Analysis
max time kernel: 126s
max time network: 139s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 27-11-2022 19:29
Static task: static1
Behavioral task: behavioral1
  Sample: 7e2e43809394b213e0a404eabbe6dc3637e9987f333f6fb0faec7d5a93807fa5.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 7e2e43809394b213e0a404eabbe6dc3637e9987f333f6fb0faec7d5a93807fa5.exe
  Resource: win10v2004-20221111-en
(The signatures, process tree and dumps below are from behavioral1, the Windows 7 x64 run.)
General
Target: 7e2e43809394b213e0a404eabbe6dc3637e9987f333f6fb0faec7d5a93807fa5.exe
Size: 136KB
MD5: e60849a081a21f89a82c3a088df8d151
SHA1: ef426b03a7a6d6eca11580054f1fbd2f22eff1aa
SHA256: 7e2e43809394b213e0a404eabbe6dc3637e9987f333f6fb0faec7d5a93807fa5
SHA512: 994a0dbd4169dd4c9a623d590a232e352495bc6c3cf2153229f28cdb0a8ea4f089ce805863ebf2a4b1ae8b38b30d63b401d2307db6e600e7ecb27ea18dffe98b
SSDEEP: 3072:pDDqMbZO754Dui9/PoADWIAWwRo/UnJuNC6S4IuNC6S:pDDqMVO7m6DA6IAFpnJz
Malware Config
Signatures
NetWire RAT payload (4 IoCs)
  resource                                                    yara_rule
  behavioral1/memory/1232-66-0x0000000000000000-mapping.dmp   netwire
  behavioral1/memory/1232-69-0x0000000000400000-0x000000000041E000-memory.dmp   netwire
  behavioral1/memory/1232-71-0x0000000000400000-0x000000000041E000-memory.dmp   netwire
  behavioral1/memory/1232-72-0x0000000000400000-0x000000000041E000-memory.dmp   netwire
All four hits are in PID 1232, the second ghfg.exe instance, and three of them are the same 0x400000-0x41E000 region (the process's image base range) dumped at successive points.
Executes dropped EXE (2 IoCs)
  pid    process
  1352   ghfg.exe
  1232   ghfg.exe
Loads dropped DLL (2 IoCs)
  pid    process
  1044   7e2e43809394b213e0a404eabbe6dc3637e9987f333f6fb0faec7d5a93807fa5.exe
  1044   7e2e43809394b213e0a404eabbe6dc3637e9987f333f6fb0faec7d5a93807fa5.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  key: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\hgfdd
  value: "C:\Users\Admin\AppData\Roaming\subfolder\ghfg.exe"
  process: 7e2e43809394b213e0a404eabbe6dc3637e9987f333f6fb0faec7d5a93807fa5.exe (PID 1044)
The key lives under the current user's hive (HKU\<SID>, i.e. HKCU), so persistence needs no elevation; the value name "hgfdd" and the path under %APPDATA%\subfolder are the hunting indicators.
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature is "likely ransomware behaviour", but nothing else in this report (a NetWire RAT payload match, no mass file writes) supports that reading here; treat it as drive enumeration by the RAT, not as evidence of encryption.
Suspicious use of SetWindowsHookEx (2 IoCs)
  pid    process
  1044   7e2e43809394b213e0a404eabbe6dc3637e9987f333f6fb0faec7d5a93807fa5.exe
  1352   ghfg.exe
Suspicious use of WriteProcessMemory (20 IoCs)
  source pid / process                                                          target pid / process   writes
  1044  7e2e43809394b213e0a404eabbe6dc3637e9987f333f6fb0faec7d5a93807fa5.exe   1352  ghfg.exe         4
  1352  ghfg.exe                                                                1232  ghfg.exe         16
The original report lists each write as a separate row ("PID 1044 wrote to memory of 1352 ...", "PID 1352 wrote to memory of 1232 ..."); the table above collapses the 20 identical rows into counts. The 16 writes from ghfg.exe into a second copy of itself target the same PID (1232) whose 0x400000-0x41E000 region matched the netwire YARA rule, so the dropped ghfg.exe behaves as a loader that injects the unpacked RAT into a fresh instance of its own image.
Processes
(PIDs are taken from the signature tables above.)
1. C:\Users\Admin\AppData\Local\Temp\7e2e43809394b213e0a404eabbe6dc3637e9987f333f6fb0faec7d5a93807fa5.exe (PID 1044)
   command line: "C:\Users\Admin\AppData\Local\Temp\7e2e43809394b213e0a404eabbe6dc3637e9987f333f6fb0faec7d5a93807fa5.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
  2. C:\Users\Admin\AppData\Roaming\subfolder\ghfg.exe (PID 1352)
     command line: "C:\Users\Admin\AppData\Roaming\subfolder\ghfg.exe"
     - Executes dropped EXE
     - Suspicious use of SetWindowsHookEx
     - Suspicious use of WriteProcessMemory
    3. C:\Users\Admin\AppData\Roaming\subfolder\ghfg.exe (PID 1232)
       command line: "C:\Users\Admin\AppData\Roaming\subfolder\ghfg.exe"
       - Executes dropped EXE
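The signature tables above arrive as flattened text, which is awkward to pivot on. The following is an added example (not part of the sandbox report or of any sandbox tooling) that parses that text shape into hunting indicators: it rebuilds the WriteProcessMemory graph and flags a process writing into a copy of its own image, extracts the Run key value and tests whether it launches from a user-writable location, and recomputes a dump region's size from its name. The embedded sample strings are abridged copies of this report's own lines (only 2 and 3 of the 4 and 16 write rows are kept); the function names and the list of user-writable path markers are the example's own choices.

```python
"""Turn flattened Triage-style signature text into hunting indicators.

Added example, not sandbox code.  The sample strings are abridged copies of
lines from this report; regexes follow the text layout seen on the page.
"""
import re
from collections import Counter
from ntpath import basename

# Abridged from the "Suspicious use of WriteProcessMemory" rows (the report has
# 4 writes 1044->1352 and 16 writes 1352->1232; 2 and 3 are kept here).
WPM_TEXT = (
    "PID 1044 wrote to memory of 1352 1044 "
    "7e2e43809394b213e0a404eabbe6dc3637e9987f333f6fb0faec7d5a93807fa5.exe ghfg.exe "
    "PID 1044 wrote to memory of 1352 1044 "
    "7e2e43809394b213e0a404eabbe6dc3637e9987f333f6fb0faec7d5a93807fa5.exe ghfg.exe "
    "PID 1352 wrote to memory of 1232 1352 ghfg.exe ghfg.exe "
    "PID 1352 wrote to memory of 1232 1352 ghfg.exe ghfg.exe "
    "PID 1352 wrote to memory of 1232 1352 ghfg.exe ghfg.exe"
)

# Copied from the "Adds Run key to start application" row, backslashes doubled
# exactly as the report prints them.
RUN_TEXT = (
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000'
    r'\Software\Microsoft\Windows\CurrentVersion\Run\hgfdd = '
    r'"C:\\Users\\Admin\\AppData\\Roaming\\subfolder\\ghfg.exe"'
)

# Row layout: "PID <src> wrote to memory of <dst> <src> <src image> <dst image>"
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)")
RUN_RE = re.compile(r'Set value \(str\) (\\REGISTRY\\[^ ]*\\Run\\(\w+)) = "([^"]+)"')
DUMP_RE = re.compile(r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")

# Directories a standard user can write to; a Run value pointing here is the
# persistence pattern this report shows (example's own list).
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\",
                 "\\temp\\", "\\users\\public\\")


def parse_wpm(text):
    """Return (source_pid, target_pid, source_image, target_image) per write."""
    return [(int(s), int(t), si, ti) for s, t, si, ti in WPM_RE.findall(text)]


def write_edges(events):
    """Collapse per-call rows into a count per (source, target) pair."""
    return Counter(events)


def self_injection_targets(events):
    """PIDs written to by a process running the same image name.

    A loader writing into a fresh copy of itself is the pattern behind the
    netwire YARA hits on PID 1232's image-base region in this report.
    """
    return sorted({t for _, t, si, ti in events
                   if basename(si).lower() == basename(ti).lower()})


def parse_run_key(text):
    """Extract the Run key path, value name and launch path (unescaped)."""
    key, name, value = RUN_RE.search(text).groups()
    return {"key": key.replace("\\REGISTRY\\USER\\", "HKU\\"),
            "name": name,
            "path": value.replace("\\\\", "\\")}


def run_value_is_suspicious(path):
    """True if the autostart target sits in a user-writable directory."""
    lowered = path.lower()
    return any(marker in lowered for marker in USER_WRITABLE)


def dump_region_kib(name):
    """(pid, size in KiB) for a '<pid>-<n>-<start>-<end>-memory.dmp' name."""
    pid, start, end = DUMP_RE.match(name).groups()
    return int(pid), (int(end, 16) - int(start, 16)) // 1024


if __name__ == "__main__":
    events = parse_wpm(WPM_TEXT)
    for (src, dst, si, ti), n in write_edges(events).items():
        print(f"{src} ({si}) -> {dst} ({ti}): {n} writes")
    print("self-injection targets:", self_injection_targets(events))
    run = parse_run_key(RUN_TEXT)
    print(run, "suspicious" if run_value_is_suspicious(run["path"]) else "ok")
    print(dump_region_kib(
        "memory/1232-69-0x0000000000400000-0x000000000041E000-memory.dmp"))
```

Running it against the abridged rows reports two edges (1044 into 1352, 1352 into 1232), names 1232 as the only self-injection target, flags the Run value because it launches from %APPDATA%, and confirms that the 0x400000-0x41E000 region is the 120KB the Downloads list shows.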
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
Dropped file: C:\Users\Admin\AppData\Roaming\subfolder\ghfg.exe
(the report lists this file five times, three with and two without the drive letter, with identical hashes each time; it is the same size as the submitted sample but has a different hash)
  Filesize: 136KB
  MD5: 046b592569a033fe90e17f4353845137
  SHA1: a01da78db23763cd11f34b237856228a4665a9dc
  SHA256: 8dc49a428b5f29e320f36c23ea935bf80ac5340cafd88b9fa295b119000d134e
  SHA512: 946c747ff6b32415c8d76794c89a817f03dc54380be81cce89c8c9c598a207bb0e6ae5257fbfc00f77823f15576b7d220e83ce21b71babafafb3daad0ce01970

Memory dumps (PID-index-start-end):
  memory/1044-56-0x0000000075071000-0x0000000075073000-memory.dmp   8KB
  memory/1044-61-0x00000000002F0000-0x00000000002F6000-memory.dmp   24KB
  memory/1352-59-0x0000000000000000-mapping.dmp
  memory/1352-68-0x0000000000230000-0x0000000000236000-memory.dmp   24KB
  memory/1232-66-0x0000000000000000-mapping.dmp
  memory/1232-69-0x0000000000400000-0x000000000041E000-memory.dmp   120KB
  memory/1232-71-0x0000000000400000-0x000000000041E000-memory.dmp   120KB
  memory/1232-72-0x0000000000400000-0x000000000041E000-memory.dmp   120KB
The three 120KB dumps of PID 1232 are the regions that matched the netwire YARA rule in the Signatures section.