Overview

overview

10

Static

static

Proof of Payment.exe

windows7_x64

10

Proof of Payment.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    116s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    21-05-2022 10:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Proof of Payment.exe

  • Size

    1.1MB

  • MD5

    5c145bcd4ec07ab79558d72affbed677

  • SHA1

    85cc76ba184adde81799ef4174d2412aba7c8dfd

  • SHA256

    90bb157f9c5241f567eb56be38e3ba9f51a0ec5a8da3c77fdb1bed1f2095c39b

  • SHA512

    24c11205a6ac4470890e68111d2a398dd60e76201ecf8f5f9c7069f76d818a432b5ae48279c2711070c7788afe8508d6983afe5fa41038fd38da9689b83691bd

Score
10/10
netwirebotnetpersistenceratstealer

Malware Config

Extracted

Family

netwire

C2

194.5.98.225:3373

194.5.98.225:3376
Attributes
  • activex_autorun

    false

  • activex_key

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • install_path

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • mutex

  • offline_keylogger

    true

  • password

    good01230123

  • registry_autorun

    false

  • startup_name

  • use_mutex

    false

Signatures

  • NetWire RAT payload 4 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Proof of Payment.exe
    "C:\Users\Admin\AppData\Local\Temp\Proof of Payment.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3116
    • C:\Users\Admin\AppData\Roaming\66767400\ghjn.pif
      "C:\Users\Admin\AppData\Roaming\66767400\ghjn.pif" qfcaxr.oci
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3616
      • C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
        "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
        3⤵
        • Executes dropped EXE
        PID:4060

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
    Filesize

    44KB

    MD5

    9d352bc46709f0cb5ec974633a0c3c94

    SHA1

    1969771b2f022f9a86d77ac4d4d239becdf08d07

    SHA256

    2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

    SHA512

    13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

    Download Submit
  • C:\Users\Admin\AppData\Roaming\66767400\aifgsme.jpg
    Filesize

    378KB

    MD5

    fd8639db7eb6aa82d843d0055f7b577e

    SHA1

    c128aeb9bdc2afc42a7f2fb6b1569c0445c9ca9f

    SHA256

    c29da3eda2910518a9a93a621288cc85985659f17dae2c3f035906512effd632

    SHA512

    d33ef0f326a8b6803e8a23e97966035e198f725fa59fe4187002ad1c4909be0e6f2b74f0d9cccbced3f40cb0918e71f81c8daeec0210309dd381916db5fec340

    Download Submit
  • C:\Users\Admin\AppData\Roaming\66767400\ghjn.pif
    Filesize

    712KB

    MD5

    43e7db53ce5c130179aef5b47dcf7608

    SHA1

    5398e207d9ad301860b570d87601c1664ada9c0a

    SHA256

    9c04aab5734e2e0eea44af2584333ecc093b27ef36a586fb8873b5d4cadcd7f1

    SHA512

    a79f8094152f4f0cb5f0763bc4cdfdc9061af322dfee1bac043de0ac7581f2a7b35841924fe224ecc73b6bda1fba6811045e513d45e8f3598ca6ec313b7103f4

    Download Submit
  • C:\Users\Admin\AppData\Roaming\66767400\ghjn.pif
    Filesize

    712KB

    MD5

    43e7db53ce5c130179aef5b47dcf7608

    SHA1

    5398e207d9ad301860b570d87601c1664ada9c0a

    SHA256

    9c04aab5734e2e0eea44af2584333ecc093b27ef36a586fb8873b5d4cadcd7f1

    SHA512

    a79f8094152f4f0cb5f0763bc4cdfdc9061af322dfee1bac043de0ac7581f2a7b35841924fe224ecc73b6bda1fba6811045e513d45e8f3598ca6ec313b7103f4

    Download Submit
  • C:\Users\Admin\AppData\Roaming\66767400\qfcaxr.oci
    Filesize

    215.6MB

    MD5

    0e8f1ec86ac14d2ca746ae43d32d9b69

    SHA1

    58236722578d35b7849605b33ac8ffa779c29308

    SHA256

    a0404937068f439cace281578e4f3e1fd674f934f8f56cfe50296a9cd5397471

    SHA512

    6fb24fe879f3d8038335331fbcf3e701259a6d1419ff142b9e792e72b5664a0366c79d45af51a413c500b5a6ecc3ee87a8d247179448e79a69a8360d70184fd8

    Download Submit
  • memory/3616-130-0x0000000000000000-mapping.dmp
    Download
  • memory/4060-135-0x00000000007A0000-0x0000000000CDE000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/4060-136-0x00000000007A242D-mapping.dmp
    Download
  • memory/4060-139-0x00000000007A0000-0x0000000000CDE000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/4060-140-0x00000000007A0000-0x0000000000CDE000-memory.dmp
    Filesize

    5.2MB

    Download