Analysis
- max time kernel: 148s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20220901-en locale:en-us os:windows10-2004-x64 system
- submitted: 26-11-2022 07:29
Static task: static1

Behavioral task: behavioral1
  Sample: fc361bfc9536f31350c99e5bffc007477e6ac9d1bc1fee3604c8fcae39153e53.exe
  Resource: win7-20221111-en

Behavioral task: behavioral2
  Sample: fc361bfc9536f31350c99e5bffc007477e6ac9d1bc1fee3604c8fcae39153e53.exe
  Resource: win10v2004-20220901-en
General
- Target: fc361bfc9536f31350c99e5bffc007477e6ac9d1bc1fee3604c8fcae39153e53.exe
- Size: 105KB
- MD5: e11591310952d9c6eeeaf88ff19432b2
- SHA1: 71bd602670f33e1f0573c6bbd15ead0992e4973f
- SHA256: fc361bfc9536f31350c99e5bffc007477e6ac9d1bc1fee3604c8fcae39153e53
- SHA512: e8ff1f1766d49736549a5792a613f4e9776de534c2eca1e172de29af3a94a407d568020ece86e6f6d2381c47ea23b0e3e025e1a84f4a2c651c171fb240ec9b07
- SSDEEP: 3072:gM1BjoYNXoKDIJBXJPLW1D9DOgDqK2VRNbA/6A/d:gMMYNXqBBCN9DOgOK2VzbVA/d
Malware Config
Signatures
- NetWire RAT payload (4 IoCs)
  resource | yara_rule
  behavioral2/memory/4500-134-0x0000000000400000-0x000000000041E000-memory.dmp | netwire
  behavioral2/memory/4500-136-0x0000000000400000-0x000000000041E000-memory.dmp | netwire
  behavioral2/memory/4500-139-0x0000000000400000-0x000000000041E000-memory.dmp | netwire
  behavioral2/memory/2288-148-0x0000000000400000-0x000000000041E000-memory.dmp | netwire
- Executes dropped EXE (2 IoCs)
  pid | process
  1480 | Host.exe
  2288 | Host.exe
- Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32W2EMSA-D3P0-G0V7-PP47-3T5XRLUK6562}\StubPath = "\"C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe\"" | Host.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32W2EMSA-D3P0-G0V7-PP47-3T5XRLUK6562} | Host.exe
- Loads dropped DLL (2 IoCs)
  pid | process
  2836 | fc361bfc9536f31350c99e5bffc007477e6ac9d1bc1fee3604c8fcae39153e53.exe
  1480 | Host.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ | Host.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NetWire = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe" | Host.exe
- Suspicious use of SetThreadContext (2 IoCs)
  description | pid | process | target process
  PID 2836 set thread context of 4500 | 2836 | fc361bfc9536f31350c99e5bffc007477e6ac9d1bc1fee3604c8fcae39153e53.exe | fc361bfc9536f31350c99e5bffc007477e6ac9d1bc1fee3604c8fcae39153e53.exe
  PID 1480 set thread context of 2288 | 1480 | Host.exe | Host.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- NSIS installer (6 IoCs)
  resource | yara_rule
  C:\Users\Admin\AppData\Roaming\Install\Host.exe | nsis_installer_1
  C:\Users\Admin\AppData\Roaming\Install\Host.exe | nsis_installer_2
  C:\Users\Admin\AppData\Roaming\Install\Host.exe | nsis_installer_1
  C:\Users\Admin\AppData\Roaming\Install\Host.exe | nsis_installer_2
  C:\Users\Admin\AppData\Roaming\Install\Host.exe | nsis_installer_1
  C:\Users\Admin\AppData\Roaming\Install\Host.exe | nsis_installer_2
- Suspicious use of WriteProcessMemory (21 IoCs)
  description | pid | process | target process
  PID 2836 wrote to memory of 4500 | 2836 | fc361bfc9536f31350c99e5bffc007477e6ac9d1bc1fee3604c8fcae39153e53.exe | fc361bfc9536f31350c99e5bffc007477e6ac9d1bc1fee3604c8fcae39153e53.exe
  PID 2836 wrote to memory of 4500 | 2836 | fc361bfc9536f31350c99e5bffc007477e6ac9d1bc1fee3604c8fcae39153e53.exe | fc361bfc9536f31350c99e5bffc007477e6ac9d1bc1fee3604c8fcae39153e53.exe
  PID 2836 wrote to memory of 4500 | 2836 | fc361bfc9536f31350c99e5bffc007477e6ac9d1bc1fee3604c8fcae39153e53.exe | fc361bfc9536f31350c99e5bffc007477e6ac9d1bc1fee3604c8fcae39153e53.exe
  PID 2836 wrote to memory of 4500 | 2836 | fc361bfc9536f31350c99e5bffc007477e6ac9d1bc1fee3604c8fcae39153e53.exe | fc361bfc9536f31350c99e5bffc007477e6ac9d1bc1fee3604c8fcae39153e53.exe
  PID 2836 wrote to memory of 4500 | 2836 | fc361bfc9536f31350c99e5bffc007477e6ac9d1bc1fee3604c8fcae39153e53.exe | fc361bfc9536f31350c99e5bffc007477e6ac9d1bc1fee3604c8fcae39153e53.exe
  PID 2836 wrote to memory of 4500 | 2836 | fc361bfc9536f31350c99e5bffc007477e6ac9d1bc1fee3604c8fcae39153e53.exe | fc361bfc9536f31350c99e5bffc007477e6ac9d1bc1fee3604c8fcae39153e53.exe
  PID 2836 wrote to memory of 4500 | 2836 | fc361bfc9536f31350c99e5bffc007477e6ac9d1bc1fee3604c8fcae39153e53.exe | fc361bfc9536f31350c99e5bffc007477e6ac9d1bc1fee3604c8fcae39153e53.exe
  PID 2836 wrote to memory of 4500 | 2836 | fc361bfc9536f31350c99e5bffc007477e6ac9d1bc1fee3604c8fcae39153e53.exe | fc361bfc9536f31350c99e5bffc007477e6ac9d1bc1fee3604c8fcae39153e53.exe
  PID 2836 wrote to memory of 4500 | 2836 | fc361bfc9536f31350c99e5bffc007477e6ac9d1bc1fee3604c8fcae39153e53.exe | fc361bfc9536f31350c99e5bffc007477e6ac9d1bc1fee3604c8fcae39153e53.exe
  PID 4500 wrote to memory of 1480 | 4500 | fc361bfc9536f31350c99e5bffc007477e6ac9d1bc1fee3604c8fcae39153e53.exe | Host.exe
  PID 4500 wrote to memory of 1480 | 4500 | fc361bfc9536f31350c99e5bffc007477e6ac9d1bc1fee3604c8fcae39153e53.exe | Host.exe
  PID 4500 wrote to memory of 1480 | 4500 | fc361bfc9536f31350c99e5bffc007477e6ac9d1bc1fee3604c8fcae39153e53.exe | Host.exe
  PID 1480 wrote to memory of 2288 | 1480 | Host.exe | Host.exe
  PID 1480 wrote to memory of 2288 | 1480 | Host.exe | Host.exe
  PID 1480 wrote to memory of 2288 | 1480 | Host.exe | Host.exe
  PID 1480 wrote to memory of 2288 | 1480 | Host.exe | Host.exe
  PID 1480 wrote to memory of 2288 | 1480 | Host.exe | Host.exe
  PID 1480 wrote to memory of 2288 | 1480 | Host.exe | Host.exe
  PID 1480 wrote to memory of 2288 | 1480 | Host.exe | Host.exe
  PID 1480 wrote to memory of 2288 | 1480 | Host.exe | Host.exe
  PID 1480 wrote to memory of 2288 | 1480 | Host.exe | Host.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\fc361bfc9536f31350c99e5bffc007477e6ac9d1bc1fee3604c8fcae39153e53.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\fc361bfc9536f31350c99e5bffc007477e6ac9d1bc1fee3604c8fcae39153e53.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\fc361bfc9536f31350c99e5bffc007477e6ac9d1bc1fee3604c8fcae39153e53.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\fc361bfc9536f31350c99e5bffc007477e6ac9d1bc1fee3604c8fcae39153e53.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Install\Host.exe (level 3)
      Command line: -m "C:\Users\Admin\AppData\Local\Temp\fc361bfc9536f31350c99e5bffc007477e6ac9d1bc1fee3604c8fcae39153e53.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\Install\Host.exe (level 4)
        Command line: "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        - Executes dropped EXE
        - Modifies Installed Components in the registry
        - Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\nskBC22.tmp\acosmists.dll
  Filesize: 44KB
  MD5: 556cc3600c86ea1383f036fbc13b617d
  SHA1: cf5c93b117321411c2ba16b24a29f940cf01926c
  SHA256: 58f18a822473ff36370b7a0991304a413010819b7c1881c5b637e8747aff86b3
  SHA512: 0380629798e50628139ab040622be41af252e57fad1510b2bce61eadcf66743bced2c1e15f49dcef7c296f4a00c9a67c97926c94e2e127767df2f4de9f21f71b
- C:\Users\Admin\AppData\Local\Temp\nsyC4AD.tmp\acosmists.dll
  Filesize: 44KB
  MD5: 556cc3600c86ea1383f036fbc13b617d
  SHA1: cf5c93b117321411c2ba16b24a29f940cf01926c
  SHA256: 58f18a822473ff36370b7a0991304a413010819b7c1881c5b637e8747aff86b3
  SHA512: 0380629798e50628139ab040622be41af252e57fad1510b2bce61eadcf66743bced2c1e15f49dcef7c296f4a00c9a67c97926c94e2e127767df2f4de9f21f71b
- C:\Users\Admin\AppData\Roaming\DISK2.DSK
  Filesize: 81KB
  MD5: 3d144aebb15820aa8af4033c00a419a6
  SHA1: 6c82768036cbbba492af14d6fab5a7a675ee1d6e
  SHA256: 5e85e55ade3b763209938fbb34c1fbd16007737428ac51891745f35bd80fc09a
  SHA512: 74aaa5db6dd80f02c816aec70d90b1f9bf9c5af8000adec8676fb8f92216754132ba0b2fdca61366a06d6b7bb57833017c924bf6d87feda4a648ff78e2dd1972
- C:\Users\Admin\AppData\Roaming\Install\Host.exe
  Filesize: 105KB
  MD5: e11591310952d9c6eeeaf88ff19432b2
  SHA1: 71bd602670f33e1f0573c6bbd15ead0992e4973f
  SHA256: fc361bfc9536f31350c99e5bffc007477e6ac9d1bc1fee3604c8fcae39153e53
  SHA512: e8ff1f1766d49736549a5792a613f4e9776de534c2eca1e172de29af3a94a407d568020ece86e6f6d2381c47ea23b0e3e025e1a84f4a2c651c171fb240ec9b07
- C:\Users\Admin\AppData\Roaming\Install\Host.exe
  Filesize: 105KB
  MD5: e11591310952d9c6eeeaf88ff19432b2
  SHA1: 71bd602670f33e1f0573c6bbd15ead0992e4973f
  SHA256: fc361bfc9536f31350c99e5bffc007477e6ac9d1bc1fee3604c8fcae39153e53
  SHA512: e8ff1f1766d49736549a5792a613f4e9776de534c2eca1e172de29af3a94a407d568020ece86e6f6d2381c47ea23b0e3e025e1a84f4a2c651c171fb240ec9b07
- C:\Users\Admin\AppData\Roaming\Install\Host.exe
  Filesize: 105KB
  MD5: e11591310952d9c6eeeaf88ff19432b2
  SHA1: 71bd602670f33e1f0573c6bbd15ead0992e4973f
  SHA256: fc361bfc9536f31350c99e5bffc007477e6ac9d1bc1fee3604c8fcae39153e53
  SHA512: e8ff1f1766d49736549a5792a613f4e9776de534c2eca1e172de29af3a94a407d568020ece86e6f6d2381c47ea23b0e3e025e1a84f4a2c651c171fb240ec9b07
- memory/1480-137-0x0000000000000000-mapping.dmp
- memory/2288-148-0x0000000000400000-0x000000000041E000-memory.dmp
  Filesize: 120KB
- memory/2288-143-0x0000000000000000-mapping.dmp
- memory/4500-136-0x0000000000400000-0x000000000041E000-memory.dmp
  Filesize: 120KB
- memory/4500-139-0x0000000000400000-0x000000000041E000-memory.dmp
  Filesize: 120KB
- memory/4500-134-0x0000000000400000-0x000000000041E000-memory.dmp
  Filesize: 120KB
- memory/4500-133-0x0000000000000000-mapping.dmp