Analysis

- max time kernel: 138s
- max time network: 158s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 29-10-2022 12:55

Static task: static1

Behavioral task: behavioral1
- Sample: 9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c.exe
- Resource: win7-20220812-en

Behavioral task: behavioral2
- Sample: 9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c.exe
- Resource: win10v2004-20220812-en
General

- Target: 9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c.exe
- Size: 941KB
- MD5: de8b5bf85996fdf042f003dbf666f127
- SHA1: 69f502f7da3c50371aa65fcfc491c1dd9e8a1af4
- SHA256: 9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c
- SHA512: b6372a6d318f4bdb1e979730a0931b6adc11f99ac05fb4b9dc6d02a588bb85b093a8a2621a352defef9651e065b5565bc6939bdd357806ccde08390cd8cc5801
- SSDEEP: 12288:+tb20Qc3lT7af41ePBRYuQLKpqeUhbTv5OFgNuPPpHSgaylegnRSN5i6A:+tb20pkaCqT5TBWgNQ7acegm5i6A
Malware Config
Signatures

- NetWire RAT payload (6 IoCs)
  Resource / YARA rule:
  - behavioral1/memory/1616-62-0x0000000000400000-0x000000000041E000-memory.dmp: netwire
  - behavioral1/memory/1616-63-0x0000000000402196-mapping.dmp: netwire
  - behavioral1/memory/1616-66-0x0000000000400000-0x000000000041E000-memory.dmp: netwire
  - behavioral1/memory/1616-68-0x0000000000400000-0x000000000041E000-memory.dmp: netwire
  - behavioral1/memory/1468-83-0x0000000000402196-mapping.dmp: netwire
  - behavioral1/memory/1468-88-0x0000000000400000-0x000000000041E000-memory.dmp: netwire

- Executes dropped EXE (3 IoCs)
  PID / process:
  - 624 Host.exe
  - 668 Host.exe
  - 1468 Host.exe

- Loads dropped DLL (2 IoCs)
  PID / process:
  - 1616 9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c.exe
  - 624 Host.exe

- Adds Run key to start application (2 TTPs, 4 IoCs)
  Description / IoC / process:
  - Key created: \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c.exe" (9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (Host.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe" (Host.exe)

- AutoIT Executable (6 IoCs)
  AutoIT scripts compiled to PE executables.
  Resource / YARA rule:
  - \Users\Admin\AppData\Roaming\Install\Host.exe: autoit_exe (2 hits)
  - C:\Users\Admin\AppData\Roaming\Install\Host.exe: autoit_exe (4 hits)

- Suspicious use of SetThreadContext (2 IoCs)
  - PID 1656 (9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c.exe) set thread context of PID 1616 (9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c.exe)
  - PID 668 (Host.exe) set thread context of PID 1468 (Host.exe)

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID / process:
  - 1656 9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c.exe
  - 668 Host.exe

- Suspicious use of FindShellTrayWindow (8 IoCs)
  PID / process:
  - 1916 9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c.exe (4 hits)
  - 624 Host.exe (4 hits)

- Suspicious use of SendNotifyMessage (8 IoCs)
  PID / process:
  - 1916 9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c.exe (4 hits)
  - 624 Host.exe (4 hits)

- Suspicious use of WriteProcessMemory (24 IoCs)
  Source PID (process) -> target PID (process):
  - PID 1916 (9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c.exe) wrote to memory of PID 1656 (9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c.exe): 4 hits
  - PID 1656 (9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c.exe) wrote to memory of PID 1616 (9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c.exe): 6 hits
  - PID 1616 (9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c.exe) wrote to memory of PID 624 (Host.exe): 4 hits
  - PID 624 (Host.exe) wrote to memory of PID 668 (Host.exe): 4 hits
  - PID 668 (Host.exe) wrote to memory of PID 1468 (Host.exe): 6 hits
Processes

- Depth 1: C:\Users\Admin\AppData\Local\Temp\9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c.exe"
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  - Depth 2: C:\Users\Admin\AppData\Local\Temp\9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c.exe" /AutoIt3ExecuteScript "C:\Users\Admin\AppData\Local\Temp\532062" "C:\Users\Admin\AppData\Local\Temp\9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c.exe"
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    - Depth 3: C:\Users\Admin\AppData\Local\Temp\9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c.exe"
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      - Depth 4: C:\Users\Admin\AppData\Roaming\Install\Host.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory

        - Depth 5: C:\Users\Admin\AppData\Roaming\Install\Host.exe
          Command line: "C:\Users\Admin\AppData\Roaming\Install\Host.exe" /AutoIt3ExecuteScript "C:\Users\Admin\AppData\Local\Temp\612296" "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory

          - Depth 6: C:\Users\Admin\AppData\Roaming\Install\Host.exe
            Command line: "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
            - Executes dropped EXE
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\532062
  Filesize: 17KB
  MD5: acb96857f1515cd9dc58fddefd4500ba
  SHA1: b581e4649a7208e4136397759cb85cd488a0ba9d
  SHA256: 5ba7ad392b20e2ed5bff396445a68930f54f71eccfda850eefe345a06c131eaa
  SHA512: d58046cf05f1f6d1843c419b70efa97f44e1df3624cd77308a7def236cdfdb40c416ee311065ee61dea6a4ea959c239d12cf4c5b76c0616407466767c3ee571d
- C:\Users\Admin\AppData\Local\Temp\612296
  Filesize: 17KB
  MD5: acb96857f1515cd9dc58fddefd4500ba
  SHA1: b581e4649a7208e4136397759cb85cd488a0ba9d
  SHA256: 5ba7ad392b20e2ed5bff396445a68930f54f71eccfda850eefe345a06c131eaa
  SHA512: d58046cf05f1f6d1843c419b70efa97f44e1df3624cd77308a7def236cdfdb40c416ee311065ee61dea6a4ea959c239d12cf4c5b76c0616407466767c3ee571d
- C:\Users\Admin\AppData\Local\Temp\incl1
  Filesize: 15KB
  MD5: 43be50d8c2e1daa337c2a095036d31c8
  SHA1: 95f036a4a87d917289b2d9aaa66ed988923af631
  SHA256: 5f5f65f7559705ede966292f4253dc132bff7b954befe54537dcd905c4e0d43c
  SHA512: 0dd1ac8b0a6ef4d1513035e718fd2ab34e449e92fd72bc9ef50caee45de979d816deb64e673f54982d9fea02500f0893a5101fd5f67b8c6e2019d1dc03b4d2bf
- C:\Users\Admin\AppData\Local\Temp\incl2
  Filesize: 81KB
  MD5: 0befa75ab59c2b7c956217c940d2fedc
  SHA1: eecafe732b699ee4ced655e8998bd4aacb165ed0
  SHA256: 5587214fabea7842a8e1015ec6ab1930f416722c5609fae3b64801798d86d5b8
  SHA512: 4435b2ab9ea76f038bcf77da2cbea4db29bf84c5552c6dd82a897e0337d90d2b5e784400f57c77f4b4c9d33fb40d457ee06df541006b1e7bb182558f3c1d66d0
- C:\Users\Admin\AppData\Roaming\Install\Host.exe
  Filesize: 941KB
  MD5: de8b5bf85996fdf042f003dbf666f127
  SHA1: 69f502f7da3c50371aa65fcfc491c1dd9e8a1af4
  SHA256: 9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c
  SHA512: b6372a6d318f4bdb1e979730a0931b6adc11f99ac05fb4b9dc6d02a588bb85b093a8a2621a352defef9651e065b5565bc6939bdd357806ccde08390cd8cc5801
- \Users\Admin\AppData\Roaming\Install\Host.exe
  Filesize: 941KB
  MD5: de8b5bf85996fdf042f003dbf666f127
  SHA1: 69f502f7da3c50371aa65fcfc491c1dd9e8a1af4
  SHA256: 9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c
  SHA512: b6372a6d318f4bdb1e979730a0931b6adc11f99ac05fb4b9dc6d02a588bb85b093a8a2621a352defef9651e065b5565bc6939bdd357806ccde08390cd8cc5801
- memory/624-69-0x0000000000000000-mapping.dmp
- memory/668-74-0x0000000000000000-mapping.dmp
- memory/1468-83-0x0000000000402196-mapping.dmp
- memory/1468-88-0x0000000000400000-0x000000000041E000-memory.dmp (Filesize: 120KB)
- memory/1616-68-0x0000000000400000-0x000000000041E000-memory.dmp (Filesize: 120KB)
- memory/1616-66-0x0000000000400000-0x000000000041E000-memory.dmp (Filesize: 120KB)
- memory/1616-63-0x0000000000402196-mapping.dmp
- memory/1616-62-0x0000000000400000-0x000000000041E000-memory.dmp (Filesize: 120KB)
- memory/1616-60-0x0000000000400000-0x000000000041E000-memory.dmp (Filesize: 120KB)
- memory/1656-55-0x0000000000000000-mapping.dmp
- memory/1916-54-0x0000000075C51000-0x0000000075C53000-memory.dmp (Filesize: 8KB)