Analysis
-
max time kernel
138s -
max time network
152s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system -
submitted
20-11-2022 10:27
Static task
static1
Behavioral task
behavioral1
Sample
56f0c42016573de7c5b5b5b7b3d89eada4c87126af40c3ea00be930a7546c55e.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
56f0c42016573de7c5b5b5b7b3d89eada4c87126af40c3ea00be930a7546c55e.exe
Resource
win10v2004-20221111-en
General
-
Target
56f0c42016573de7c5b5b5b7b3d89eada4c87126af40c3ea00be930a7546c55e.exe
-
Size
184KB
-
MD5
46a9e2cfc81304ae2e4a1b573c819670
-
SHA1
fee3833c609746402586b1120d62798fc783c835
-
SHA256
56f0c42016573de7c5b5b5b7b3d89eada4c87126af40c3ea00be930a7546c55e
-
SHA512
49d894c635fbb8c1f902ad16c4331ed08e680c87289510892a8c2ddbbf6a786a97b64b3f160993778ab6dd7f88cad59debfb16b699998eab0dc14e4fe457a9b8
-
SSDEEP
3072:tMcjLsjH3WkwK7ITSA/19ELhvsKZGBewqxvcAFLAxfKucAFLA:tMuYjXH4pbEdvsKEBgA
Malware Config
Signatures
-
NetWire RAT payload 4 IoCs
Processes:
resource  yara_rule
behavioral1/memory/960-66-0x0000000000000000-mapping.dmp  netwire
behavioral1/memory/960-69-0x0000000000400000-0x000000000041E000-memory.dmp  netwire
behavioral1/memory/960-71-0x0000000000400000-0x000000000041E000-memory.dmp  netwire
behavioral1/memory/960-72-0x0000000000400000-0x000000000041E000-memory.dmp  netwire
-
Executes dropped EXE 2 IoCs
Processes:
pid  process
916  jdhdgd.exe
960  jdhdgd.exe
-
Loads dropped DLL 2 IoCs
Processes:
pid  process
816  56f0c42016573de7c5b5b5b7b3d89eada4c87126af40c3ea00be930a7546c55e.exe
816  56f0c42016573de7c5b5b5b7b3d89eada4c87126af40c3ea00be930a7546c55e.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description  ioc  process
Set value (str)  \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\dhdgd = "C:\\Users\\Admin\\AppData\\Roaming\\subfolder\\jdhdgd.exe"  56f0c42016573de7c5b5b5b7b3d89eada4c87126af40c3ea00be930a7546c55e.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
pid  process
816  56f0c42016573de7c5b5b5b7b3d89eada4c87126af40c3ea00be930a7546c55e.exe
916  jdhdgd.exe
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes:
description  pid  process  target process
PID 816 wrote to memory of 916  816  56f0c42016573de7c5b5b5b7b3d89eada4c87126af40c3ea00be930a7546c55e.exe  jdhdgd.exe
PID 816 wrote to memory of 916  816  56f0c42016573de7c5b5b5b7b3d89eada4c87126af40c3ea00be930a7546c55e.exe  jdhdgd.exe
PID 816 wrote to memory of 916  816  56f0c42016573de7c5b5b5b7b3d89eada4c87126af40c3ea00be930a7546c55e.exe  jdhdgd.exe
PID 816 wrote to memory of 916  816  56f0c42016573de7c5b5b5b7b3d89eada4c87126af40c3ea00be930a7546c55e.exe  jdhdgd.exe
PID 916 wrote to memory of 960  916  jdhdgd.exe  jdhdgd.exe
PID 916 wrote to memory of 960  916  jdhdgd.exe  jdhdgd.exe
PID 916 wrote to memory of 960  916  jdhdgd.exe  jdhdgd.exe
PID 916 wrote to memory of 960  916  jdhdgd.exe  jdhdgd.exe
PID 916 wrote to memory of 960  916  jdhdgd.exe  jdhdgd.exe
PID 916 wrote to memory of 960  916  jdhdgd.exe  jdhdgd.exe
PID 916 wrote to memory of 960  916  jdhdgd.exe  jdhdgd.exe
PID 916 wrote to memory of 960  916  jdhdgd.exe  jdhdgd.exe
PID 916 wrote to memory of 960  916  jdhdgd.exe  jdhdgd.exe
PID 916 wrote to memory of 960  916  jdhdgd.exe  jdhdgd.exe
PID 916 wrote to memory of 960  916  jdhdgd.exe  jdhdgd.exe
PID 916 wrote to memory of 960  916  jdhdgd.exe  jdhdgd.exe
PID 916 wrote to memory of 960  916  jdhdgd.exe  jdhdgd.exe
PID 916 wrote to memory of 960  916  jdhdgd.exe  jdhdgd.exe
PID 916 wrote to memory of 960  916  jdhdgd.exe  jdhdgd.exe
PID 916 wrote to memory of 960  916  jdhdgd.exe  jdhdgd.exe
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\56f0c42016573de7c5b5b5b7b3d89eada4c87126af40c3ea00be930a7546c55e.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\56f0c42016573de7c5b5b5b7b3d89eada4c87126af40c3ea00be930a7546c55e.exe"
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
Level 2: C:\Users\Admin\AppData\Roaming\subfolder\jdhdgd.exe
Command line: "C:\Users\Admin\AppData\Roaming\subfolder\jdhdgd.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
Level 3: C:\Users\Admin\AppData\Roaming\subfolder\jdhdgd.exe
Command line: "C:\Users\Admin\AppData\Roaming\subfolder\jdhdgd.exe"
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Roaming\subfolder\jdhdgd.exe
Filesize 184KB
MD5 4bc7dff41d338cf1d7f8317b0191eed9
SHA1 301d6ed46912118c41ca11ce5a9a1471b9736125
SHA256 55e2f56fc7a7bf7491e088076f026911615eca15328b16bb69871f4f8ce049eb
SHA512 91a86ebfd936132809088db465b0313afc25de8f5b904665d52af8d1ec83f25852f9083f4e5deecbb529f9ce6069470a76ebee49343f1f907f432455d8d02da9
-
\Users\Admin\AppData\Roaming\subfolder\jdhdgd.exe
Filesize 184KB
MD5 4bc7dff41d338cf1d7f8317b0191eed9
SHA1 301d6ed46912118c41ca11ce5a9a1471b9736125
SHA256 55e2f56fc7a7bf7491e088076f026911615eca15328b16bb69871f4f8ce049eb
SHA512 91a86ebfd936132809088db465b0313afc25de8f5b904665d52af8d1ec83f25852f9083f4e5deecbb529f9ce6069470a76ebee49343f1f907f432455d8d02da9
-
memory/816-56-0x0000000075DF1000-0x0000000075DF3000-memory.dmp
Filesize 8KB
-
memory/816-61-0x0000000000260000-0x0000000000266000-memory.dmp
Filesize 24KB
-
memory/916-59-0x0000000000000000-mapping.dmp
-
memory/916-68-0x0000000000260000-0x0000000000266000-memory.dmp
Filesize 24KB
-
memory/960-66-0x0000000000000000-mapping.dmp
-
memory/960-69-0x0000000000400000-0x000000000041E000-memory.dmp
Filesize 120KB
-
memory/960-71-0x0000000000400000-0x000000000041E000-memory.dmp
Filesize 120KB
-
memory/960-72-0x0000000000400000-0x000000000041E000-memory.dmp
Filesize 120KB