Analysis
- max time kernel: 124s
- max time network: 143s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-05-2022 14:36
- Static task: static1
- Behavioral task: behavioral1
  Sample: Proof of Payment.exe
  Resource: win7-20220414-en
- Behavioral task: behavioral2
  Sample: Proof of Payment.exe
  Resource: win10v2004-20220414-en
General
- Target: Proof of Payment.exe
- Size: 1.1MB
- MD5: f818cb764aab5e0d02545172edf9d6a3
- SHA1: 019ed52ad6f7026e83ce7ed2c63d3ca62f3d9276
- SHA256: 5f2b6faf1de19342f874c50bad45b66727e24218cd8d2610f7d3fbb5d47cccab
- SHA512: f4d635f57e2ed13b2f3a3ed057ed9da08bcda819c8925049d0b0fb60f3c9c461646c353d39f85766e6309b324a27f091aef3591fcdc49a1765648635a0acf1ab
Malware Config
Extracted: netwire
- C2: 154.16.93.182:3361
- C2: 154.16.93.182:3368
- activex_autorun: false
- activex_key:
- copy_executable: false
- delete_original: false
- host_id: HostId-%Rand%
- install_path:
- keylogger_dir: %AppData%\Logs\
- lock_executable: false
- mutex:
- offline_keylogger: true
- password: south123456
- registry_autorun: false
- startup_name:
- use_mutex: false
Signatures

- NetWire RAT payload (3 IoCs)
  Processes (resource | yara_rule):
  - behavioral2/memory/4448-138-0x0000000000500000-0x0000000000AC1000-memory.dmp | netwire
  - behavioral2/memory/4448-139-0x000000000050242D-mapping.dmp | netwire
  - behavioral2/memory/4448-142-0x0000000000500000-0x0000000000AC1000-memory.dmp | netwire

- Executes dropped EXE (2 IoCs)
  Processes (pid | process):
  - 1696 | lblhvtsgb.pif
  - 4448 | RegSvcs.exe

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description | ioc | process):
  - Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | Proof of Payment.exe

- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description | ioc | process):
  - Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | lblhvtsgb.pif
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\89835103\\LBLHVT~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\89835103\\dfvgx.mvn" | lblhvtsgb.pif

- Suspicious use of SetThreadContext (1 IoC)
  Processes (description | pid | process | target process):
  - PID 1696 set thread context of 4448 | 1696 | lblhvtsgb.pif | RegSvcs.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description | pid | process | target process):
  - PID 3148 wrote to memory of 1696 | 3148 | Proof of Payment.exe | lblhvtsgb.pif (3 occurrences)
  - PID 1696 wrote to memory of 4448 | 1696 | lblhvtsgb.pif | RegSvcs.exe (5 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\Proof of Payment.exe (PID 3148)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Proof of Payment.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\89835103\lblhvtsgb.pif (PID 1696, child of Proof of Payment.exe)
    Command line: "C:\Users\Admin\AppData\Local\Temp\89835103\lblhvtsgb.pif" dfvgx.mvn
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe (PID 4448, child of lblhvtsgb.pif)
      Command line: "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
      - Executes dropped EXE
Downloads
- C:\Users\Admin\AppData\Local\Temp\89835103\dfvgx.mvn
  Filesize: 200.5MB
  MD5: f71424726a0bbed041b9a75800af0741
  SHA1: 466d0636296ca0aaf6164ed2e0d92354ec79e18d
  SHA256: 7b34608b3c4c2fbc141e6deebb87df9c92d26533713e4ce00aae9f7a756f1fc9
  SHA512: 7b6b96c2a0f7ec0374cbf7fed42af7851c84a198f92e9b513ca9c8d7e3cd8cfc0f0409ed91981a6c2761d490067b5af23b0815a1282ee09a0ff95cdffeea4a5a
- C:\Users\Admin\AppData\Local\Temp\89835103\lblhvtsgb.pif
  Filesize: 655KB
  MD5: a75bc752c50fb74f7597c2bb59b93d43
  SHA1: d2dcd3d104b6b04f0828844aeda188798669b41f
  SHA256: 877365dfcbe9d4896e9ca544c7d19e106ab78339edbc1bd410f2e11bd32cd2ee
  SHA512: e856238e3cb519786365faf17d0d590692fa991d9ca81e2fb8ce094cd090583f4ed1823b7ca9c0f702320398054ba682644a02f8d99d4e0f53733564611d3f97
- C:\Users\Admin\AppData\Local\Temp\89835103\sjsxnhqkmb.bmp
  Filesize: 375KB
  MD5: 500f2c5f0d04596b91e6a3ea5f1d5cfd
  SHA1: 07f36f97f40d4ffd1c4f18f47af950a95ffd1ad7
  SHA256: f86645f528a3073e5f490d627dc35130f815ec0cf72fd1a3ddadd2830dbbd6e1
  SHA512: 3e18f06f47c2ae0e65f5af88c7c51c1b46ba57c5fd374da9dc2f99069a11a80c9b6bb44f084e02b239c542cf12fb656109eece97243dc4f0ff1bfc36043404cd
- C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
  Filesize: 44KB
  MD5: 9d352bc46709f0cb5ec974633a0c3c94
  SHA1: 1969771b2f022f9a86d77ac4d4d239becdf08d07
  SHA256: 2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390
  SHA512: 13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b
- memory/1696-133-0x0000000000000000-mapping.dmp
- memory/4448-138-0x0000000000500000-0x0000000000AC1000-memory.dmp
  Filesize: 5.8MB
- memory/4448-139-0x000000000050242D-mapping.dmp
- memory/4448-142-0x0000000000500000-0x0000000000AC1000-memory.dmp
  Filesize: 5.8MB