Analysis
max time kernel: 137s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 21-05-2022 18:26
Static task: static1
Behavioral task: behavioral1
  Sample: Proof of payment.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: Proof of payment.exe
  Resource: win10v2004-20220414-en
General
Target: Proof of payment.exe
Size: 1.0MB
MD5: 328549191a15865db4e088aa1375a7b2
SHA1: 5b2128274c3c069c90fe14b13c95ee1339873048
SHA256: ff0ebb75a316c61d851a3edfb2ec49a5c05a2054032dbb9f175b7990fd8959dc
SHA512: b646c21e687e0efa75913d21b3403f9ff0945d91158a9dbd318685d2eecacbc4f79f24f2cf3420045c1dee6161b71d084703277e8a4e2df79fa1177b7b42d205
Malware Config
Signatures
NetWire RAT payload (4 IoCs)
  resource                                                                        yara_rule
  behavioral2/memory/4476-135-0x0000000000900000-0x0000000000E66000-memory.dmp   netwire
  behavioral2/memory/4476-136-0x0000000000902BCB-mapping.dmp                     netwire
  behavioral2/memory/4476-139-0x0000000000900000-0x0000000000E66000-memory.dmp   netwire
  behavioral2/memory/4476-140-0x0000000000900000-0x0000000000E66000-memory.dmp   netwire
  All four hits are memory dumps of PID 4476 (RegSvcs.exe in the process tree below) from the win10 task; none of the dropped files matches the rule.
Executes dropped EXE (2 IoCs)
  pid   process
  64    sghgbomj.pif
  4476  RegSvcs.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
  description        ioc                                                                                                     process
  Key value queried  \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation   Proof of payment.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
  description      ioc                                                                                                                                               process
  Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run                                                                     sghgbomj.pif
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "0\\02912207\\sghgbomj.pif 0\\02912207\\vasck.bcd"   sghgbomj.pif
  The value name imitates a Windows component. The key landing under WOW6432Node means the writer is a 32-bit process on this x64 guest (registry redirection); entries there are still launched at logon, so the persistence is effective.
Suspicious use of SetThreadContext (1 IoC)
  description                        pid  process       target process
  PID 64 set thread context of 4476  64   sghgbomj.pif  RegSvcs.exe
  Taken together with the five writes from PID 64 into PID 4476 recorded below, this is the WriteProcessMemory/SetThreadContext sequence used to redirect a freshly created host process into injected code (process hollowing).
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic note for this signature adds "likely ransomware behaviour"; no IoC detail is recorded for it here, and the payload classified above is a RAT, not ransomware.
Suspicious use of WriteProcessMemory (8 IoCs)
  description                     pid   process               target process  events
  PID 2272 wrote to memory of 64  2272  Proof of payment.exe  sghgbomj.pif    3
  PID 64 wrote to memory of 4476  64    sghgbomj.pif          RegSvcs.exe     5
Processes
C:\Users\Admin\AppData\Local\Temp\Proof of payment.exe  (PID 2272)
  "C:\Users\Admin\AppData\Local\Temp\Proof of payment.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  └─ C:\Users\Admin\02912207\sghgbomj.pif  (PID 64)
       "C:\Users\Admin\02912207\sghgbomj.pif" vasck.bcd
       - Executes dropped EXE
       - Adds Run key to start application
       - Suspicious use of SetThreadContext
       - Suspicious use of WriteProcessMemory
       └─ C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe  (PID 4476)
            "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
            - Executes dropped EXE
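As an added example, not part of the Triage report or its tooling, the following Python rebuilds the observations the signatures and process tree above record for PIDs 2272, 64 and 4476 as a small event list and runs three checks over it: the WriteProcessMemory + SetThreadContext pairing that marks the injection into RegSvcs.exe, a Run-key value that launches a .pif outside Program Files/Windows and was written through WOW6432Node, and a known Windows binary (RegSvcs.exe) started from a directory Windows does not install it in. The Event layout, the `kind` names and the EVENTS list are this example's own constructions from the report, not a Sysmon or sandbox schema.

```python
"""Added example: hunt for the chain the signatures above record (not Triage code).

EVENTS is constructed by hand from the PIDs, images and registry paths in the
report; the Event layout and 'kind' names are this example's own assumptions,
not a Sysmon or sandbox schema.
"""
from __future__ import annotations

import ntpath
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Event:
    kind: str                          # process_create | write_process_memory | set_thread_context | registry_set
    pid: int
    image: str
    target_pid: Optional[int] = None   # write_process_memory / set_thread_context
    target_image: Optional[str] = None
    key: Optional[str] = None          # registry_set: full value path
    value: Optional[str] = None        # registry_set: string data


PAYMENT = r"C:\Users\Admin\AppData\Local\Temp\Proof of payment.exe"
PIF = r"C:\Users\Admin\02912207\sghgbomj.pif"
REGSVCS = r"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
RUN_KEY = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run"

# Constructed from the report: 2272 -> 64 -> 4476, three writes into 64, five into 4476.
EVENTS = [
    Event("process_create", 2272, PAYMENT),
    Event("process_create", 64, PIF),
    *([Event("write_process_memory", 2272, PAYMENT, 64, PIF)] * 3),
    Event("registry_set", 64, PIF, key=RUN_KEY + r"\WindowsUpdate",
          value=r'"0\\02912207\\sghgbomj.pif 0\\02912207\\vasck.bcd"'),
    Event("process_create", 4476, REGSVCS),
    *([Event("write_process_memory", 64, PIF, 4476, REGSVCS)] * 5),
    Event("set_thread_context", 64, PIF, 4476, REGSVCS),
]


def injection_chains(events: list[Event]) -> list[tuple]:
    """(src_pid, src_image, dst_pid, dst_image) for every process that both wrote into
    another process's memory and set one of its thread contexts. 2272 writes into 64
    but never touches its threads, so only 64 -> 4476 qualifies, as in the report."""
    wrote, ctx, image = defaultdict(set), defaultdict(set), {}
    for e in events:
        image.setdefault(e.pid, e.image)
        if e.target_pid is not None:
            image.setdefault(e.target_pid, e.target_image)
            if e.kind == "write_process_memory":
                wrote[e.pid].add(e.target_pid)
            elif e.kind == "set_thread_context":
                ctx[e.pid].add(e.target_pid)
    return sorted((s, image[s], d, image[d]) for s, dsts in ctx.items() for d in dsts & wrote[s])


ODD_RUN_EXTENSIONS = {".pif", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js"}
TRUSTED_PREFIXES = (r"c:\program files", r"c:\windows")


def suspicious_run_values(events: list[Event]) -> list[tuple]:
    """(value_name, launched_path, reasons) for Run values worth a look: odd executable
    extension, a target outside Program Files/Windows, or a write through WOW6432Node
    (a 32-bit writer on an x64 host; such entries still run at logon)."""
    hits = []
    for e in events:
        if e.kind != "registry_set" or not e.key or not e.value:
            continue
        parent, name = e.key.rsplit("\\", 1)
        if not parent.lower().endswith(r"\microsoft\windows\currentversion\run"):
            continue
        target = e.value.strip('"').split()[0]       # first token is the launched file
        reasons = []
        if ntpath.splitext(target)[1].lower() in ODD_RUN_EXTENSIONS:
            reasons.append(f"{ntpath.splitext(target)[1]} target")
        if not target.lower().startswith(TRUSTED_PREFIXES):
            reasons.append("target outside Program Files/Windows")
        if "wow6432node" in parent.lower():
            reasons.append("written via WOW6432Node")
        if reasons:
            hits.append((name, target, reasons))
    return hits


# Where Windows installs these binaries; a copy anywhere else (here: %TEMP%) is the anomaly.
EXPECTED_DIRS = {"regsvcs.exe": (r"c:\windows\microsoft.net\framework",)}


def misplaced_system_binaries(events: list[Event]) -> list[tuple]:
    """(pid, image) for process_create events whose image name is a known Windows binary
    running from a directory Windows does not install it in."""
    out = []
    for e in events:
        if e.kind == "process_create":
            expected = EXPECTED_DIRS.get(ntpath.basename(e.image).lower())
            if expected and not e.image.lower().startswith(expected):
                out.append((e.pid, e.image))
    return out


if __name__ == "__main__":
    for src, src_img, dst, dst_img in injection_chains(EVENTS):
        print(f"injection: {src} {ntpath.basename(src_img)} -> {dst} {ntpath.basename(dst_img)}")
    for name, target, reasons in suspicious_run_values(EVENTS):
        print(f"run value {name!r} -> {target}: {', '.join(reasons)}")
    for pid, image in misplaced_system_binaries(EVENTS):
        print(f"misplaced binary: {pid} {image}")
```

The first check deliberately requires both API calls from the same source against the same target: a parent writing into a child it just spawned is common for legitimate loaders, while writing and then resetting the child's thread context is not. The third check is a small allow-list keyed on image name; in practice it would be populated from the host's own install paths rather than hard-coded.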
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
C:\Users\Admin\02912207\nbcpasvxvo.dll
  Filesize: 318KB
  MD5: 8233b25d769f41d9fda1facf016002f1
  SHA1: 2a559587d53cba17648fe81fdbaac17f35aa249b
  SHA256: 7042cb233ee355aa3df68ba8de4b5705b3e8ed0df7074d3eb2506b8e49cd5360
  SHA512: 9d5f95695d0fad97fa792101c8f30a497cd74f533d5610256312ca8ff62f10389483b9fa461216efac1760f60eeeaaa59e295390962c7d0acdad4c851d68bdae
C:\Users\Admin\02912207\sghgbomj.pif
  Filesize: 910KB
  MD5: 503fbeaa015418e1a57880f8a0306d43
  SHA1: bd05b27424688e8d8aad7f99ea0d6aa1efbbe8a0
  SHA256: ad6a04f8a27507d42f7aa6a668d4892352142be6701ea83b2e0d49d222b586f9
  SHA512: 17367cdcf5db8d9ca23d8b20a02bcc9e4880a2d62cf1be13eed2b7ccb8848acd50c194f2b864e655dde9ff1e9e9e14412b04d40ce4749bd2e68fdaba9bd29900
C:\Users\Admin\02912207\vasck.bcd
  Filesize: 165.7MB
  MD5: b6460ffa0134f8e2afe01ffdff40234b
  SHA1: 142c559f4aa305bfae13f15a7b328532fb6d08dc
  SHA256: b6c3a92a0493fa3edda22081daeb442efb6eaffc830b958c76959f8ed6666363
  SHA512: 9201d911bcdbd43e3149192e09a604202fbb1956f5fc410d3ac2016490209b0a3e6c59085c6e6015465ccd1f72dc4b71ee001e7e4dc46227aee12e19d3f51ed2
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
  Filesize: 44KB
  MD5: 9d352bc46709f0cb5ec974633a0c3c94
  SHA1: 1969771b2f022f9a86d77ac4d4d239becdf08d07
  SHA256: 2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390
  SHA512: 13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b
memory/64-130-0x0000000000000000-mapping.dmp
memory/4476-135-0x0000000000900000-0x0000000000E66000-memory.dmp  (5.4MB)
memory/4476-136-0x0000000000902BCB-mapping.dmp
memory/4476-139-0x0000000000900000-0x0000000000E66000-memory.dmp  (5.4MB)
memory/4476-140-0x0000000000900000-0x0000000000E66000-memory.dmp  (5.4MB)

vasck.bcd, the 165.7MB file passed on sghgbomj.pif's command line and named in the Run value, is the data component; sghgbomj.pif is the runner. The file dropped as RegSvcs.exe is 44KB, yet the netwire-tagged region in PID 4476 spans 0x900000-0xE66000 (5.4MB): the RAT body exists only unpacked inside the hollowed process, so the hashes of the dropped files identify the loader and host, not NetWire itself; the memory dumps are where the payload signature fires.
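Sandbox "Downloads" listings often arrive flattened when extracted from the web page (the hash algorithm name fused to its hex value, "Filesize" fused to the path, entries separated by a bare "-", and an entry repeated). As an added example, not part of the report or the sandbox's tooling, the following Python parses a constructed copy of part of this report's listing in that flattened form, rejects any hash whose length does not fit its algorithm, collapses the duplicated sghgbomj.pif entry by SHA256, and compares each dumped memory region against the on-disk size of the process image it came from, which makes the 44KB-versus-5.4MB gap for RegSvcs.exe explicit. PID_IMAGE is taken from the process tree above; the Record layout and function names are this example's own.

```python
# Added example: parse a flattened Triage "Downloads" listing into checked IOC records.
import ntpath
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed copy of part of the listing above; the repeated sghgbomj.pif entry is kept on purpose.
RAW = r"""
C:\Users\Admin\02912207\sghgbomj.pifFilesize
910KB
MD5503fbeaa015418e1a57880f8a0306d43
SHA1bd05b27424688e8d8aad7f99ea0d6aa1efbbe8a0
SHA256ad6a04f8a27507d42f7aa6a668d4892352142be6701ea83b2e0d49d222b586f9
SHA51217367cdcf5db8d9ca23d8b20a02bcc9e4880a2d62cf1be13eed2b7ccb8848acd50c194f2b864e655dde9ff1e9e9e14412b04d40ce4749bd2e68fdaba9bd29900
-
C:\Users\Admin\02912207\sghgbomj.pifFilesize
910KB
MD5503fbeaa015418e1a57880f8a0306d43
SHA1bd05b27424688e8d8aad7f99ea0d6aa1efbbe8a0
SHA256ad6a04f8a27507d42f7aa6a668d4892352142be6701ea83b2e0d49d222b586f9
SHA51217367cdcf5db8d9ca23d8b20a02bcc9e4880a2d62cf1be13eed2b7ccb8848acd50c194f2b864e655dde9ff1e9e9e14412b04d40ce4749bd2e68fdaba9bd29900
-
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exeFilesize
44KB
MD59d352bc46709f0cb5ec974633a0c3c94
SHA11969771b2f022f9a86d77ac4d4d239becdf08d07
SHA2562c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390
SHA51213c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b
-
memory/4476-135-0x0000000000900000-0x0000000000E66000-memory.dmpFilesize
5.4MB
-
memory/4476-136-0x0000000000902BCB-mapping.dmp
"""
PID_IMAGE = {4476: "RegSvcs.exe"}  # taken from the report's process tree, not from the listing

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_RE = re.compile(r"^(MD5|SHA512|SHA256|SHA1)([0-9a-f]+)$")
SIZE_RE = re.compile(r"^(\d+(?:\.\d+)?)(KB|MB)$")
DUMP_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)(?:-0x([0-9A-Fa-f]+))?-(?:mapping|memory)\.dmp$")


@dataclass
class Record:
    name: str                           # file path, or memory/<pid>-... dump name
    size_bytes: Optional[int] = None    # size as printed by the report, in bytes
    hashes: dict = field(default_factory=dict)
    pid: Optional[int] = None           # dumps only
    start: Optional[int] = None
    end: Optional[int] = None           # None for files and for single-address mapping dumps

    def region_size(self) -> Optional[int]:
        return self.end - self.start if self.end is not None else None


def parse_size(text: str) -> int:
    """'44KB' -> 45056; '5.4MB' -> 5662310 (the report rounds to one decimal)."""
    m = SIZE_RE.match(text)
    if not m:
        raise ValueError(text)
    return round(float(m.group(1)) * (1024 if m.group(2) == "KB" else 1024 ** 2))


def parse_downloads(raw: str) -> list:
    """One Record per entry. Header lines carry a fused 'Filesize' suffix, hash lines a
    fused algorithm name, and a bare '-' closes the entry; a hash of the wrong length
    for its algorithm is rejected rather than silently stored."""
    records, cur = [], None
    for line in (ln.strip() for ln in raw.strip().splitlines()):
        if line == "-":
            cur = None
        elif line.endswith("Filesize") or line.startswith("memory/"):
            name = line[:-len("Filesize")] if line.endswith("Filesize") else line
            cur = Record(name=name)
            if m := DUMP_RE.match(name):
                cur.pid, cur.start = int(m.group(1)), int(m.group(2), 16)
                cur.end = int(m.group(3), 16) if m.group(3) else None
            records.append(cur)
        elif cur is not None and (m := HASH_RE.match(line)):
            algo, hexval = m.groups()
            if len(hexval) != HASH_LEN[algo]:
                raise ValueError(f"{cur.name}: {algo} has {len(hexval)} hex digits")
            cur.hashes[algo] = hexval
        elif cur is not None and SIZE_RE.match(line):
            cur.size_bytes = parse_size(line)
        else:
            raise ValueError(f"unparsed line: {line!r}")
    return records


def dedupe(records: list) -> list:
    """Drop repeated entries: files are keyed by SHA256, dumps by name."""
    seen, out = set(), []
    for r in records:
        key = r.hashes.get("SHA256", r.name)
        if key not in seen:
            seen.add(key)
            out.append(r)
    return out


def inflated_regions(records: list, pid_image: dict) -> list:
    """(pid, image, disk_bytes, region_bytes) for every process whose largest dumped
    region exceeds the size of the file it was started from: the footprint of a payload
    unpacked into a hollowed host rather than written to disk."""
    disk = {ntpath.basename(r.name).lower(): r.size_bytes for r in records if r.pid is None}
    largest = {}
    for r in records:
        if r.region_size() is not None:
            largest[r.pid] = max(largest.get(r.pid, 0), r.region_size())
    out = []
    for pid, region in sorted(largest.items()):
        image = pid_image.get(pid)
        on_disk = disk.get(image.lower()) if image else None
        if on_disk is not None and region > on_disk:
            out.append((pid, image, on_disk, region))
    return out
```

Region sizes are computed from the dump's address range rather than read from the printed "5.4MB", so the check does not depend on the report's rounding; 0xE66000 - 0x900000 is 5660672 bytes, roughly 125 times the 44KB host binary.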