Analysis
- max time kernel: 150s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20240215-en
- resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
- submitted: 04-05-2024 04:04
Static task: static1
Behavioral task: behavioral1
- Sample: New Order.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: New Order.exe
- Resource: win10v2004-20240419-en
Behavioral task: behavioral3
- Sample: order list.exe
- Resource: win7-20240215-en
Behavioral task: behavioral4
- Sample: order list.exe
- Resource: win10v2004-20240419-en
General
- Target: order list.exe
- Size: 644KB
- MD5: d2bdfbfa39edbb7b3823e241290a567b
- SHA1: 2a36ff5df72bbcc71ae4a47c6db12d3f36e47eec
- SHA256: 94b7faaa8caa0ffc8b44bce17629f8f758d79db26276a2b2844d6ac1fde122d3
- SHA512: 02be573dfe4e12505404973d55f196e088e2663940317e849eefad49c0a22a5f6b5d34230e2285bbe500716774f19851cb608edd614789c03574eec0cb602a70
- SSDEEP: 12288:QNHoLQeRh4W8ZJ76qXIvhMPmMXCiQ3dGfAWipVzCqo1r9zu4V:2HoLQeRh4P/6qXIv6+MXT+cizdgr9zuQ
Malware Config
Extracted: netwire
C2:
- 213.183.58.34:1030
- blackhills.ddns.net:1030
- blackhills.ddns.net:1031
- 213.183.58.34:1031
Configuration:
- activex_autorun: true
- activex_key: {P2HS6W4T-M16S-63O5-N061-BDQICW15LK6G}
- copy_executable: true
- delete_original: true
- host_id: HostId-%Rand%
- install_path: %AppData%\Install\Host.exe
- keylogger_dir: %AppData%\Logs\
- lock_executable: true
- mutex: HxAduTti
- offline_keylogger: true
- password: Password
- registry_autorun: true
- startup_name: svchost
- use_mutex: true
Signatures
- Babylon RAT
  Babylon RAT is a remote access trojan written in C++.
- NetWire RAT payload (6 IoCs)
  resource | yara_rule
  behavioral3/files/0x0008000000015c85-48.dat | netwire
  behavioral3/memory/2432-87-0x0000000000400000-0x0000000000420000-memory.dmp | netwire
  behavioral3/memory/1672-98-0x0000000000400000-0x0000000000420000-memory.dmp | netwire
  behavioral3/memory/1672-100-0x0000000000400000-0x0000000000420000-memory.dmp | netwire
  behavioral3/memory/1672-107-0x0000000000400000-0x0000000000420000-memory.dmp | netwire
  behavioral3/memory/1672-109-0x0000000000400000-0x0000000000420000-memory.dmp | netwire
- Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{P2HS6W4T-M16S-63O5-N061-BDQICW15LK6G} | Host.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{P2HS6W4T-M16S-63O5-N061-BDQICW15LK6G}\StubPath = "\"C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe\"" | Host.exe
- Executes dropped EXE (6 IoCs)
  pid | Process
  2936 | c496228d2aee918eb567f499a542387ea28.exec496228d2aee918eb567f499a542387ea28.exe
  2712 | order list.exe
  2432 | Host.exeHost.exe
  2836 | c496228d2aee918eb567f499a542387ea28.exec496228d2aee918eb567f499a542387ea28.exe
  1672 | Host.exe
  1968 | rundll.exe
- Loads dropped DLL (17 IoCs)
  pid | Process | occurrences
  1772 | order list.exe | 3
  2196 | WerFault.exe | 7
  2936 | c496228d2aee918eb567f499a542387ea28.exec496228d2aee918eb567f499a542387ea28.exe | 3
  2432 | Host.exeHost.exe | 2
  2836 | c496228d2aee918eb567f499a542387ea28.exec496228d2aee918eb567f499a542387ea28.exe | 2
- UPX yara matches (7 IoCs)
  resource | yara_rule
  behavioral3/memory/2712-22-0x0000000000400000-0x00000000004C9000-memory.dmp | upx
  behavioral3/memory/2712-20-0x0000000000400000-0x00000000004C9000-memory.dmp | upx
  behavioral3/memory/2712-18-0x0000000000400000-0x00000000004C9000-memory.dmp | upx
  behavioral3/memory/2712-28-0x0000000000400000-0x00000000004C9000-memory.dmp | upx
  behavioral3/memory/2712-31-0x0000000000400000-0x00000000004C9000-memory.dmp | upx
  behavioral3/memory/2712-29-0x0000000000400000-0x00000000004C9000-memory.dmp | upx
  behavioral3/memory/2712-30-0x0000000000400000-0x00000000004C9000-memory.dmp | upx
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe" | Host.exe
- Suspicious use of SetThreadContext (2 IoCs)
  description | pid | Process | procid_target
  PID 1772 set thread context of 2712 | 1772 | order list.exe | 31
  PID 2936 set thread context of 2836 | 2936 | c496228d2aee918eb567f499a542387ea28.exec496228d2aee918eb567f499a542387ea28.exe | 36
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  pid | pid_target | Process | procid_target
  2196 | 2712 | WerFault.exe | 31
- Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  2600 | schtasks.exe
  1276 | schtasks.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process | occurrences
  1772 | order list.exe | 2
  2936 | c496228d2aee918eb567f499a542387ea28.exec496228d2aee918eb567f499a542387ea28.exe | 2
  1968 | rundll.exe | all remaining entries
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1772 | order list.exe
  Token: SeDebugPrivilege | 2936 | c496228d2aee918eb567f499a542387ea28.exec496228d2aee918eb567f499a542387ea28.exe
  Token: SeDebugPrivilege | 1968 | rundll.exe
- Suspicious use of WriteProcessMemory (49 IoCs)
  description | pid | Process | procid_target | occurrences
  PID 1772 wrote to memory of 2600 | 1772 | order list.exe | 28 | 4
  PID 1772 wrote to memory of 2936 | 1772 | order list.exe | 30 | 4
  PID 1772 wrote to memory of 2712 | 1772 | order list.exe | 31 | 8
  PID 2712 wrote to memory of 2196 | 2712 | order list.exe | 32 | 4
  PID 2936 wrote to memory of 1276 | 2936 | c496228d2aee918eb567f499a542387ea28.exec496228d2aee918eb567f499a542387ea28.exe | 33 | 4
  PID 2936 wrote to memory of 2432 | 2936 | c496228d2aee918eb567f499a542387ea28.exec496228d2aee918eb567f499a542387ea28.exe | 35 | 4
  PID 2936 wrote to memory of 2836 | 2936 | c496228d2aee918eb567f499a542387ea28.exec496228d2aee918eb567f499a542387ea28.exe | 36 | 13
  PID 2432 wrote to memory of 1672 | 2432 | Host.exeHost.exe | 37 | 4
  PID 2836 wrote to memory of 1968 | 2836 | c496228d2aee918eb567f499a542387ea28.exec496228d2aee918eb567f499a542387ea28.exe | 38 | 4
Processes
C:\Users\Admin\AppData\Local\Temp\order list.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\order list.exe"
  PID: 1772
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Update\conhost" /XML "C:\Users\Admin\AppData\Local\Temp\z809"
      PID: 2600
      - Creates scheduled task(s)
    C:\Users\Admin\AppData\Local\Temp\c496228d2aee918eb567f499a542387ea28.exec496228d2aee918eb567f499a542387ea28.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\c496228d2aee918eb567f499a542387ea28.exec496228d2aee918eb567f499a542387ea28.exe"
      PID: 2936
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\schtasks.exe
          Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Update\conhost" /XML "C:\Users\Admin\AppData\Local\Temp\z287"
          PID: 1276
          - Creates scheduled task(s)
        C:\Users\Admin\AppData\Local\Temp\Host.exeHost.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\Host.exeHost.exe"
          PID: 2432
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of WriteProcessMemory
            C:\Users\Admin\AppData\Roaming\Install\Host.exe
              Command line: -m "C:\Users\Admin\AppData\Local\Temp\Host.exeHost.exe"
              PID: 1672
              - Modifies Installed Components in the registry
              - Executes dropped EXE
              - Adds Run key to start application
        C:\Users\Admin\AppData\Local\Temp\c496228d2aee918eb567f499a542387ea28.exec496228d2aee918eb567f499a542387ea28.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\c496228d2aee918eb567f499a542387ea28.exec496228d2aee918eb567f499a542387ea28.exe"
          PID: 2836
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of WriteProcessMemory
            C:\Users\Admin\AppData\Local\Temp\rundll.exe
              Command line: C:\Users\Admin\AppData\Local\Temp\rundll.exe
              PID: 1968
              - Executes dropped EXE
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\order list.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\order list.exe"
      PID: 2712
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 220
          PID: 2196
          - Loads dropped DLL
          - Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 88KB
  MD5: 886a38f318cf5d03cda1b7b97e9746d4
  SHA1: 809f6d9069515c0c43d8dde63e574bca1a9dd597
  SHA256: 109d87b79191cc55290af0244a3ade9c07f28c3d375919cefd2a5b1fcc9596ea
  SHA512: aa07d656ed059187cfc0fd3f8498517a9df0fe80facb670b89584a2bfc2898e7b08fcb29342636fcc629921c0bef5a2e7ec762be478de1ae2f96407d71b947d6
- Filesize: 1KB
  MD5: f83d0914de81d8ca1c4e45156860c25e
  SHA1: b018c91c46874a9a1f314ecb607e0212cf0ea882
  SHA256: 6255f77fa3bf3fc4c021e886f31d5540869f1d6818842ee31fdf2be1278ca7c2
  SHA512: ccfd8749244652e3abc4abbf525f34115ae860ee8fb60dd94c0dcb36ef852aea4baf784e3eccfc7c243bcaf256c25f641498c78d93b33f5b40e70506527d6e12
- \Users\Admin\AppData\Local\Temp\c496228d2aee918eb567f499a542387ea28.exec496228d2aee918eb567f499a542387ea28.exe
  Filesize: 216KB
  MD5: 221ec94084afaafc916a271b13f75d09
  SHA1: b1fc96ac5f482e0451ed9a493e6db577e29b1304
  SHA256: de9d8f4d7ff65c81d3a2dd9c1b75a327ee24fffba25926a912f4d287d8999ccf
  SHA512: 87f89d64bcb4d3295c4ac0b483062e700374129b830415d64b9d9b90820abc967b5520bf2ef8df0d96083d1671fbb30d19a6fd51ffbb9a30a02a111263c9187f
- Filesize: 644KB
  MD5: d2bdfbfa39edbb7b3823e241290a567b
  SHA1: 2a36ff5df72bbcc71ae4a47c6db12d3f36e47eec
  SHA256: 94b7faaa8caa0ffc8b44bce17629f8f758d79db26276a2b2844d6ac1fde122d3
  SHA512: 02be573dfe4e12505404973d55f196e088e2663940317e849eefad49c0a22a5f6b5d34230e2285bbe500716774f19851cb608edd614789c03574eec0cb602a70
- Filesize: 8KB
  MD5: 3b43488997e498313ddf322481621b2b
  SHA1: ca9329e3129fe83fe0b084b91a6016a16edcb9c0
  SHA256: 3a5bf0b0c1650b75a6cc29186456666bee4be6cb0573377bb8e1af777eed169c
  SHA512: 4931eb21aa376d6b0728f75ee97020d0ec14d1aec5773e29fa61a7a087ecc1e960837a39a5563d789e680d0c94389f383d35d7c074df133c2aa964c0d514f8ec