Analysis
  max time kernel:   145s
  max time network:  155s
  platform:          windows10-2004_x64
  resource:          win10v2004-20220901-en
  resource tags:     arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  submitted:         26-11-2022 05:37

  Static task:       static1
  Behavioral task:   behavioral1
  Sample:            c6315fa80fa609d5f449ebd5c819d6cf0493d63b82d3e0305994572d66d6e747.exe
  Resource:          win7-20221111-en
General
  Target:  c6315fa80fa609d5f449ebd5c819d6cf0493d63b82d3e0305994572d66d6e747.exe
  Size:    83KB
  MD5:     6c26db6682e4d7b05aeba40410e7b320
  SHA1:    b429213dc46e07a268cde87c89ed90dfbf367b81
  SHA256:  c6315fa80fa609d5f449ebd5c819d6cf0493d63b82d3e0305994572d66d6e747
  SHA512:  944a139f76f7ccfcee6667cc46f32a45bcd4d6ce187e43612f832696818ef2d32a663d2313182772181cf371940ba810c9aadaa5373335490fc14441c9aad97b
  SSDEEP:  1536:nwJOoN1oYaoZ5iV685XJPCVX0sXeoaPWBZHqzqrwBICISUdq2ZdRcaomhvCm:nwJ52Y7ZoH5XJaVEsuoaPWrHZhNSE1d/
Malware Config
Signatures

NetWire RAT payload (2 IoCs)
  resource                                                                          yara_rule
  behavioral2/memory/1180-137-0x0000000000400000-0x0000000000421000-memory.dmp    netwire
  behavioral2/memory/1180-138-0x0000000000400000-0x0000000000421000-memory.dmp    netwire
Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
  description      ioc                                                                                                                                      process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{72807TK1-F8I8-2L2E-T6RS-D4SI13SM7G7Q}\StubPath = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\c6315fa80fa609d5f449ebd5c819d6cf0493d63b82d3e0305994572d66d6e747.exe\""    c6315fa80fa609d5f449ebd5c819d6cf0493d63b82d3e0305994572d66d6e747.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{72807TK1-F8I8-2L2E-T6RS-D4SI13SM7G7Q}    c6315fa80fa609d5f449ebd5c819d6cf0493d63b82d3e0305994572d66d6e747.exe
  resource                                                                          yara_rule
  behavioral2/memory/1180-134-0x0000000000400000-0x0000000000421000-memory.dmp    upx
  behavioral2/memory/1180-136-0x0000000000400000-0x0000000000421000-memory.dmp    upx
  behavioral2/memory/1180-137-0x0000000000400000-0x0000000000421000-memory.dmp    upx
  behavioral2/memory/1180-138-0x0000000000400000-0x0000000000421000-memory.dmp    upx
Loads dropped DLL (1 IoC)
  pid   process
  3464  c6315fa80fa609d5f449ebd5c819d6cf0493d63b82d3e0305994572d66d6e747.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
  description      ioc                                                                                                        process
  Key created      \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\    c6315fa80fa609d5f449ebd5c819d6cf0493d63b82d3e0305994572d66d6e747.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\default = "C:\\Users\\Admin\\AppData\\Local\\Temp\\c6315fa80fa609d5f449ebd5c819d6cf0493d63b82d3e0305994572d66d6e747.exe"    c6315fa80fa609d5f449ebd5c819d6cf0493d63b82d3e0305994572d66d6e747.exe
Suspicious use of SetThreadContext (1 IoC)
  description                            pid   process                                                                  target process
  PID 3464 set thread context of 1180    3464  c6315fa80fa609d5f449ebd5c819d6cf0493d63b82d3e0305994572d66d6e747.exe    c6315fa80fa609d5f449ebd5c819d6cf0493d63b82d3e0305994572d66d6e747.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of WriteProcessMemory (8 IoCs)
  description                                                 pid   process                                                                  target process
  PID 3464 wrote to memory of 1180 (8 identical entries)     3464  c6315fa80fa609d5f449ebd5c819d6cf0493d63b82d3e0305994572d66d6e747.exe    c6315fa80fa609d5f449ebd5c819d6cf0493d63b82d3e0305994572d66d6e747.exe
Processes
  1. C:\Users\Admin\AppData\Local\Temp\c6315fa80fa609d5f449ebd5c819d6cf0493d63b82d3e0305994572d66d6e747.exe
     command line: "C:\Users\Admin\AppData\Local\Temp\c6315fa80fa609d5f449ebd5c819d6cf0493d63b82d3e0305994572d66d6e747.exe"
     - Loads dropped DLL
     - Suspicious use of SetThreadContext
     - Suspicious use of WriteProcessMemory
     2. C:\Users\Admin\AppData\Local\Temp\c6315fa80fa609d5f449ebd5c819d6cf0493d63b82d3e0305994572d66d6e747.exe  (child of 1)
        command line: "C:\Users\Admin\AppData\Local\Temp\c6315fa80fa609d5f449ebd5c819d6cf0493d63b82d3e0305994572d66d6e747.exe"
        - Modifies Installed Components in the registry
        - Adds Run key to start application
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
  C:\Users\Admin\AppData\Local\Temp\nsqBCED.tmp\pesetas.dll
    Filesize:  22KB
    MD5:       03335eedd55f4e846c30f6e343b79f72
    SHA1:      d97be693fa21f3e1f75f6aec08c943a5589d0de4
    SHA256:    0379140a954b9a8cd1be8fa6302a7296af60298b7af77a1e40914f95d012b647
    SHA512:    2f43d9a46c720ae424354b5082f37422d8add2d0931f628fb8f503de5860c94efd130bf66b61efaf6865984fea573d122ada603af06aec56286cd29d9faf5b18

  memory/1180-133-0x0000000000000000-mapping.dmp
  memory/1180-134-0x0000000000400000-0x0000000000421000-memory.dmp    Filesize: 132KB
  memory/1180-136-0x0000000000400000-0x0000000000421000-memory.dmp    Filesize: 132KB
  memory/1180-137-0x0000000000400000-0x0000000000421000-memory.dmp    Filesize: 132KB
  memory/1180-138-0x0000000000400000-0x0000000000421000-memory.dmp    Filesize: 132KB