Analysis
-
max time kernel
286s -
max time network
228s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
23-10-2022 17:38
Static task
static1
Behavioral task
behavioral1
Sample
2b1245c4547eee5a4545431f1969ab4dd5ba8ac4d0d2dd758d3c77a250e6ddb8.zip
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
2b1245c4547eee5a4545431f1969ab4dd5ba8ac4d0d2dd758d3c77a250e6ddb8.exe
Resource
win7-20220812-en
General
-
Target
2b1245c4547eee5a4545431f1969ab4dd5ba8ac4d0d2dd758d3c77a250e6ddb8.exe
-
Size
1.3MB
-
MD5
5c9ad0440fefa31403bd944a1a10a3b8
-
SHA1
2707299e9ec7fb2173f6afb2e23a4d74865cf5a3
-
SHA256
2b1245c4547eee5a4545431f1969ab4dd5ba8ac4d0d2dd758d3c77a250e6ddb8
-
SHA512
9b5b620be47d31f652d0100d891808f9b6baff7177c17604be6b0eb9cc731737e610ff47f83ffe8b9f50da48107087be06e74b75347f8d460b35a83d366c1078
-
SSDEEP
24576:AemBdOxLFDApSPKk48wxpb4YLDrvomDMzqZB:0BiLFssPH48ApZDrYzq
Malware Config
Extracted
netwire
banqueislamik.ddrive.online:3360
-
activex_autorun
false
-
copy_executable
false
-
delete_original
false
-
host_id
SALUT
-
lock_executable
false
-
offline_keylogger
false
-
password
Password
-
registry_autorun
false
-
use_mutex
false
Signatures
-
NetWire RAT payload 4 IoCs
Processes:
resource yara_rule behavioral2/memory/856-66-0x0000000000330000-0x0000000001330000-memory.dmp netwire behavioral2/memory/856-67-0x000000000034AE7B-mapping.dmp netwire behavioral2/memory/856-71-0x0000000000330000-0x0000000001330000-memory.dmp netwire behavioral2/memory/856-72-0x0000000000330000-0x0000000001330000-memory.dmp netwire -
Executes dropped EXE 3 IoCs
Processes:
othnl.exeothnl.exeothnl.exepid process 540 othnl.exe 856 othnl.exe 2000 othnl.exe -
Loads dropped DLL 2 IoCs
Processes:
2b1245c4547eee5a4545431f1969ab4dd5ba8ac4d0d2dd758d3c77a250e6ddb8.exeothnl.exepid process 1048 2b1245c4547eee5a4545431f1969ab4dd5ba8ac4d0d2dd758d3c77a250e6ddb8.exe 540 othnl.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
2b1245c4547eee5a4545431f1969ab4dd5ba8ac4d0d2dd758d3c77a250e6ddb8.exedescription ioc process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce 2b1245c4547eee5a4545431f1969ab4dd5ba8ac4d0d2dd758d3c77a250e6ddb8.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 2b1245c4547eee5a4545431f1969ab4dd5ba8ac4d0d2dd758d3c77a250e6ddb8.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
othnl.exedescription pid process target process PID 540 set thread context of 856 540 othnl.exe othnl.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
othnl.exeothnl.exepid process 540 othnl.exe 540 othnl.exe 2000 othnl.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
othnl.exedescription pid process Token: 33 540 othnl.exe Token: SeIncBasePriorityPrivilege 540 othnl.exe -
Suspicious use of WriteProcessMemory 25 IoCs
Processes:
2b1245c4547eee5a4545431f1969ab4dd5ba8ac4d0d2dd758d3c77a250e6ddb8.exeothnl.execmd.exetaskeng.exedescription pid process target process PID 1048 wrote to memory of 540 1048 2b1245c4547eee5a4545431f1969ab4dd5ba8ac4d0d2dd758d3c77a250e6ddb8.exe othnl.exe PID 1048 wrote to memory of 540 1048 2b1245c4547eee5a4545431f1969ab4dd5ba8ac4d0d2dd758d3c77a250e6ddb8.exe othnl.exe PID 1048 wrote to memory of 540 1048 2b1245c4547eee5a4545431f1969ab4dd5ba8ac4d0d2dd758d3c77a250e6ddb8.exe othnl.exe PID 1048 wrote to memory of 540 1048 2b1245c4547eee5a4545431f1969ab4dd5ba8ac4d0d2dd758d3c77a250e6ddb8.exe othnl.exe PID 540 wrote to memory of 1508 540 othnl.exe cmd.exe PID 540 wrote to memory of 1508 540 othnl.exe cmd.exe PID 540 wrote to memory of 1508 540 othnl.exe cmd.exe PID 540 wrote to memory of 1508 540 othnl.exe cmd.exe PID 540 wrote to memory of 856 540 othnl.exe othnl.exe PID 540 wrote to memory of 856 540 othnl.exe othnl.exe PID 540 wrote to memory of 856 540 othnl.exe othnl.exe PID 540 wrote to memory of 856 540 othnl.exe othnl.exe PID 540 wrote to memory of 856 540 othnl.exe othnl.exe PID 540 wrote to memory of 856 540 othnl.exe othnl.exe PID 540 wrote to memory of 856 540 othnl.exe othnl.exe PID 1508 wrote to memory of 1212 1508 cmd.exe schtasks.exe PID 1508 wrote to memory of 1212 1508 cmd.exe schtasks.exe PID 1508 wrote to memory of 1212 1508 cmd.exe schtasks.exe PID 1508 wrote to memory of 1212 1508 cmd.exe schtasks.exe PID 540 wrote to memory of 856 540 othnl.exe othnl.exe PID 540 wrote to memory of 856 540 othnl.exe othnl.exe PID 1168 wrote to memory of 2000 1168 taskeng.exe othnl.exe PID 1168 wrote to memory of 2000 1168 taskeng.exe othnl.exe PID 1168 wrote to memory of 2000 1168 taskeng.exe othnl.exe PID 1168 wrote to memory of 2000 1168 taskeng.exe othnl.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2b1245c4547eee5a4545431f1969ab4dd5ba8ac4d0d2dd758d3c77a250e6ddb8.exe"C:\Users\Admin\AppData\Local\Temp\2b1245c4547eee5a4545431f1969ab4dd5ba8ac4d0d2dd758d3c77a250e6ddb8.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1048 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\othnl.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\othnl.exe zwkrwa.hep2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:540 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /create /sc minute /mo 5 /tn xeezzrd /tr "C:\Users\Admin\xeezzrd\othnl.exe C:\Users\Admin\xeezzrd\zwkrwa.hep"3⤵
- Suspicious use of WriteProcessMemory
PID:1508 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 5 /tn xeezzrd /tr "C:\Users\Admin\xeezzrd\othnl.exe C:\Users\Admin\xeezzrd\zwkrwa.hep"4⤵
- Creates scheduled task(s)
PID:1212 -
C:\Users\Admin\othnl.exe03⤵
- Executes dropped EXE
PID:856
-
C:\Windows\system32\taskeng.exetaskeng.exe {59C0B56C-B077-4785-8536-3897CA995E71} S-1-5-21-2292972927-2705560509-2768824231-1000:GRXNNIIE\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
PID:1168 -
C:\Users\Admin\xeezzrd\othnl.exeC:\Users\Admin\xeezzrd\othnl.exe C:\Users\Admin\xeezzrd\zwkrwa.hep2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2000
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
273KB
MD5b87b1eebcce45db72f46c45d7627c854
SHA1dc8e7030defc35a9d1ad6cfb5a354ecd372506a2
SHA256cd591bbfcb167fa8a7c960812967f90440a350458fe4422c6257cc0558f34953
SHA512fa514a1e7f56689cfdbda78a0c3ea9e73668121e94ab8057fe9a0dc77a4ddd0b8b2aa833109c5f41c182c625392e073a9c4d4a13fdfb8b57aeae9e5733cb3467
-
Filesize
918KB
MD5ad5e6eb33f8b6b48fab6d9ab3e1212c1
SHA1712f5e781df0e1cf0a52cc1312f097c290770909
SHA256dd998d69304649d295691a188f8d0b04b4c2ca5dc7fb03494867bd7738200daa
SHA51211822e5ec5b765109db5c132e8c7dd172f883bb7ae57f78be3861099aef24b0625dc943f2d20b4eff2615e5b98f2836322c8ccac526ee6448c04cfc28328c538
-
Filesize
918KB
MD5ad5e6eb33f8b6b48fab6d9ab3e1212c1
SHA1712f5e781df0e1cf0a52cc1312f097c290770909
SHA256dd998d69304649d295691a188f8d0b04b4c2ca5dc7fb03494867bd7738200daa
SHA51211822e5ec5b765109db5c132e8c7dd172f883bb7ae57f78be3861099aef24b0625dc943f2d20b4eff2615e5b98f2836322c8ccac526ee6448c04cfc28328c538
-
Filesize
113.7MB
MD57c0a58bf2315abf9612d58fbfaaeb0eb
SHA13e8d2de112be00950fd776bba6883449804f5b39
SHA256be8f159ef84167d6a542d7201cf09340b8dd222fec36e5430dc148062a96fb47
SHA51224866cd04234e6cd83d6b3125ec68ec0f2c2f601ac566379a5c820a97e3d503cc7ffeac220921b8aa8c6d0e53530c96d9b3cd38c90d02b433b691d81ec9c3a91
-
Filesize
44KB
MD50e06054beb13192588e745ee63a84173
SHA130b7d4d1277bafd04a83779fd566a1f834a8d113
SHA256c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768
SHA512251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215
-
Filesize
918KB
MD5ad5e6eb33f8b6b48fab6d9ab3e1212c1
SHA1712f5e781df0e1cf0a52cc1312f097c290770909
SHA256dd998d69304649d295691a188f8d0b04b4c2ca5dc7fb03494867bd7738200daa
SHA51211822e5ec5b765109db5c132e8c7dd172f883bb7ae57f78be3861099aef24b0625dc943f2d20b4eff2615e5b98f2836322c8ccac526ee6448c04cfc28328c538
-
Filesize
918KB
MD5ad5e6eb33f8b6b48fab6d9ab3e1212c1
SHA1712f5e781df0e1cf0a52cc1312f097c290770909
SHA256dd998d69304649d295691a188f8d0b04b4c2ca5dc7fb03494867bd7738200daa
SHA51211822e5ec5b765109db5c132e8c7dd172f883bb7ae57f78be3861099aef24b0625dc943f2d20b4eff2615e5b98f2836322c8ccac526ee6448c04cfc28328c538
-
Filesize
44KB
MD50e06054beb13192588e745ee63a84173
SHA130b7d4d1277bafd04a83779fd566a1f834a8d113
SHA256c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768
SHA512251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215