Analysis
- max time kernel: 167s
- max time network: 167s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 12:03
- Static task: static1
- Behavioral task: behavioral1
- Sample: PAYMENT_.scr
- Resource: win7-20220414-en
General
- Target: PAYMENT_.scr
- Size: 3.3MB
- MD5: e379f065a86da6a2a18d295e6c761567
- SHA1: 70c1118d216adb364d1779f429bb74f62b02e625
- SHA256: 43ff3fea39b1e9ca2ebc2f714057bb50d14b4c76d46e31ee58ada74ded595eed
- SHA512: 419e75c799d8b94b28b789573ab15b44c970470e0a0046dd1d5fa28b7529b6dac5f48676b355070fbcaed5c32af0f8c6f1d31f48ad00cc849a88fe8b4ad56a0c
Malware Config
Extracted
- family: netwire
- c2: alkaline.publicvm.com:1777
- activex_autorun: false
- activex_key:
- copy_executable: false
- delete_original: false
- host_id: home198
- install_path:
- keylogger_dir: %AppData%\Logs\
- lock_executable: false
- mutex: EEwpRdkL
- offline_keylogger: true
- password: Password
- registry_autorun: false
- startup_name:
- use_mutex: true
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes:
- Set value (str): \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\PAYMENT_.scr\"" (process: PAYMENT_.scr)
NetWire RAT payload (3 IoCs)
Resources:
- behavioral2/memory/4576-151-0x0000000000400000-0x0000000000433000-memory.dmp (yara_rule: netwire)
- behavioral2/memory/4576-153-0x0000000000400000-0x0000000000433000-memory.dmp (yara_rule: netwire)
- behavioral2/memory/4576-154-0x0000000000400000-0x0000000000433000-memory.dmp (yara_rule: netwire)
Looks for VirtualBox Guest Additions in registry (2 TTPs)
Looks for VMWare Tools registry key (2 TTPs)
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (process: PAYMENT_.scr)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (process: PAYMENT_.scr)
Drops startup file (2 IoCs)
Processes:
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PAYMENT_.scr (process: PAYMENT_.scr)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PAYMENT_.scr (process: PAYMENT_.scr)
Windows security modification
Processes:
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features (process: PAYMENT_.scr)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" (process: PAYMENT_.scr)
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
- Set value (str): \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PAYMENT_.scr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PAYMENT_.scr" (process: PAYMENT_.scr)
Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes:
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 (process: PAYMENT_.scr)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (process: PAYMENT_.scr)
Suspicious use of SetThreadContext (1 IoC)
Processes:
- PID 2236 set thread context of 4576 (process: PAYMENT_.scr, target process: aspnet_wp.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
- 2412 powershell.exe (2 entries)
- 2236 PAYMENT_.scr (all remaining entries)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
- Token: SeDebugPrivilege (pid 2412, powershell.exe)
- Token: SeDebugPrivilege (pid 2236, PAYMENT_.scr)
Suspicious use of WriteProcessMemory (14 IoCs)
Processes:
- PID 2236 wrote to memory of 2412 (process: PAYMENT_.scr, target process: powershell.exe), 3 entries
- PID 2236 wrote to memory of 4576 (process: PAYMENT_.scr, target process: aspnet_wp.exe), 11 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\PAYMENT_.scr
  command line: "C:\Users\Admin\AppData\Local\Temp\PAYMENT_.scr" /S
  - Modifies WinLogon for persistence
  - Checks BIOS information in registry
  - Drops startup file
  - Windows security modification
  - Adds Run key to start application
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (child of PAYMENT_.scr)
    command line: "powershell" Get-MpPreference -verbose
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe (child of PAYMENT_.scr)
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Persistence
- Winlogon Helper DLL (1)
- Modify Existing Service (1)
- Registry Run Keys / Startup Folder (1)
Defense Evasion
- Modify Registry (4)
- Disabling Security Tools (2)
- Virtualization/Sandbox Evasion (2)
Downloads
- memory/2236-130-0x0000000000B30000-0x0000000000E88000-memory.dmp (3.3MB)
- memory/2236-131-0x00000000057D0000-0x000000000586C000-memory.dmp (624KB)
- memory/2236-132-0x0000000005F70000-0x0000000006514000-memory.dmp (5.6MB)
- memory/2412-133-0x0000000000000000-mapping.dmp
- memory/2412-134-0x0000000002370000-0x00000000023A6000-memory.dmp (216KB)
- memory/2412-135-0x0000000004EE0000-0x0000000005508000-memory.dmp (6.2MB)
- memory/2412-136-0x0000000004CF0000-0x0000000004D12000-memory.dmp (136KB)
- memory/2412-137-0x0000000005610000-0x0000000005676000-memory.dmp (408KB)
- memory/2412-138-0x0000000005680000-0x00000000056E6000-memory.dmp (408KB)
- memory/2412-139-0x0000000005C90000-0x0000000005CAE000-memory.dmp (120KB)
- memory/2412-140-0x0000000006260000-0x0000000006292000-memory.dmp (200KB)
- memory/2412-141-0x0000000070C90000-0x0000000070CDC000-memory.dmp (304KB)
- memory/2412-142-0x0000000006240000-0x000000000625E000-memory.dmp (120KB)
- memory/2412-143-0x00000000075F0000-0x0000000007C6A000-memory.dmp (6.5MB)
- memory/2412-144-0x0000000006FA0000-0x0000000006FBA000-memory.dmp (104KB)
- memory/2412-145-0x0000000004A30000-0x0000000004A3A000-memory.dmp (40KB)
- memory/2412-146-0x0000000007230000-0x00000000072C6000-memory.dmp (600KB)
- memory/2412-147-0x00000000071E0000-0x00000000071EE000-memory.dmp (56KB)
- memory/2412-148-0x00000000072F0000-0x000000000730A000-memory.dmp (104KB)
- memory/2412-149-0x00000000072D0000-0x00000000072D8000-memory.dmp (32KB)
- memory/4576-150-0x0000000000000000-mapping.dmp
- memory/4576-151-0x0000000000400000-0x0000000000433000-memory.dmp (204KB)
- memory/4576-153-0x0000000000400000-0x0000000000433000-memory.dmp (204KB)
- memory/4576-154-0x0000000000400000-0x0000000000433000-memory.dmp (204KB)