Analysis
- max time kernel: 146s
- max time network: 170s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 03-12-2022 21:28
Static task: static1

Behavioral task: behavioral1
- Sample: SecuriteInfo.com.Trojan.PackedNET.389.7639.31497.exe
- Resource: win7-20221111-en

Behavioral task: behavioral2
- Sample: SecuriteInfo.com.Trojan.PackedNET.389.7639.31497.exe
- Resource: win10v2004-20221111-en
General
- Target: SecuriteInfo.com.Trojan.PackedNET.389.7639.31497.exe
- Size: 640KB
- MD5: a2a0aa207be61aa7629ec65e93107316
- SHA1: f3a582a9aff6e53d7746d6a4ee91dfe7f7ccdb76
- SHA256: 93e9e0b438bfaa0c8c140019adb0f683d7c9cf068b900fe9ce3ee319daa4071a
- SHA512: f4e9f4abc485b9fe7fb9ab11302f4c4c40c38ba53cfabb6229f6430adb7201d87d4d763139a7da0be412d8db39f46e196dd52985df4905f2407e3b60caa1a653
- SSDEEP: 12288:jwciJ0Bke2A0uI+87nj9UsG2P5xFfPtIgQQoz0hR2H9jq:60S5AdIvj91B5xF3aZ54hRE9j
Malware Config
Extracted: netwire
- podzeye2.duckdns.org:4433
- activex_autorun: false
- copy_executable: false
- delete_original: false
- host_id: HostId-%Rand%
- lock_executable: false
- offline_keylogger: false
- password: Password
- registry_autorun: false
- use_mutex: false
Signatures
- NetWire RAT payload (7 IoCs)
  Processes:
  resource | yara_rule
  behavioral1/memory/1512-69-0x0000000000400000-0x0000000000450000-memory.dmp | netwire
  behavioral1/memory/1512-71-0x0000000000400000-0x0000000000450000-memory.dmp | netwire
  behavioral1/memory/1512-72-0x0000000000400000-0x0000000000450000-memory.dmp | netwire
  behavioral1/memory/1512-74-0x0000000000400000-0x0000000000450000-memory.dmp | netwire
  behavioral1/memory/1512-75-0x000000000041AE7B-mapping.dmp | netwire
  behavioral1/memory/1512-78-0x0000000000400000-0x0000000000450000-memory.dmp | netwire
  behavioral1/memory/1512-79-0x0000000000400000-0x0000000000450000-memory.dmp | netwire

- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description | pid | process | target process
  PID 2036 set thread context of 1512 | 2036 | SecuriteInfo.com.Trojan.PackedNET.389.7639.31497.exe | SecuriteInfo.com.Trojan.PackedNET.389.7639.31497.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

- Suspicious behavior: EnumeratesProcesses (18 IoCs)
  Processes:
  pid | process
  2036 | SecuriteInfo.com.Trojan.PackedNET.389.7639.31497.exe (17 identical entries)
  1496 | powershell.exe

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 2036 | SecuriteInfo.com.Trojan.PackedNET.389.7639.31497.exe
  Token: SeDebugPrivilege | 1496 | powershell.exe

- Suspicious use of WriteProcessMemory (19 IoCs)
  Processes:
  description | pid | process | target process
  PID 2036 wrote to memory of 1496 | 2036 | SecuriteInfo.com.Trojan.PackedNET.389.7639.31497.exe | powershell.exe (4 identical entries)
  PID 2036 wrote to memory of 1920 | 2036 | SecuriteInfo.com.Trojan.PackedNET.389.7639.31497.exe | schtasks.exe (4 identical entries)
  PID 2036 wrote to memory of 1512 | 2036 | SecuriteInfo.com.Trojan.PackedNET.389.7639.31497.exe | SecuriteInfo.com.Trojan.PackedNET.389.7639.31497.exe (11 identical entries)
Processes
- [level 1] C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.389.7639.31497.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.389.7639.31497.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - [level 2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DaYzQRrVVR.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  - [level 2] C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DaYzQRrVVR" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF410.tmp"
    - Creates scheduled task(s)

  - [level 2] C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.389.7639.31497.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.389.7639.31497.exe"
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpF410.tmp
  Filesize: 1KB
  MD5: 095f0e324c38a0fc74c6427d7b1d70e2
  SHA1: cd7156801eddf8bffb9d56344113b49a923f4a36
  SHA256: f605122f5345444a388fc9089c90e7c13f50c9a08848bb65b2bc3e0b98d9f6e1
  SHA512: 53e2f5e3299dcf2d030767fd1509d68e7e6eb745651ef1a07633f91aa5c966493209fb2ec09d0fe8d72b3153a5ab5e66777087e95b3be267ece3c3736ed91802
- memory/1496-59-0x0000000000000000-mapping.dmp
- memory/1496-81-0x000000006DF80000-0x000000006E52B000-memory.dmp (Filesize: 5.7MB)
- memory/1496-80-0x000000006DF80000-0x000000006E52B000-memory.dmp (Filesize: 5.7MB)
- memory/1512-65-0x0000000000400000-0x0000000000450000-memory.dmp (Filesize: 320KB)
- memory/1512-71-0x0000000000400000-0x0000000000450000-memory.dmp (Filesize: 320KB)
- memory/1512-79-0x0000000000400000-0x0000000000450000-memory.dmp (Filesize: 320KB)
- memory/1512-78-0x0000000000400000-0x0000000000450000-memory.dmp (Filesize: 320KB)
- memory/1512-75-0x000000000041AE7B-mapping.dmp
- memory/1512-64-0x0000000000400000-0x0000000000450000-memory.dmp (Filesize: 320KB)
- memory/1512-74-0x0000000000400000-0x0000000000450000-memory.dmp (Filesize: 320KB)
- memory/1512-67-0x0000000000400000-0x0000000000450000-memory.dmp (Filesize: 320KB)
- memory/1512-69-0x0000000000400000-0x0000000000450000-memory.dmp (Filesize: 320KB)
- memory/1512-72-0x0000000000400000-0x0000000000450000-memory.dmp (Filesize: 320KB)
- memory/1920-60-0x0000000000000000-mapping.dmp
- memory/2036-58-0x0000000005610000-0x0000000005694000-memory.dmp (Filesize: 528KB)
- memory/2036-54-0x00000000009F0000-0x0000000000A90000-memory.dmp (Filesize: 640KB)
- memory/2036-63-0x00000000045F0000-0x000000000463A000-memory.dmp (Filesize: 296KB)
- memory/2036-57-0x00000000003D0000-0x00000000003DE000-memory.dmp (Filesize: 56KB)
- memory/2036-56-0x00000000003B0000-0x00000000003C6000-memory.dmp (Filesize: 88KB)
- memory/2036-55-0x0000000075A91000-0x0000000075A93000-memory.dmp (Filesize: 8KB)