Analysis
max time kernel
150s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags
arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
submitted
22-09-2022 10:39
Static task
static1
Behavioral task
behavioral1
Sample
c3da75b39650dd66fa445a7a120b6383.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
c3da75b39650dd66fa445a7a120b6383.exe
Resource
win10v2004-20220812-en
General
Target
c3da75b39650dd66fa445a7a120b6383.exe
Size
1.2MB
MD5
c3da75b39650dd66fa445a7a120b6383
SHA1
22e7e85a8ba70a9d5e4c1cfb74365418ef5f45fe
SHA256
67f5ddf21cf15cefce056ddbe7bbcb3a3a7cd3551c0c1aec77360de58d820786
SHA512
a6e6cf1b95a314bc3bf81cee1aadc3657df3d40dba3518480cbe1e121cda6dc3a8a50cc3e3f5d13188a788783db612c1b1d51d3652c92de865a2ed8ca555bac4
SSDEEP
24576:MAOcZXgZd9/IhSnxay31+k97w84cKSVlioyvt1qztey4Zodu:a3YSMA1+YUcKsscey4Zh
Malware Config
Signatures
NetWire RAT payload 5 IoCs
resource | yara_rule
behavioral2/memory/4800-138-0x0000000000F00000-0x0000000001646000-memory.dmp | netwire
behavioral2/memory/4800-139-0x0000000000F026D0-mapping.dmp | netwire
behavioral2/memory/4800-142-0x0000000000F00000-0x0000000001646000-memory.dmp | netwire
behavioral2/memory/4800-143-0x0000000000F00000-0x0000000001646000-memory.dmp | netwire
behavioral2/memory/4800-144-0x0000000000F00000-0x0000000001646000-memory.dmp | netwire

Executes dropped EXE 2 IoCs
pid | process
868 | gbaxx.pif
4800 | RegSvcs.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | c3da75b39650dd66fa445a7a120b6383.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe

Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | gbaxx.pif
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\4_71\\gbaxx.pif C:\\Users\\Admin\\4_71\\aqxxu.gci" | gbaxx.pif

Suspicious use of SetThreadContext 1 IoCs
description | pid | process | target process
PID 868 set thread context of 4800 | 868 | gbaxx.pif | RegSvcs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | process
868 | gbaxx.pif (64 identical entries)

Suspicious use of WriteProcessMemory 8 IoCs
description | pid | process | target process
PID 384 wrote to memory of 868 | 384 | c3da75b39650dd66fa445a7a120b6383.exe | gbaxx.pif (3 identical entries)
PID 868 wrote to memory of 4800 | 868 | gbaxx.pif | RegSvcs.exe (5 identical entries)

outlook_office_path 1 IoCs
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe

outlook_win_path 1 IoCs
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
Processes
C:\Users\Admin\AppData\Local\Temp\c3da75b39650dd66fa445a7a120b6383.exe (PID 384)
  command line: "C:\Users\Admin\AppData\Local\Temp\c3da75b39650dd66fa445a7a120b6383.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\4_71\gbaxx.pif (PID 868, child of 384)
    command line: "C:\Users\Admin\4_71\gbaxx.pif" aqxxu.gci
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe (PID 4800, child of 868)
      command line: "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - outlook_office_path
      - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\4_71\aqxxu.gci
Filesize
226.8MB
MD5
370cc30e19b9eb90227bc3ff8686280a
SHA1
b44e78a9f062f2cb4a0f67201276b7bcf81bcb54
SHA256
2865f37fdfb83c7481753c4a27d95d26104b385a87d8dd06f849a63f9964ac0f
SHA512
53387dd4d717ec4335d6ee41c1df089584acdf743f8aeb57efec2499777ffc85f6de51cb25bbb2635079394f461c2a13638f7af06858814bdf8744b9172bcd9c

C:\Users\Admin\4_71\gbaxx.pif
Filesize
1.3MB
MD5
92b9ea22338dcd34bc1d8bef60a635a4
SHA1
b7da7f7f1533e073463ba02f986e5c17e15d39c3
SHA256
21dd8e3960c9e3f987a40d30fdb7ebbe9139dfa9b5e5700e36cbd209f36269d0
SHA512
ff8922aab4ef89f6c67921274a35c558f88e419e43312252a744123e25981f2f297c6bc00ac57d462f66cf99ce24cc642a2fbf84861c0875d30486271fb712f5

C:\Users\Admin\4_71\gbaxx.pif
Filesize
1.3MB
MD5
92b9ea22338dcd34bc1d8bef60a635a4
SHA1
b7da7f7f1533e073463ba02f986e5c17e15d39c3
SHA256
21dd8e3960c9e3f987a40d30fdb7ebbe9139dfa9b5e5700e36cbd209f36269d0
SHA512
ff8922aab4ef89f6c67921274a35c558f88e419e43312252a744123e25981f2f297c6bc00ac57d462f66cf99ce24cc642a2fbf84861c0875d30486271fb712f5

C:\Users\Admin\4_71\qsxmcps.oui
Filesize
255KB
MD5
a06e1db61565c81aee8af18c64a65b8a
SHA1
775d179131afe20d03361bd355d6a4ae9de07d40
SHA256
a43b300e39bc4a56b73a4f20910888e2da961534508eb51ff65917b3b16e6b27
SHA512
930f7872c5f48dab379b9dcc890c09527a58e1d3c5ad3884584dbcd5416641732a6882ab931319fef0b79e0eedd883931182fb97c32f7b3001059bc98a9f2182

C:\Users\Admin\4_71\vjxctlj.icm
Filesize
59KB
MD5
15d718c9cd8d542707d1678c7e07977c
SHA1
b75383d90e81780b7273cbf9897ae5e49c08c2ad
SHA256
0479c71d29a13c33f1d41443fe86cad1eaaaa479ae2babc56ca89540e5db5470
SHA512
96c163a2c3faa1904de26bd3196aa5f45e79d06cd81607812c617c121e44d017da6f8f95b7e13b6da7a76adb88490cf8db38095e486b7def1001770ec2f096af

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
Filesize
44KB
MD5
9d352bc46709f0cb5ec974633a0c3c94
SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07
SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390
SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

memory/868-132-0x0000000000000000-mapping.dmp

memory/4800-138-0x0000000000F00000-0x0000000001646000-memory.dmp
Filesize
7.3MB

memory/4800-139-0x0000000000F026D0-mapping.dmp

memory/4800-142-0x0000000000F00000-0x0000000001646000-memory.dmp
Filesize
7.3MB

memory/4800-143-0x0000000000F00000-0x0000000001646000-memory.dmp
Filesize
7.3MB

memory/4800-144-0x0000000000F00000-0x0000000001646000-memory.dmp
Filesize
7.3MB