Analysis
-
max time kernel
11s
-
platform
windows7_x64
-
resource
win7-20220812-en
-
resource tags
arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system
-
submitted
23-10-2022 17:33
Static task
static1
Behavioral task
behavioral1
Sample
2b1245c4547eee5a4545431f1969ab4dd5ba8ac4d0d2dd758d3c77a250e6ddb8.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
2b1245c4547eee5a4545431f1969ab4dd5ba8ac4d0d2dd758d3c77a250e6ddb8.exe
Resource
win10v2004-20220812-en
General
-
Target
2b1245c4547eee5a4545431f1969ab4dd5ba8ac4d0d2dd758d3c77a250e6ddb8.exe
-
Size
1.3MB
-
MD5
5c9ad0440fefa31403bd944a1a10a3b8
-
SHA1
2707299e9ec7fb2173f6afb2e23a4d74865cf5a3
-
SHA256
2b1245c4547eee5a4545431f1969ab4dd5ba8ac4d0d2dd758d3c77a250e6ddb8
-
SHA512
9b5b620be47d31f652d0100d891808f9b6baff7177c17604be6b0eb9cc731737e610ff47f83ffe8b9f50da48107087be06e74b75347f8d460b35a83d366c1078
-
SSDEEP
24576:AemBdOxLFDApSPKk48wxpb4YLDrvomDMzqZB:0BiLFssPH48ApZDrYzq
Malware Config
Extracted
netwire
banqueislamik.ddrive.online:3360
-
activex_autorun
false
-
copy_executable
false
-
delete_original
false
-
host_id
SALUT
-
lock_executable
false
-
offline_keylogger
false
-
password
Password
-
registry_autorun
false
-
use_mutex
false
Signatures
-
NetWire RAT payload 3 IoCs
Processes:
resource  yara_rule
behavioral1/memory/1712-67-0x0000000000B30000-0x0000000001B30000-memory.dmp  netwire
behavioral1/memory/1712-68-0x0000000000B4AE7B-mapping.dmp  netwire
behavioral1/memory/1712-72-0x0000000000B30000-0x0000000001B30000-memory.dmp  netwire
-
Executes dropped EXE 2 IoCs
Processes:
pid  process
1448  othnl.exe
1712  othnl.exe
-
Loads dropped DLL 2 IoCs
Processes:
pid  process
1492  2b1245c4547eee5a4545431f1969ab4dd5ba8ac4d0d2dd758d3c77a250e6ddb8.exe
1448  othnl.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description  ioc  process
Key created  \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce  2b1245c4547eee5a4545431f1969ab4dd5ba8ac4d0d2dd758d3c77a250e6ddb8.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  2b1245c4547eee5a4545431f1969ab4dd5ba8ac4d0d2dd758d3c77a250e6ddb8.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description  pid  process  target process
PID 1448 set thread context of 1712  1448  othnl.exe  othnl.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid  process
1448  othnl.exe
1448  othnl.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description  pid  process
Token: 33  1448  othnl.exe
Token: SeIncBasePriorityPrivilege  1448  othnl.exe
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes:
description  pid  process  target process
PID 1492 wrote to memory of 1448  1492  2b1245c4547eee5a4545431f1969ab4dd5ba8ac4d0d2dd758d3c77a250e6ddb8.exe  othnl.exe
PID 1492 wrote to memory of 1448  1492  2b1245c4547eee5a4545431f1969ab4dd5ba8ac4d0d2dd758d3c77a250e6ddb8.exe  othnl.exe
PID 1492 wrote to memory of 1448  1492  2b1245c4547eee5a4545431f1969ab4dd5ba8ac4d0d2dd758d3c77a250e6ddb8.exe  othnl.exe
PID 1492 wrote to memory of 1448  1492  2b1245c4547eee5a4545431f1969ab4dd5ba8ac4d0d2dd758d3c77a250e6ddb8.exe  othnl.exe
PID 1448 wrote to memory of 1380  1448  othnl.exe  cmd.exe
PID 1448 wrote to memory of 1380  1448  othnl.exe  cmd.exe
PID 1448 wrote to memory of 1380  1448  othnl.exe  cmd.exe
PID 1448 wrote to memory of 1380  1448  othnl.exe  cmd.exe
PID 1448 wrote to memory of 1712  1448  othnl.exe  othnl.exe
PID 1448 wrote to memory of 1712  1448  othnl.exe  othnl.exe
PID 1448 wrote to memory of 1712  1448  othnl.exe  othnl.exe
PID 1448 wrote to memory of 1712  1448  othnl.exe  othnl.exe
PID 1448 wrote to memory of 1712  1448  othnl.exe  othnl.exe
PID 1448 wrote to memory of 1712  1448  othnl.exe  othnl.exe
PID 1448 wrote to memory of 1712  1448  othnl.exe  othnl.exe
PID 1380 wrote to memory of 1696  1380  cmd.exe  schtasks.exe
PID 1380 wrote to memory of 1696  1380  cmd.exe  schtasks.exe
PID 1380 wrote to memory of 1696  1380  cmd.exe  schtasks.exe
PID 1380 wrote to memory of 1696  1380  cmd.exe  schtasks.exe
PID 1448 wrote to memory of 1712  1448  othnl.exe  othnl.exe
PID 1448 wrote to memory of 1712  1448  othnl.exe  othnl.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2b1245c4547eee5a4545431f1969ab4dd5ba8ac4d0d2dd758d3c77a250e6ddb8.exe
"C:\Users\Admin\AppData\Local\Temp\2b1245c4547eee5a4545431f1969ab4dd5ba8ac4d0d2dd758d3c77a250e6ddb8.exe" (depth 1)
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\othnl.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\othnl.exe zwkrwa.hep (depth 2)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /create /sc minute /mo 5 /tn xeezzrd /tr "C:\Users\Admin\xeezzrd\othnl.exe C:\Users\Admin\xeezzrd\zwkrwa.hep" (depth 3)
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 5 /tn xeezzrd /tr "C:\Users\Admin\xeezzrd\othnl.exe C:\Users\Admin\xeezzrd\zwkrwa.hep" (depth 4)
- Creates scheduled task(s)
-
C:\Users\Admin\othnl.exe
0 (depth 3)
- Executes dropped EXE
-
C:\Windows\explorer.exe
"C:\Windows\explorer.exe" (depth 1)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lyzbolct.osn
Filesize
273KB
MD5
b87b1eebcce45db72f46c45d7627c854
SHA1
dc8e7030defc35a9d1ad6cfb5a354ecd372506a2
SHA256
cd591bbfcb167fa8a7c960812967f90440a350458fe4422c6257cc0558f34953
SHA512
fa514a1e7f56689cfdbda78a0c3ea9e73668121e94ab8057fe9a0dc77a4ddd0b8b2aa833109c5f41c182c625392e073a9c4d4a13fdfb8b57aeae9e5733cb3467
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\othnl.exe
Filesize
918KB
MD5
ad5e6eb33f8b6b48fab6d9ab3e1212c1
SHA1
712f5e781df0e1cf0a52cc1312f097c290770909
SHA256
dd998d69304649d295691a188f8d0b04b4c2ca5dc7fb03494867bd7738200daa
SHA512
11822e5ec5b765109db5c132e8c7dd172f883bb7ae57f78be3861099aef24b0625dc943f2d20b4eff2615e5b98f2836322c8ccac526ee6448c04cfc28328c538
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zwkrwa.hep
Filesize
86.1MB
MD5
1a7e515bde41cea1de9c82de07abd28a
SHA1
7c0d31b641e88f86bb462ae72f330a150a13e169
SHA256
bd4dae03e5cdcef9655648e857fe4cf081736fea315f6f6321a7db2bfd48a3de
SHA512
21b25683975a0df4f97ac6ee17012aab05e8efef27d06376edb7efca8064dc66e1a5dab346bc5f6e83501171b3a8aba55c7dfbf0dce39a84192bc4e89ac09fdb
-
C:\Users\Admin\othnl.exe
Filesize
44KB
MD5
0e06054beb13192588e745ee63a84173
SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113
SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768
SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215
-
\Users\Admin\AppData\Local\Temp\IXP000.TMP\othnl.exe
Filesize
918KB
MD5
ad5e6eb33f8b6b48fab6d9ab3e1212c1
SHA1
712f5e781df0e1cf0a52cc1312f097c290770909
SHA256
dd998d69304649d295691a188f8d0b04b4c2ca5dc7fb03494867bd7738200daa
SHA512
11822e5ec5b765109db5c132e8c7dd172f883bb7ae57f78be3861099aef24b0625dc943f2d20b4eff2615e5b98f2836322c8ccac526ee6448c04cfc28328c538
-
\Users\Admin\othnl.exe
Filesize
44KB
MD5
0e06054beb13192588e745ee63a84173
SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113
SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768
SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215
-
memory/1380-62-0x0000000000000000-mapping.dmp
-
memory/1448-57-0x0000000076121000-0x0000000076123000-memory.dmp
Filesize
8KB
-
memory/1448-55-0x0000000000000000-mapping.dmp
-
memory/1696-64-0x0000000000000000-mapping.dmp
-
memory/1712-65-0x0000000000B30000-0x0000000001B30000-memory.dmp
Filesize
16.0MB
-
memory/1712-67-0x0000000000B30000-0x0000000001B30000-memory.dmp
Filesize
16.0MB
-
memory/1712-68-0x0000000000B4AE7B-mapping.dmp
-
memory/1712-72-0x0000000000B30000-0x0000000001B30000-memory.dmp
Filesize
16.0MB
-
memory/1952-59-0x000007FEFBD81000-0x000007FEFBD83000-memory.dmp
Filesize
8KB