Analysis
- max time kernel: 101s
- max time network: 104s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 05-01-2023 19:37
Static task: static1
Behavioral task: behavioral1
Sample: outputmalware.exe
Resource: win7-20220812-en
General
- Target: outputmalware.exe
- Size: 2.9MB
- MD5: 2b5eca0c8dcfd123b1790a137feb4146
- SHA1: 57ba47e17ab6de85a6cefa26b3b80a0efa72d4e5
- SHA256: 1f64ef3c5f7690033cf54608c3f4ba61a99c1494a2a2d5aa06f8b6634d8e305b
- SHA512: 94058f6b34f3820130571aec3f82fc89a3ba4198b65fe80e705f82ee7187ac2027ffe054ddabf945c7fff4db36224c74c95e1756ed755de7ea13dfb142c40a94
- SSDEEP: 49152:Qmd9Cf3Vvwxrb/T2vO90d7HjmAFd4A64nsfJdVfZgXKRQHfDTJz1jStov0hlZ0Az:+3qH8qo8V0A
Malware Config
Extracted family: netwire
C2:
- 127.0.0.1:3360
- needforrat.hopto.org:3360
Configuration:
- activex_autorun: false
- copy_executable: false
- delete_original: false
- host_id: HostId-%Rand%
- keylogger_dir: TestLink.lnk
- lock_executable: false
- mutex: JjkhHVmd
- offline_keylogger: false
- password: Password
- registry_autorun: false
- use_mutex: false
Signatures
- NetWire RAT payload (3 IoCs)
  resource                                                      yara_rule
  C:\Users\Admin\AppData\Local\Temp\go-memexec-1401419974.exe   netwire
  C:\Users\Admin\AppData\Local\Temp\go-memexec-1401419974.exe   netwire
  \Users\Admin\AppData\Local\Temp\go-memexec-1401419974.exe     netwire
- Executes dropped EXE (1 IoC)
  pid   process
  748   go-memexec-1401419974.exe
- Drops startup file (1 IoC)
  description    ioc                                                                                          process
  File created   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TestLink.lnk   go-memexec-1401419974.exe
- Loads dropped DLL (1 IoC)
  pid   process
  748   go-memexec-1401419974.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (4 IoCs)
  description                        pid    process             target process
  PID 1324 wrote to memory of 748    1324   outputmalware.exe   go-memexec-1401419974.exe
  PID 1324 wrote to memory of 748    1324   outputmalware.exe   go-memexec-1401419974.exe
  PID 1324 wrote to memory of 748    1324   outputmalware.exe   go-memexec-1401419974.exe
  PID 1324 wrote to memory of 748    1324   outputmalware.exe   go-memexec-1401419974.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\outputmalware.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\outputmalware.exe"
  PID: 1324
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\go-memexec-1401419974.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\go-memexec-1401419974.exe
    PID: 748
    - Executes dropped EXE
    - Drops startup file
    - Loads dropped DLL
Downloads
- C:\Users\Admin\AppData\Local\Temp\go-memexec-1401419974.exe
  Filesize: 273KB
  MD5: 8d832a17a7134571f228bc0da586a541
  SHA1: 274f83a8874d16ff937d3e8c231bcf4916d18fe8
  SHA256: 36b9e2e48e5f7ab4543df7f80d299bb72e65c5f343d8bb1d8bff39764a829c8f
  SHA512: 0b5e00c88a35eb72b0f06d82fe3cd5a84c0520480f3d631ca42c7d3bc04bf33001f84943c6d4e9c8e1abb00414669a978de45b72b6bb8a002cc5c53d86d88bcb
- \Users\Admin\AppData\Local\Temp\go-memexec-1401419974.exe
  Filesize: 273KB
  MD5: 8d832a17a7134571f228bc0da586a541
  SHA1: 274f83a8874d16ff937d3e8c231bcf4916d18fe8
  SHA256: 36b9e2e48e5f7ab4543df7f80d299bb72e65c5f343d8bb1d8bff39764a829c8f
  SHA512: 0b5e00c88a35eb72b0f06d82fe3cd5a84c0520480f3d631ca42c7d3bc04bf33001f84943c6d4e9c8e1abb00414669a978de45b72b6bb8a002cc5c53d86d88bcb
- memory/748-54-0x0000000000000000-mapping.dmp
- memory/748-56-0x0000000075A11000-0x0000000075A13000-memory.dmp
  Filesize: 8KB