Analysis
- max time kernel: 49s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20220715-en
- resource tags: arch:x64, arch:x86, image:win7-20220715-en, locale:en-us, os:windows7-x64, system
- submitted: 04-08-2022 13:53
- Static task: static1
- Behavioral task: behavioral1
  - Sample: Payment Receipt.exe
  - Resource: win7-20220715-en
General
- Target: Payment Receipt.exe
- Size: 822KB
- MD5: 85c078ec708786cf1bdb44465afd8eeb
- SHA1: 528497fc0ab6bc410fb971e4558f56fb370036ea
- SHA256: 59c95c7e7882d8eafd5314cda19c7fd39a25da55f7ea6109025693a17d5ec6f7
- SHA512: 10c16726352536599c4cebbf570902e56d5886648be6fefe6a6a55ef73e3674f90c1199d691f47b813b86b78a55321c5bd96b99853bfb87606e22131ca40d45c
Malware Config
Extracted family: netwire
C2 endpoints:
- 185.140.53.61:3363
- 185.140.53.61:3365
Configuration:
- activex_autorun: false
- copy_executable: false
- delete_original: false
- host_id: HostId-%Rand%
- keylogger_dir: %AppData%\Logs\
- lock_executable: false
- offline_keylogger: true
- password: move4ward
- registry_autorun: false
- use_mutex: false
Signatures
- NetWire RAT payload (9 IoCs)
  Memory regions matching the netwire YARA rule (resource: yara_rule):
  - behavioral1/memory/1112-66-0x0000000000400000-0x0000000000433000-memory.dmp: netwire
  - behavioral1/memory/1112-67-0x0000000000400000-0x0000000000433000-memory.dmp: netwire
  - behavioral1/memory/1112-68-0x0000000000400000-0x0000000000433000-memory.dmp: netwire
  - behavioral1/memory/1112-70-0x0000000000400000-0x0000000000433000-memory.dmp: netwire
  - behavioral1/memory/1112-71-0x0000000000400000-0x0000000000433000-memory.dmp: netwire
  - behavioral1/memory/1112-72-0x000000000040242D-mapping.dmp: netwire
  - behavioral1/memory/1112-75-0x0000000000400000-0x0000000000433000-memory.dmp: netwire
  - behavioral1/memory/1112-76-0x0000000000400000-0x0000000000433000-memory.dmp: netwire
  - behavioral1/memory/1112-77-0x0000000000400000-0x0000000000433000-memory.dmp: netwire
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description / pid / process / target process):
  - PID 1704 (Payment Receipt.exe) set thread context of PID 1112 (Payment Receipt.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes (description / pid / process / target process):
  - PID 1704 (Payment Receipt.exe) wrote to memory of PID 1372 (schtasks.exe): 4 events
  - PID 1704 (Payment Receipt.exe) wrote to memory of PID 1112 (Payment Receipt.exe): 12 events
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\Payment Receipt.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Payment Receipt.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TzHHooUqWc" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7D6B.tmp"
    - Creates scheduled task(s)
  - [2] C:\Users\Admin\AppData\Local\Temp\Payment Receipt.exe
    Command line: "{path}"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp7D6B.tmp
  - Filesize: 1KB
  - MD5: 311fd88bc1bd1c0ec00ca228aaea3ac4
  - SHA1: 4e93d18b52ea11b3d26cdeee6826032f6d2d8c7d
  - SHA256: 3b8570aab0024186b9f0e1a5ab9c7caf6c44e30148754a6cc99c616b10ba21ed
  - SHA512: f4a899978b94e05592a72a74dc59315f3b9e9bfd2eb146df82986f20c8ca4a93c413a598f696f471d76d836f99b7850054db78aa80e386b29cab8bf6764ec3f6
- memory/1112-68-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
- memory/1112-71-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
- memory/1112-66-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
- memory/1112-67-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
- memory/1112-64-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
- memory/1112-61-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
- memory/1112-62-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
- memory/1112-77-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
- memory/1112-76-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
- memory/1112-75-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
- memory/1112-72-0x000000000040242D-mapping.dmp
- memory/1112-70-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
- memory/1372-59-0x0000000000000000-mapping.dmp
- memory/1704-55-0x00000000764D1000-0x00000000764D3000-memory.dmp (Filesize: 8KB)
- memory/1704-54-0x0000000000F60000-0x0000000001034000-memory.dmp (Filesize: 848KB)
- memory/1704-58-0x0000000000540000-0x000000000056E000-memory.dmp (Filesize: 184KB)
- memory/1704-57-0x0000000005D80000-0x0000000005DFE000-memory.dmp (Filesize: 504KB)
- memory/1704-56-0x0000000000490000-0x000000000049A000-memory.dmp (Filesize: 40KB)