  - 956 gbaxx.pif
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Registry keys opened by RegSvcs.exe:
  - \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  - \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  - \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Registry activity by gbaxx.pif:
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\4_71\\gbaxx.pif C:\\Users\\Admin\\4_71\\aqxxu.gci"
- Suspicious use of SetThreadContext (1 IoC)
  - PID 956 (gbaxx.pif) set thread context of PID 1640 (RegSvcs.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid, process):
  - 956 gbaxx.pif (listed 64 times)
- Suspicious use of WriteProcessMemory (13 IoCs)
  Source PID (process) wrote to memory of target PID (process):
  - 2044 (c3da75b39650dd66fa445a7a120b6383.exe) wrote to memory of 956 (gbaxx.pif), 4 times
  - 956 (gbaxx.pif) wrote to memory of 1640 (RegSvcs.exe), 9 times
- outlook_office_path (1 IoC)
  - Key opened by RegSvcs.exe: \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- outlook_win_path (1 IoC)
  - Key opened by RegSvcs.exe: \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Processes (tree, numbered by depth)
1. C:\Users\Admin\AppData\Local\Temp\c3da75b39650dd66fa445a7a120b6383.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\c3da75b39650dd66fa445a7a120b6383.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\4_71\gbaxx.pif
      Command line: "C:\Users\Admin\4_71\gbaxx.pif" aqxxu.gci
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
         - Executes dropped EXE
         - Accesses Microsoft Outlook profiles
         - outlook_office_path
         - outlook_win_path
Downloads (dropped files)
- C:\Users\Admin\4_71\aqxxu.gci (226.8MB)
  MD5: 370cc30e19b9eb90227bc3ff8686280a
  SHA1: b44e78a9f062f2cb4a0f67201276b7bcf81bcb54
  SHA256: 2865f37fdfb83c7481753c4a27d95d26104b385a87d8dd06f849a63f9964ac0f
  SHA512: 53387dd4d717ec4335d6ee41c1df089584acdf743f8aeb57efec2499777ffc85f6de51cb25bbb2635079394f461c2a13638f7af06858814bdf8744b9172bcd9c
- C:\Users\Admin\4_71\gbaxx.pif (1.3MB)
  MD5: 92b9ea22338dcd34bc1d8bef60a635a4
  SHA1: b7da7f7f1533e073463ba02f986e5c17e15d39c3
  SHA256: 21dd8e3960c9e3f987a40d30fdb7ebbe9139dfa9b5e5700e36cbd209f36269d0
  SHA512: ff8922aab4ef89f6c67921274a35c558f88e419e43312252a744123e25981f2f297c6bc00ac57d462f66cf99ce24cc642a2fbf84861c0875d30486271fb712f5
- C:\Users\Admin\4_71\qsxmcps.oui (255KB)
  MD5: a06e1db61565c81aee8af18c64a65b8a
  SHA1: 775d179131afe20d03361bd355d6a4ae9de07d40
  SHA256: a43b300e39bc4a56b73a4f20910888e2da961534508eb51ff65917b3b16e6b27
  SHA512: 930f7872c5f48dab379b9dcc890c09527a58e1d3c5ad3884584dbcd5416641732a6882ab931319fef0b79e0eedd883931182fb97c32f7b3001059bc98a9f2182
- C:\Users\Admin\4_71\vjxctlj.icm (59KB)
  MD5: 15d718c9cd8d542707d1678c7e07977c
  SHA1: b75383d90e81780b7273cbf9897ae5e49c08c2ad
  SHA256: 0479c71d29a13c33f1d41443fe86cad1eaaaa479ae2babc56ca89540e5db5470
  SHA512: 96c163a2c3faa1904de26bd3196aa5f45e79d06cd81607812c617c121e44d017da6f8f95b7e13b6da7a76adb88490cf8db38095e486b7def1001770ec2f096af
- C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe (44KB)
  MD5: 0e06054beb13192588e745ee63a84173
  SHA1: 30b7d4d1277bafd04a83779fd566a1f834a8d113
  SHA256: c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768
  SHA512: 251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215
Memory dumps
- memory/956-59-0x0000000000000000-mapping.dmp
- memory/1640-66-0x0000000000410000-0x00000000008D0000-memory.dmp (4.8MB)
- memory/1640-69-0x00000000004126D0-mapping.dmp
- memory/1640-68-0x0000000000410000-0x00000000008D0000-memory.dmp (4.8MB)
- memory/1640-73-0x0000000000410000-0x00000000008D0000-memory.dmp (4.8MB)
- memory/1640-74-0x0000000000410000-0x00000000008D0000-memory.dmp (4.8MB)
- memory/1640-75-0x0000000000410000-0x00000000008D0000-memory.dmp (4.8MB)
- memory/2044-54-0x0000000075F81000-0x0000000075F83000-memory.dmp (8KB)