Analysis

max time kernel: 146s
max time network: 152s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 27-11-2022 04:13
Static task
static1

Behavioral task
behavioral1
Sample: 3b7965955c76752c635a89d5124c15ec90a91e4469375976b860ba61e9f51b93.exe
Resource: win7-20221111-en

Behavioral task
behavioral2
Sample: 3b7965955c76752c635a89d5124c15ec90a91e4469375976b860ba61e9f51b93.exe
Resource: win10v2004-20221111-en
General

Target: 3b7965955c76752c635a89d5124c15ec90a91e4469375976b860ba61e9f51b93.exe
Size: 141KB
MD5: 9f3a2c39b2697ccfb4fbd3a9317c3f8b
SHA1: 45af562894d49f33aa15316e3a975d8de13921a8
SHA256: 3b7965955c76752c635a89d5124c15ec90a91e4469375976b860ba61e9f51b93
SHA512: f50efc6d91c1768a740db7e58eacc9d65d5f81fb3ea899c1533a31e3c276ae99f2fafdc9922c697e0c80ebe541bfe0265a492f5b19a9fb2fff60d9c0b4240428
SSDEEP: 3072:7Asj8MBX8s0oXJLrJY7+Ne4tgJFvcHWK9BAMprDgkZPU8n20PjK9vNPszT:7AsBZtK7+FtgJFvc2mrDgkZPUw20Pji8
Malware Config
Signatures

NetWire RAT payload (7 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/576-61-0x0000000000400000-0x000000000041E000-memory.dmp | netwire
behavioral1/memory/576-63-0x0000000000400000-0x000000000041E000-memory.dmp | netwire
behavioral1/memory/576-64-0x00000000004021DA-mapping.dmp | netwire
behavioral1/memory/576-67-0x0000000000400000-0x000000000041E000-memory.dmp | netwire
behavioral1/memory/576-71-0x0000000000400000-0x000000000041E000-memory.dmp | netwire
behavioral1/memory/1360-87-0x00000000004021DA-mapping.dmp | netwire
behavioral1/memory/1360-92-0x0000000000400000-0x000000000041E000-memory.dmp | netwire

Executes dropped EXE (2 IoCs)
Processes:
pid | process
464 | Host.exe
1360 | Host.exe

Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{233505I0-OB46-7P45-B65Q-0DT1CI742RQJ}\StubPath = "\"C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe\"" | Host.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{233505I0-OB46-7P45-B65Q-0DT1CI742RQJ} | Host.exe

Loads dropped DLL (4 IoCs)
Processes:
pid | process
1824 | 3b7965955c76752c635a89d5124c15ec90a91e4469375976b860ba61e9f51b93.exe
576 | 3b7965955c76752c635a89d5124c15ec90a91e4469375976b860ba61e9f51b93.exe
464 | Host.exe
464 | Host.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ | Host.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\NetWire = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe" | Host.exe

Suspicious use of SetThreadContext (2 IoCs)
Processes:
description | pid | process | target process
PID 1824 set thread context of 576 | 1824 | 3b7965955c76752c635a89d5124c15ec90a91e4469375976b860ba61e9f51b93.exe | 3b7965955c76752c635a89d5124c15ec90a91e4469375976b860ba61e9f51b93.exe
PID 464 set thread context of 1360 | 464 | Host.exe | Host.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

NSIS installer (10 IoCs)
Processes:
resource | yara_rule
\Users\Admin\AppData\Roaming\Install\Host.exe | nsis_installer_1
\Users\Admin\AppData\Roaming\Install\Host.exe | nsis_installer_2
C:\Users\Admin\AppData\Roaming\Install\Host.exe | nsis_installer_1
C:\Users\Admin\AppData\Roaming\Install\Host.exe | nsis_installer_2
C:\Users\Admin\AppData\Roaming\Install\Host.exe | nsis_installer_1
C:\Users\Admin\AppData\Roaming\Install\Host.exe | nsis_installer_2
\Users\Admin\AppData\Roaming\Install\Host.exe | nsis_installer_1
\Users\Admin\AppData\Roaming\Install\Host.exe | nsis_installer_2
C:\Users\Admin\AppData\Roaming\Install\Host.exe | nsis_installer_1
C:\Users\Admin\AppData\Roaming\Install\Host.exe | nsis_installer_2

Suspicious use of WriteProcessMemory (31 IoCs)
Processes:
description | pid | process | target process
PID 1824 wrote to memory of 576 | 1824 | 3b7965955c76752c635a89d5124c15ec90a91e4469375976b860ba61e9f51b93.exe | 3b7965955c76752c635a89d5124c15ec90a91e4469375976b860ba61e9f51b93.exe (12 identical entries)
PID 576 wrote to memory of 464 | 576 | 3b7965955c76752c635a89d5124c15ec90a91e4469375976b860ba61e9f51b93.exe | Host.exe (7 identical entries)
PID 464 wrote to memory of 1360 | 464 | Host.exe | Host.exe (12 identical entries)
Processes

C:\Users\Admin\AppData\Local\Temp\3b7965955c76752c635a89d5124c15ec90a91e4469375976b860ba61e9f51b93.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\3b7965955c76752c635a89d5124c15ec90a91e4469375976b860ba61e9f51b93.exe"
  depth: 1
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\3b7965955c76752c635a89d5124c15ec90a91e4469375976b860ba61e9f51b93.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\3b7965955c76752c635a89d5124c15ec90a91e4469375976b860ba61e9f51b93.exe"
    depth: 2
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Install\Host.exe
      command line: -m "C:\Users\Admin\AppData\Local\Temp\3b7965955c76752c635a89d5124c15ec90a91e4469375976b860ba61e9f51b93.exe"
      depth: 3
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Roaming\Install\Host.exe
        command line: "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        depth: 4
        - Executes dropped EXE
        - Modifies Installed Components in the registry
        - Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Roaming\2gawda1afwfwyt21a
Filesize: 263B
MD5: dfae9d9b51e2e0887dae38074186a600
SHA1: 89d59bdbf68eddaf5f8facc82b1ebf8ee3992b15
SHA256: aa2d43f866891e70424fad9d68e26868abe3f57b613b0dbaa7d73a4cdf56e2aa
SHA512: 6d7b345efe037f6c7cc64ce5e3b1a4b5d34601501761b5a29c221cdeeba5932e64252884bf16cae33aedd1601297c9f9d93cc96fc7ea625345b39c9d81ad6e50

C:\Users\Admin\AppData\Roaming\HALF_BAKED[1998]DVDRIP.AVI.avi
Filesize: 84KB
MD5: 073a02afc81db5e60af9e7eb5cb158c7
SHA1: 61a1e4f257ddfd428adb6d6e68c5266c2484a5ca
SHA256: 82a64a71c77cfa8b71285a122c873b0374e835d67c06cf8527ef288f6b8936ce
SHA512: c77dd672c6063ca5ee33b7c3709b5ba0204bc789e89f2fbbe069710664cbe12742f54ca39f81f1ce1622f0fd9b0a795bfe6149995f1e6d18ba1258e4d72e2726

C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize: 141KB
MD5: 9f3a2c39b2697ccfb4fbd3a9317c3f8b
SHA1: 45af562894d49f33aa15316e3a975d8de13921a8
SHA256: 3b7965955c76752c635a89d5124c15ec90a91e4469375976b860ba61e9f51b93
SHA512: f50efc6d91c1768a740db7e58eacc9d65d5f81fb3ea899c1533a31e3c276ae99f2fafdc9922c697e0c80ebe541bfe0265a492f5b19a9fb2fff60d9c0b4240428

C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize: 141KB
MD5: 9f3a2c39b2697ccfb4fbd3a9317c3f8b
SHA1: 45af562894d49f33aa15316e3a975d8de13921a8
SHA256: 3b7965955c76752c635a89d5124c15ec90a91e4469375976b860ba61e9f51b93
SHA512: f50efc6d91c1768a740db7e58eacc9d65d5f81fb3ea899c1533a31e3c276ae99f2fafdc9922c697e0c80ebe541bfe0265a492f5b19a9fb2fff60d9c0b4240428

C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize: 141KB
MD5: 9f3a2c39b2697ccfb4fbd3a9317c3f8b
SHA1: 45af562894d49f33aa15316e3a975d8de13921a8
SHA256: 3b7965955c76752c635a89d5124c15ec90a91e4469375976b860ba61e9f51b93
SHA512: f50efc6d91c1768a740db7e58eacc9d65d5f81fb3ea899c1533a31e3c276ae99f2fafdc9922c697e0c80ebe541bfe0265a492f5b19a9fb2fff60d9c0b4240428

C:\Users\Admin\AppData\Roaming\KYdrxQ9SE2UvHWh-eofJq0DG9kwYbrV-9wmXESoHMLtaGOi-JE8MpifY97Avm3V.exe
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

\Users\Admin\AppData\Local\Temp\nso2DB8.tmp\deviances.dll
Filesize: 63KB
MD5: c80dd075d9b0fc3f46674169909c0ebf
SHA1: cbb8b6b10a598bd4625a917be7de0868d2c1bd50
SHA256: 59e36818923aa15c98738715460ed8928005d27447dad880d7cadaf09ebf576d
SHA512: 8c582e8ff3b283769f3a8e254548a6ddf5f424da117633819a0531a457c355f4f8e638a396fbc4150565b2f77ee4ae045a20ad5c039ee9e6f29d8ae89d68faa4

\Users\Admin\AppData\Local\Temp\nso7024.tmp\deviances.dll
Filesize: 63KB
MD5: c80dd075d9b0fc3f46674169909c0ebf
SHA1: cbb8b6b10a598bd4625a917be7de0868d2c1bd50
SHA256: 59e36818923aa15c98738715460ed8928005d27447dad880d7cadaf09ebf576d
SHA512: 8c582e8ff3b283769f3a8e254548a6ddf5f424da117633819a0531a457c355f4f8e638a396fbc4150565b2f77ee4ae045a20ad5c039ee9e6f29d8ae89d68faa4

\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize: 141KB
MD5: 9f3a2c39b2697ccfb4fbd3a9317c3f8b
SHA1: 45af562894d49f33aa15316e3a975d8de13921a8
SHA256: 3b7965955c76752c635a89d5124c15ec90a91e4469375976b860ba61e9f51b93
SHA512: f50efc6d91c1768a740db7e58eacc9d65d5f81fb3ea899c1533a31e3c276ae99f2fafdc9922c697e0c80ebe541bfe0265a492f5b19a9fb2fff60d9c0b4240428

\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize: 141KB
MD5: 9f3a2c39b2697ccfb4fbd3a9317c3f8b
SHA1: 45af562894d49f33aa15316e3a975d8de13921a8
SHA256: 3b7965955c76752c635a89d5124c15ec90a91e4469375976b860ba61e9f51b93
SHA512: f50efc6d91c1768a740db7e58eacc9d65d5f81fb3ea899c1533a31e3c276ae99f2fafdc9922c697e0c80ebe541bfe0265a492f5b19a9fb2fff60d9c0b4240428
memory/464-69-0x0000000000000000-mapping.dmp

memory/576-71-0x0000000000400000-0x000000000041E000-memory.dmp
Filesize: 120KB

memory/576-67-0x0000000000400000-0x000000000041E000-memory.dmp
Filesize: 120KB

memory/576-64-0x00000000004021DA-mapping.dmp

memory/576-63-0x0000000000400000-0x000000000041E000-memory.dmp
Filesize: 120KB

memory/576-61-0x0000000000400000-0x000000000041E000-memory.dmp
Filesize: 120KB

memory/576-59-0x0000000000400000-0x000000000041E000-memory.dmp
Filesize: 120KB

memory/576-57-0x0000000000400000-0x000000000041E000-memory.dmp
Filesize: 120KB

memory/576-56-0x0000000000400000-0x000000000041E000-memory.dmp
Filesize: 120KB

memory/1360-87-0x00000000004021DA-mapping.dmp

memory/1360-92-0x0000000000400000-0x000000000041E000-memory.dmp
Filesize: 120KB

memory/1824-54-0x0000000075F21000-0x0000000075F23000-memory.dmp
Filesize: 8KB