Analysis
max time kernel: 134s
max time network: 152s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 02-10-2022 22:52
Static task: static1
Behavioral task: behavioral1
  Sample: bf6a763be37b940d0ab0ca6d8d5cbba15366861f36acf4e98e4249f92f445e39.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: bf6a763be37b940d0ab0ca6d8d5cbba15366861f36acf4e98e4249f92f445e39.exe
  Resource: win10v2004-20220812-en
General
Target: bf6a763be37b940d0ab0ca6d8d5cbba15366861f36acf4e98e4249f92f445e39.exe
Size: 194KB
MD5: 668d157ae4a5f12573f9711d5c545c20
SHA1: ad7ff5f2fdb495a21c13656bb6ab8269b37b580e
SHA256: bf6a763be37b940d0ab0ca6d8d5cbba15366861f36acf4e98e4249f92f445e39
SHA512: 245cd610ec06f30662b7be887f86b4b75f9c2947240837b7699df1a58301f4d2c6a1c2dbfea30a5df629f48a2eb11445bf0a638e4ad8a603069a8949a7f9735b
SSDEEP: 3072:JjQONxHpxhA2H/hegAuhIR/M5eWsJzayw8zcXyNYCQk2eDwXJQ6p:ScHm2Y0hPeWKzayFzvCCvzSJQ
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes: reg.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\csc.exe" | reg.exe
Winlogon launches every comma-separated entry of the Shell value at logon, so the appended C:\Users\Admin\AppData\Local\Temp\csc.exe starts alongside explorer.exe each time this user signs in. The value is written under the user's own hive (HKCU), so no elevation is needed to set it.
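The following is an added example for this report, not part of the sandbox's output: it audits a Winlogon Shell value of the kind recorded above, splitting it into the entries Winlogon would launch, flagging anything other than the default shell, and emitting the command to undo the change. The sample value is the one the report shows reg.exe (PID 912) writing; the `reg query` text, the policy that only explorer.exe (bare or in C:\Windows) is a legitimate shell, and the list of staging directories are assumptions to adjust per environment.

```python
"""Audit a Winlogon Shell value for appended persistence entries.

Added example, not sandbox code. Read the live value on a host with:
  reg query "HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon" /v shell
"""
import csv
import ntpath
import re
from typing import Optional

# Winlogon starts every comma-separated entry of Shell at logon. The only
# expected entry is explorer.exe (assumption: no custom shell is deployed).
EXPECTED_SHELL = {"explorer.exe"}
SYSTEM_DIRS = ("", "c:\\windows")                 # assumption: system drive is C:
STAGING_DIRS = ("\\appdata\\local\\temp\\", "\\temp\\",
                "\\users\\public\\", "\\programdata\\")  # assumption: user-writable

WINLOGON_KEY = r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Value the report records reg.exe writing (single backslashes; the report
# shows the same string with escaped backslashes).
SAMPLE_SHELL = r"explorer.exe,C:\Users\Admin\AppData\Local\Temp\csc.exe"

# Constructed: what `reg query ... /v shell` prints after that `reg add` ran.
SAMPLE_REG_QUERY = """
HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon
    shell    REG_SZ    explorer.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\csc.exe

"""


def parse_reg_query_value(text: str, name: str = "shell") -> Optional[str]:
    """Return the data of one value from `reg query` output.

    Value lines are indented: name, type and data separated by whitespace;
    the data itself may contain spaces, so it is taken to end of line.
    """
    for line in text.splitlines():
        m = re.match(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$", line)
        if m and m.group(1).lower() == name.lower():
            return m.group(3).rstrip()
    return None


def split_shell_entries(value: str) -> list:
    """Split on commas, honouring double-quoted entries that contain commas."""
    row = next(csv.reader([value], skipinitialspace=True))
    return [e.strip() for e in row if e.strip()]


def audit_shell(value: str) -> list:
    """One finding per entry that is not the expected shell in a system dir."""
    findings = []
    for entry in split_shell_entries(value):
        lowered = entry.lower()
        name, directory = ntpath.basename(lowered), ntpath.dirname(lowered)
        if name in EXPECTED_SHELL and directory in SYSTEM_DIRS:
            continue
        reasons = []
        if name not in EXPECTED_SHELL:
            reasons.append(f"unexpected executable {name!r}")
        if directory and directory not in SYSTEM_DIRS:
            reasons.append("outside the Windows directory")
        if any(d in lowered for d in STAGING_DIRS):
            reasons.append("user-writable staging directory")
        findings.append({"entry": entry, "reasons": reasons})
    return findings


def remediation(value: str) -> list:
    """Commands that undo the persistence.

    A per-user Shell override is unnecessary when only the default shell
    remains, so the value is deleted rather than rewritten in that case.
    """
    keep = [e for e in split_shell_entries(value)
            if ntpath.basename(e.lower()) in EXPECTED_SHELL]
    if not keep or keep == ["explorer.exe"]:
        return [f'reg delete "{WINLOGON_KEY}" /v shell /f']
    joined = ",".join(keep)
    return [f'reg add "{WINLOGON_KEY}" /f /v shell /t REG_SZ /d "{joined}"']


if __name__ == "__main__":
    value = parse_reg_query_value(SAMPLE_REG_QUERY)
    for finding in audit_shell(value):
        print(finding)
    print(remediation(value))
```

The csv-based split matters because a quoted entry such as `"C:\Program Files\a, b\x.exe"` is one shell entry to Winlogon but two fields to a naive `split(",")`.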
NetWire RAT payload (5 IoCs)
Processes: memory dumps of PID 1284 (cvtres.exe)
resource | yara_rule
behavioral1/memory/1284-62-0x0000000000400000-0x000000000041E000-memory.dmp | netwire
behavioral1/memory/1284-64-0x0000000000400000-0x000000000041E000-memory.dmp | netwire
behavioral1/memory/1284-65-0x00000000004021DA-mapping.dmp | netwire
behavioral1/memory/1284-68-0x0000000000400000-0x000000000041E000-memory.dmp | netwire
behavioral1/memory/1284-69-0x0000000000400000-0x000000000041E000-memory.dmp | netwire
All five hits are in memory dumps of PID 1284, the cvtres.exe process that PID 1988 wrote into and redirected with SetThreadContext, so the NetWire payload is recovered from that process's memory (the 0x400000-0x41E000 region) rather than from the dropper on disk.
Suspicious use of SetThreadContext (1 IoC)
Processes: bf6a763be37b940d0ab0ca6d8d5cbba15366861f36acf4e98e4249f92f445e39.exe
description | pid | process | target process
PID 1988 set thread context of 1284 | 1988 | bf6a763be37b940d0ab0ca6d8d5cbba15366861f36acf4e98e4249f92f445e39.exe | cvtres.exe
Drops file in Windows directory (2 IoCs)
Processes: cvtres.exe
description | ioc | process
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\.Identifier | cvtres.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\.Identifier | cvtres.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description of this signature calls it likely ransomware behaviour; here the YARA hits above identify the payload as NetWire RAT, and no file encryption is recorded in this report.
Suspicious use of WriteProcessMemory (17 IoCs; identical rows collapsed, with counts)
Processes: bf6a763be37b940d0ab0ca6d8d5cbba15366861f36acf4e98e4249f92f445e39.exe, cmd.exe
description | pid | process | target process | occurrences
PID 1988 wrote to memory of 1284 | 1988 | bf6a763be37b940d0ab0ca6d8d5cbba15366861f36acf4e98e4249f92f445e39.exe | cvtres.exe | 9
PID 1988 wrote to memory of 1792 | 1988 | bf6a763be37b940d0ab0ca6d8d5cbba15366861f36acf4e98e4249f92f445e39.exe | cmd.exe | 4
PID 1792 wrote to memory of 912 | 1792 | cmd.exe | reg.exe | 4
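The SetThreadContext and WriteProcessMemory signatures above are only meaningful together: a handful of cross-process writes accompany any ordinary CreateProcess (the cmd.exe and reg.exe pairs in this report show the same four-write pattern), while a parent that both writes into a child and replaces its thread context is the classic process-hollowing sequence, here with the .NET Framework's cvtres.exe as the host. The following is an added example, not sandbox code: it reconstructs the report's API rows as event records and flags only the pairs that meet both conditions. The record field names and the staging-directory list are assumptions.

```python
"""Separate process hollowing from ordinary child-process writes.

Added example, not sandbox code. EVENTS is constructed from the report's
own WriteProcessMemory and SetThreadContext rows (PIDs 1988, 1284, 1792, 912).
"""
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\bf6a763be37b940d0ab0ca6d8d5cbba15366861f36acf4e98e4249f92f445e39.exe"
CVTRES = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
REG = r"C:\Windows\SysWOW64\reg.exe"

# Assumption: directories a legitimate writer of another process's memory
# would not normally run from.
STAGING_DIRS = ("\\appdata\\local\\temp\\", "\\users\\public\\", "\\programdata\\")


def _rows(api, pid, image, target_pid, target_image, count):
    """Build `count` identical event records (field names are assumptions)."""
    return [{"api": api, "pid": pid, "image": image,
             "target_pid": target_pid, "target_image": target_image}] * count


# Constructed from the report: 9 writes plus 1 SetThreadContext into cvtres.exe,
# 4 writes into cmd.exe, and 4 writes by cmd.exe into reg.exe.
EVENTS = (_rows("WriteProcessMemory", 1988, SAMPLE, 1284, CVTRES, 9)
          + _rows("SetThreadContext", 1988, SAMPLE, 1284, CVTRES, 1)
          + _rows("WriteProcessMemory", 1988, SAMPLE, 1792, CMD, 4)
          + _rows("WriteProcessMemory", 1792, CMD, 912, REG, 4))


def find_hollowing(events):
    """Flag (writer, target) pairs that saw both WriteProcessMemory and
    SetThreadContext. Writes alone are noise (CreateProcess produces them);
    a replaced thread context on a process the writer also wrote into is not.
    """
    pairs = defaultdict(lambda: {"apis": set(), "writes": 0})
    for e in events:
        p = pairs[(e["pid"], e["target_pid"])]
        p["apis"].add(e["api"])
        p["writes"] += e["api"] == "WriteProcessMemory"
        p["image"], p["target_image"] = e["image"], e["target_image"]

    hits = []
    for (pid, target_pid), p in pairs.items():
        if not {"WriteProcessMemory", "SetThreadContext"} <= p["apis"]:
            continue
        src, dst = p["image"].lower(), p["target_image"].lower()
        reasons = ["WriteProcessMemory and SetThreadContext on the same child"]
        if dst.startswith("c:\\windows\\"):
            reasons.append("target is a Windows-directory binary used as host")
        if any(d in src for d in STAGING_DIRS):
            reasons.append("writer runs from a user-writable staging directory")
        hits.append({"pid": pid, "target_pid": target_pid,
                     "target": p["target_image"], "writes": p["writes"],
                     "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_hollowing(EVENTS):
        print(hit)
```

Run against the report's rows this yields exactly one hit, 1988 into 1284 (cvtres.exe), and nothing for the cmd.exe and reg.exe spawns; dropping the single SetThreadContext event makes the hit disappear, which is why that API is the one to alert on and WriteProcessMemory only provides the corroborating write count.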
Processes
C:\Users\Admin\AppData\Local\Temp\bf6a763be37b940d0ab0ca6d8d5cbba15366861f36acf4e98e4249f92f445e39.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\bf6a763be37b940d0ab0ca6d8d5cbba15366861f36acf4e98e4249f92f445e39.exe"
  PID: 1988
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    PID: 1284
    - Drops file in Windows directory
  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d explorer.exe,"C:\Users\Admin\AppData\Local\Temp\csc.exe"
    PID: 1792
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\reg.exe
      command line: reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d explorer.exe,"C:\Users\Admin\AppData\Local\Temp\csc.exe"
      PID: 912
      - Modifies WinLogon for persistence
Indentation shows parent/child depth. cmd.exe and reg.exe resolve to SysWOW64 although the command line names System32: the sample is a 32-bit process on the x64 image, so file-system redirection applies to the children it starts, and the cvtres.exe it hollows is the 32-bit copy under Framework (not Framework64).