Analysis

max time kernel: 151s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 21-05-2022 12:03

Static task: static1
Behavioral task: behavioral1
Sample: 15-08-2020 - SOFT COPY_PAYMENT SLIP.exe
Resource: win7-20220414-en
General

Target: 15-08-2020 - SOFT COPY_PAYMENT SLIP.exe
Size: 234KB
MD5: e792eb4a972110714df6761ef60284c6
SHA1: 91bb096d730ca536a0f18534acdec271bdd0eefa
SHA256: b6f5a289ab47b790c1bc57a5a3b35871fc968da66ebb3fdd7669de18c2ba3dd5
SHA512: 40ebe7bd5b18845710cfb3116888d16da8a9fd6c1d53a39000103feac45c1dfeaa4efa05104072313973d5fb87b62b06ea3c697513b4303c45124d020b22eead
Malware Config

Extracted family: netwire
C2 host: iphanyi.duckdns.org:3360

activex_autorun: false
activex_key: (not set)
copy_executable: false
delete_original: false
host_id: SMS_Group
install_path: (not set)
keylogger_dir: %AppData%\Logs\
lock_executable: false
mutex: (not set)
offline_keylogger: true
password: caster123
registry_autorun: false
startup_name: (not set)
use_mutex: false
Signatures

NetWire RAT payload (5 IoCs)
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\tmp.exe | netwire
  C:\Users\Admin\AppData\Local\Temp\tmp.exe | netwire
  behavioral2/memory/1312-137-0x0000000000400000-0x0000000000433000-memory.dmp | netwire
  behavioral2/memory/1312-140-0x0000000000400000-0x0000000000433000-memory.dmp | netwire
  behavioral2/memory/1312-145-0x0000000000400000-0x0000000000433000-memory.dmp | netwire

Executes dropped EXE (2 IoCs)
  pid | process
  3332 | tmp.exe
  1312 | svhost.exe

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | 15-08-2020 - SOFT COPY_PAYMENT SLIP.exe

Suspicious use of SetThreadContext (1 IoC)
  description | pid | process | target process
  PID 444 set thread context of 1312 | 444 | 15-08-2020 - SOFT COPY_PAYMENT SLIP.exe | svhost.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour; the payload identified by config extraction and YARA here is NetWire, a RAT, so treat this as plain drive enumeration rather than evidence of encryption.

Delays execution with timeout.exe (1 IoC)
  pid | process
  1092 | timeout.exe

NTFS ADS (1 IoC)
  description | ioc | process
  File created | C:\Users\Admin\AppData\Local\Temp\FolderN\word.exe:Zone.Identifier | cmd.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid | process
  444 | 15-08-2020 - SOFT COPY_PAYMENT SLIP.exe (4 events)

Suspicious behavior: RenamesItself (1 IoC)
  pid | process
  444 | 15-08-2020 - SOFT COPY_PAYMENT SLIP.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | process
  Token: SeDebugPrivilege | 444 | 15-08-2020 - SOFT COPY_PAYMENT SLIP.exe

Suspicious use of WriteProcessMemory (29 IoCs; identical rows collapsed with a count)
  description | pid | process | target process | count
  PID 444 wrote to memory of 3332 | 444 | 15-08-2020 - SOFT COPY_PAYMENT SLIP.exe | tmp.exe | 3
  PID 444 wrote to memory of 1312 | 444 | 15-08-2020 - SOFT COPY_PAYMENT SLIP.exe | svhost.exe | 11
  PID 444 wrote to memory of 5080 | 444 | 15-08-2020 - SOFT COPY_PAYMENT SLIP.exe | cmd.exe | 3
  PID 5080 wrote to memory of 388 | 5080 | cmd.exe | reg.exe | 3
  PID 444 wrote to memory of 4328 | 444 | 15-08-2020 - SOFT COPY_PAYMENT SLIP.exe | cmd.exe | 3
  PID 444 wrote to memory of 4304 | 444 | 15-08-2020 - SOFT COPY_PAYMENT SLIP.exe | cmd.exe | 3
  PID 4304 wrote to memory of 1092 | 4304 | cmd.exe | timeout.exe | 3
Processes

(Indentation shows parent/child; PIDs are taken from the signature tables above.)

C:\Users\Admin\AppData\Local\Temp\15-08-2020 - SOFT COPY_PAYMENT SLIP.exe (PID 444)
  command line: "C:\Users\Admin\AppData\Local\Temp\15-08-2020 - SOFT COPY_PAYMENT SLIP.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\tmp.exe (PID 3332)
      command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
      - Executes dropped EXE

    C:\Users\Admin\AppData\Local\Temp\svhost.exe (PID 1312)
      command line: "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
      - Executes dropped EXE

    C:\Windows\SysWOW64\cmd.exe (PID 5080)
      command line: "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\word.exe.lnk" /f
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\reg.exe (PID 388)
          command line: reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\word.exe.lnk" /f

    C:\Windows\SysWOW64\cmd.exe (PID 4328)
      command line: "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\word.exe:Zone.Identifier
      - NTFS ADS

    C:\Windows\SysWOW64\cmd.exe (PID 4304)
      command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\FolderN\word.exe.bat
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\timeout.exe (PID 1092)
          command line: timeout /t 300
          - Delays execution with timeout.exe
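Detection logic for the dropper's host-side behaviour shown in this process tree, as an added example that is not part of the sandbox report. It runs over a handful of process-creation records (the malicious command lines and PIDs are the ones listed above; the record format, rule names and the benign events are assumptions constructed here for contrast) and flags three things: the Winlogon "Load" value set via reg add, which is a legacy per-user autorun that runs the given path at logon; the Zone.Identifier stream rewritten with ZoneId 2, which is the URLMON "Trusted sites" zone, so the dropped word.exe does not receive the Mark-of-the-Web handling SmartScreen and Office apply to zones 3 and 4; and the timeout /t 300 delay, alerted on only when the process chain is rooted in the user's Temp directory. Note that the extracted NetWire config says registry_autorun=false: the persistence here is the dropper's own, so triage based on the config alone would miss it.

```python
"""Detection logic for the three dropper behaviours in the process tree above.

Assumed input: a minimal process-creation record (pid, ppid, image, command
line), roughly what Sysmon event 1 or an EDR would give you.  The command lines
and PIDs of the malicious events are copied from the report; the benign events
are constructed here for contrast.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full path of the created process
    cmdline: str   # command line as logged


DROPPER = r"C:\Users\Admin\AppData\Local\Temp\15-08-2020 - SOFT COPY_PAYMENT SLIP.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"

SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(444, 1000, DROPPER, f'"{DROPPER}"'),
    ProcEvent(5080, 444, CMD, r'"C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\word.exe.lnk" /f'),
    ProcEvent(388, 5080, r"C:\Windows\SysWOW64\reg.exe", r'reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\word.exe.lnk" /f'),
    ProcEvent(4328, 444, CMD, r'"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\word.exe:Zone.Identifier'),
    ProcEvent(4304, 444, CMD, r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\FolderN\word.exe.bat"),
    ProcEvent(1092, 4304, r"C:\Windows\SysWOW64\timeout.exe", "timeout /t 300"),
    # constructed benign noise: an installer writing its own key, a user
    # redirecting echo to a normal file, a script pausing briefly
    ProcEvent(7001, 6000, r"C:\Windows\System32\reg.exe", r'reg add "HKCU\Software\Contoso\App" /v Path /t REG_SZ /d "C:\Tools" /f'),
    ProcEvent(7002, 6000, r"C:\Windows\System32\cmd.exe", r'"C:\Windows\System32\cmd.exe" /c echo done > C:\Users\Admin\notes.txt'),
    ProcEvent(7003, 6000, r"C:\Windows\System32\timeout.exe", "timeout /t 5"),
]

# 1. Winlogon "Load" value: a legacy per-user autorun that runs the given path
#    at logon.  The NetWire config has registry_autorun=false; the dropper sets
#    this itself, so config-only triage would miss it.
WINLOGON_LOAD = re.compile(
    r'reg(?:\.exe)?\s+add\s+"?HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows"?\s+/v\s+Load\b',
    re.IGNORECASE)
# 2. Shell redirect into a Zone.Identifier stream.  The ZoneId decides how
#    SmartScreen / Office treat the file: 3 (Internet) and 4 (Restricted)
#    trigger the Mark-of-the-Web checks, 2 (Trusted sites) does not.
ADS_REDIRECT = re.compile(r'>\s*(?P<target>\S+?):Zone\.Identifier\b', re.IGNORECASE)
ZONE_ID = re.compile(r'ZoneId\s*=\s*(?P<zone>\d)', re.IGNORECASE)
URLMON_ZONES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
                3: "Internet", 4: "Restricted sites"}
# 3. Batch file run from the user's Temp dir, and timeout /t under a chain
#    that starts in Temp (the report's word.exe.bat -> timeout /t 300).
TEMP_BATCH = re.compile(r'cmd(?:\.exe)?"?\s+/c\s+"?[^"\s]*\\Temp\\[^"\s]*\.bat\b', re.IGNORECASE)
TIMEOUT = re.compile(r'^timeout(?:\.exe)?\s+/t\s+(?P<secs>\d+)', re.IGNORECASE)
USER_TEMP = re.compile(r'\\AppData\\Local\\Temp\\', re.IGNORECASE)

Hit = Tuple[str, int, str]   # (rule name, pid, detail)


def detect(events: List[ProcEvent]) -> List[Hit]:
    by_pid = {e.pid: e for e in events}

    def temp_ancestor(e: ProcEvent, max_depth: int = 4) -> Optional[ProcEvent]:
        """Walk up the parent chain looking for an image under AppData\\Local\\Temp."""
        cur = by_pid.get(e.ppid)
        for _ in range(max_depth):
            if cur is None:
                return None
            if USER_TEMP.search(cur.image):
                return cur
            cur = by_pid.get(cur.ppid)
        return None

    hits: List[Hit] = []
    for e in events:
        if WINLOGON_LOAD.search(e.cmdline):
            hits.append(("persistence.winlogon_load", e.pid, e.cmdline))
        m = ADS_REDIRECT.search(e.cmdline)
        if m:
            z = ZONE_ID.search(e.cmdline)
            zone = int(z.group("zone")) if z else None
            hits.append(("defense_evasion.motw_rewrite", e.pid,
                         f"{m.group('target')} ZoneId={zone} ({URLMON_ZONES.get(zone, 'unknown')})"))
        if TEMP_BATCH.search(e.cmdline):
            hits.append(("execution.batch_from_temp", e.pid, e.cmdline))
        t = TIMEOUT.match(e.cmdline)
        if t:
            anc = temp_ancestor(e)
            if anc is not None:   # a plain "timeout" in an admin script stays quiet
                hits.append(("defense_evasion.timeout_delay", e.pid,
                             f"{t.group('secs')}s, chain rooted at PID {anc.pid} ({anc.image})"))
    return hits


if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:<32} pid={pid:<5} {detail}")
```

Run against the sample events this yields five hits, two of them for the same reg add (the cmd.exe wrapper and the reg.exe child carry the same command line, so a real deployment would dedupe on the ancestor that has the key in its command line). The timeout rule deliberately stays silent for the constructed timeout /t 5, whose parent chain does not lead back into Temp, to keep ordinary scripts from paging anyone.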
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\FolderN\word.exe.bat
  Filesize: 192B
  MD5: c3d5aa05aa173009bf0eb7dfd0379f59
  SHA1: 0c91da5a0b5338603bd8d48a7722f5055b076b4f
  SHA256: 0156e2fc804a0b7a370953ed2e044b539b03b84c0fe478d85b4a908c1dd289ec
  SHA512: 8e2d751990bfab7b033e0b3077e744a7cc37d357d374bb6ab1b93e26ff377c13a251df33f5927d3afe8bf7e9d65f8903a2987da3904edefee7f8f6bbcb0b0046

C:\Users\Admin\AppData\Local\Temp\svhost.exe
  Filesize: 256KB
  MD5: 8fdf47e0ff70c40ed3a17014aeea4232
  SHA1: e6256a0159688f0560b015da4d967f41cbf8c9bd
  SHA256: ed9884bac608c06b7057037cc91d90e4ae5f74dd2dbce2af476699c6d4492d82
  SHA512: bd69d092ed4f9c5e1f24eaf5ec79fb316469d53849dc798fae0fcba5e90869b77ee924c23cc6f692198ff25827ab60ad47bb46cadd6e0aadde7731cbafb013be

C:\Users\Admin\AppData\Local\Temp\tmp.exe
  Filesize: 160KB
  MD5: 692dcec5b869cd8c2a4752baf58300a7
  SHA1: 3b99f3ee911d244b0d177953b19ef520f64728c2
  SHA256: d9d83f0730977389fcae495d498364494f6b5948e1d8f184f7578f378215386d
  SHA512: 9e3b69902cc51f95b0ee694148d6bac0f7b4b318b06a94c187080294102b85af831898ec99ed3a8f200a219a5cd4d4c6debc5b313148bdc754fbabc94783b0a5
Memory dumps

memory/388-142-0x0000000000000000-mapping.dmp
memory/444-131-0x0000000005800000-0x000000000589C000-memory.dmp  (Filesize: 624KB)
memory/444-135-0x0000000006B00000-0x00000000070A4000-memory.dmp  (Filesize: 5.6MB)
memory/444-130-0x0000000000ED0000-0x0000000000F10000-memory.dmp  (Filesize: 256KB)
memory/1092-147-0x0000000000000000-mapping.dmp
memory/1312-137-0x0000000000400000-0x0000000000433000-memory.dmp  (Filesize: 204KB)
memory/1312-140-0x0000000000400000-0x0000000000433000-memory.dmp  (Filesize: 204KB)
memory/1312-145-0x0000000000400000-0x0000000000433000-memory.dmp  (Filesize: 204KB)
memory/1312-136-0x0000000000000000-mapping.dmp
memory/3332-132-0x0000000000000000-mapping.dmp
memory/4304-144-0x0000000000000000-mapping.dmp
memory/4328-143-0x0000000000000000-mapping.dmp
memory/5080-141-0x0000000000000000-mapping.dmp