Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 18:26
Static task: static1
Behavioral task: behavioral1 (Sample: Proof Of Payment.exe, Resource: win7-20220414-en)
Behavioral task: behavioral2 (Sample: Proof Of Payment.exe, Resource: win10v2004-20220414-en)
General
- Target: Proof Of Payment.exe
- Size: 1021KB
- MD5: 121b665f158aa269dfdd6d701c4af31d
- SHA1: 81b94a9e9af1258dd5074adc7077c0fca2de7e79
- SHA256: 9e1de81ecb080a9d970953a62de72b6a83cc61776409098f1429c11032cbfa14
- SHA512: af293c732eea9d928e9bcfefc35fbee68ad3af3392503dd3d051ef9dc54df630f6a5a965d364f255c9c25a19465e58ed630edc644eed99c370924aec837b5b68
Malware Config
Signatures
- NetWire RAT payload (4 IoCs)
  resource | yara_rule
  behavioral2/memory/2996-135-0x0000000001300000-0x0000000001979000-memory.dmp | netwire
  behavioral2/memory/2996-136-0x0000000001302BCB-mapping.dmp | netwire
  behavioral2/memory/2996-139-0x0000000001300000-0x0000000001979000-memory.dmp | netwire
  behavioral2/memory/2996-140-0x0000000001300000-0x0000000001979000-memory.dmp | netwire
- Executes dropped EXE (2 IoCs)
  pid | process
  824 | pptbga.pif
  2996 | RegSvcs.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | Proof Of Payment.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | pptbga.pif
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "0\\22643517\\pptbga.pif 0\\22643517\\orktcam.foo" | pptbga.pif
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | process | target process
  PID 824 set thread context of 2996 | 824 | pptbga.pif | RegSvcs.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | process
  824 | pptbga.pif (64 identical entries)
- Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | process | target process
  PID 2736 wrote to memory of 824 | 2736 | Proof Of Payment.exe | pptbga.pif (3 identical entries)
  PID 824 wrote to memory of 2996 | 824 | pptbga.pif | RegSvcs.exe (5 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\Proof Of Payment.exe (PID 2736)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Proof Of Payment.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\22643517\pptbga.pif (PID 824, child of 2736)
    Command line: "C:\Users\Admin\22643517\pptbga.pif" orktcam.foo
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe (PID 2996, child of 824)
      Command line: "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\22643517\kafxg.log
  Filesize: 316KB
  MD5: 44edc15f20d20f4b425f033cc387c165
  SHA1: 5e7a2ac4953cd0b23b8fee744b63104dfe346427
  SHA256: eb1ccd0b6b3494951dc1046e417d9a5c695c17b0eba57800bef5b19d6d0cb3cb
  SHA512: c204c8ce99f06568e1c9578c1c8b48ebab55e030617b17d007f4e77ab83aca71870411def521aa97e65958d5b3d82589c11a1b08d24e3af87d7573fc7f92e0fc
- C:\Users\Admin\22643517\orktcam.foo
  Filesize: 155.4MB
  MD5: 7cb2ccd674dc1d18b2082f00ae7e5bd7
  SHA1: b4bdafe2f36f93ce5dd6534944ac07ac821d7322
  SHA256: 0ccab4907ee3d12de4a40e74ea7197d7d16dab37ef4f0ee740c9b75e23cd555c
  SHA512: 9149f6a91fea98234fdf57a3ae578f530b002e74f7a99b9b9b74ac1cb388d1087905ad05775b26ddfbd1327174a7fe8fe1bc1d674f59769000879e1d8c07a11a
- C:\Users\Admin\22643517\pptbga.pif
  Filesize: 910KB
  MD5: 503fbeaa015418e1a57880f8a0306d43
  SHA1: bd05b27424688e8d8aad7f99ea0d6aa1efbbe8a0
  SHA256: ad6a04f8a27507d42f7aa6a668d4892352142be6701ea83b2e0d49d222b586f9
  SHA512: 17367cdcf5db8d9ca23d8b20a02bcc9e4880a2d62cf1be13eed2b7ccb8848acd50c194f2b864e655dde9ff1e9e9e14412b04d40ce4749bd2e68fdaba9bd29900
- C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
  Filesize: 44KB
  MD5: 9d352bc46709f0cb5ec974633a0c3c94
  SHA1: 1969771b2f022f9a86d77ac4d4d239becdf08d07
  SHA256: 2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390
  SHA512: 13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b
- memory/824-130-0x0000000000000000-mapping.dmp
- memory/2996-135-0x0000000001300000-0x0000000001979000-memory.dmp
  Filesize: 6.5MB
- memory/2996-136-0x0000000001302BCB-mapping.dmp
- memory/2996-139-0x0000000001300000-0x0000000001979000-memory.dmp
  Filesize: 6.5MB
- memory/2996-140-0x0000000001300000-0x0000000001979000-memory.dmp
  Filesize: 6.5MB