Analysis
- max time kernel: 122s
- max time network: 154s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 13-07-2021 10:10

Static task: static1
Behavioral task: behavioral1
Sample: proof of payment.scr.exe
Resource: win7v20210408
General
- Target: proof of payment.scr.exe
- Size: 873KB
- MD5: 693fc4eb901d82a09678e506960fd24d
- SHA1: 8fcfb6ea44062af4557b2820591f75126b5edf81
- SHA256: 59fc44577bd89c7f6ae86b0b13e7e19c4d17612b4d5696e6c70d2e88d5d8115e
- SHA512: 0c076cf5b30edb1c8f51c11e52778cd20eaf88736467e1c0f401b48154ae54ed31433efa898c0be883bab6a9ed435540d16974858eb691410787f787870d464a
Malware Config
Extracted
- family: netwire
- C2: harold.ns01.info:3606
- activex_autorun: false
- activex_key: (empty)
- copy_executable: true
- delete_original: false
- host_id: Ojoko
- install_path: %AppData%\Install\Host.exe
- keylogger_dir: %AppData%\Logs\
- lock_executable: false
- mutex: enbSUNvD
- offline_keylogger: true
- password: master12
- registry_autorun: false
- startup_name: (empty)
- use_mutex: true
Signatures
- NetWire RAT payload (5 IoCs)
  resource                                                                       yara_rule
  behavioral1/memory/584-68-0x0000000000400000-0x0000000000433000-memory.dmp     netwire
  behavioral1/memory/584-69-0x000000000040242D-mapping.dmp                       netwire
  behavioral1/memory/584-71-0x0000000000400000-0x0000000000433000-memory.dmp     netwire
  behavioral1/memory/1276-85-0x000000000040242D-mapping.dmp                      netwire
  behavioral1/memory/1276-88-0x0000000000400000-0x0000000000433000-memory.dmp    netwire
- Executes dropped EXE (2 IoCs)
  pid    process
  1872   Host.exe
  1276   Host.exe
- Loads dropped DLL (1 IoC)
  pid    process
  584    proof of payment.scr.exe
- Suspicious use of SetThreadContext (2 IoCs)
  description                           pid    process                    target process
  PID 1652 set thread context of 584    1652   proof of payment.scr.exe   proof of payment.scr.exe
  PID 1872 set thread context of 1276   1872   Host.exe                   Host.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious use of WriteProcessMemory (36 IoCs)
  The 36 recorded write events fall into five distinct source/target pairs; the count column gives how many times each pair was logged.
  pid    process                    target pid   target process             count
  1652   proof of payment.scr.exe   764          schtasks.exe               4
  1652   proof of payment.scr.exe   584          proof of payment.scr.exe   12
  584    proof of payment.scr.exe   1872         Host.exe                   4
  1872   Host.exe                   1472         schtasks.exe               4
  1872   Host.exe                   1276         Host.exe                   12
Processes
Process tree by depth; PIDs are taken from the signature tables above.
- depth 1, PID 1652: C:\Users\Admin\AppData\Local\Temp\proof of payment.scr.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\proof of payment.scr.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - depth 2, PID 764: C:\Windows\SysWOW64\schtasks.exe
    command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\emYsBrAgw" /XML "C:\Users\Admin\AppData\Local\Temp\tmp75EB.tmp"
    - Creates scheduled task(s)
  - depth 2, PID 584: C:\Users\Admin\AppData\Local\Temp\proof of payment.scr.exe
    command line: "{path}"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - depth 3, PID 1872: C:\Users\Admin\AppData\Roaming\Install\Host.exe
      command line: "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      - depth 4, PID 1472: C:\Windows\SysWOW64\schtasks.exe
        command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\emYsBrAgw" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFA08.tmp"
        - Creates scheduled task(s)
      - depth 4, PID 1276: C:\Users\Admin\AppData\Roaming\Install\Host.exe
        command line: "{path}"
        - Executes dropped EXE
Downloads
Both scheduled-task XML files carry the same hashes, and every recorded copy of Host.exe hashes identically to the submitted sample (consistent with copy_executable true and install_path %AppData%\Install\Host.exe in the extracted config), so repeated entries are listed once.
- C:\Users\Admin\AppData\Local\Temp\tmp75EB.tmp and C:\Users\Admin\AppData\Local\Temp\tmpFA08.tmp
  MD5: f2cc42374b8757cb9df11f904f8b8574
  SHA1: 7d2c077db7e2a5208be15092bb8a8efc97253b03
  SHA256: f18e66d9fb28f295141a03159e25763f2766b6d17629e8d1a13d3d07f6384cfa
  SHA512: ef551f59808560b34aed8f789d5fec6e8dcf35844549daf84f88cbe00d45e275e0609ed8f877d10d21f3fd6163bd28bf73f77472b62e6c88ad15a3683ff8037b
- C:\Users\Admin\AppData\Roaming\Install\Host.exe (recorded four times, once as \Users\Admin\AppData\Roaming\Install\Host.exe)
  MD5: 693fc4eb901d82a09678e506960fd24d
  SHA1: 8fcfb6ea44062af4557b2820591f75126b5edf81
  SHA256: 59fc44577bd89c7f6ae86b0b13e7e19c4d17612b4d5696e6c70d2e88d5d8115e
  SHA512: 0c076cf5b30edb1c8f51c11e52778cd20eaf88736467e1c0f401b48154ae54ed31433efa898c0be883bab6a9ed435540d16974858eb691410787f787870d464a
Memory dumps (file size where the region was captured; mapping dumps have no size):
- memory/584-71-0x0000000000400000-0x0000000000433000-memory.dmp    204KB
- memory/584-68-0x0000000000400000-0x0000000000433000-memory.dmp    204KB
- memory/584-69-0x000000000040242D-mapping.dmp
- memory/584-70-0x0000000076641000-0x0000000076643000-memory.dmp    8KB
- memory/764-66-0x0000000000000000-mapping.dmp
- memory/1276-85-0x000000000040242D-mapping.dmp
- memory/1276-88-0x0000000000400000-0x0000000000433000-memory.dmp   204KB
- memory/1472-82-0x0000000000000000-mapping.dmp
- memory/1652-60-0x0000000000DB0000-0x0000000000DB1000-memory.dmp   4KB
- memory/1652-65-0x0000000005160000-0x00000000051CB000-memory.dmp   428KB
- memory/1652-64-0x00000000057E0000-0x0000000005897000-memory.dmp   732KB
- memory/1652-63-0x0000000000220000-0x0000000000222000-memory.dmp   8KB
- memory/1652-62-0x0000000004420000-0x0000000004421000-memory.dmp   4KB
- memory/1872-73-0x0000000000000000-mapping.dmp
- memory/1872-76-0x0000000001380000-0x0000000001381000-memory.dmp   4KB
- memory/1872-79-0x0000000000410000-0x0000000000411000-memory.dmp   4KB