AttachedWaybill.exe

General
Target: AttachedWaybill.exe
Filesize: 574KB
Completed: 23-07-2021 06:16
Score: 10/10
MD5: 33f9d631a4adcd4c64fe639352c5f76b
SHA1: 8828f41d318315eb05818fce4499bffa31657160
SHA256: 82e96593173c1407d138cca5418a00b0f5cd9960b32d8f03052eca9b33e68b44

Malware Config

Extracted

Family: netwire
C2:
  • nbg.myvnc.com:6655
  • nbg1.myvnc.com:6655
  • myb25.camdvr.org:6655
  • nbg2.myvnc.com:6655
  • myb27.camdvr.org:6655
  • nerdmusic.freeddns.org:6655
  • SUNWAP1.ooguy.com:6655
  • mynw1.hopto.org:6655
  • myb24.camdvr.org:6655

Attributes
activex_autorun: false
activex_key: (empty)
copy_executable: false
delete_original: false
host_id: COVID-19
install_path: (empty)
keylogger_dir: %AppData%\Logs\
lock_executable: false
mutex: (empty)
offline_keylogger: true
password: 1234
registry_autorun: false
startup_name: (empty)
use_mutex: false

Signatures (4)

Defense Evasion
Persistence
  • NetWire RAT payload

    Tags: (none)

    Reported IOCs

    resource | yara_rule
    behavioral1/memory/1164-66-0x0000000000000000-mapping.dmp | netwire
    behavioral1/memory/1164-71-0x00000000002E0000-0x0000000000313000-memory.dmp | netwire
  • Netwire

    Description

    Netwire is a RAT whose main functionality is password stealing and keylogging, but it also includes remote control capabilities.

  • Adds Run key to start application
    AttachedWaybill.exe

    TTPs

    Registry Run Keys / Startup Folder, Modify Registry

    Reported IOCs

    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rjwkhtt = "C:\\Users\\Public\\Libraries\\tthkwjR.url" | AttachedWaybill.exe
  • Suspicious use of WriteProcessMemory
    AttachedWaybill.exe

    Reported IOCs

    description | pid | process | target process
    PID 1888 wrote to memory of 1164 | 1888 | AttachedWaybill.exe | DpiScaling.exe
    (the same event is reported 16 times)
Processes 2
  • C:\Users\Admin\AppData\Local\Temp\AttachedWaybill.exe
    "C:\Users\Admin\AppData\Local\Temp\AttachedWaybill.exe"
    Adds Run key to start application
    Suspicious use of WriteProcessMemory
    PID:1888
    • C:\Windows\SysWOW64\DpiScaling.exe
      C:\Windows\System32\DpiScaling.exe
      PID:1164
Network
MITRE ATT&CK Matrix
Collection
Command and Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Privilege Escalation

Downloads
  • memory/1164-71-0x00000000002E0000-0x0000000000313000-memory.dmp
  • memory/1164-70-0x0000000010550000-0x0000000010585000-memory.dmp
  • memory/1164-72-0x00000000000C0000-0x00000000000C1000-memory.dmp
  • memory/1164-66-0x0000000000000000-mapping.dmp
  • memory/1164-69-0x0000000000180000-0x0000000000181000-memory.dmp
  • memory/1164-68-0x0000000000100000-0x0000000000101000-memory.dmp
  • memory/1888-60-0x0000000000330000-0x0000000000331000-memory.dmp
  • memory/1888-62-0x00000000003D0000-0x00000000003EA000-memory.dmp
  • memory/1888-65-0x0000000075161000-0x0000000075163000-memory.dmp