Analysis
-
max time kernel: 151s
max time network: 125s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 29-10-2022 13:18
Static task: static1
Behavioral task: behavioral1
Sample: dbb7bd6fcc8d6536b345ad60b9a73f6347a7a3cdeeb6d70c30e3cc071bc385a9.exe
Resource: win7-20220812-en
General
-
Target: dbb7bd6fcc8d6536b345ad60b9a73f6347a7a3cdeeb6d70c30e3cc071bc385a9.exe
Size: 929KB
MD5: 9b9168993c6917e4d22c803e5debae72
SHA1: 8246cc5731773b5dd5b4cad5e4c9d647af5e6ab6
SHA256: dbb7bd6fcc8d6536b345ad60b9a73f6347a7a3cdeeb6d70c30e3cc071bc385a9
SHA512: 27e1761af2a901da6f05220dbd9f3c77e85b53a48f5f23bcf1e59dc0a45b57f6f30fee89e96632f27c4a96c02e0f78ae04564f4ebd839103484b99dfd7281051
SSDEEP: 12288:SK2mhAMJ/cPly0xW2/Npj8h7UZYE82Y5UKUL4n4y3Xp3SbSlQMYs:T2O/GlyEW2j47g6zwm4m53Sb21Ys
Malware Config
Signatures
-
NetWire RAT payload (5 IoCs)
Processes:
resource                                                                      yara_rule
behavioral1/memory/1720-67-0x0000000000400000-0x000000000041E000-memory.dmp   netwire
behavioral1/memory/1720-68-0x00000000004021DA-mapping.dmp                     netwire
behavioral1/memory/1720-71-0x0000000000400000-0x000000000041E000-memory.dmp   netwire
behavioral1/memory/1720-73-0x0000000000400000-0x000000000041E000-memory.dmp   netwire
behavioral1/memory/1720-74-0x0000000000400000-0x000000000041E000-memory.dmp   netwire
-
Executes dropped EXE (1 IoC)
Processes:
pid    process
1604   Java.exe
-
Loads dropped DLL (4 IoCs)
Processes:
pid    process
1488   dbb7bd6fcc8d6536b345ad60b9a73f6347a7a3cdeeb6d70c30e3cc071bc385a9.exe
1488   dbb7bd6fcc8d6536b345ad60b9a73f6347a7a3cdeeb6d70c30e3cc071bc385a9.exe
1488   dbb7bd6fcc8d6536b345ad60b9a73f6347a7a3cdeeb6d70c30e3cc071bc385a9.exe
1488   dbb7bd6fcc8d6536b345ad60b9a73f6347a7a3cdeeb6d70c30e3cc071bc385a9.exe
-
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
description       ioc                                                                                                                                         process
Key created       \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce                                 Java.exe
Set value (str)   \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\C:\Users\Admin\gi51947 = "C:\\Users\\Admin\\gi51947\\r.vbs"   Java.exe
-
Checks whether UAC is enabled
Processes:
description         ioc                                                                                   process
Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   Java.exe
-
Suspicious use of SetThreadContext (1 IoC)
Processes:
description          pid    process    target pid   target process
set thread context   1604   Java.exe   1720         RegSvcs.exe
-
Drops file in Windows directory (2 IoCs)
Processes:
description                    ioc                                                          process
File created                   C:\Windows\Microsoft.NET\Framework\v4.0.30319\.Identifier    RegSvcs.exe
File opened for modification   C:\Windows\Microsoft.NET\Framework\v4.0.30319\.Identifier    RegSvcs.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes:
pid    process
1604   Java.exe
1604   Java.exe
1604   Java.exe
-
Suspicious use of WriteProcessMemory (16 IoCs)
Processes:
description       pid    process                                                                 target pid   target process   count
wrote to memory   1488   dbb7bd6fcc8d6536b345ad60b9a73f6347a7a3cdeeb6d70c30e3cc071bc385a9.exe   1604         Java.exe         7
wrote to memory   1604   Java.exe                                                                1720         RegSvcs.exe      9
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\dbb7bd6fcc8d6536b345ad60b9a73f6347a7a3cdeeb6d70c30e3cc071bc385a9.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\dbb7bd6fcc8d6536b345ad60b9a73f6347a7a3cdeeb6d70c30e3cc071bc385a9.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    -
    [2] C:\Users\Admin\gi51947\Java.exe
        command line: "C:\Users\Admin\gi51947\Java.exe" vrporoniclh
        - Executes dropped EXE
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        -
        [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
            - Drops file in Windows directory
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\gi51947\Java.exe
Filesize: 732KB
MD5: 71d8f6d5dc35517275bc38ebcc815f9f
SHA1: cae4e8c730de5a01d30aabeb3e5cb2136090ed8d
SHA256: fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b
SHA512: 4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59
-
C:\Users\Admin\gi51947\acqn.AQD
Filesize: 140B
MD5: 05c4e5f2fc02d8078139d17bcae0b8cb
SHA1: 3abd1ac93bd56b4183d0b065697068beb0969662
SHA256: ee3bd1515406343db29d523176c35469a82ff2ad2fcd1f430a0b8d5ac6370c13
SHA512: 4a5489c49e576ee301de4d37eccafc335db8f78e289592ea86bdc97e65f37fbb8ab679b2530018232dd94a72e1ed17f234f153ed5ddefb08041d0accdf2107e1
-
C:\Users\Admin\gi51947\uuhgs.LGL
Filesize: 84KB
MD5: eb257d02551ece59ee7b2a295d64c684
SHA1: bd8fa12f9b3c54f6028687a97c7eb319f36e7fde
SHA256: 73185759e98e25236ac7fb119d4ecf303ed4f89204a83ad3de2a208274b336d9
SHA512: d8ba8c301069e1587834f6862a3a291f70eb8eb3708d09907dfeaad2e0cd72a6ebf80cc1bd97b6a015b3d2b8fe0543d9eb4a4771f5e629075416a6421dd53711
-
C:\Users\Admin\gi51947\vrporoniclh
Filesize: 646.8MB
MD5: 4999589e676ffd61cb16a58ed9bdbb17
SHA1: a5a23b17271ec4e060f4b0406203c34033a864fe
SHA256: dd321e68f68610ec18d66e6fb50f803878ed6bebd65c3b5c49ee5d2e1136e58e
SHA512: 51233000e2b485ef053e8b439f742c445d0950395284e339059ade9889c9cf09c2a58dc26ca2045a6e0ee6fde8314087da69fa08a8da4914fc319d68431ae0bc
-
\Users\Admin\gi51947\Java.exe
Filesize: 732KB
MD5: 71d8f6d5dc35517275bc38ebcc815f9f
SHA1: cae4e8c730de5a01d30aabeb3e5cb2136090ed8d
SHA256: fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b
SHA512: 4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59
-
memory/1488-54-0x0000000075AD1000-0x0000000075AD3000-memory.dmp
Filesize: 8KB
-
memory/1604-59-0x0000000000000000-mapping.dmp
-
memory/1720-65-0x0000000000400000-0x000000000041E000-memory.dmp
Filesize: 120KB
-
memory/1720-67-0x0000000000400000-0x000000000041E000-memory.dmp
Filesize: 120KB
-
memory/1720-68-0x00000000004021DA-mapping.dmp
-
memory/1720-71-0x0000000000400000-0x000000000041E000-memory.dmp
Filesize: 120KB
-
memory/1720-73-0x0000000000400000-0x000000000041E000-memory.dmp
Filesize: 120KB
-
memory/1720-74-0x0000000000400000-0x000000000041E000-memory.dmp
Filesize: 120KB