Analysis
max time kernel: 92s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 21-05-2022 18:25
Static task: static1
Behavioral task: behavioral1
  Sample: Proof of payment.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: Proof of payment.exe
  Resource: win10v2004-20220414-en
General
Target: Proof of payment.exe
Size: 980KB
MD5: 4bc9ed4383e90e5e4d2c38deae0d58e4
SHA1: b9a519e8b70886ee003132e3cdda2006f5b1be9c
SHA256: e8ac69b242f87152457399a019803c892209200c3951f6a0efc05cde5dd5edf5
SHA512: 29722a913cb2f2fd45268ff6c56d98b4419b996a7fb633dda11bb31a05a9b43eb0b5f14df92868c7ee08045de07a3e9ece815d331acdc3c6080482bcfcad73a7
Malware Config
Signatures

NetWire RAT payload (4 IoCs)
Processes (resource / yara_rule):
  memory/4136-136-0x0000000000502BCB-mapping.dmp / netwire
  memory/4136-135-0x0000000000500000-0x0000000000A66000-memory.dmp / netwire
  memory/4136-139-0x0000000000500000-0x0000000000A66000-memory.dmp / netwire
  memory/4136-140-0x0000000000500000-0x0000000000A66000-memory.dmp / netwire

Executes dropped EXE (2 IoCs)
Processes (pid / process):
  4144 / sxfqonaid.pif
  4136 / RegSvcs.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes (description / ioc / process):
  Key value queried / \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation / Proof of payment.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes (description / ioc / process):
  Key created / \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run / sxfqonaid.pif
  Set value (str) / \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\85695789\\SXFQON~1.PIF c:\\85695789\\iqlpc.qlm" / sxfqonaid.pif

Suspicious use of SetThreadContext (1 IoC)
Processes (description / pid / process / target process):
  PID 4144 set thread context of 4136 / 4144 / sxfqonaid.pif / RegSvcs.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of WriteProcessMemory (8 IoCs)
Processes (description / pid / process / target process):
  PID 5008 wrote to memory of 4144 / 5008 / Proof of payment.exe / sxfqonaid.pif
  PID 5008 wrote to memory of 4144 / 5008 / Proof of payment.exe / sxfqonaid.pif
  PID 5008 wrote to memory of 4144 / 5008 / Proof of payment.exe / sxfqonaid.pif
  PID 4144 wrote to memory of 4136 / 4144 / sxfqonaid.pif / RegSvcs.exe
  PID 4144 wrote to memory of 4136 / 4144 / sxfqonaid.pif / RegSvcs.exe
  PID 4144 wrote to memory of 4136 / 4144 / sxfqonaid.pif / RegSvcs.exe
  PID 4144 wrote to memory of 4136 / 4144 / sxfqonaid.pif / RegSvcs.exe
  PID 4144 wrote to memory of 4136 / 4144 / sxfqonaid.pif / RegSvcs.exe
Processes (tree; depth shown by indentation)

C:\Users\Admin\AppData\Local\Temp\Proof of payment.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Proof of payment.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\85695789\sxfqonaid.pif
    Command line: "C:\85695789\sxfqonaid.pif" iqlpc.qlm
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\85695789\iqlpc.qlm
  Filesize: 167.7MB
  MD5: dfd73cc48aa9e426c42db96b81593a34
  SHA1: ee33bc31493718e482f51c90a1720e284f19cd0c
  SHA256: 67333b0d13f34e62787765d8cbbdfde15c754865edebf9ed600c0b590cc3e4ac
  SHA512: d5bb0e12c17a9a78ca364312861ebe4d5e1f925fbc056407c1f2fd7ac43d8411f0cf0a53f038a1c7b86dc27fccdc41e62853a229633acd80f1d2f98da9b44e43

C:\85695789\qdjdjgobx.bmp
  Filesize: 312KB
  MD5: 161601794c6283ab24988659fd79202c
  SHA1: 9db71f209a524731d8edf694fe53b36304122b01
  SHA256: f6d47b1c614ab3c398e86140cab65918018bcc43ebd0a6438c096e3c885b50c2
  SHA512: 3ec39f6f688eb7658628f1e590d434b859003f800dedbe47d276e4ba628f5cb68f8523871e603198c124371448db030f246cc59ee9935e34900cd4c24f4a9f0e

C:\85695789\sxfqonaid.pif
  Filesize: 655KB
  MD5: a75bc752c50fb74f7597c2bb59b93d43
  SHA1: d2dcd3d104b6b04f0828844aeda188798669b41f
  SHA256: 877365dfcbe9d4896e9ca544c7d19e106ab78339edbc1bd410f2e11bd32cd2ee
  SHA512: e856238e3cb519786365faf17d0d590692fa991d9ca81e2fb8ce094cd090583f4ed1823b7ca9c0f702320398054ba682644a02f8d99d4e0f53733564611d3f97
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
  Filesize: 44KB
  MD5: 9d352bc46709f0cb5ec974633a0c3c94
  SHA1: 1969771b2f022f9a86d77ac4d4d239becdf08d07
  SHA256: 2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390
  SHA512: 13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

memory/4136-136-0x0000000000502BCB-mapping.dmp

memory/4136-135-0x0000000000500000-0x0000000000A66000-memory.dmp
  Filesize: 5.4MB

memory/4136-139-0x0000000000500000-0x0000000000A66000-memory.dmp
  Filesize: 5.4MB

memory/4136-140-0x0000000000500000-0x0000000000A66000-memory.dmp
  Filesize: 5.4MB

memory/4144-130-0x0000000000000000-mapping.dmp