Analysis
  max time kernel:   151s
  max time network:  157s
  platform:          windows10-2004_x64
  resource:          win10v2004-20220901-en
  resource tags:     arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  submitted:         28-11-2022 08:49
Tasks
  static1      static task
  behavioral1  sample 0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe  resource win7-20220812-en
  behavioral2  sample 0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe  resource win10v2004-20220901-en

The signatures, process tree, dropped files and memory dumps shown on this page come from behavioral2 (Windows 10 2004 x64); the memory dump names carry the behavioral2/ prefix.
General
  Target:  0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe
  Size:    533KB
  MD5:     9ef3eb3bdfc86bfdb5c131fe229d6c6c
  SHA1:    cb86276276349a1b973869aa84bb44048b2cdfe5
  SHA256:  0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1
  SHA512:  3ab04c41784f70299969d22c4fb076c15c5178d6765c72269246790197421ba142ca624d4cbb41db2a8f9bcd929fff9a4e207933d3beb64fddf43b86103ec31a
  SSDEEP:  6144:qTyU80LGVHKDpIoiiPmj8bc5kLGxXtPdomPDNmr2cmuD/4Djh9gH2RdEkNMM+6et:mtj6GQ0m5AgZmbDgPg2R3LrxAu

Malware Config
  (no entries on the report page)
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  process: reg.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
                   = "C:\Users\Admin\AppData\Local\Temp\FolderName\file.exe"
  The per-user Winlogon Shell value (default explorer.exe) is pointed at file.exe, which the Downloads section shows to be a byte-identical copy of the sample, so the copy is started as the shell at this user's next interactive logon.
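The persistence IoC above reduces to one check: the per-user Winlogon\Shell value is something other than explorer.exe. The Python below is an added example (not part of the Triage report or of the sample) that applies that check to the two shapes the evidence takes on this page, a registry "Set value" event and a reg.exe command line, normalising the \REGISTRY\USER\<SID>\... and HKCU\... spellings so they compare equal. The event and command-line inputs are constructed from this report's IoCs; the function and field names are the example's own.

```python
"""Detect Winlogon Shell persistence of the kind this report records.

Added example, not part of the Triage report or of the sample. One check,
"the per-user Winlogon\\Shell value is not explorer.exe", applied to two
input shapes: a registry 'Set value' event and a reg.exe command line.
Sample inputs are constructed from this report's IoCs; function and field
names are this example's own.
"""
import re
from typing import Optional

DEFAULT_SHELL = "explorer.exe"  # stock Winlogon Shell value

# HKCU spelled three ways: kernel path with the user's SID, long and short hive names.
_HIVE_RE = re.compile(
    r"^(?:\\REGISTRY\\USER\\S-1-5-21-[\d-]+|HKEY_CURRENT_USER|HKCU)(?=\\)", re.I)


def normalise_key(path: str) -> str:
    """Rewrite any HKCU spelling to 'hkcu\\...' so key paths compare equal."""
    return _HIVE_RE.sub("HKCU", path).rstrip("\\").lower()


WINLOGON = normalise_key(r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon")


def check_registry_event(key: str, value_name: str, data: str) -> Optional[dict]:
    """Flag a 'Set value' event that points Winlogon\\Shell away from explorer.exe."""
    if normalise_key(key) != WINLOGON or value_name.lower() != "shell":
        return None
    if data.strip().strip('"').lower() == DEFAULT_SHELL:
        return None
    return {"technique": "Winlogon Shell persistence", "shell": data}


# reg add <key> /v <name> /t <type> /d <data> [/f]; reg may carry a path, key and data may be quoted.
_REG_ADD_RE = re.compile(
    r'^\s*(?:"?[^"\s]*\\)?reg(?:\.exe)?"?\s+add\s+(?:"(?P<qkey>[^"]+)"|(?P<ukey>\S+))\s+(?P<rest>.*)$',
    re.I)
_OPT_RE = re.compile(r'/(?P<opt>[vtd])\s+(?:"(?P<q>[^"]*)"|(?P<u>\S+))', re.I)


def parse_reg_add(cmdline: str) -> Optional[dict]:
    """Split a 'reg add' command line into key, value name, type and data."""
    m = _REG_ADD_RE.match(cmdline)
    if not m:
        return None
    opts = {}
    for o in _OPT_RE.finditer(m.group("rest")):
        opts[o.group("opt").lower()] = o.group("q") if o.group("q") is not None else o.group("u")
    return {"key": m.group("qkey") or m.group("ukey"),
            "value": opts.get("v"), "type": opts.get("t"), "data": opts.get("d")}


def check_cmdline(cmdline: str) -> Optional[dict]:
    """Apply check_registry_event to a reg.exe command line (None if not a reg add)."""
    p = parse_reg_add(cmdline)
    if not p or p["value"] is None or p["data"] is None:
        return None
    finding = check_registry_event(p["key"], p["value"], p["data"])
    if finding:
        finding["cmdline"] = cmdline
    return finding


# Constructed inputs modelled on this report's IoCs.
EVENT_KEY = (r"\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000"
             r"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon")
EVENT_DATA = r"C:\Users\Admin\AppData\Local\Temp\FolderName\file.exe"
MALICIOUS_CMD = (r'reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" '
                 r'/v Shell /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderName\file.exe" /f')
BENIGN_CMD = (r'reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" '
              r'/v Shell /t REG_SZ /d explorer.exe /f')

if __name__ == "__main__":
    print(check_registry_event(EVENT_KEY, "Shell", EVENT_DATA))
    print(check_cmdline(MALICIOUS_CMD))
    print(check_cmdline(BENIGN_CMD))  # None: restoring the default is not flagged
```

The same normalisation is what lets a registry-telemetry rule and a process-creation rule share one allow-list; a rule that only matches the literal string "HKCU" misses the kernel-path form that the sandbox (and Sysmon) report.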
NetWire RAT payload (4 IoCs)
  yara rule "netwire" matched:
    C:\Users\Admin\AppData\Local\Temp\tmp.exe  (on disk; listed twice)
    behavioral2/memory/2008-143-0x0000000000400000-0x000000000041E000-memory.dmp
    behavioral2/memory/2008-145-0x0000000000400000-0x000000000041E000-memory.dmp
  The two memory matches are the image region of PID 2008, the second instance of the sample that PID 3836 wrote into and redirected with SetThreadContext (see below); the on-disk match is the separately dropped 81KB tmp.exe.

Executes dropped EXE (1 IoC)
  PID 1936  tmp.exe

Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation  by 0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation  by wscript.exe

Drops desktop.ini file(s) (2 IoCs)
  process: 0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe
  File created               C:\Windows\assembly\Desktop.ini
  File opened for modification  C:\Windows\assembly\Desktop.ini
  Writing C:\Windows\assembly\Desktop.ini is commonly a side effect of a .NET executable touching the GAC shell folder and is weak evidence on its own.

Suspicious use of SetThreadContext (1 IoC)
  PID 3836 (0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe) set thread context of PID 2008 (a second instance of the same executable).
  Together with the nine WriteProcessMemory events from 3836 to 2008 below, this is the process-hollowing pattern: the parent starts a copy of itself, overwrites its memory, and points a thread at the injected code.

Drops file in Windows directory (3 IoCs)
  process: 0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe
  File opened for modification  C:\Windows\assembly\Desktop.ini
  File opened for modification  C:\Windows\assembly
  File created                  C:\Windows\assembly\Desktop.ini

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  This is the sandbox's generic description for the signature; nothing else in this report (no file encryption, no ransom note) points to ransomware, and the payload identified here is a NetWire RAT.

Program crash (1 IoC)
  WerFault.exe PID 5112, target PID 2008 (0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe, the hollowed instance)

Suspicious behavior: EnumeratesProcesses (5 IoCs)
  PID 3836  0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe  (5 events)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege  PID 3836  0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe

Suspicious use of WriteProcessMemory (24 IoCs)
  "sample" below is 0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe.

  source PID  source process   target PID  target process               events
  3836        sample           5080        cmd.exe                      3
  5080        cmd.exe          5076        wscript.exe                  3
  5076        wscript.exe      1104        cmd.exe                      3
  3836        sample           1936        tmp.exe                      3
  3836        sample           2008        sample (second instance)     9
  1104        cmd.exe          2200        reg.exe                      3
Processes (behavioral2; PIDs taken from the signature IoCs above)

Two chains branch from the sample: a persistence chain (sample -> cmd.exe -> wscript.exe -> cmd.exe -> reg.exe) that registers file.exe as the Winlogon Shell, and an injection chain in which the sample starts a second copy of itself and hollows it, after which that copy crashes under WerFault. The sample runs under WoW64: the child processes it launches by their System32 names are the C:\Windows\SysWOW64 copies (file-system redirection), which is why the image paths and the command lines below differ.

C:\Users\Admin\AppData\Local\Temp\0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe  (PID 3836)
    cmdline:    "C:\Users\Admin\AppData\Local\Temp\0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe"
    signatures: Checks computer location settings; Drops desktop.ini file(s); Suspicious use of SetThreadContext; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe  (PID 5080)
      cmdline:    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\FolderName\mata.bat
      signatures: Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\wscript.exe  (PID 5076)
        cmdline:    wscript.exe "C:\Users\Admin\AppData\Local\Temp\FolderName\invs.vbs" "C:\Users\Admin\AppData\Local\Temp\FolderName\mata2.bat"
        signatures: Checks computer location settings; Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe  (PID 1104)
          cmdline:    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FolderName\mata2.bat" "
          signatures: Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\reg.exe  (PID 2200)
            cmdline:    reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderName\file.exe" /f
            signatures: Modifies WinLogon for persistence

  C:\Users\Admin\AppData\Local\Temp\tmp.exe  (PID 1936)
      cmdline:    "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
      signatures: Executes dropped EXE

  C:\Users\Admin\AppData\Local\Temp\0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe  (PID 2008; second instance of the sample, target of the SetThreadContext call and of 9 WriteProcessMemory events from PID 3836; the netwire yara rule matched its 0x400000-0x41E000 region)
      cmdline:    C:\Users\Admin\AppData\Local\Temp\0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe

    C:\Windows\SysWOW64\WerFault.exe  (PID 5112)
        cmdline:    C:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 312
        signatures: Program crash

C:\Windows\SysWOW64\WerFault.exe  (PID not listed on the page)
    cmdline:    C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2008 -ip 2008
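The tree above is reconstructed by hand from the report's IoCs; the Python below does the same reconstruction mechanically and flags the hollowing chain (a SetThreadContext call on a direct child that runs the parent's own image after the parent has written into it, and whether that child later crashed). It is an added example, not part of the Triage report or of the sample: the process records and event list are constructed from the PIDs, image paths and per-pair counts this page lists, and the record layout and function names are the script's own rather than Triage's export format.

```python
"""Rebuild the process tree from a sandbox report's IoCs and flag the
process-hollowing pattern it shows: a parent writes into a child that runs
the same image, then calls SetThreadContext on it.

Added example, not part of the Triage report or of the sample. PROCS and
EVENTS are constructed from the PIDs, image paths and per-pair counts this
report lists; the record layout and function names are this script's own.
"""
from collections import Counter
from typing import Dict, List, Optional, Tuple

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1.exe")

# pid -> (parent pid, image path); parents come from the process tree and the
# "wrote to memory of" pairs in the report.
PROCS: Dict[int, Tuple[Optional[int], str]] = {
    3836: (None, SAMPLE),
    5080: (3836, r"C:\Windows\SysWOW64\cmd.exe"),
    5076: (5080, r"C:\Windows\SysWOW64\wscript.exe"),
    1104: (5076, r"C:\Windows\SysWOW64\cmd.exe"),
    2200: (1104, r"C:\Windows\SysWOW64\reg.exe"),
    1936: (3836, r"C:\Users\Admin\AppData\Local\Temp\tmp.exe"),
    2008: (3836, SAMPLE),
    5112: (2008, r"C:\Windows\SysWOW64\WerFault.exe"),
}

# (event type, source pid, target pid): the report's 24 WriteProcessMemory IoCs,
# one SetThreadContext IoC and one crash (WerFault 5112 reporting on 2008).
EVENTS: List[Tuple[str, int, int]] = (
    [("write", 3836, 5080)] * 3
    + [("write", 5080, 5076)] * 3
    + [("write", 5076, 1104)] * 3
    + [("write", 3836, 1936)] * 3
    + [("write", 3836, 2008)] * 9
    + [("write", 1104, 2200)] * 3
    + [("set_thread_context", 3836, 2008), ("crash", 5112, 2008)]
)


def lineage(procs: Dict[int, Tuple[Optional[int], str]], pid: int) -> List[int]:
    """Return the chain of PIDs from the root process down to `pid`."""
    chain = [pid]
    while procs[chain[-1]][0] is not None:
        chain.append(procs[chain[-1]][0])
    return chain[::-1]


def write_counts(events) -> Counter:
    """Count WriteProcessMemory events per (source, target) pair."""
    return Counter((s, t) for kind, s, t in events if kind == "write")


def find_hollowing(procs, events) -> List[dict]:
    """Flag SetThreadContext on a direct child running the parent's own image
    after the parent wrote into it; record whether that child later crashed,
    as the hollowed copy did in this report."""
    writes = write_counts(events)
    crashed = {t for kind, _, t in events if kind == "crash"}
    findings = []
    for kind, src, dst in events:
        if kind != "set_thread_context":
            continue
        dst_parent, dst_image = procs[dst]
        same_image = dst_image.lower() == procs[src][1].lower()
        if dst_parent == src and same_image and writes[(src, dst)]:
            findings.append({
                "technique": "process hollowing (self-injection)",
                "parent": src, "child": dst, "image": dst_image,
                "writes": writes[(src, dst)], "crashed": dst in crashed,
            })
    return findings


def render_tree(procs, root: Optional[int] = None, depth: int = 0) -> List[str]:
    """Indented text tree (image basename only), children in PROCS order."""
    lines = []
    for pid, (ppid, image) in procs.items():
        if ppid == root:
            lines.append("  " * depth + f"{pid}  {image.rsplit(chr(92), 1)[-1]}")
            lines.extend(render_tree(procs, pid, depth + 1))
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(PROCS)))
    print("lineage of reg.exe:", " -> ".join(map(str, lineage(PROCS, 2200))))
    for hit in find_hollowing(PROCS, EVENTS):
        print(hit)
```

The same-image test is what separates self-hollowing from the ordinary case of a parent writing into a child it has just created (the three writes to each of cmd.exe, wscript.exe and tmp.exe here); the crash correlation is a useful tie-breaker in telemetry, since a hollowed process that the injected code does not fully set up often dies under WerFault exactly as PID 2008 did.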
Downloads (dropped files)

C:\Users\Admin\AppData\Local\Temp\FolderName\file.exe  533KB
  MD5     9ef3eb3bdfc86bfdb5c131fe229d6c6c
  SHA1    cb86276276349a1b973869aa84bb44048b2cdfe5
  SHA256  0007e545a4e50f361d6ae2a708b0f8c92ce66736bcd334267da7e3951deef3f1
  SHA512  3ab04c41784f70299969d22c4fb076c15c5178d6765c72269246790197421ba142ca624d4cbb41db2a8f9bcd929fff9a4e207933d3beb64fddf43b86103ec31a
  Same size and hashes as the submitted sample: file.exe is a copy of the sample placed in FolderName, the path that reg.exe registers as the Winlogon Shell.

C:\Users\Admin\AppData\Local\Temp\FolderName\invs.vbs  78B
  MD5     c578d9653b22800c3eb6b6a51219bbb8
  SHA1    a97aa251901bbe179a48dbc7a0c1872e163b1f2d
  SHA256  20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2
  SHA512  3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d

C:\Users\Admin\AppData\Local\Temp\FolderName\mata.bat  70B
  MD5     23f72401196919748c14cb64c1d55c3b
  SHA1    869e3809cb4391e6f5aee5349a871e40a1e1fb22
  SHA256  d09c4054568f89c5de2bd9bae9cbcbcb3ef2dda9a9ded0153e29da26dc405d11
  SHA512  2ab844717c31c4819d8773d7604dfc831e950ae9e38fe311acf8178d46f39fafb54b448ebb6b9cf5d1edd47ed36eae11d649c1be346b0a35d380dd07101c79f1

C:\Users\Admin\AppData\Local\Temp\FolderName\mata2.bat  264B
  MD5     e124c4434aca9a49f8207d1fa30128e4
  SHA1    d1e70b4238f594ece857ca1a417d4a5c8b28b62e
  SHA256  b1c0fd1f562cc9dab8db39eb0c1c2dcc44cd2277e6e3ae55730602f4cc14f79c
  SHA512  7cfedaf6e6acce3aad0b206d80be8b28cde9b14dabb9143907934b848ea972c27a282e78c976d1d2a365256bbd4ac275d9bd3e765a448a447df8f9e9ad6b086e

C:\Users\Admin\AppData\Local\Temp\tmp.exe  81KB  (listed twice on the report page with identical hashes; yara: netwire)
  MD5     6e490dfa724c6f4edf62202deead93da
  SHA1    84f0ede9796fb43bd5f47a10d0a0b5303588c22b
  SHA256  42754fd77a139452c87f3b214aa910c718ce0bac372c522995351c8ce49d2109
  SHA512  f20058d5973b6a612d57971f5babf1340dce29c411a7e29406b7163c7d5744dbc8e605f79fb99bc1d3d38a65ab9d7fd3e893483eda59bf2114069b8924ca1d0a

Memory dumps (behavioral2)

  memory/1104-138-0x0000000000000000-mapping.dmp                              cmd.exe (PID 1104)
  memory/1936-139-0x0000000000000000-mapping.dmp                              tmp.exe (PID 1936)
  memory/2008-142-0x0000000000000000-mapping.dmp                              sample, second instance (PID 2008)
  memory/2008-143-0x0000000000400000-0x000000000041E000-memory.dmp   120KB    PID 2008 image region; yara: netwire
  memory/2008-145-0x0000000000400000-0x000000000041E000-memory.dmp   120KB    PID 2008 image region; yara: netwire
  memory/2200-146-0x0000000000000000-mapping.dmp                              reg.exe (PID 2200)
  memory/3836-132-0x0000000074890000-0x0000000074E41000-memory.dmp   5.7MB    sample (PID 3836)
  memory/3836-148-0x0000000074890000-0x0000000074E41000-memory.dmp   5.7MB    sample (PID 3836)
  memory/5076-135-0x0000000000000000-mapping.dmp                              wscript.exe (PID 5076)
  memory/5080-133-0x0000000000000000-mapping.dmp                              cmd.exe (PID 5080)

The two 120KB dumps of PID 2008 cover 0x400000-0x41E000, the region the netwire rule matched; the 533KB on-disk sample and the 81KB tmp.exe are both larger than that unpacked image, so the in-memory payload is neither file written as-is.