Analysis
- max time kernel: 130s
- max time network: 163s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 20-05-2022 14:36

Static task: static1

Behavioral task: behavioral1
- Sample: Proof of Payment.exe
- Resource: win7-20220414-en

Behavioral task: behavioral2
- Sample: Proof of Payment.exe
- Resource: win10v2004-20220414-en
General
- Target: Proof of Payment.exe
- Size: 1.1MB
- MD5: f818cb764aab5e0d02545172edf9d6a3
- SHA1: 019ed52ad6f7026e83ce7ed2c63d3ca62f3d9276
- SHA256: 5f2b6faf1de19342f874c50bad45b66727e24218cd8d2610f7d3fbb5d47cccab
- SHA512: f4d635f57e2ed13b2f3a3ed057ed9da08bcda819c8925049d0b0fb60f3c9c461646c353d39f85766e6309b324a27f091aef3591fcdc49a1765648635a0acf1ab
Malware Config
Extracted: netwire
- 154.16.93.182:3361
- 154.16.93.182:3368
- activex_autorun: false
- activex_key:
- copy_executable: false
- delete_original: false
- host_id: HostId-%Rand%
- install_path:
- keylogger_dir: %AppData%\Logs\
- lock_executable: false
- mutex:
- offline_keylogger: true
- password: south123456
- registry_autorun: false
- startup_name:
- use_mutex: false
Signatures
- NetWire RAT payload (4 IoCs)
  resource | yara_rule
  behavioral1/memory/1340-67-0x0000000000250000-0x0000000000812000-memory.dmp | netwire
  behavioral1/memory/1340-68-0x000000000025242D-mapping.dmp | netwire
  behavioral1/memory/1340-72-0x0000000000250000-0x0000000000812000-memory.dmp | netwire
  behavioral1/memory/1340-73-0x0000000000250000-0x0000000000812000-memory.dmp | netwire
- Executes dropped EXE (2 IoCs)
  pid | process
  2008 | lblhvtsgb.pif
  1340 | RegSvcs.exe
- Loads dropped DLL (5 IoCs)
  pid | process
  1884 | Proof of Payment.exe
  1884 | Proof of Payment.exe
  1884 | Proof of Payment.exe
  1884 | Proof of Payment.exe
  2008 | lblhvtsgb.pif
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | lblhvtsgb.pif
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\89835103\\LBLHVT~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\89835103\\dfvgx.mvn" | lblhvtsgb.pif
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | process | target process
  PID 2008 set thread context of 1340 | 2008 | lblhvtsgb.pif | RegSvcs.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (13 IoCs)
  description | pid | process | target process
  PID 1884 wrote to memory of 2008 | 1884 | Proof of Payment.exe | lblhvtsgb.pif (4 entries)
  PID 2008 wrote to memory of 1340 | 2008 | lblhvtsgb.pif | RegSvcs.exe (9 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\Proof of Payment.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Proof of Payment.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\89835103\lblhvtsgb.pif
      Command line: "C:\Users\Admin\AppData\Local\Temp\89835103\lblhvtsgb.pif" dfvgx.mvn
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
         - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\89835103\dfvgx.mvn
  Filesize: 200.5MB
  MD5: f71424726a0bbed041b9a75800af0741
  SHA1: 466d0636296ca0aaf6164ed2e0d92354ec79e18d
  SHA256: 7b34608b3c4c2fbc141e6deebb87df9c92d26533713e4ce00aae9f7a756f1fc9
  SHA512: 7b6b96c2a0f7ec0374cbf7fed42af7851c84a198f92e9b513ca9c8d7e3cd8cfc0f0409ed91981a6c2761d490067b5af23b0815a1282ee09a0ff95cdffeea4a5a
- C:\Users\Admin\AppData\Local\Temp\89835103\lblhvtsgb.pif
  Filesize: 655KB
  MD5: a75bc752c50fb74f7597c2bb59b93d43
  SHA1: d2dcd3d104b6b04f0828844aeda188798669b41f
  SHA256: 877365dfcbe9d4896e9ca544c7d19e106ab78339edbc1bd410f2e11bd32cd2ee
  SHA512: e856238e3cb519786365faf17d0d590692fa991d9ca81e2fb8ce094cd090583f4ed1823b7ca9c0f702320398054ba682644a02f8d99d4e0f53733564611d3f97
- C:\Users\Admin\AppData\Local\Temp\89835103\sjsxnhqkmb.bmp
  Filesize: 375KB
  MD5: 500f2c5f0d04596b91e6a3ea5f1d5cfd
  SHA1: 07f36f97f40d4ffd1c4f18f47af950a95ffd1ad7
  SHA256: f86645f528a3073e5f490d627dc35130f815ec0cf72fd1a3ddadd2830dbbd6e1
  SHA512: 3e18f06f47c2ae0e65f5af88c7c51c1b46ba57c5fd374da9dc2f99069a11a80c9b6bb44f084e02b239c542cf12fb656109eece97243dc4f0ff1bfc36043404cd
- C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
  Filesize: 44KB
  MD5: 0e06054beb13192588e745ee63a84173
  SHA1: 30b7d4d1277bafd04a83779fd566a1f834a8d113
  SHA256: c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768
  SHA512: 251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215
- memory/1340-65-0x0000000000250000-0x0000000000812000-memory.dmp
  Filesize: 5.8MB
- memory/1340-67-0x0000000000250000-0x0000000000812000-memory.dmp
  Filesize: 5.8MB
- memory/1340-68-0x000000000025242D-mapping.dmp
- memory/1340-72-0x0000000000250000-0x0000000000812000-memory.dmp
  Filesize: 5.8MB
- memory/1340-73-0x0000000000250000-0x0000000000812000-memory.dmp
  Filesize: 5.8MB
- memory/1884-54-0x0000000075D21000-0x0000000075D23000-memory.dmp
  Filesize: 8KB
- memory/2008-59-0x0000000000000000-mapping.dmp