Analysis
- max time kernel: 148s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 12:03

Static task: static1
Behavioral task: behavioral1
- Sample: PAYMENT_.scr
- Resource: win7-20220414-en
General
- Target: PAYMENT_.scr
- Size: 3.3MB
- MD5: e379f065a86da6a2a18d295e6c761567
- SHA1: 70c1118d216adb364d1779f429bb74f62b02e625
- SHA256: 43ff3fea39b1e9ca2ebc2f714057bb50d14b4c76d46e31ee58ada74ded595eed
- SHA512: 419e75c799d8b94b28b789573ab15b44c970470e0a0046dd1d5fa28b7529b6dac5f48676b355070fbcaed5c32af0f8c6f1d31f48ad00cc849a88fe8b4ad56a0c
Malware Config
Extracted: netwire
alkaline.publicvm.com:1777
- activex_autorun: false
- activex_key:
- copy_executable: false
- delete_original: false
- host_id: home198
- install_path:
- keylogger_dir: %AppData%\Logs\
- lock_executable: false
- mutex: EEwpRdkL
- offline_keylogger: true
- password: Password
- registry_autorun: false
- startup_name:
- use_mutex: true
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Processes: PAYMENT_.scr
  Set value (str): \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\PAYMENT_.scr\"" (process: PAYMENT_.scr)
- NetWire RAT payload (9 IoCs)
  Resources matching yara rule "netwire":
  behavioral1/memory/1992-60-0x0000000000C00000-0x0000000000C2E000-memory.dmp
  behavioral1/memory/1964-66-0x0000000000400000-0x0000000000433000-memory.dmp
  behavioral1/memory/1964-67-0x0000000000400000-0x0000000000433000-memory.dmp
  behavioral1/memory/1964-68-0x0000000000400000-0x0000000000433000-memory.dmp
  behavioral1/memory/1964-70-0x0000000000400000-0x0000000000433000-memory.dmp
  behavioral1/memory/1964-71-0x0000000000400000-0x0000000000433000-memory.dmp
  behavioral1/memory/1964-72-0x000000000040242D-mapping.dmp
  behavioral1/memory/1964-75-0x0000000000400000-0x0000000000433000-memory.dmp
  behavioral1/memory/1964-76-0x0000000000400000-0x0000000000433000-memory.dmp
- Looks for VirtualBox Guest Additions in registry (2 TTPs)
- Looks for VMWare Tools registry key (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes: PAYMENT_.scr
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (process: PAYMENT_.scr)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (process: PAYMENT_.scr)
- Drops startup file (2 IoCs)
  Processes: PAYMENT_.scr
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PAYMENT_.scr (process: PAYMENT_.scr)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PAYMENT_.scr (process: PAYMENT_.scr)
- Windows security modification
  Processes: PAYMENT_.scr
  Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features (process: PAYMENT_.scr)
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" (process: PAYMENT_.scr)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: PAYMENT_.scr
  Set value (str): \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\PAYMENT_.scr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PAYMENT_.scr" (process: PAYMENT_.scr)
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes: PAYMENT_.scr
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (process: PAYMENT_.scr)
  Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 (process: PAYMENT_.scr)
- Suspicious use of SetThreadContext (1 IoC)
  Processes: PAYMENT_.scr
  PID 1992 (PAYMENT_.scr) set thread context of 1964 (aspnet_wp.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: powershell.exe, PAYMENT_.scr
  pid 1664 powershell.exe
  pid 1992 PAYMENT_.scr (repeated entries; 64 IoCs in total)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: powershell.exe, PAYMENT_.scr
  Token: SeDebugPrivilege, pid 1664 powershell.exe
  Token: SeDebugPrivilege, pid 1992 PAYMENT_.scr
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes: PAYMENT_.scr
  PID 1992 (PAYMENT_.scr) wrote to memory of 1664 (powershell.exe): 4 entries
  PID 1992 (PAYMENT_.scr) wrote to memory of 1964 (aspnet_wp.exe): 12 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\PAYMENT_.scr
  Command line: "C:\Users\Admin\AppData\Local\Temp\PAYMENT_.scr" /S
  - Modifies WinLogon for persistence
  - Checks BIOS information in registry
  - Drops startup file
  - Windows security modification
  - Adds Run key to start application
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" Get-MpPreference -verbose
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"

Network
MITRE ATT&CK Matrix (ATT&CK v6)
Persistence:
- Winlogon Helper DLL (1)
- Modify Existing Service (1)
- Registry Run Keys / Startup Folder (1)
Defense Evasion:
- Modify Registry (4)
- Disabling Security Tools (2)
- Virtualization/Sandbox Evasion (2)
Downloads (memory dumps)
- memory/1664-57-0x0000000000000000-mapping.dmp
- memory/1664-59-0x000000006FB60000-0x000000007010B000-memory.dmp (5.7MB)
- memory/1964-64-0x0000000000400000-0x0000000000433000-memory.dmp (204KB)
- memory/1964-66-0x0000000000400000-0x0000000000433000-memory.dmp (204KB)
- memory/1964-76-0x0000000000400000-0x0000000000433000-memory.dmp (204KB)
- memory/1964-75-0x0000000000400000-0x0000000000433000-memory.dmp (204KB)
- memory/1964-61-0x0000000000400000-0x0000000000433000-memory.dmp (204KB)
- memory/1964-62-0x0000000000400000-0x0000000000433000-memory.dmp (204KB)
- memory/1964-72-0x000000000040242D-mapping.dmp
- memory/1964-71-0x0000000000400000-0x0000000000433000-memory.dmp (204KB)
- memory/1964-67-0x0000000000400000-0x0000000000433000-memory.dmp (204KB)
- memory/1964-68-0x0000000000400000-0x0000000000433000-memory.dmp (204KB)
- memory/1964-70-0x0000000000400000-0x0000000000433000-memory.dmp (204KB)
- memory/1992-56-0x0000000074E91000-0x0000000074E93000-memory.dmp (8KB)
- memory/1992-54-0x0000000001280000-0x00000000015D8000-memory.dmp (3.3MB)
- memory/1992-60-0x0000000000C00000-0x0000000000C2E000-memory.dmp (184KB)
- memory/1992-55-0x0000000000BA0000-0x0000000000BFA000-memory.dmp (360KB)