Overview

overview

10

Static

static

Proof of payment.exe

windows7_x64

10

Proof of payment.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    91s
  • max time network
    95s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    21-05-2022 18:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Proof of payment.exe

  • Size

    1.0MB

  • MD5

    328549191a15865db4e088aa1375a7b2

  • SHA1

    5b2128274c3c069c90fe14b13c95ee1339873048

  • SHA256

    ff0ebb75a316c61d851a3edfb2ec49a5c05a2054032dbb9f175b7990fd8959dc

  • SHA512

    b646c21e687e0efa75913d21b3403f9ff0945d91158a9dbd318685d2eecacbc4f79f24f2cf3420045c1dee6161b71d084703277e8a4e2df79fa1177b7b42d205

Score
10/10
netwirebotnetpersistenceratstealer

Malware Config

Signatures

  • NetWire RAT payload 4 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Proof of payment.exe
    "C:\Users\Admin\AppData\Local\Temp\Proof of payment.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1884
    • C:\Users\Admin\02912207\sghgbomj.pif
      "C:\Users\Admin\02912207\sghgbomj.pif" vasck.bcd
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:912
      • C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
        "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
        3⤵
        • Executes dropped EXE
        PID:744

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\02912207\nbcpasvxvo.dll
    Filesize

    318KB

    MD5

    8233b25d769f41d9fda1facf016002f1

    SHA1

    2a559587d53cba17648fe81fdbaac17f35aa249b

    SHA256

    7042cb233ee355aa3df68ba8de4b5705b3e8ed0df7074d3eb2506b8e49cd5360

    SHA512

    9d5f95695d0fad97fa792101c8f30a497cd74f533d5610256312ca8ff62f10389483b9fa461216efac1760f60eeeaaa59e295390962c7d0acdad4c851d68bdae

    Download Submit
  • C:\Users\Admin\02912207\sghgbomj.pif
    Filesize

    910KB

    MD5

    503fbeaa015418e1a57880f8a0306d43

    SHA1

    bd05b27424688e8d8aad7f99ea0d6aa1efbbe8a0

    SHA256

    ad6a04f8a27507d42f7aa6a668d4892352142be6701ea83b2e0d49d222b586f9

    SHA512

    17367cdcf5db8d9ca23d8b20a02bcc9e4880a2d62cf1be13eed2b7ccb8848acd50c194f2b864e655dde9ff1e9e9e14412b04d40ce4749bd2e68fdaba9bd29900

    Download Submit
  • C:\Users\Admin\02912207\vasck.bcd
    Filesize

    165.7MB

    MD5

    b6460ffa0134f8e2afe01ffdff40234b

    SHA1

    142c559f4aa305bfae13f15a7b328532fb6d08dc

    SHA256

    b6c3a92a0493fa3edda22081daeb442efb6eaffc830b958c76959f8ed6666363

    SHA512

    9201d911bcdbd43e3149192e09a604202fbb1956f5fc410d3ac2016490209b0a3e6c59085c6e6015465ccd1f72dc4b71ee001e7e4dc46227aee12e19d3f51ed2

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
    Filesize

    44KB

    MD5

    0e06054beb13192588e745ee63a84173

    SHA1

    30b7d4d1277bafd04a83779fd566a1f834a8d113

    SHA256

    c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

    SHA512

    251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

    Download Submit
  • \Users\Admin\02912207\sghgbomj.pif
    Filesize

    910KB

    MD5

    503fbeaa015418e1a57880f8a0306d43

    SHA1

    bd05b27424688e8d8aad7f99ea0d6aa1efbbe8a0

    SHA256

    ad6a04f8a27507d42f7aa6a668d4892352142be6701ea83b2e0d49d222b586f9

    SHA512

    17367cdcf5db8d9ca23d8b20a02bcc9e4880a2d62cf1be13eed2b7ccb8848acd50c194f2b864e655dde9ff1e9e9e14412b04d40ce4749bd2e68fdaba9bd29900

    Download Submit
  • \Users\Admin\02912207\sghgbomj.pif
    Filesize

    910KB

    MD5

    503fbeaa015418e1a57880f8a0306d43

    SHA1

    bd05b27424688e8d8aad7f99ea0d6aa1efbbe8a0

    SHA256

    ad6a04f8a27507d42f7aa6a668d4892352142be6701ea83b2e0d49d222b586f9

    SHA512

    17367cdcf5db8d9ca23d8b20a02bcc9e4880a2d62cf1be13eed2b7ccb8848acd50c194f2b864e655dde9ff1e9e9e14412b04d40ce4749bd2e68fdaba9bd29900

    Download Submit
  • \Users\Admin\02912207\sghgbomj.pif
    Filesize

    910KB

    MD5

    503fbeaa015418e1a57880f8a0306d43

    SHA1

    bd05b27424688e8d8aad7f99ea0d6aa1efbbe8a0

    SHA256

    ad6a04f8a27507d42f7aa6a668d4892352142be6701ea83b2e0d49d222b586f9

    SHA512

    17367cdcf5db8d9ca23d8b20a02bcc9e4880a2d62cf1be13eed2b7ccb8848acd50c194f2b864e655dde9ff1e9e9e14412b04d40ce4749bd2e68fdaba9bd29900

    Download Submit
  • \Users\Admin\02912207\sghgbomj.pif
    Filesize

    910KB

    MD5

    503fbeaa015418e1a57880f8a0306d43

    SHA1

    bd05b27424688e8d8aad7f99ea0d6aa1efbbe8a0

    SHA256

    ad6a04f8a27507d42f7aa6a668d4892352142be6701ea83b2e0d49d222b586f9

    SHA512

    17367cdcf5db8d9ca23d8b20a02bcc9e4880a2d62cf1be13eed2b7ccb8848acd50c194f2b864e655dde9ff1e9e9e14412b04d40ce4749bd2e68fdaba9bd29900

    Download Submit
  • \Users\Admin\AppData\Local\Temp\RegSvcs.exe
    Filesize

    44KB

    MD5

    0e06054beb13192588e745ee63a84173

    SHA1

    30b7d4d1277bafd04a83779fd566a1f834a8d113

    SHA256

    c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

    SHA512

    251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

    Download Submit
  • memory/744-65-0x00000000003F0000-0x00000000008A4000-memory.dmp
    Filesize

    4.7MB

    Download
  • memory/744-68-0x00000000003F2BCB-mapping.dmp
    Download
  • memory/744-67-0x00000000003F0000-0x00000000008A4000-memory.dmp
    Filesize

    4.7MB

    Download
  • memory/744-72-0x00000000003F0000-0x00000000008A4000-memory.dmp
    Filesize

    4.7MB

    Download
  • memory/744-73-0x00000000003F0000-0x00000000008A4000-memory.dmp
    Filesize

    4.7MB

    Download
  • memory/912-59-0x0000000000000000-mapping.dmp
    Download
  • memory/1884-54-0x0000000075191000-0x0000000075193000-memory.dmp
    Filesize

    8KB

    Download