Analysis
max time kernel: 98s
max time network: 111s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 03-04-2023 07:38
Behavioral task: behavioral1
Sample: 0300c77c84aa4e40c3bafd3f04a4c54a2f3bf2069db60e255fe4edf3d675fe7d.exe
Resource: win7-20230220-en
General
Target: 0300c77c84aa4e40c3bafd3f04a4c54a2f3bf2069db60e255fe4edf3d675fe7d.exe
Size: 272KB
MD5: c392e134b254a10d3007c4860ac06d95
SHA1: 0b50a024e07b0da75e5080486e2d41634ef6a971
SHA256: 0300c77c84aa4e40c3bafd3f04a4c54a2f3bf2069db60e255fe4edf3d675fe7d
SHA512: 3c7dbde9e79bf60de935d26de42c17cef1d81938eb2e08256e0be2f72646a21cb9daf34866bd54725c330f90fea106e10f500922de4f34135d6c187bee871a09
SSDEEP: 6144:wcCmiQfipBKWzkeHrb08rTj6aBpSYdS1wjzcoeqqD9dIx:wcXiQfipPrb08rTj6+pGWq4x
Malware Config
Extracted
Family: netwire
C2: 94.156.189.115:53
activex_autorun: false
copy_executable: false
delete_original: false
host_id: HostId-%Rand%
install_path: %AppData%\Router\CheckLink.exe
keylogger_dir: TestLink.lnk
lock_executable: false
mutex: pHGKnPeU
offline_keylogger: false
password: 1qaz2wsx.
registry_autorun: false
use_mutex: false
Note: the extracted flags copy_executable, delete_original and use_mutex are all false, yet the behavioural run below shows the sample being dropped at the configured install_path and the dropped copy flagged as "Deletes itself". Treat these fields as config-extractor output and read them alongside the observed behaviour rather than as ground truth; in particular, do not rely on the mutex name for detection.
Signatures
-
NetWire RAT payload 4 IoCs
Processes:
resource yara_rule
\Users\Admin\AppData\Roaming\Router\CheckLink.exe netwire
C:\Users\Admin\AppData\Roaming\Router\CheckLink.exe netwire
\Users\Admin\AppData\Roaming\Router\CheckLink.exe netwire
C:\Users\Admin\AppData\Roaming\Router\CheckLink.exe netwire
-
Deletes itself 1 IoCs
Processes:
pid process
1680 CheckLink.exe
-
Drops startup file 1 IoCs
Processes:
description ioc process
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TestLink.lnk CheckLink.exe
-
Executes dropped EXE 1 IoCs
Processes:
pid process
1680 CheckLink.exe
-
Loads dropped DLL 2 IoCs
Processes:
pid process
1948 0300c77c84aa4e40c3bafd3f04a4c54a2f3bf2069db60e255fe4edf3d675fe7d.exe
1680 CheckLink.exe
-
Unexpected DNS network traffic destination 2 IoCs
Network traffic to servers other than the configured DNS servers was detected on the DNS port. The destination matches the C2 endpoint in the extracted config (94.156.189.115:53): this is RAT command-and-control on port 53, not name resolution, so a port-53 allow rule that does not pin the destination to the configured resolvers would let it through.
Processes:
description ioc
Destination IP 94.156.189.115
Destination IP 94.156.189.115
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. This is a generic heuristic signature; nothing else in this run reports file encryption, and the sample is classified as NetWire (a RAT), so do not read it as evidence of ransomware.
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
description pid process target process
PID 1948 wrote to memory of 1680 1948 0300c77c84aa4e40c3bafd3f04a4c54a2f3bf2069db60e255fe4edf3d675fe7d.exe CheckLink.exe
PID 1948 wrote to memory of 1680 1948 0300c77c84aa4e40c3bafd3f04a4c54a2f3bf2069db60e255fe4edf3d675fe7d.exe CheckLink.exe
PID 1948 wrote to memory of 1680 1948 0300c77c84aa4e40c3bafd3f04a4c54a2f3bf2069db60e255fe4edf3d675fe7d.exe CheckLink.exe
PID 1948 wrote to memory of 1680 1948 0300c77c84aa4e40c3bafd3f04a4c54a2f3bf2069db60e255fe4edf3d675fe7d.exe CheckLink.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\0300c77c84aa4e40c3bafd3f04a4c54a2f3bf2069db60e255fe4edf3d675fe7d.exe (PID 1948)
   Command line: "C:\Users\Admin\AppData\Local\Temp\0300c77c84aa4e40c3bafd3f04a4c54a2f3bf2069db60e255fe4edf3d675fe7d.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\Router\CheckLink.exe (PID 1680, child of 1948)
      Command line: "C:\Users\Admin\AppData\Roaming\Router\CheckLink.exe" -m "C:\Users\Admin\AppData\Local\Temp\0300c77c84aa4e40c3bafd3f04a4c54a2f3bf2069db60e255fe4edf3d675fe7d.exe"
      - Deletes itself
      - Drops startup file
      - Executes dropped EXE
      - Loads dropped DLL
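As an added example (not code from the sandbox, the page, or any vendor tooling), the following Python turns the indicators above into checks over Sysmon-style events: the install path and C2 from the extracted config, the Startup .lnk from the "Drops startup file" signature, the `-m <original path>` relaunch from the process tree, the sample hash, and the "port 53 to a non-resolver" logic behind the "Unexpected DNS network traffic destination" signature. The five events and the resolver address 10.0.0.2 are constructed for illustration; the indicator values are copied from the report.

```python
"""Added example: match the report's NetWire IoCs against Sysmon-style events.
The events and the resolver address are constructed; the IoC values come
from the sandbox report above."""

import json
import re

# Indicators taken from the report (extracted config plus observed behaviour).
IOCS = {
    "c2": ("94.156.189.115", 53),                       # config: 94.156.189.115:53
    "install_path": r"%AppData%\Router\CheckLink.exe",  # config: install_path
    "startup_lnk": r"\Microsoft\Windows\Start Menu\Programs\Startup\TestLink.lnk",
    "sha256": "0300c77c84aa4e40c3bafd3f04a4c54a2f3bf2069db60e255fe4edf3d675fe7d",
}

# Sandbox user from the report. Assumption: a real hunt expands %AppData% per profile.
SANDBOX_USER = "Admin"

# Dropped copy relaunched with "-m <original path>", as seen in the process tree.
RELAUNCH_RE = re.compile(r'\s-m\s+"[^"]+"')

# Constructed Sysmon-style events, one JSON object per line (EventID 1 = process
# create, 3 = network connect, 11 = file create). The first three mirror the
# report's process tree and signatures; the last two are benign noise.
SAMPLE_EVENTS = r"""
{"EventID": 1, "Image": "C:\\Users\\Admin\\AppData\\Roaming\\Router\\CheckLink.exe", "CommandLine": "\"C:\\Users\\Admin\\AppData\\Roaming\\Router\\CheckLink.exe\" -m \"C:\\Users\\Admin\\AppData\\Local\\Temp\\0300c77c84aa4e40c3bafd3f04a4c54a2f3bf2069db60e255fe4edf3d675fe7d.exe\"", "Hashes": "SHA256=0300c77c84aa4e40c3bafd3f04a4c54a2f3bf2069db60e255fe4edf3d675fe7d"}
{"EventID": 11, "Image": "C:\\Users\\Admin\\AppData\\Roaming\\Router\\CheckLink.exe", "TargetFilename": "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\TestLink.lnk"}
{"EventID": 3, "Image": "C:\\Users\\Admin\\AppData\\Roaming\\Router\\CheckLink.exe", "DestinationIp": "94.156.189.115", "DestinationPort": 53, "Protocol": "tcp"}
{"EventID": 3, "Image": "C:\\Windows\\System32\\svchost.exe", "DestinationIp": "10.0.0.2", "DestinationPort": 53, "Protocol": "udp"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe", "Hashes": "SHA256=0000000000000000000000000000000000000000000000000000000000000000"}
"""


def expand_path(path, user=SANDBOX_USER):
    """Expand the config's %AppData% placeholder for one user profile."""
    return path.replace("%AppData%", rf"C:\Users\{user}\AppData\Roaming")


def parse_events(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def match_event(ev):
    """Return the names of the IoCs one event hits (empty list if clean)."""
    hits = []
    if ev.get("Image", "").lower() == expand_path(IOCS["install_path"]).lower():
        hits.append("install_path")
    if ev.get("TargetFilename", "").lower().endswith(IOCS["startup_lnk"].lower()):
        hits.append("startup_lnk")
    if (ev.get("DestinationIp"), ev.get("DestinationPort")) == IOCS["c2"]:
        hits.append("c2")
    # Sysmon "Hashes" is "ALG=value,ALG=value"; compare the SHA256 entry only.
    for part in ev.get("Hashes", "").split(","):
        if part.strip().lower() == f"sha256={IOCS['sha256']}":
            hits.append("sha256")
    # The install-path binary launched with -m "<path>" is the relaunch pattern
    # from the process tree; require the image match so plain "-m" is not enough.
    if "install_path" in hits and RELAUNCH_RE.search(ev.get("CommandLine", "")):
        hits.append("netwire_m_relaunch")
    return hits


def unexpected_dns_destinations(events, configured_dns):
    """Mirror the sandbox signature: port-53 connections to hosts that are not
    the configured resolvers. NetWire's C2 on :53 shows up here, normal DNS does not."""
    return sorted({
        ev["DestinationIp"] for ev in events
        if ev.get("EventID") == 3 and ev.get("DestinationPort") == 53
        and ev.get("DestinationIp") not in configured_dns
    })


def scan(text=SAMPLE_EVENTS, configured_dns=("10.0.0.2",)):
    """Run both checks and return {"hits": {event index: [ioc names]}, "unexpected_dns": [ips]}."""
    events = parse_events(text)
    hits = {i: h for i, ev in enumerate(events) if (h := match_event(ev))}
    return {"hits": hits, "unexpected_dns": unexpected_dns_destinations(events, configured_dns)}


if __name__ == "__main__":
    print(json.dumps(scan(), indent=2))
```

The config's mutex (pHGKnPeU) is deliberately not in the check: Sysmon does not log mutex creation, and the extracted config says use_mutex is false, so it is a weak indicator. The path comparison is case-insensitive because NTFS is; the hash check uses the full SHA256 rather than MD5, since the report lists both and MD5 collisions are cheap.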
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Roaming\Router\CheckLink.exe (also recorded under the drive-less path \Users\Admin\AppData\Roaming\Router\CheckLink.exe)
Filesize: 272KB
MD5: c392e134b254a10d3007c4860ac06d95
SHA1: 0b50a024e07b0da75e5080486e2d41634ef6a971
SHA256: 0300c77c84aa4e40c3bafd3f04a4c54a2f3bf2069db60e255fe4edf3d675fe7d
SHA512: 3c7dbde9e79bf60de935d26de42c17cef1d81938eb2e08256e0be2f72646a21cb9daf34866bd54725c330f90fea106e10f500922de4f34135d6c187bee871a09
These hashes are identical to the submitted sample's, so the dropped CheckLink.exe is a byte-for-byte copy of the original and the same file hash covers both locations.