Analysis
- max time kernel: 100s
- max time network: 115s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 16-01-2023 18:47
Static task: static1
Behavioral task: behavioral1
  Sample: 4f693009a539fa5179ac1d0e9c52e9f9f87c8032.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: 4f693009a539fa5179ac1d0e9c52e9f9f87c8032.exe
  Resource: win10v2004-20220812-en
General
- Target: 4f693009a539fa5179ac1d0e9c52e9f9f87c8032.exe
- Size: 750KB
- MD5: 278373101cd2d204770e3c8a364eab7f
- SHA1: 4f693009a539fa5179ac1d0e9c52e9f9f87c8032
- SHA256: 467ef57122a909dadc6824af7c479e429cbd53428edece7472eec5993c2568d6
- SHA512: a9cfe1ce7ca9e10c78c2aaff8175a24567a378ebd0f45802ad63bd590c3b23b1d59be8cd35a32d5bba334dacdc93accba9169c00110a922cc705889963cd101d
- SSDEEP: 12288:YYzfWMiSSSSSSSSSSSSSSSS8SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSh:YYr7iSSSSSSSSSSSSSSSS8SSSSSSSSS5
Malware Config
Extracted
- Family: netwire
- C2: oneness.duckdns.org:3368
- activex_autorun: false
- copy_executable: false
- delete_original: false
- host_id: INFLOWS
- lock_executable: false
- offline_keylogger: false
- password: Shedyville
- registry_autorun: false
- use_mutex: false
Signatures
- NetWire RAT payload (1 IoCs)
  Processes (resource | yara_rule):
    behavioral1/memory/1964-67-0x0000000000400000-0x000000000044F000-memory.dmp | netwire
- Executes dropped EXE (2 IoCs)
  Processes (pid | process):
    828 | aetzw.exe
    1964 | aetzw.exe
- Loads dropped DLL (3 IoCs)
  Processes (pid | process):
    2028 | 4f693009a539fa5179ac1d0e9c52e9f9f87c8032.exe
    2028 | 4f693009a539fa5179ac1d0e9c52e9f9f87c8032.exe
    828 | aetzw.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description | ioc | process):
    Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\abjewyslgnygb = "C:\\Users\\Admin\\AppData\\Roaming\\utrvljomikp\\hfifqoxdy.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\aetzw.exe\" C:\\Users\\Admin\\AppData\\Loca" | aetzw.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description | pid | process | target process):
    PID 828 set thread context of 1964 | 828 | aetzw.exe | aetzw.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: MapViewOfSection (1 IoCs)
  Processes (pid | process):
    828 | aetzw.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description | pid | process | target process):
    PID 2028 wrote to memory of 828 | 2028 | 4f693009a539fa5179ac1d0e9c52e9f9f87c8032.exe | aetzw.exe
    PID 2028 wrote to memory of 828 | 2028 | 4f693009a539fa5179ac1d0e9c52e9f9f87c8032.exe | aetzw.exe
    PID 2028 wrote to memory of 828 | 2028 | 4f693009a539fa5179ac1d0e9c52e9f9f87c8032.exe | aetzw.exe
    PID 2028 wrote to memory of 828 | 2028 | 4f693009a539fa5179ac1d0e9c52e9f9f87c8032.exe | aetzw.exe
    PID 828 wrote to memory of 1964 | 828 | aetzw.exe | aetzw.exe
    PID 828 wrote to memory of 1964 | 828 | aetzw.exe | aetzw.exe
    PID 828 wrote to memory of 1964 | 828 | aetzw.exe | aetzw.exe
    PID 828 wrote to memory of 1964 | 828 | aetzw.exe | aetzw.exe
    PID 828 wrote to memory of 1964 | 828 | aetzw.exe | aetzw.exe
Processes (indented by process-tree depth)
- C:\Users\Admin\AppData\Local\Temp\4f693009a539fa5179ac1d0e9c52e9f9f87c8032.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4f693009a539fa5179ac1d0e9c52e9f9f87c8032.exe"
  PID: 2028
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\aetzw.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\aetzw.exe" C:\Users\Admin\AppData\Local\Temp\smxytwf.qx
    PID: 828
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\aetzw.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\aetzw.exe"
      PID: 1964
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\aetzw.exe
  Filesize: 53KB
  MD5: 508c44cc4fe0cbc09ea9910c18d0cd2a
  SHA1: e0339a970aef3f4e7806d06a35816eb6c9fcee4d
  SHA256: 5e12027a35d653b17c3e9ad814cca0e8bbd7d68db0fd11b4a98cdf7d1b9a61ac
  SHA512: 6962e6239f8afbe7255a56c820435467ad74079882e28fe6d460d93cc2307b8c3fb722000c867c6020a50f01f0599444a54322ad44161d91adb4b055833e9d55
- C:\Users\Admin\AppData\Local\Temp\kiatkujj.wma
  Filesize: 292KB
  MD5: ac29d4e9d2b825be8aed38b96e306f55
  SHA1: 117eff1b5269061b65d1f8a21c63a94ff9d2ab04
  SHA256: 8042a2fd282f5b166a4375d9231cc237bd3d2ff83f3e8d7472e8c85c2a915ae7
  SHA512: 9de8bd9f2da59d8cab2d371b0a3985542d2029f5e95d1664e0615c6a01ee16ed31430cb7fd9b9247d2f8d8381aa351208624d363830efe3d044c131b31daee79
- C:\Users\Admin\AppData\Local\Temp\smxytwf.qx
  Filesize: 7KB
  MD5: acba89ee944a157d5c5e7a57a8d06980
  SHA1: de79abec32290a858a98e3d2ae043bced4b6f01a
  SHA256: aa5877d424a9ef6611da85bceacec4175469f5c6033b5ee927b98e4e2c7b8581
  SHA512: 4f07c07c712fa6cf4ef39298425d25005923c534ce45704a40384086f2a7ec3c9e044724c50e38fbc2a94c04fb07482430596e8cf9ebcfc9b6ef8c54b98bcb71
- \Users\Admin\AppData\Local\Temp\aetzw.exe
  Filesize: 53KB
  MD5: 508c44cc4fe0cbc09ea9910c18d0cd2a
  SHA1: e0339a970aef3f4e7806d06a35816eb6c9fcee4d
  SHA256: 5e12027a35d653b17c3e9ad814cca0e8bbd7d68db0fd11b4a98cdf7d1b9a61ac
  SHA512: 6962e6239f8afbe7255a56c820435467ad74079882e28fe6d460d93cc2307b8c3fb722000c867c6020a50f01f0599444a54322ad44161d91adb4b055833e9d55
- memory/828-57-0x0000000000000000-mapping.dmp
- memory/1964-64-0x000000000041AD7B-mapping.dmp
- memory/1964-67-0x0000000000400000-0x000000000044F000-memory.dmp
  Filesize: 316KB
- memory/2028-54-0x0000000075A71000-0x0000000075A73000-memory.dmp
  Filesize: 8KB