Analysis
- max time kernel: 143s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16-01-2023 18:43
Static task: static1
Behavioral task: behavioral1
- Sample: 4f693009a539fa5179ac1d0e9c52e9f9f87c8032.exe
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: 4f693009a539fa5179ac1d0e9c52e9f9f87c8032.exe
- Resource: win10v2004-20221111-en
General
- Target: 4f693009a539fa5179ac1d0e9c52e9f9f87c8032.exe
- Size: 750KB
- MD5: 278373101cd2d204770e3c8a364eab7f
- SHA1: 4f693009a539fa5179ac1d0e9c52e9f9f87c8032
- SHA256: 467ef57122a909dadc6824af7c479e429cbd53428edece7472eec5993c2568d6
- SHA512: a9cfe1ce7ca9e10c78c2aaff8175a24567a378ebd0f45802ad63bd590c3b23b1d59be8cd35a32d5bba334dacdc93accba9169c00110a922cc705889963cd101d
- SSDEEP: 12288:YYzfWMiSSSSSSSSSSSSSSSS8SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSh:YYr7iSSSSSSSSSSSSSSSS8SSSSSSSSS5
Malware Config
Extracted: netwire
- oneness.duckdns.org:3368
- activex_autorun: false
- copy_executable: false
- delete_original: false
- host_id: INFLOWS
- lock_executable: false
- offline_keylogger: false
- password: Shedyville
- registry_autorun: false
- use_mutex: false
Signatures
- NetWire RAT payload (1 IoCs)
  Processes (resource, yara_rule):
  behavioral2/memory/1568-139-0x0000000000400000-0x000000000044F000-memory.dmp, netwire
- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
  3492, aetzw.exe
  1568, aetzw.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description, ioc, process):
  Set value (str), \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\abjewyslgnygb = "C:\\Users\\Admin\\AppData\\Roaming\\utrvljomikp\\hfifqoxdy.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\aetzw.exe\" C:\\Users\\Admin\\AppData\\Loca", aetzw.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description, pid, process, target process):
  PID 3492 set thread context of 1568, 3492, aetzw.exe, aetzw.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: MapViewOfSection (1 IoCs)
  Processes (pid, process):
  3492, aetzw.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes (description, pid, process, target process):
  PID 2700 wrote to memory of 3492, 2700, 4f693009a539fa5179ac1d0e9c52e9f9f87c8032.exe, aetzw.exe
  PID 2700 wrote to memory of 3492, 2700, 4f693009a539fa5179ac1d0e9c52e9f9f87c8032.exe, aetzw.exe
  PID 2700 wrote to memory of 3492, 2700, 4f693009a539fa5179ac1d0e9c52e9f9f87c8032.exe, aetzw.exe
  PID 3492 wrote to memory of 1568, 3492, aetzw.exe, aetzw.exe
  PID 3492 wrote to memory of 1568, 3492, aetzw.exe, aetzw.exe
  PID 3492 wrote to memory of 1568, 3492, aetzw.exe, aetzw.exe
  PID 3492 wrote to memory of 1568, 3492, aetzw.exe, aetzw.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\4f693009a539fa5179ac1d0e9c52e9f9f87c8032.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4f693009a539fa5179ac1d0e9c52e9f9f87c8032.exe"
  PID: 2700
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\aetzw.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\aetzw.exe" C:\Users\Admin\AppData\Local\Temp\smxytwf.qx
    PID: 3492
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\aetzw.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\aetzw.exe"
      PID: 1568
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\aetzw.exe
  Filesize: 53KB
  MD5: 508c44cc4fe0cbc09ea9910c18d0cd2a
  SHA1: e0339a970aef3f4e7806d06a35816eb6c9fcee4d
  SHA256: 5e12027a35d653b17c3e9ad814cca0e8bbd7d68db0fd11b4a98cdf7d1b9a61ac
  SHA512: 6962e6239f8afbe7255a56c820435467ad74079882e28fe6d460d93cc2307b8c3fb722000c867c6020a50f01f0599444a54322ad44161d91adb4b055833e9d55
- C:\Users\Admin\AppData\Local\Temp\kiatkujj.wma
  Filesize: 292KB
  MD5: ac29d4e9d2b825be8aed38b96e306f55
  SHA1: 117eff1b5269061b65d1f8a21c63a94ff9d2ab04
  SHA256: 8042a2fd282f5b166a4375d9231cc237bd3d2ff83f3e8d7472e8c85c2a915ae7
  SHA512: 9de8bd9f2da59d8cab2d371b0a3985542d2029f5e95d1664e0615c6a01ee16ed31430cb7fd9b9247d2f8d8381aa351208624d363830efe3d044c131b31daee79
- C:\Users\Admin\AppData\Local\Temp\smxytwf.qx
  Filesize: 7KB
  MD5: acba89ee944a157d5c5e7a57a8d06980
  SHA1: de79abec32290a858a98e3d2ae043bced4b6f01a
  SHA256: aa5877d424a9ef6611da85bceacec4175469f5c6033b5ee927b98e4e2c7b8581
  SHA512: 4f07c07c712fa6cf4ef39298425d25005923c534ce45704a40384086f2a7ec3c9e044724c50e38fbc2a94c04fb07482430596e8cf9ebcfc9b6ef8c54b98bcb71
- memory/1568-137-0x0000000000000000-mapping.dmp
- memory/1568-139-0x0000000000400000-0x000000000044F000-memory.dmp
  Filesize: 316KB
- memory/3492-132-0x0000000000000000-mapping.dmp