Analysis

  • max time kernel
    134s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    02-10-2022 22:52

General

  • Target

    bf6a763be37b940d0ab0ca6d8d5cbba15366861f36acf4e98e4249f92f445e39.exe

  • Size

    194KB

  • MD5

    668d157ae4a5f12573f9711d5c545c20

  • SHA1

    ad7ff5f2fdb495a21c13656bb6ab8269b37b580e

  • SHA256

    bf6a763be37b940d0ab0ca6d8d5cbba15366861f36acf4e98e4249f92f445e39

  • SHA512

    245cd610ec06f30662b7be887f86b4b75f9c2947240837b7699df1a58301f4d2c6a1c2dbfea30a5df629f48a2eb11445bf0a638e4ad8a603069a8949a7f9735b

  • SSDEEP

    3072:JjQONxHpxhA2H/hegAuhIR/M5eWsJzayw8zcXyNYCQk2eDwXJQ6p:ScHm2Y0hPeWKzayFzvCCvzSJQ

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • NetWire RAT payload 5 IoCs
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bf6a763be37b940d0ab0ca6d8d5cbba15366861f36acf4e98e4249f92f445e39.exe
    "C:\Users\Admin\AppData\Local\Temp\bf6a763be37b940d0ab0ca6d8d5cbba15366861f36acf4e98e4249f92f445e39.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1988
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      2⤵
      • Drops file in Windows directory
      PID:1284
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d explorer.exe,"C:\Users\Admin\AppData\Local\Temp\csc.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1792
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d explorer.exe,"C:\Users\Admin\AppData\Local\Temp\csc.exe"
        3⤵
        • Modifies WinLogon for persistence
        PID:912

Network

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Winlogon Helper DLL

1
T1004

Defense Evasion

Modify Registry

1
T1112

Discovery

System Information Discovery

1
T1082

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/912-71-0x0000000000000000-mapping.dmp
  • memory/1284-62-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

  • memory/1284-57-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

  • memory/1284-58-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

  • memory/1284-60-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

  • memory/1284-64-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

  • memory/1284-65-0x00000000004021DA-mapping.dmp
  • memory/1284-68-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

  • memory/1284-69-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

  • memory/1792-70-0x0000000000000000-mapping.dmp
  • memory/1988-56-0x00000000747E0000-0x0000000074D8B000-memory.dmp
    Filesize

    5.7MB

  • memory/1988-54-0x0000000075911000-0x0000000075913000-memory.dmp
    Filesize

    8KB

  • memory/1988-55-0x00000000747E0000-0x0000000074D8B000-memory.dmp
    Filesize

    5.7MB