Analysis
- max time kernel: 151s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-10-2022 13:18
Static task: static1
Behavioral task: behavioral1
Sample: dbb7bd6fcc8d6536b345ad60b9a73f6347a7a3cdeeb6d70c30e3cc071bc385a9.exe
Resource: win7-20220812-en
General
- Target: dbb7bd6fcc8d6536b345ad60b9a73f6347a7a3cdeeb6d70c30e3cc071bc385a9.exe
- Size: 929KB
- MD5: 9b9168993c6917e4d22c803e5debae72
- SHA1: 8246cc5731773b5dd5b4cad5e4c9d647af5e6ab6
- SHA256: dbb7bd6fcc8d6536b345ad60b9a73f6347a7a3cdeeb6d70c30e3cc071bc385a9
- SHA512: 27e1761af2a901da6f05220dbd9f3c77e85b53a48f5f23bcf1e59dc0a45b57f6f30fee89e96632f27c4a96c02e0f78ae04564f4ebd839103484b99dfd7281051
- SSDEEP: 12288:SK2mhAMJ/cPly0xW2/Npj8h7UZYE82Y5UKUL4n4y3Xp3SbSlQMYs:T2O/GlyEW2j47g6zwm4m53Sb21Ys
Malware Config
Signatures
-
NetWire RAT payload 3 IoCs
All three hits are the same 0x400000-0x41E000 region of PID 684, which is the RegSvcs.exe instance that Java.exe (PID 864) targets with SetThreadContext below; the NetWire payload therefore lives in the hollowed RegSvcs.exe, not in the dropped Java.exe on disk.
resource | yara_rule
behavioral2/memory/684-139-0x0000000000400000-0x000000000041E000-memory.dmp | netwire
behavioral2/memory/684-141-0x0000000000400000-0x000000000041E000-memory.dmp | netwire
behavioral2/memory/684-142-0x0000000000400000-0x000000000041E000-memory.dmp | netwire
Executes dropped EXE 1 IoCs
pid | process
864 | Java.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | dbb7bd6fcc8d6536b345ad60b9a73f6347a7a3cdeeb6d70c30e3cc071bc385a9.exe
Adds Run key to start application 2 TTPs 2 IoCs
The RunOnce value is named after the drop directory and points at C:\Users\Admin\gi51947\r.vbs; note that r.vbs does not appear among the dropped files captured in the Downloads section, so the persistence script itself was not recovered in this run.
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | Java.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\C:\Users\Admin\gi51947 = "C:\\Users\\Admin\\gi51947\\r.vbs" | Java.exe
Checks whether UAC is enabled 1 IoCs
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Java.exe
Suspicious use of SetThreadContext 1 IoCs
description | pid | process | target process
PID 864 set thread context of 684 | 864 | Java.exe | RegSvcs.exe
Drops file in Windows directory 2 IoCs
description | ioc | process
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\.Identifier | RegSvcs.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\.Identifier | RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | process
864 | Java.exe (6 identical entries)
Suspicious use of WriteProcessMemory 8 IoCs
description | pid | process | target process
PID 4316 wrote to memory of 864 | 4316 | dbb7bd6fcc8d6536b345ad60b9a73f6347a7a3cdeeb6d70c30e3cc071bc385a9.exe | Java.exe (3 entries)
PID 864 wrote to memory of 684 | 864 | Java.exe | RegSvcs.exe (5 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\dbb7bd6fcc8d6536b345ad60b9a73f6347a7a3cdeeb6d70c30e3cc071bc385a9.exe (PID 4316, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\dbb7bd6fcc8d6536b345ad60b9a73f6347a7a3cdeeb6d70c30e3cc071bc385a9.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\gi51947\Java.exe (PID 864, depth 2)
    Command line: "C:\Users\Admin\gi51947\Java.exe" vrporoniclh
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 684, depth 3)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      - Drops file in Windows directory
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\gi51947\Java.exe
  Filesize: 732KB
  MD5: 71d8f6d5dc35517275bc38ebcc815f9f
  SHA1: cae4e8c730de5a01d30aabeb3e5cb2136090ed8d
  SHA256: fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b
  SHA512: 4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59
- C:\Users\Admin\gi51947\acqn.AQD
  Filesize: 140B
  MD5: 05c4e5f2fc02d8078139d17bcae0b8cb
  SHA1: 3abd1ac93bd56b4183d0b065697068beb0969662
  SHA256: ee3bd1515406343db29d523176c35469a82ff2ad2fcd1f430a0b8d5ac6370c13
  SHA512: 4a5489c49e576ee301de4d37eccafc335db8f78e289592ea86bdc97e65f37fbb8ab679b2530018232dd94a72e1ed17f234f153ed5ddefb08041d0accdf2107e1
- C:\Users\Admin\gi51947\uuhgs.LGL
  Filesize: 84KB
  MD5: eb257d02551ece59ee7b2a295d64c684
  SHA1: bd8fa12f9b3c54f6028687a97c7eb319f36e7fde
  SHA256: 73185759e98e25236ac7fb119d4ecf303ed4f89204a83ad3de2a208274b336d9
  SHA512: d8ba8c301069e1587834f6862a3a291f70eb8eb3708d09907dfeaad2e0cd72a6ebf80cc1bd97b6a015b3d2b8fe0543d9eb4a4771f5e629075416a6421dd53711
- C:\Users\Admin\gi51947\vrporoniclh
  Filesize: 646.8MB
  MD5: 4999589e676ffd61cb16a58ed9bdbb17
  SHA1: a5a23b17271ec4e060f4b0406203c34033a864fe
  SHA256: dd321e68f68610ec18d66e6fb50f803878ed6bebd65c3b5c49ee5d2e1136e58e
  SHA512: 51233000e2b485ef053e8b439f742c445d0950395284e339059ade9889c9cf09c2a58dc26ca2045a6e0ee6fde8314087da69fa08a8da4914fc319d68431ae0bc
  This file name is the argument passed to Java.exe in the process tree ("Java.exe" vrporoniclh). Its size, 646.8MB, is far larger than the 929KB sample that dropped it, so expect it to be mostly padding; a detection or upload pipeline with a file-size cap may silently skip it.
- memory/684-139-0x0000000000400000-0x000000000041E000-memory.dmp
  Filesize: 120KB
- memory/684-138-0x0000000000000000-mapping.dmp
- memory/684-141-0x0000000000400000-0x000000000041E000-memory.dmp
  Filesize: 120KB
- memory/684-142-0x0000000000400000-0x000000000041E000-memory.dmp
  Filesize: 120KB
- memory/864-132-0x0000000000000000-mapping.dmp
The three 120KB dumps are the same 0x400000-0x41E000 region of PID 684 (RegSvcs.exe) that the netwire YARA rule matched in the Signatures section; they are the artifact to start from when extracting the RAT configuration.