Analysis
- max time kernel: 102s
- max time network: 115s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 06-03-2023 03:15
Static task: static1
Behavioral task: behavioral1
- Sample: 77d866ee2219b110e1999464f0d0c4913f4ad1d2b8dd4e2ca456da22cc18b9f2.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: 77d866ee2219b110e1999464f0d0c4913f4ad1d2b8dd4e2ca456da22cc18b9f2.exe
- Resource: win10v2004-20230220-en
General
- Target: 77d866ee2219b110e1999464f0d0c4913f4ad1d2b8dd4e2ca456da22cc18b9f2.exe
- Size: 312KB
- MD5: df450053a3624d5a3ec698bbd0f36c73
- SHA1: 0b47abd8fafd93e3a511bccd02022e7ab970c267
- SHA256: 77d866ee2219b110e1999464f0d0c4913f4ad1d2b8dd4e2ca456da22cc18b9f2
- SHA512: 5ec462faf27b7dcd11eea2152d7c5d335024e596ebe1d7afb492897091f3262fb3e6be6df6e84966c0086c8596dd8d10e1bd230cad393778f940e8b6af6ccce9
- SSDEEP: 6144:WYa6AP1e4pG5Jy8Li7b/xxulxRv+lmIi7GMff56pw:WYqJQ5Jy8wklxROmT7GMIpw
Malware Config
Extracted
- Family: netwire
- C2: braboz.duckdns.org:1992
- activex_autorun: false
- copy_executable: false
- delete_original: false
- host_id: prosession
- lock_executable: false
- offline_keylogger: false
- password: golddigger
- registry_autorun: false
- use_mutex: false
Signatures
- Executes dropped EXE (2 IoCs)
  Processes:
  PID 1252 utofycuapq.exe
  PID 1032 utofycuapq.exe
- Loads dropped DLL (2 IoCs)
  Processes:
  PID 1188 77d866ee2219b110e1999464f0d0c4913f4ad1d2b8dd4e2ca456da22cc18b9f2.exe
  PID 1252 utofycuapq.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  utofycuapq.exe: Set value (str) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows\CurrentVersion\Run\rnwgcuuqavf = "C:\\Users\\Admin\\AppData\\Roaming\\nscxhqmvfb\\kgpyeeni.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\utofycuapq.exe\" C:\\Users\\Admin\\AppData\\L"
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  PID 1252 utofycuapq.exe set thread context of PID 1032 utofycuapq.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes:
  PID 1252 utofycuapq.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
  PID 1188 77d866ee2219b110e1999464f0d0c4913f4ad1d2b8dd4e2ca456da22cc18b9f2.exe wrote to memory of PID 1252 utofycuapq.exe
  PID 1188 77d866ee2219b110e1999464f0d0c4913f4ad1d2b8dd4e2ca456da22cc18b9f2.exe wrote to memory of PID 1252 utofycuapq.exe
  PID 1188 77d866ee2219b110e1999464f0d0c4913f4ad1d2b8dd4e2ca456da22cc18b9f2.exe wrote to memory of PID 1252 utofycuapq.exe
  PID 1188 77d866ee2219b110e1999464f0d0c4913f4ad1d2b8dd4e2ca456da22cc18b9f2.exe wrote to memory of PID 1252 utofycuapq.exe
  PID 1252 utofycuapq.exe wrote to memory of PID 1032 utofycuapq.exe
  PID 1252 utofycuapq.exe wrote to memory of PID 1032 utofycuapq.exe
  PID 1252 utofycuapq.exe wrote to memory of PID 1032 utofycuapq.exe
  PID 1252 utofycuapq.exe wrote to memory of PID 1032 utofycuapq.exe
  PID 1252 utofycuapq.exe wrote to memory of PID 1032 utofycuapq.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\77d866ee2219b110e1999464f0d0c4913f4ad1d2b8dd4e2ca456da22cc18b9f2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\77d866ee2219b110e1999464f0d0c4913f4ad1d2b8dd4e2ca456da22cc18b9f2.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\utofycuapq.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\utofycuapq.exe" C:\Users\Admin\AppData\Local\Temp\trrnr.c
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\utofycuapq.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\utofycuapq.exe"
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\rqxtrq.d
  Filesize: 163KB
  MD5: ed0d1740abcb6f94444c47913bb341c7
  SHA1: 28e621349c065d280f9742f2d707c323994e0c72
  SHA256: 84cb13a284559679d88809bdf0b8ac8e12f761e7a993fd866800619b9292e140
  SHA512: 4d2bff4e38cce2b67c65238231bef93bb611d746ea3cbde593461f226eb5404582d1c8979af0cfa79e8278485edcd9bd66d61127e35a0641001238ff82da7512
- C:\Users\Admin\AppData\Local\Temp\trrnr.c
  Filesize: 7KB
  MD5: f08788ddaf0f297f11eef7a9f709a479
  SHA1: 9ac5b634a406a2356028ed87ca1324451104c8e8
  SHA256: c71da89acfa2dcdfb385201ec7237312f62492561996d9ec61b495a29d85276a
  SHA512: 40cc49a8e27dcc847f71a6a11f8765c7a82248e586334ff13dcf723b395320f1a8985b85549e92ebea312396ea810bf6c71b62b95cce20c4d1d158e867341407
- C:\Users\Admin\AppData\Local\Temp\utofycuapq.exe
  Filesize: 15KB
  MD5: df00ae98086d6cf0f6578a472b8c530c
  SHA1: 4cbd7896af95054b8846d59dd280ae465371d582
  SHA256: 3c64a0eefd988fa695f4f43c8ab39b004b0931be52cfb283e82018dc8eb985ec
  SHA512: b8ffec91e72361788ec721d00edd8060c74a0e05b2a5ab6bd369d0ee354454f8c8fd9d867c75c8b01b02b7cf116c1f9849ba69516c34be8d44fc01f0ece074e1
- memory/1032-67-0x0000000000400000-0x000000000042B000-memory.dmp
  Filesize: 172KB
- memory/1032-71-0x0000000000400000-0x000000000042B000-memory.dmp
  Filesize: 172KB
- memory/1032-72-0x0000000000400000-0x000000000042B000-memory.dmp
  Filesize: 172KB
- memory/1252-62-0x0000000000100000-0x0000000000102000-memory.dmp
  Filesize: 8KB