Analysis
-
max time kernel
358s -
max time network
502s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
28-11-2022 01:25
Static task
static1
Behavioral task
behavioral1
Sample
68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe
Resource
win7-20220812-en
General
-
Target
68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe
-
Size
136KB
-
MD5
21b289e88c52899e189bd93995cd4f45
-
SHA1
4b73d5200538d31d5a8aebab6ca2387df4489d96
-
SHA256
68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b
-
SHA512
013b6644a35bf5611dec48886c177552170b1ac02ae88a5218ce76a6082d664b5c27de61843576679af3f5ba4d95fcc3ca67e65790052bcee52d71eef439f703
-
SSDEEP
3072:RM+9i7SFCIXJZHWYekfrwKQjSs2cRgIuabx0AW9CVcpdPdMJ:RMTCP2YhfrwKQjSYgIuEeAKnLs
Malware Config
Signatures
-
NetWire RAT payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/4308-139-0x0000000000400000-0x0000000000417000-memory.dmp netwire -
Executes dropped EXE 1 IoCs
Processes:
Host.exepid process 4716 Host.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation 68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe -
Loads dropped DLL 2 IoCs
Processes:
68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exepid process 4020 68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe 4020 68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exedescription pid process target process PID 4020 set thread context of 4308 4020 68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe 68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
NSIS installer 4 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Roaming\Setup\Host.exe nsis_installer_1 C:\Users\Admin\AppData\Roaming\Setup\Host.exe nsis_installer_2 C:\Users\Admin\AppData\Roaming\Setup\Host.exe nsis_installer_1 C:\Users\Admin\AppData\Roaming\Setup\Host.exe nsis_installer_2 -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exedescription pid process target process PID 4020 wrote to memory of 4308 4020 68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe 68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe PID 4020 wrote to memory of 4308 4020 68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe 68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe PID 4020 wrote to memory of 4308 4020 68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe 68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe PID 4020 wrote to memory of 4308 4020 68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe 68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe PID 4020 wrote to memory of 4308 4020 68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe 68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe PID 4020 wrote to memory of 4308 4020 68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe 68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe PID 4020 wrote to memory of 4308 4020 68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe 68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe PID 4020 wrote to memory of 4308 4020 68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe 68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe PID 4020 wrote to memory of 4308 4020 68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe 68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe PID 4308 wrote to memory of 4716 4308 68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe Host.exe PID 4308 wrote to memory of 4716 4308 68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe Host.exe PID 4308 wrote to memory of 4716 4308 68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe Host.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe"C:\Users\Admin\AppData\Local\Temp\68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe"C:\Users\Admin\AppData\Local\Temp\68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Setup\Host.exe"C:\Users\Admin\AppData\Roaming\Setup\Host.exe"3⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\nsx42FD.tmp\sprees.dllFilesize
57KB
MD52aac95e2511af03b42b391a420a2db04
SHA1c7aac5b6f68de9c7d6aa3fb91db42b957d000e6c
SHA2565a39e3e9583fa118254280b7a7e55837a3a8aa8e0f9027c014eb163ecd305b17
SHA5128e522dfcd49bd41ab6d2c00a03de97a5302b151763df76ce6532b83dc48181e3ca1df239947d3c8ad55b538691b5567293785fef5d509c3ad9f0131c1912c3aa
-
C:\Users\Admin\AppData\Local\Temp\nsx42FD.tmp\sprees.dllFilesize
57KB
MD52aac95e2511af03b42b391a420a2db04
SHA1c7aac5b6f68de9c7d6aa3fb91db42b957d000e6c
SHA2565a39e3e9583fa118254280b7a7e55837a3a8aa8e0f9027c014eb163ecd305b17
SHA5128e522dfcd49bd41ab6d2c00a03de97a5302b151763df76ce6532b83dc48181e3ca1df239947d3c8ad55b538691b5567293785fef5d509c3ad9f0131c1912c3aa
-
C:\Users\Admin\AppData\Local\Temp\sprees.mjwFilesize
68KB
MD5ebdd3b8ebf400c8d56ef48adf8b78dff
SHA1553dbb7db9457d249683d36114d0fed90087bdac
SHA25650f942da50af23e6149873501452b25cb9ab00e2fec1d6c2cb6c460ce61cdc5d
SHA512c192e9ea00c67f440f309f2f782c6bb7c6fecb773ccc992a57d697bf11cb01c93482c580377463b3a626424b52e9d7d69ce5cd744dd46f710899b61fee73fd9c
-
C:\Users\Admin\AppData\Roaming\Setup\Host.exeFilesize
136KB
MD521b289e88c52899e189bd93995cd4f45
SHA14b73d5200538d31d5a8aebab6ca2387df4489d96
SHA25668aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b
SHA512013b6644a35bf5611dec48886c177552170b1ac02ae88a5218ce76a6082d664b5c27de61843576679af3f5ba4d95fcc3ca67e65790052bcee52d71eef439f703
-
C:\Users\Admin\AppData\Roaming\Setup\Host.exeFilesize
136KB
MD521b289e88c52899e189bd93995cd4f45
SHA14b73d5200538d31d5a8aebab6ca2387df4489d96
SHA25668aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b
SHA512013b6644a35bf5611dec48886c177552170b1ac02ae88a5218ce76a6082d664b5c27de61843576679af3f5ba4d95fcc3ca67e65790052bcee52d71eef439f703
-
memory/4020-134-0x0000000002610000-0x0000000002627000-memory.dmpFilesize
92KB
-
memory/4308-135-0x0000000000000000-mapping.dmp
-
memory/4308-136-0x0000000000400000-0x0000000000417000-memory.dmpFilesize
92KB
-
memory/4308-138-0x0000000000400000-0x0000000000417000-memory.dmpFilesize
92KB
-
memory/4308-139-0x0000000000400000-0x0000000000417000-memory.dmpFilesize
92KB
-
memory/4716-140-0x0000000000000000-mapping.dmp