Analysis
-
max time kernel
146s -
max time network
45s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system -
submitted
20-11-2022 04:02
Static task
static1
Behavioral task
behavioral1
Sample
40c26b6c33d9d3d38194c90eae2e6564450e9c2f64d8cca838a527515db285a1.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
40c26b6c33d9d3d38194c90eae2e6564450e9c2f64d8cca838a527515db285a1.exe
Resource
win10v2004-20220812-en
General
-
Target
40c26b6c33d9d3d38194c90eae2e6564450e9c2f64d8cca838a527515db285a1.exe
-
Size
87KB
-
MD5
320eeab7b748f8f53fb2722e42046990
-
SHA1
700094dcc889f9866afee7cf7b3a00c4a9430918
-
SHA256
40c26b6c33d9d3d38194c90eae2e6564450e9c2f64d8cca838a527515db285a1
-
SHA512
2b8a021759fad02584eb4786ad92ab9fa39948729cf5d56635505578728f6bbd5c6d9926a05e7e744b85770db0c95a14da493b0443c33b729b356b2e0a3206e3
-
SSDEEP
1536:nwiKJJMrjeYMZjIxQ2VV5ms1LrvMm0u0aSRerY9VlA0Gx5LViQa:hvK6G8fvMmJ0RRerY/lA0s1g
Malware Config
Signatures
-
NetWire RAT payload 1 IoCs
Processes:
resource: behavioral1/memory/1136-71-0x0000000000400000-0x0000000000418000-memory.dmp
yara_rule: netwire -
Loads dropped DLL 1 IoCs
Processes:
pid: 1636
process: 40c26b6c33d9d3d38194c90eae2e6564450e9c2f64d8cca838a527515db285a1.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Gw2hwNrLvA = "C:\\Users\\Admin\\AppData\\Roaming\\v294jnEZ\\VQNqLI8.exe.lnk" | reg.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 1636 set thread context of 1136 | 1636 | 40c26b6c33d9d3d38194c90eae2e6564450e9c2f64d8cca838a527515db285a1.exe | cvtres.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox attaches its generic "likely ransomware behaviour" description to this signature; since the payload here is identified as NetWire RAT, drive enumeration is better read as host reconnaissance than as encryption staging.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
pid: 1636
process: 40c26b6c33d9d3d38194c90eae2e6564450e9c2f64d8cca838a527515db285a1.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1636 | 40c26b6c33d9d3d38194c90eae2e6564450e9c2f64d8cca838a527515db285a1.exe -
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
description | pid | process | target process
PID 1636 wrote to memory of 1340 | 1636 | 40c26b6c33d9d3d38194c90eae2e6564450e9c2f64d8cca838a527515db285a1.exe | cmd.exe (4 events)
PID 1340 wrote to memory of 1920 | 1340 | cmd.exe | reg.exe (4 events)
PID 1636 wrote to memory of 1136 | 1636 | 40c26b6c33d9d3d38194c90eae2e6564450e9c2f64d8cca838a527515db285a1.exe | cvtres.exe (9 events)
Processes
-
C:\Users\Admin\AppData\Local\Temp\40c26b6c33d9d3d38194c90eae2e6564450e9c2f64d8cca838a527515db285a1.exe
"C:\Users\Admin\AppData\Local\Temp\40c26b6c33d9d3d38194c90eae2e6564450e9c2f64d8cca838a527515db285a1.exe"
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1636
    C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Gw2hwNrLvA" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\v294jnEZ\VQNqLI8.exe.lnk"
    - Suspicious use of WriteProcessMemory
    PID:1340
        C:\Windows\SysWOW64\reg.exe
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Gw2hwNrLvA" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\v294jnEZ\VQNqLI8.exe.lnk"
        - Adds Run key to start application
        PID:1920
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe"
    PID:1136
-
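The process tree above shows the two behaviours worth turning into detections: the sample writes into a child it spawned (cvtres.exe, a Windows-shipped binary launched with an empty command line) and then calls SetThreadContext on it, after which the NetWire YARA rule matches in that child's memory; and it persists through a Run key whose value is a .lnk under AppData\Roaming. The following is an added example by the editor, not code from the tria.ge report or from the NetWire sample: the process list and API events are constructed by hand from the report's rows (PIDs, paths and counts as recorded there), and the two detection rules are the editor's assumptions about what a detection engineer would key on, not the sandbox's own signature logic.

```python
"""Process-hollowing and Run-key persistence checks over sandbox process events.

Added example (editor's code, not from the report or the malware). The process
list and API events are constructed from the report's rows; the detection
rules are assumptions, not the sandbox's signature logic.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SAMPLE = "40c26b6c33d9d3d38194c90eae2e6564450e9c2f64d8cca838a527515db285a1.exe"
REG_CMD = ('reg add "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" /f '
           '/v "Gw2hwNrLvA" /t REG_SZ /d '
           '"C:\\Users\\Admin\\AppData\\Roaming\\v294jnEZ\\VQNqLI8.exe.lnk"')


@dataclass
class Process:
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str


# Constructed from the report's process tree.
PROCESSES: List[Process] = [
    Process(1636, None, "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE,
            f'"C:\\Users\\Admin\\AppData\\Local\\Temp\\{SAMPLE}"'),
    Process(1340, 1636, "C:\\Windows\\SysWOW64\\cmd.exe",
            f'"C:\\Windows\\system32\\cmd.exe" /c {REG_CMD}'),
    Process(1920, 1340, "C:\\Windows\\SysWOW64\\reg.exe", REG_CMD),
    Process(1136, 1636, "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\cvtres.exe",
            '"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\cvtres.exe"'),
]

# Constructed from the report's API rows: (api, caller pid, target pid).
EVENTS: List[Tuple[str, int, int]] = (
    [("WriteProcessMemory", 1636, 1340)] * 4
    + [("WriteProcessMemory", 1340, 1920)] * 4
    + [("WriteProcessMemory", 1636, 1136)] * 9
    + [("SetThreadContext", 1636, 1136)]
)

RUN_KEY = re.compile(r"\\microsoft\\windows\\currentversion\\run(once)?$", re.I)


def _tokens(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, keeping quoted spans whole and unquoting them."""
    out = []
    for m in re.finditer(r'"[^"]*"|\S+', cmdline):
        t = m.group(0)
        out.append(t[1:-1] if t.startswith('"') and t.endswith('"') else t)
    return out


def parse_reg_add(cmdline: str) -> Optional[Tuple[str, Optional[str], Optional[str]]]:
    """Return (key, value name, data) if the command line runs `reg add`, else None."""
    toks = _tokens(cmdline)
    low = [t.lower() for t in toks]
    for i in range(len(toks) - 2):
        if (low[i] == "reg" or low[i].endswith("\\reg.exe")) and low[i + 1] == "add":
            key, rest, opts = toks[i + 2], toks[i + 3:], {}
            j = 0
            while j < len(rest):  # /v, /t and /d each take one argument; /f takes none
                if rest[j].lower() in ("/v", "/d", "/t") and j + 1 < len(rest):
                    opts[rest[j].lower()] = rest[j + 1]
                    j += 2
                else:
                    j += 1
            return key, opts.get("/v"), opts.get("/d")
    return None


def detect_run_key_persistence(processes: List[Process]) -> List[Dict]:
    """Flag `reg add` into Run/RunOnce when the target is a .lnk or sits in a user-writable profile path.

    The same command line appears on both the cmd.exe parent and the reg.exe child, so
    findings are keyed on (key, value name) and record every PID that carried it.
    """
    findings: Dict[Tuple[str, Optional[str]], Dict] = {}
    for p in processes:
        parsed = parse_reg_add(p.cmdline)
        if not parsed or parsed[2] is None or not RUN_KEY.search(parsed[0]):
            continue
        key, name, data = parsed
        reasons = []
        if data.lower().endswith(".lnk"):
            reasons.append("shortcut target")  # the .lnk hides the real binary and its arguments
        if "\\appdata\\" in data.lower():
            reasons.append("user-writable path")
        if reasons:
            f = findings.setdefault((key.lower(), name), {"key": key, "value": name,
                                                            "data": data, "reasons": reasons, "pids": []})
            f["pids"].append(p.pid)
    return list(findings.values())


def detect_process_hollowing(processes: List[Process], events: List[Tuple[str, int, int]]) -> List[Dict]:
    """Flag a parent that writes into a child it spawned and then resets that child's thread context,
    where the child is a Windows-shipped binary started with no arguments (the usual hollowing host)."""
    by_pid = {p.pid: p for p in processes}
    writes = {(s, d) for api, s, d in events if api == "WriteProcessMemory"}
    ctx = {(s, d) for api, s, d in events if api == "SetThreadContext"}
    findings = []
    for src, dst in sorted(writes & ctx):
        child = by_pid.get(dst)
        if child is None or child.ppid != src:
            continue
        args = _tokens(child.cmdline)
        in_windows = child.image.lower().startswith("c:\\windows\\")
        no_args = len(args) == 1 and args[0].lower() == child.image.lower()
        if in_windows and no_args:
            findings.append({"parent": src, "child": dst, "image": child.image,
                             "write_count": sum(1 for a, s, d in events
                                                if a == "WriteProcessMemory" and (s, d) == (src, dst))})
    return findings


if __name__ == "__main__":
    for f in detect_process_hollowing(PROCESSES, EVENTS):
        print("hollowing:", f)
    for f in detect_run_key_persistence(PROCESSES):
        print("persistence:", f)
```

On this report's events the hollowing rule fires once (1636 into 1136, cvtres.exe, nine writes then a SetThreadContext) and stays quiet on the cmd.exe and reg.exe children, which receive writes but never a thread-context change; the persistence rule returns one finding carried by PIDs 1340 and 1920. Note that the reported cmd.exe and reg.exe images live under SysWOW64 even though the command line names system32: the sample is 32-bit, so file-system redirection applies, and the .NET v2.0.50727\Framework (not Framework64) cvtres.exe is the matching 32-bit host.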
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
87KB
MD5 320eeab7b748f8f53fb2722e42046990
SHA1 700094dcc889f9866afee7cf7b3a00c4a9430918
SHA256 40c26b6c33d9d3d38194c90eae2e6564450e9c2f64d8cca838a527515db285a1
SHA512 2b8a021759fad02584eb4786ad92ab9fa39948729cf5d56635505578728f6bbd5c6d9926a05e7e744b85770db0c95a14da493b0443c33b729b356b2e0a3206e3