Analysis
max time kernel: 344s
max time network: 410s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-11-2022 12:54
Static task: static1
Behavioral task: behavioral1
Sample: 915044c511cc81227acb26c559cc79eafdd65f28a99b6c73493b3ac80e739855.exe
Resource: win7-20221111-en
General
Target: 915044c511cc81227acb26c559cc79eafdd65f28a99b6c73493b3ac80e739855.exe
Size: 131KB
MD5: 57ff9ec083c9603c0251fe55595b8793
SHA1: 8c3c7148559706e5523dae28d5852554042129b0
SHA256: 915044c511cc81227acb26c559cc79eafdd65f28a99b6c73493b3ac80e739855
SHA512: 63f50958bd0b82057b62a4315fb9309af082ee06992949c4967bafe83407d7fcc7097d8713b2656cc5ae13c6386ec671d2a424f73b03f883d182551cdaf2770f
SSDEEP: 3072:cnF6XpaIxS1rAPXJlfWMzMeYhLjYchZzj6ocuxdlh8CKUm2/4v4c:cnvIxAS+MAeYhLjYchZ3rcMl5KUm2/4v
Malware Config
Signatures
NetWire RAT payload (1 IoC)
  resource: behavioral2/memory/3124-138-0x0000000000400000-0x0000000000417000-memory.dmp
  yara_rule: netwire
Loads dropped DLL (1 IoC)
  pid: 1196
  process: 915044c511cc81227acb26c559cc79eafdd65f28a99b6c73493b3ac80e739855.exe
Suspicious use of SetThreadContext (1 IoC)
  description: PID 1196 set thread context of 3124
  pid: 1196
  process: 915044c511cc81227acb26c559cc79eafdd65f28a99b6c73493b3ac80e739855.exe
  target process: 915044c511cc81227acb26c559cc79eafdd65f28a99b6c73493b3ac80e739855.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of WriteProcessMemory (9 IoCs)
  description: PID 1196 wrote to memory of 3124
  pid: 1196
  process: 915044c511cc81227acb26c559cc79eafdd65f28a99b6c73493b3ac80e739855.exe
  target process: 915044c511cc81227acb26c559cc79eafdd65f28a99b6c73493b3ac80e739855.exe
  (the same entry is recorded 9 times, one per IoC)
Processes
1. C:\Users\Admin\AppData\Local\Temp\915044c511cc81227acb26c559cc79eafdd65f28a99b6c73493b3ac80e739855.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\915044c511cc81227acb26c559cc79eafdd65f28a99b6c73493b3ac80e739855.exe"
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. (child of 1) C:\Users\Admin\AppData\Local\Temp\915044c511cc81227acb26c559cc79eafdd65f28a99b6c73493b3ac80e739855.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\915044c511cc81227acb26c559cc79eafdd65f28a99b6c73493b3ac80e739855.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\nsj25C6.tmp\paperers.dll
  Filesize: 56KB
  MD5: cba27c45fd90779276f96a717de8a8d0
  SHA1: 89ac88cc471d5dbf6b9897435dbeeed29df5246f
  SHA256: 9940a5c28cd07e33b24692df50381acdce80574c5e288293981e7b399b2d1e07
  SHA512: 534bb3af058e89510aaea6f3ca4955e0d7b6dbaf1694fc3523ddba4a7845b7b461e711250957c9673c91a7b7e2e92450fbf0365bfb50202b357346cb8c102d95
memory/3124-133-0x0000000000000000-mapping.dmp
memory/3124-134-0x0000000000400000-0x0000000000417000-memory.dmp
  Filesize: 92KB
memory/3124-136-0x0000000000400000-0x0000000000417000-memory.dmp
  Filesize: 92KB
memory/3124-138-0x0000000000400000-0x0000000000417000-memory.dmp
  Filesize: 92KB