Analysis
- max time kernel: 220s
- max time network: 292s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 01-12-2022 23:19
Static task: static1
Behavioral task: behavioral1
  Sample: 63d1fc92e09e8534cb2ee7d788ce2ee3bad69af64ef7386562569359167605d0.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 63d1fc92e09e8534cb2ee7d788ce2ee3bad69af64ef7386562569359167605d0.exe
  Resource: win10v2004-20220812-en
General
- Target: 63d1fc92e09e8534cb2ee7d788ce2ee3bad69af64ef7386562569359167605d0.exe
- Size: 189KB
- MD5: 31040235dc0438cef3c784d48a898cfb
- SHA1: 4dc4a414dcb19e82dd2d89dde626e02e42553933
- SHA256: 63d1fc92e09e8534cb2ee7d788ce2ee3bad69af64ef7386562569359167605d0
- SHA512: 4ae2a495a958ebfdf950919659305d5f703131961d0bb06beb01599b7a59e2fe01107291c2a2bf343d0c046c5ba5a8ab4c3b21aabd5ebff4ff1411b8e3eeba4f
- SSDEEP: 3072:DuoFPHAkER5odYLyof0hiMWiDdN4dv9ZsA8zQS6666660:XvNEFlMtAcA8i
Malware Config
Signatures
- NetWire RAT payload 2 IoCs
  Processes (resource, yara_rule):
    behavioral1/memory/1068-66-0x0000000000400000-0x0000000000417000-memory.dmp  netwire
    behavioral1/memory/1296-85-0x0000000000400000-0x0000000000417000-memory.dmp  netwire
- Executes dropped EXE 2 IoCs
  Processes (pid, process):
    1152  Host.exe
    1296  Host.exe
- Modifies Installed Components in the registry 2 TTPs 2 IoCs
  Processes (description, ioc, process):
    Key created     \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{QJQ8KS21-G70T-U444-DEIE-871BIJ57MA26}  Host.exe
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{QJQ8KS21-G70T-U444-DEIE-871BIJ57MA26}\StubPath = "\"C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe\""  Host.exe
- Loads dropped DLL 2 IoCs
  Processes (pid, process):
    1068  63d1fc92e09e8534cb2ee7d788ce2ee3bad69af64ef7386562569359167605d0.exe
    1068  63d1fc92e09e8534cb2ee7d788ce2ee3bad69af64ef7386562569359167605d0.exe
- Adds Run key to start application 2 TTPs 2 IoCs
  Processes (description, ioc, process):
    Key created     \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\  Host.exe
    Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\NetWire = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe"  Host.exe
- Suspicious use of SetThreadContext 2 IoCs
  Processes (description, pid, process, target process):
    PID 1492 set thread context of 1068  1492  63d1fc92e09e8534cb2ee7d788ce2ee3bad69af64ef7386562569359167605d0.exe  63d1fc92e09e8534cb2ee7d788ce2ee3bad69af64ef7386562569359167605d0.exe
    PID 1152 set thread context of 1296  1152  Host.exe  Host.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory 20 IoCs
  Processes (description, pid, process, target process):
    PID 1492 wrote to memory of 1068  1492  63d1fc92e09e8534cb2ee7d788ce2ee3bad69af64ef7386562569359167605d0.exe  63d1fc92e09e8534cb2ee7d788ce2ee3bad69af64ef7386562569359167605d0.exe  (8 identical entries)
    PID 1068 wrote to memory of 1152  1068  63d1fc92e09e8534cb2ee7d788ce2ee3bad69af64ef7386562569359167605d0.exe  Host.exe  (4 identical entries)
    PID 1152 wrote to memory of 1296  1152  Host.exe  Host.exe  (8 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\63d1fc92e09e8534cb2ee7d788ce2ee3bad69af64ef7386562569359167605d0.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\63d1fc92e09e8534cb2ee7d788ce2ee3bad69af64ef7386562569359167605d0.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\63d1fc92e09e8534cb2ee7d788ce2ee3bad69af64ef7386562569359167605d0.exe (depth 2, child of the above)
    Command line: "C:\Users\Admin\AppData\Local\Temp\63d1fc92e09e8534cb2ee7d788ce2ee3bad69af64ef7386562569359167605d0.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Install\Host.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\Install\Host.exe (depth 4)
        Command line: "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        - Executes dropped EXE
        - Modifies Installed Components in the registry
        - Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Install\Host.exe
  Filesize: 189KB
  MD5: 31040235dc0438cef3c784d48a898cfb
  SHA1: 4dc4a414dcb19e82dd2d89dde626e02e42553933
  SHA256: 63d1fc92e09e8534cb2ee7d788ce2ee3bad69af64ef7386562569359167605d0
  SHA512: 4ae2a495a958ebfdf950919659305d5f703131961d0bb06beb01599b7a59e2fe01107291c2a2bf343d0c046c5ba5a8ab4c3b21aabd5ebff4ff1411b8e3eeba4f
- \Users\Admin\AppData\Roaming\Install\Host.exe
  Filesize: 189KB
  MD5: 31040235dc0438cef3c784d48a898cfb
  SHA1: 4dc4a414dcb19e82dd2d89dde626e02e42553933
  SHA256: 63d1fc92e09e8534cb2ee7d788ce2ee3bad69af64ef7386562569359167605d0
  SHA512: 4ae2a495a958ebfdf950919659305d5f703131961d0bb06beb01599b7a59e2fe01107291c2a2bf343d0c046c5ba5a8ab4c3b21aabd5ebff4ff1411b8e3eeba4f
- memory/1068-61-0x0000000000400000-0x0000000000417000-memory.dmp  Filesize: 92KB
- memory/1068-64-0x0000000075491000-0x0000000075493000-memory.dmp  Filesize: 8KB
- memory/1068-65-0x0000000000400000-0x0000000000417000-memory.dmp  Filesize: 92KB
- memory/1068-66-0x0000000000400000-0x0000000000417000-memory.dmp  Filesize: 92KB
- memory/1068-62-0x0000000000401D82-mapping.dmp
- memory/1068-54-0x0000000000400000-0x0000000000417000-memory.dmp  Filesize: 92KB
- memory/1068-59-0x0000000000400000-0x0000000000417000-memory.dmp  Filesize: 92KB
- memory/1068-57-0x0000000000400000-0x0000000000417000-memory.dmp  Filesize: 92KB
- memory/1068-55-0x0000000000400000-0x0000000000417000-memory.dmp  Filesize: 92KB
- memory/1152-69-0x0000000000000000-mapping.dmp
- memory/1296-80-0x0000000000401D82-mapping.dmp
- memory/1296-85-0x0000000000400000-0x0000000000417000-memory.dmp  Filesize: 92KB