Analysis

max time kernel: 141s
max time network: 149s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 13-02-2023 03:48

Static task: static1
Behavioral task: behavioral1
Sample: c30890cf168e8b2bee51789f1c6f7fc9d5f7bb293aceb33eb674d2b4aefb2b2f.exe
Resource: win7-20220901-en
General

Target: c30890cf168e8b2bee51789f1c6f7fc9d5f7bb293aceb33eb674d2b4aefb2b2f.exe
Size: 858KB
MD5: c51582aca3ed8628c84aa4e78a6d5521
SHA1: f69e5d553cd6848dc5f7de5128985beef992d98c
SHA256: c30890cf168e8b2bee51789f1c6f7fc9d5f7bb293aceb33eb674d2b4aefb2b2f
SHA512: c9dfeb3606df191870bba01c26d3d5c2c76bd2c4756d17bee0af008e537bbbe578aaaa15a553d99517dc6752fc8c5b7fb3b4f6b9cecc1210ccdf0df4541c6901
SSDEEP: 12288:H69/qA5V8TO2R+fOD1kL9p+ThiJH2ygiNUDJOgbiZU6XgS0OKPlGwZtD:qqA5VIXbKppEUZS8UAPXgVOKP9PD
Malware Config

Extracted: netwire
212.193.30.230:3363
activex_autorun: false
copy_executable: false
delete_original: false
host_id: HostId-%Rand%
keylogger_dir: %AppData%\Logs\
lock_executable: false
offline_keylogger: true
password: Password@2
registry_autorun: false
use_mutex: false
Signatures

NetWire RAT payload (8 IoCs)
Processes (resource / yara_rule):
- behavioral1/memory/1356-69-0x0000000000400000-0x0000000000433000-memory.dmp: netwire
- behavioral1/memory/1356-70-0x0000000000400000-0x0000000000433000-memory.dmp: netwire
- behavioral1/memory/1356-71-0x0000000000400000-0x0000000000433000-memory.dmp: netwire
- behavioral1/memory/1356-73-0x0000000000400000-0x0000000000433000-memory.dmp: netwire
- behavioral1/memory/1356-74-0x0000000000400000-0x0000000000433000-memory.dmp: netwire
- behavioral1/memory/1356-75-0x000000000040242D-mapping.dmp: netwire
- behavioral1/memory/1356-78-0x0000000000400000-0x0000000000433000-memory.dmp: netwire
- behavioral1/memory/1356-80-0x0000000000400000-0x0000000000433000-memory.dmp: netwire

Suspicious use of SetThreadContext (1 IoC)
Processes (description / pid / process / target process):
- PID 1408 set thread context of 1356: c30890cf168e8b2bee51789f1c6f7fc9d5f7bb293aceb33eb674d2b4aefb2b2f.exe -> c30890cf168e8b2bee51789f1c6f7fc9d5f7bb293aceb33eb674d2b4aefb2b2f.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes (pid / process):
- 1140 powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes (description / pid / process):
- Token: SeDebugPrivilege, 1140 powershell.exe

Suspicious use of WriteProcessMemory (20 IoCs)
Processes (description / pid / process / target process):
- PID 1408 wrote to memory of 1140: c30890cf168e8b2bee51789f1c6f7fc9d5f7bb293aceb33eb674d2b4aefb2b2f.exe -> powershell.exe (4 events)
- PID 1408 wrote to memory of 632: c30890cf168e8b2bee51789f1c6f7fc9d5f7bb293aceb33eb674d2b4aefb2b2f.exe -> schtasks.exe (4 events)
- PID 1408 wrote to memory of 1356: c30890cf168e8b2bee51789f1c6f7fc9d5f7bb293aceb33eb674d2b4aefb2b2f.exe -> c30890cf168e8b2bee51789f1c6f7fc9d5f7bb293aceb33eb674d2b4aefb2b2f.exe (12 events)
Processes

C:\Users\Admin\AppData\Local\Temp\c30890cf168e8b2bee51789f1c6f7fc9d5f7bb293aceb33eb674d2b4aefb2b2f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c30890cf168e8b2bee51789f1c6f7fc9d5f7bb293aceb33eb674d2b4aefb2b2f.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\aUqvaV.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aUqvaV" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA8CE.tmp"
      - Creates scheduled task(s)

    C:\Users\Admin\AppData\Local\Temp\c30890cf168e8b2bee51789f1c6f7fc9d5f7bb293aceb33eb674d2b4aefb2b2f.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\c30890cf168e8b2bee51789f1c6f7fc9d5f7bb293aceb33eb674d2b4aefb2b2f.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\tmpA8CE.tmp
  Filesize: 1KB
  MD5: bbc8c46643085f69b54e420d1344c21c
  SHA1: 4a44e528df2d64ca6fcd435200adf87bb99e7cf1
  SHA256: ef696875a2bb9a433fe6194eea6423157187bea170ed0077174e30eded117625
  SHA512: f67f189dbf093ad0e13662895ab166d5c46bca61ea3bbe89f393f7e9efd0c09c3ae7b6670e27796b15f22bd794172942240f987c3fc18ca3c80cdd3974b98122

memory/632-60-0x0000000000000000-mapping.dmp
memory/1140-59-0x0000000000000000-mapping.dmp
memory/1140-81-0x000000006E4F0000-0x000000006EA9B000-memory.dmp (Filesize: 5.7MB)
memory/1140-79-0x000000006E4F0000-0x000000006EA9B000-memory.dmp (Filesize: 5.7MB)
memory/1356-65-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
memory/1356-78-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
memory/1356-80-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
memory/1356-75-0x000000000040242D-mapping.dmp
memory/1356-64-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
memory/1356-74-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
memory/1356-67-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
memory/1356-69-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
memory/1356-70-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
memory/1356-71-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
memory/1356-73-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
memory/1408-54-0x00000000000F0000-0x00000000001CE000-memory.dmp (Filesize: 888KB)
memory/1408-63-0x0000000004140000-0x000000000418C000-memory.dmp (Filesize: 304KB)
memory/1408-58-0x0000000005420000-0x00000000054A6000-memory.dmp (Filesize: 536KB)
memory/1408-56-0x00000000003E0000-0x00000000003F6000-memory.dmp (Filesize: 88KB)
memory/1408-57-0x0000000000500000-0x000000000050A000-memory.dmp (Filesize: 40KB)
memory/1408-55-0x0000000074B51000-0x0000000074B53000-memory.dmp (Filesize: 8KB)