Analysis

Max time kernel: 151s
Max time network: 116s
Platform: windows10-2004_x64
Resource: win10v2004-20220414-en
Submitted: 21-05-2022 10:30

Static task: static1
Behavioral task: behavioral1
  Sample: Proof of Payment.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: Proof of Payment.exe
  Resource: win10v2004-20220414-en
General

Target: Proof of Payment.exe
Size: 1.1MB
MD5: 5c145bcd4ec07ab79558d72affbed677
SHA1: 85cc76ba184adde81799ef4174d2412aba7c8dfd
SHA256: 90bb157f9c5241f567eb56be38e3ba9f51a0ec5a8da3c77fdb1bed1f2095c39b
SHA512: 24c11205a6ac4470890e68111d2a398dd60e76201ecf8f5f9c7069f76d818a432b5ae48279c2711070c7788afe8508d6983afe5fa41038fd38da9689b83691bd
Malware Config

Extracted family: netwire
C2:
  194.5.98.225:3373
  194.5.98.225:3376
activex_autorun: false
activex_key: (empty)
copy_executable: false
delete_original: false
host_id: HostId-%Rand%
install_path: (empty)
keylogger_dir: %AppData%\Logs\
lock_executable: false
mutex: (empty)
offline_keylogger: true
password: good01230123
registry_autorun: false
startup_name: (empty)
use_mutex: false
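The extracted configuration is only useful once it is turned into things you can check. The following is an added example for this report (not the sandbox's or NetWire's code): it transcribes the config above into a dict, parses the C2 entries into (ip, port) sockets, expands the %AppData% placeholder of keylogger_dir for a given user profile, and matches the sockets against a connection log. The connection log is constructed (TEST-NET addresses plus the report's C2 address) in a simplified ts/src/sport/dst/dport/proto layout; the function names are this example's own. host_id's %Rand% is NetWire's per-install random value and is deliberately not expanded.

```python
"""Turn the extracted NetWire configuration into hunt indicators.

Added example for this report; not the sandbox's or NetWire's code. The
config dict is transcribed from the "Malware Config" section above. The
connection log is constructed (TEST-NET-3 filler plus the report's C2 IP)
in a simplified ts/src/sport/dst/dport/proto tab-separated layout.
"""
import ipaddress

# Transcribed from the report's extracted config (subset that yields indicators).
NETWIRE_CONFIG = {
    "c2": ["194.5.98.225:3373", "194.5.98.225:3376"],
    "host_id": "HostId-%Rand%",            # %Rand% is set at install time; not expandable here
    "keylogger_dir": "%AppData%\\Logs\\",
    "offline_keylogger": True,
    "registry_autorun": False,
    "copy_executable": False,
}

def c2_endpoints(cfg):
    """Parse 'ip:port' C2 entries into a set of (ip, port); malformed entries are skipped."""
    endpoints = set()
    for item in cfg.get("c2", []):
        host, sep, port = item.rpartition(":")
        if not sep or not port.isdigit():
            continue
        try:
            ip = str(ipaddress.ip_address(host))
        except ValueError:
            continue  # a hostname-based C2 would need DNS-side matching instead
        endpoints.add((ip, int(port)))
    return endpoints

def expand_env(path, user):
    """Expand the %...% profile placeholders NetWire uses, for one Windows user (case-insensitive)."""
    profile = f"C:\\Users\\{user}"
    mapping = {
        "%AppData%": profile + "\\AppData\\Roaming",
        "%LocalAppData%": profile + "\\AppData\\Local",
        "%Temp%": profile + "\\AppData\\Local\\Temp",
        "%UserProfile%": profile,
    }
    for key, value in mapping.items():
        idx = path.lower().find(key.lower())
        while idx != -1:
            path = path[:idx] + value + path[idx + len(key):]
            idx = path.lower().find(key.lower())
    return path

def host_indicators(cfg, users):
    """On-disk paths to check for every user profile: the offline keylogger's output directory."""
    return [expand_env(cfg["keylogger_dir"], user) for user in users]

# Constructed log: ts, src ip, src port, dst ip, dst port, proto. 203.0.113.10 is TEST-NET-3 filler.
CONN_LOG = (
    "1653129001.120\t10.0.0.15\t49712\t194.5.98.225\t3373\ttcp\n"
    "1653129003.455\t10.0.0.15\t49713\t203.0.113.10\t443\ttcp\n"
    "1653129010.002\t10.0.0.22\t50120\t194.5.98.225\t3376\ttcp\n"
    "1653129011.900\t10.0.0.22\t50121\t194.5.98.225\t80\ttcp\n"
)

def match_connections(conn_text, endpoints):
    """Return hits: exact C2 socket matches, plus contacts to a C2 IP on some other port."""
    c2_ips = {ip for ip, _ in endpoints}
    hits = []
    for lineno, line in enumerate(conn_text.splitlines(), 1):
        fields = line.split("\t")
        if len(fields) < 6 or not fields[4].isdigit():
            continue
        src, dst, dport = fields[1], fields[3], int(fields[4])
        if (dst, dport) in endpoints:
            hits.append({"line": lineno, "src": src, "dst": dst, "port": dport, "match": "c2_socket"})
        elif dst in c2_ips:
            hits.append({"line": lineno, "src": src, "dst": dst, "port": dport, "match": "c2_host_other_port"})
    return hits

if __name__ == "__main__":
    sockets = c2_endpoints(NETWIRE_CONFIG)
    print("C2 sockets:", sorted(sockets))
    print("keylogger dirs:", host_indicators(NETWIRE_CONFIG, ["Admin"]))
    for hit in match_connections(CONN_LOG, sockets):
        print(hit)
```

The same-IP-other-port class is kept separate from exact matches on purpose: it is weaker evidence, but a host that talks to the C2 address at all is worth a look even if the operator has rotated ports since the config was extracted. Note also that registry_autorun and copy_executable are both false here, so persistence and installation are the dropper's job, not the RAT's; the Run-key signature further down is what to hunt for on disk.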
Signatures

NetWire RAT payload (4 IoCs)
  Resource                                                                       YARA rule
  behavioral2/memory/4060-135-0x00000000007A0000-0x0000000000CDE000-memory.dmp   netwire
  behavioral2/memory/4060-136-0x00000000007A242D-mapping.dmp                     netwire
  behavioral2/memory/4060-139-0x00000000007A0000-0x0000000000CDE000-memory.dmp   netwire
  behavioral2/memory/4060-140-0x00000000007A0000-0x0000000000CDE000-memory.dmp   netwire
Executes dropped EXE (2 IoCs)
  PID 3616  ghjn.pif
  PID 4060  RegSvcs.exe
Checks computer location settings (2 TTPs, 1 IoC)
Queries the country code configured in the registry (Control Panel\International\Geo\Nation), a common geofencing check.
  Process: Proof of Payment.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation
Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: ghjn.pif
  Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\Users\Admin\AppData\Roaming\66767400\ghjn.pif C:\Users\Admin\AppData\Roaming\66767400\qfcaxr.oci"
  Note: the extracted NetWire config has registry_autorun = false, so this persistence is the work of the dropped loader ghjn.pif (relaunched at logon with qfcaxr.oci as its argument), not of the RAT payload's own configuration. The WOW6432Node path is consistent with a 32-bit process writing the Run value through the registry redirector on this x64 host.
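The Run value above has every trait of malicious persistence at once: the target lives under AppData\Roaming, it is a .pif rather than an .exe, the value name imitates a Windows component, and the writer itself runs from a user-writable directory. The following is an added example for this report (not sandbox output): detection logic over a simplified rendering of Sysmon Event ID 13 (RegistryEvent, value set) lines. The three events are constructed, the first mirroring the value ghjn.pif wrote and the other two being benign filler; the name list, extension list and function names are this example's own assumptions.

```python
"""Flag Run-key persistence like the entry this sample wrote.

Added example for this report, not part of the sandbox output. SAMPLE_EVENTS
is a constructed, tab-separated Key=Value rendering of Sysmon Event ID 13
(RegistryEvent, value set): line 1 mirrors the value ghjn.pif wrote, lines
2 and 3 are benign filler. Lists and thresholds are this example's own.
"""
import re

# Auto-start locations under HKLM or HKCU, including the WOW6432Node-redirected copy.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
# Directories an unprivileged user can write to; legitimate auto-starts rarely live here.
USER_WRITABLE_RE = re.compile(
    r"\\AppData\\(Roaming|Local)\\|\\Temp\\|\\ProgramData\\|\\Public\\", re.IGNORECASE)
# Value names that imitate Windows components (compared with spaces removed, lower-cased).
IMPERSONATED_NAMES = {"windowsupdate", "windowsdefender", "svchost", "explorer", "securityhealth"}
# Extensions the shell will execute that are not .exe; .pif is the one this sample uses.
ODD_EXEC_EXT = (".pif", ".scr", ".com", ".cmd", ".bat", ".vbs", ".js", ".hta")

SAMPLE_EVENTS = [
    "\t".join([
        "EventID=13",
        r"Image=C:\Users\Admin\AppData\Roaming\66767400\ghjn.pif",
        r"TargetObject=HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate",
        r"Details=C:\Users\Admin\AppData\Roaming\66767400\ghjn.pif C:\Users\Admin\AppData\Roaming\66767400\qfcaxr.oci",
    ]),
    "\t".join([  # constructed benign auto-start
        "EventID=13",
        r"Image=C:\Program Files\Example\setup.exe",
        r"TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ExampleTray",
        r'Details="C:\Program Files\Example\tray.exe" /minimized',
    ]),
    "\t".join([  # constructed registry write outside any Run key
        "EventID=13",
        r"Image=C:\Windows\System32\services.exe",
        r"TargetObject=HKLM\SYSTEM\CurrentControlSet\Services\ExampleSvc\Start",
        "Details=DWORD (0x00000002)",
    ]),
]

def parse_event(line):
    """Split a tab-separated 'Key=Value' line into a dict; values may contain spaces and '='."""
    event = {}
    for part in line.rstrip("\n").split("\t"):
        key, sep, value = part.partition("=")
        if sep:
            event[key.strip()] = value
    return event

def first_executable(details):
    """Return the program path at the start of a Run value's command line (quoted or bare)."""
    details = details.strip()
    if details.startswith('"'):
        end = details.find('"', 1)
        return details[1:end] if end != -1 else details[1:]
    return details.split(" ", 1)[0]

def score_run_value(event):
    """Reasons a value-set event looks like malicious Run-key persistence ([] if none)."""
    if event.get("EventID") != "13":
        return []
    target = event.get("TargetObject", "")
    if not RUN_KEY_RE.search(target):
        return []
    value_name = target.rsplit("\\", 1)[-1]
    exe = first_executable(event.get("Details", ""))
    writer = event.get("Image", "")
    reasons = []
    if USER_WRITABLE_RE.search(exe):
        reasons.append(f"auto-start target in user-writable path: {exe}")
    if exe.lower().endswith(ODD_EXEC_EXT):
        reasons.append(f"auto-start target is not a .exe: {exe.rsplit('.', 1)[-1]}")
    if value_name.replace(" ", "").lower() in IMPERSONATED_NAMES:
        reasons.append(f"value name imitates a Windows component: {value_name}")
    if USER_WRITABLE_RE.search(writer):
        reasons.append(f"written by a process in a user-writable path: {writer}")
    return reasons

def scan(lines):
    """Return [(value_name, reasons)] for every event that scored at least one reason."""
    flagged = []
    for line in lines:
        event = parse_event(line)
        reasons = score_run_value(event)
        if reasons:
            flagged.append((event["TargetObject"].rsplit("\\", 1)[-1], reasons))
    return flagged

if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_EVENTS):
        print(name)
        for reason in reasons:
            print("  -", reason)
```

Sysmon only emits Event 13 for keys its configuration includes, so the Run and RunOnce paths (both the native and WOW6432Node copies) need to be in the registry-set include list before this logic sees anything. A single reason is a lead; this sample's entry scores on all four.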
Suspicious use of SetThreadContext (1 IoC)
  PID 3616 (ghjn.pif) set thread context of PID 4060 (RegSvcs.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this heuristic reads "likely ransomware behaviour", but drive enumeration on its own is not evidence of that, and no file-encryption or ransom-note activity appears anywhere else in this analysis; the in-memory payload identified here is the NetWire RAT.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 3616  ghjn.pif  (all 64 events)
Suspicious use of WriteProcessMemory (8 IoCs)
  PID 3116 (Proof of Payment.exe) wrote to memory of PID 3616 (ghjn.pif): 3 events
  PID 3616 (ghjn.pif) wrote to memory of PID 4060 (RegSvcs.exe): 5 events
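Read together, the last three signatures describe one chain: ghjn.pif (PID 3616) writes into the freshly started RegSvcs.exe (PID 4060) five times, then calls SetThreadContext on it, and the netwire YARA rule matches a 5.2MB region of 4060's memory at 0x7A0000. That is the process-hollowing / thread-hijack pattern, with the dropped RegSvcs.exe copy serving as the host. The following is an added example for this report (not sandbox code) that correlates these events into a verdict: the event tuples are transcribed from the two signatures above, the dump names from the NetWire RAT payload signature, and the `<pid>-<seq>-0x<start>-0x<end>-memory.dmp` naming is taken from the report's own dump list. Verdict labels and function names are this example's own.

```python
"""Correlate cross-process memory writes, thread-context changes and YARA hits
on memory dumps into an injection verdict per (source, target) process pair.

Added example for this report, not part of the sandbox output. EVENTS is
transcribed from the WriteProcessMemory and SetThreadContext signatures;
DUMPS from the "NetWire RAT payload" signature. Labels are this example's own.
"""
import re
from collections import defaultdict

# (source_pid, source_image, api, target_pid, target_image), transcribed from the report.
EVENTS = (
    [(3116, "Proof of Payment.exe", "WriteProcessMemory", 3616, "ghjn.pif")] * 3
    + [(3616, "ghjn.pif", "WriteProcessMemory", 4060, "RegSvcs.exe")] * 5
    + [(3616, "ghjn.pif", "SetThreadContext", 4060, "RegSvcs.exe")]
)

# Memory dumps the "netwire" YARA rule matched (mapping.dmp entries carry no range and are skipped).
DUMPS = [
    "behavioral2/memory/4060-135-0x00000000007A0000-0x0000000000CDE000-memory.dmp",
    "behavioral2/memory/4060-136-0x00000000007A242D-mapping.dmp",
    "behavioral2/memory/4060-139-0x00000000007A0000-0x0000000000CDE000-memory.dmp",
    "behavioral2/memory/4060-140-0x00000000007A0000-0x0000000000CDE000-memory.dmp",
]
DUMP_RE = re.compile(r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

def payload_regions(dump_names):
    """Map PID -> set of (start, end) address ranges whose dump matched the RAT rule."""
    regions = defaultdict(set)
    for name in dump_names:
        m = DUMP_RE.search(name)
        if m:
            pid, start, end = int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16)
            regions[pid].add((start, end))
    return regions

def classify(events, dump_names):
    """Return {(src_pid, dst_pid): verdict dict} for every cross-process interaction seen."""
    by_pair = defaultdict(lambda: {"apis": defaultdict(int)})
    for src, src_img, api, dst, dst_img in events:
        entry = by_pair[(src, dst)]
        entry["source"], entry["target"] = src_img, dst_img
        entry["apis"][api] += 1
    regions = payload_regions(dump_names)
    for (src, dst), entry in by_pair.items():
        wrote = entry["apis"].get("WriteProcessMemory", 0) > 0
        rewired = entry["apis"].get("SetThreadContext", 0) > 0
        if wrote and rewired:
            # Writing code into a target and then redirecting one of its threads to it.
            entry["verdict"] = "process hollowing / thread hijack"
        elif wrote:
            entry["verdict"] = "cross-process write only"
        else:
            entry["verdict"] = "thread context change without write"
        hit = regions.get(dst, set())
        entry["payload_regions"] = sorted(hit)
        entry["payload_bytes"] = sum(end - start for start, end in hit)  # distinct ranges only
    return dict(by_pair)

def summarize(verdicts):
    """One line per pair, suitable for a triage note."""
    lines = []
    for (src, dst), v in sorted(verdicts.items()):
        line = f"{src} {v['source']} -> {dst} {v['target']}: {v['verdict']}"
        if v["payload_bytes"]:
            line += f"; RAT payload in target memory, {v['payload_bytes'] / 2**20:.1f}MB at " + ", ".join(
                f"0x{s:X}-0x{e:X}" for s, e in v["payload_regions"])
        lines.append(line)
    return lines

if __name__ == "__main__":
    print("\n".join(summarize(classify(EVENTS, DUMPS))))
```

Two points for anyone translating this to host telemetry: hollowing through SetThreadContext never creates a remote thread, so Sysmon Event 8 (CreateRemoteThread) does not fire for it; the observable is Event 10 (ProcessAccess) from the parent to its own child with write and thread-control rights, followed by the child executing from a region that is not backed by its image. And the 3116 -> 3616 pair here scores as "write only": the same parent-writes-child relationship is not by itself proof of injection, which is why the SetThreadContext event and the in-memory YARA match are what tip the 3616 -> 4060 pair over.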
Processes

1. C:\Users\Admin\AppData\Local\Temp\Proof of Payment.exe (PID 3116)
   Command line: "C:\Users\Admin\AppData\Local\Temp\Proof of Payment.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\66767400\ghjn.pif (PID 3616)
      Command line: "C:\Users\Admin\AppData\Roaming\66767400\ghjn.pif" qfcaxr.oci
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe (PID 4060)
         Command line: "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
         - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
  Filesize: 44KB
  MD5: 9d352bc46709f0cb5ec974633a0c3c94
  SHA1: 1969771b2f022f9a86d77ac4d4d239becdf08d07
  SHA256: 2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390
  SHA512: 13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b
  (RegSvcs.exe is a legitimate .NET Framework utility; this copy, written to Temp during the run, is the process the NetWire payload was injected into, per the SetThreadContext signature and the PID 4060 memory dumps.)

C:\Users\Admin\AppData\Roaming\66767400\aifgsme.jpg
  Filesize: 378KB
  MD5: fd8639db7eb6aa82d843d0055f7b577e
  SHA1: c128aeb9bdc2afc42a7f2fb6b1569c0445c9ca9f
  SHA256: c29da3eda2910518a9a93a621288cc85985659f17dae2c3f035906512effd632
  SHA512: d33ef0f326a8b6803e8a23e97966035e198f725fa59fe4187002ad1c4909be0e6f2b74f0d9cccbced3f40cb0918e71f81c8daeec0210309dd381916db5fec340

C:\Users\Admin\AppData\Roaming\66767400\ghjn.pif
  Filesize: 712KB
  MD5: 43e7db53ce5c130179aef5b47dcf7608
  SHA1: 5398e207d9ad301860b570d87601c1664ada9c0a
  SHA256: 9c04aab5734e2e0eea44af2584333ecc093b27ef36a586fb8873b5d4cadcd7f1
  SHA512: a79f8094152f4f0cb5f0763bc4cdfdc9061af322dfee1bac043de0ac7581f2a7b35841924fe224ecc73b6bda1fba6811045e513d45e8f3598ca6ec313b7103f4
C:\Users\Admin\AppData\Roaming\66767400\qfcaxr.oci
  Filesize: 215.6MB
  MD5: 0e8f1ec86ac14d2ca746ae43d32d9b69
  SHA1: 58236722578d35b7849605b33ac8ffa779c29308
  SHA256: a0404937068f439cace281578e4f3e1fd674f934f8f56cfe50296a9cd5397471
  SHA512: 6fb24fe879f3d8038335331fbcf3e701259a6d1419ff142b9e792e72b5664a0366c79d45af51a413c500b5a6ecc3ee87a8d247179448e79a69a8360d70184fd8

Memory dumps

memory/3616-130-0x0000000000000000-mapping.dmp
memory/4060-135-0x00000000007A0000-0x0000000000CDE000-memory.dmp   Filesize: 5.2MB
memory/4060-136-0x00000000007A242D-mapping.dmp
memory/4060-139-0x00000000007A0000-0x0000000000CDE000-memory.dmp   Filesize: 5.2MB
memory/4060-140-0x00000000007A0000-0x0000000000CDE000-memory.dmp   Filesize: 5.2MB