Analysis
max time kernel: 47s
max time network: 103s
platform: windows7_x64
resource: win7-20220715-en
resource tags: arch:x64, arch:x86, image:win7-20220715-en, locale:en-us, os:windows7-x64, system
submitted: 04-08-2022 13:55
Static task: static1
Behavioral task: behavioral1
Sample: Payment Receipt.exe
Resource: win7-20220715-en
General
Target: Payment Receipt.exe
Size: 822KB
MD5: 85c078ec708786cf1bdb44465afd8eeb
SHA1: 528497fc0ab6bc410fb971e4558f56fb370036ea
SHA256: 59c95c7e7882d8eafd5314cda19c7fd39a25da55f7ea6109025693a17d5ec6f7
SHA512: 10c16726352536599c4cebbf570902e56d5886648be6fefe6a6a55ef73e3674f90c1199d691f47b813b86b78a55321c5bd96b99853bfb87606e22131ca40d45c
Malware Config
Extracted family: netwire
C2: 185.140.53.61:3363
C2: 185.140.53.61:3365
activex_autorun: false
copy_executable: false
delete_original: false
host_id: HostId-%Rand%
keylogger_dir: %AppData%\Logs\
lock_executable: false
offline_keylogger: true
password: move4ward
registry_autorun: false
use_mutex: false

Reading the configuration: both C2 entries are the same host on two ports, so block or alert on the IP rather than a single port. The three built-in persistence switches (activex_autorun, registry_autorun, copy_executable) are all off, which is consistent with the loader handling persistence itself via the scheduled task seen below rather than letting the NetWire payload install itself. offline_keylogger is on with keylogger_dir set to %AppData%\Logs\, so a host check for that directory (and for log files in it) is a cheap indicator of a live infection. The password value is the operator's secret that NetWire uses to key its C2 channel; it is useful for clustering samples from the same operator.
Signatures

NetWire RAT payload (8 IoCs)
resource                                                                      yara_rule
behavioral1/memory/852-66-0x0000000000400000-0x0000000000433000-memory.dmp   netwire
behavioral1/memory/852-67-0x0000000000400000-0x0000000000433000-memory.dmp   netwire
behavioral1/memory/852-68-0x0000000000400000-0x0000000000433000-memory.dmp   netwire
behavioral1/memory/852-70-0x0000000000400000-0x0000000000433000-memory.dmp   netwire
behavioral1/memory/852-71-0x0000000000400000-0x0000000000433000-memory.dmp   netwire
behavioral1/memory/852-72-0x000000000040242D-mapping.dmp                     netwire
behavioral1/memory/852-75-0x0000000000400000-0x0000000000433000-memory.dmp   netwire
behavioral1/memory/852-76-0x0000000000400000-0x0000000000433000-memory.dmp   netwire
Every hit is in PID 852, the second Payment Receipt.exe instance, in the region 0x400000-0x433000 (the default image base of a 32-bit PE): that is the unpacked NetWire payload mapped into the injected child, and the mapping entry at 0x40242D points inside the same region. The parent, PID 1968, has no NetWire hits; it is only the loader.

Suspicious use of SetThreadContext (1 IoC)
description                          pid    process               target process
PID 1968 set thread context of 852   1968   Payment Receipt.exe   Payment Receipt.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
That last sentence is the sandbox's generic text for this signature, not a finding about this sample: the extracted configuration identifies the payload as NetWire, a remote access trojan, the only dropped file in this report is the 1KB task XML, and nothing here shows files being renamed or encrypted. Drive enumeration is consistent with a RAT's host survey and file-manager functionality.

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious use of WriteProcessMemory (16 IoCs)
description                          pid    process               target process        count
PID 1968 wrote to memory of 1480     1968   Payment Receipt.exe   schtasks.exe          4
PID 1968 wrote to memory of 852      1968   Payment Receipt.exe   Payment Receipt.exe   12
The four writes into schtasks.exe are the writes any parent makes while creating a child (process parameters and environment) and are not injection; schtasks.exe receives no SetThreadContext and has no payload dump. The twelve writes into PID 852 followed by SetThreadContext on that same process, with the NetWire payload then sitting at 0x400000 in it, are the process-hollowing sequence.
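The WriteProcessMemory and SetThreadContext rows, read together with the YARA-tagged dumps, are what turn "a parent wrote into a child" into "the child was hollowed". The following Python is an added example, not code from the report or from the sandbox, of how an analyst can correlate those three sources automatically: it parses the report's dump names (the <pid>-<seq>-0x<start>[-0x<end>]-<memory|mapping>.dmp naming used above), counts writes and thread-context changes per (source, target) pair, and flags a target that received both and whose dumped region at the default 32-bit image base matches a family rule. The event dictionaries are transcribed from the rows above with field names that are my own assumption, not the sandbox's export format; the dump lines are copied from the YARA table plus one untagged dump of the parent.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed input, transcribed from the signature rows above. The row text is
# not parsed directly because image names containing spaces make the flat rows
# ambiguous; the counts (4 writes into schtasks.exe, 12 into the child copy)
# match the report. Field names are an assumption, not a sandbox export format.
WRITE_TO_SCHTASKS = {"api": "WriteProcessMemory", "pid": 1968, "target": 1480,
                     "process": "Payment Receipt.exe", "target_process": "schtasks.exe"}
WRITE_TO_CHILD = {"api": "WriteProcessMemory", "pid": 1968, "target": 852,
                  "process": "Payment Receipt.exe", "target_process": "Payment Receipt.exe"}
EVENTS = (
    [{"api": "SetThreadContext", "pid": 1968, "target": 852,
      "process": "Payment Receipt.exe", "target_process": "Payment Receipt.exe"}]
    + [WRITE_TO_SCHTASKS] * 4 + [WRITE_TO_CHILD] * 12
)

# Dump names as printed in the YARA table ("path [rule]"), plus an untagged
# dump of the parent for contrast.
DUMP_LINES = """\
behavioral1/memory/852-66-0x0000000000400000-0x0000000000433000-memory.dmp netwire
behavioral1/memory/852-72-0x000000000040242D-mapping.dmp netwire
behavioral1/memory/852-61-0x0000000000400000-0x0000000000433000-memory.dmp
behavioral1/memory/1968-54-0x0000000000F80000-0x0000000001054000-memory.dmp
""".splitlines()

# <pid>-<seq>-0x<start>[-0x<end>]-<memory|mapping>.dmp, optionally prefixed by a path
DUMP_RE = re.compile(
    r"(?:^|/)(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>memory|mapping)\.dmp$"
)
# Default image base of a 32-bit PE; a payload written into a hollowed process
# normally lands here.
DEFAULT_IMAGE_BASE = 0x400000


@dataclass
class Dump:
    pid: int
    seq: int
    start: int
    end: Optional[int]
    kind: str
    rule: Optional[str]

    @property
    def size_kb(self) -> Optional[int]:
        # None for single-address mapping entries, which have no extent
        return None if self.end is None else (self.end - self.start) // 1024


def parse_dump_line(line: str) -> Dump:
    """Parse one 'dump-name [yara_rule]' line from the report."""
    parts = line.split()
    m = DUMP_RE.search(parts[0])
    if not m:
        raise ValueError(f"unrecognised dump name: {parts[0]}")
    return Dump(pid=int(m["pid"]), seq=int(m["seq"]), start=int(m["start"], 16),
                end=int(m["end"], 16) if m["end"] else None, kind=m["kind"],
                rule=parts[1] if len(parts) > 1 else None)


def find_hollowing(events, dumps):
    """Correlate injection API events with the target's dumps, per (source, target)."""
    writes = defaultdict(int)
    thread_ctx = set()
    names = {}
    for e in events:
        key = (e["pid"], e["target"])
        names[key] = (e["process"], e["target_process"])
        if e["api"] == "WriteProcessMemory":
            writes[key] += 1
        elif e["api"] == "SetThreadContext":
            thread_ctx.add(key)

    findings = []
    for key in sorted(set(writes) | thread_ctx):
        src, dst = key
        src_name, dst_name = names[key]
        payload = [d for d in dumps
                   if d.pid == dst and d.kind == "memory" and d.start == DEFAULT_IMAGE_BASE]
        rules = sorted({d.rule for d in dumps if d.pid == dst and d.rule})
        if key in thread_ctx and writes[key]:
            verdict = "process hollowing: memory written, then thread context replaced"
        elif key in thread_ctx:
            verdict = "thread context replaced without observed writes"
        else:
            # Ordinary CreateProcess also writes into the new child, so this alone is weak.
            verdict = "parent write into child only (weak on its own)"
        findings.append({
            "source": src, "target": dst, "target_image": dst_name,
            "same_image": src_name == dst_name,
            "writes": writes[key], "set_thread_context": key in thread_ctx,
            "payload_kb": payload[0].size_kb if payload else None,
            "rules": rules, "verdict": verdict,
        })
    return findings


if __name__ == "__main__":
    for finding in find_hollowing(EVENTS, [parse_dump_line(l) for l in DUMP_LINES]):
        print(finding)
```

Run against the rows above this yields two findings: PID 852 with 12 writes, a thread-context change, the same image name as its parent, a 204KB region at 0x400000 and the netwire rule (hollowing); and PID 1480 with 4 writes, no context change and no rules, which the verdict correctly leaves as weak evidence.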
Processes
1  C:\Users\Admin\AppData\Local\Temp\Payment Receipt.exe (PID 1968)
   command line: "C:\Users\Admin\AppData\Local\Temp\Payment Receipt.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2  C:\Windows\SysWOW64\schtasks.exe (PID 1480)
      command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TzHHooUqWc" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDCAA.tmp"
      - Creates scheduled task(s)
   2  C:\Users\Admin\AppData\Local\Temp\Payment Receipt.exe (PID 852)
      command line: "{path}"

The loader (PID 1968) is a 32-bit process: its command line names C:\Windows\System32\schtasks.exe, but WoW64 file-system redirection resolves that to C:\Windows\SysWOW64\schtasks.exe, which is the image path recorded. It registers a task named Updates\TzHHooUqWc from an XML definition written to its own temp directory (tmpDCAA.tmp, hashed under Downloads below; the report does not show its contents, so the task's trigger and action have to be read from that file). It then starts a second copy of itself (PID 852) whose recorded command line is the literal string "{path}" rather than a real path, writes into it and replaces its thread context (see the signature rows above): that child is the hollowed host for the NetWire payload, not a normal re-launch.
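The schtasks invocation above has three properties worth turning into a detection: the definition is loaded with /XML from a user-writable temp directory, the creator itself runs from AppData\Local\Temp, and the task is filed under a generic Updates\ folder. As an added example (my own code, not the sandbox's or any vendor's), the following Python tokenizes Windows-style schtasks command lines, extracts the subcommand and valued options, and scores a /Create call on those signals. The first sample is the command line from the process tree above; the other two samples, a vendor updater and a plain /Query, are constructed look-alikes for contrast.

```python
import re
from typing import Optional

# Constructed input: (creator image path, schtasks command line). The first
# pair is the invocation from the process tree above; the other two are
# hypothetical look-alikes (a vendor updater and a plain query) for contrast.
SAMPLES = [
    (r"C:\Users\Admin\AppData\Local\Temp\Payment Receipt.exe",
     r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TzHHooUqWc" '
     r'/XML "C:\Users\Admin\AppData\Local\Temp\tmpDCAA.tmp"'),
    (r"C:\Program Files\Example\Updater.exe",
     r'schtasks.exe /Create /TN "Example\Update Check" /XML "C:\Program Files\Example\task.xml" /F'),
    (r"C:\Windows\System32\cmd.exe",
     r'schtasks /Query /TN "Updates\TzHHooUqWc"'),
]

# Windows-style tokenizer: a double-quoted string is one argument.
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')
# Locations a standard user can write to; legitimate installers rarely keep
# task definitions or task actions there.
USER_WRITABLE_RE = re.compile(
    r"(?i)(\\AppData\\Local\\Temp\\|\\Windows\\Temp\\|%TE?MP%|\\Users\\Public\\|\\Downloads\\)")
SUBCOMMANDS = {"/create", "/delete", "/query", "/run", "/change", "/end"}
VALUE_OPTS = {"/tn", "/xml", "/tr", "/sc", "/ru", "/rp", "/rl", "/mo", "/st", "/sd"}


def tokenize(cmdline: str) -> list:
    return [quoted if quoted else bare for quoted, bare in TOKEN_RE.findall(cmdline)]


def parse_schtasks(cmdline: str) -> Optional[dict]:
    """Return subcommand, valued options and bare flags, or None if not schtasks."""
    toks = tokenize(cmdline)
    if not toks or "schtasks" not in toks[0].lower():
        return None
    info = {"subcommand": None, "opts": {}, "flags": set()}
    i = 1
    while i < len(toks):
        t = toks[i].lower()
        if t in VALUE_OPTS and i + 1 < len(toks):
            info["opts"][t] = toks[i + 1]
            i += 2
            continue
        if t in SUBCOMMANDS and info["subcommand"] is None:
            info["subcommand"] = t
        elif t.startswith("/"):
            info["flags"].add(t)
        i += 1
    return info


def assess(creator_image: str, cmdline: str) -> dict:
    """Score one schtasks /Create for persistence from a user-writable location."""
    info = parse_schtasks(cmdline)
    if info is None or info["subcommand"] != "/create":
        return {"verdict": "ignore", "task": None, "xml": None, "reasons": []}
    opts, reasons = info["opts"], []
    task = opts.get("/tn", "")
    xml = opts.get("/xml")
    if xml and USER_WRITABLE_RE.search(xml):
        reasons.append("task definition XML loaded from a user-writable temp location")
    if opts.get("/tr") and USER_WRITABLE_RE.search(opts["/tr"]):
        reasons.append("task action runs a program from a user-writable location")
    if USER_WRITABLE_RE.search(creator_image) or re.search(r"(?i)\\AppData\\", creator_image):
        reasons.append("task created by a process running from the user profile")
    if re.match(r"(?i)\\?updates?\\", task):
        reasons.append("task filed under a generic 'Updates' folder rather than a vendor path")
    if opts.get("/rl", "").upper() == "HIGHEST" or \
            opts.get("/ru", "").upper() in {"SYSTEM", "NT AUTHORITY\\SYSTEM"}:
        reasons.append("task asks for highest run level or the SYSTEM account")
    verdict = "suspicious" if len(reasons) >= 2 else "review" if reasons else "benign"
    return {"verdict": verdict, "task": task or None, "xml": xml, "reasons": reasons}


def assess_all(samples=SAMPLES) -> list:
    return [assess(image, cmd) for image, cmd in samples]


if __name__ == "__main__":
    for result in assess_all():
        print(result)
```

The same logic applies to Security event 4698 (task created) or to Sysmon process-creation events for schtasks.exe, with the parent image taken from the event. A /Create that passes the XML from a temp path is the signal to pull that XML and read its Triggers and Actions elements, since the command line alone does not say what the task runs or when.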
Downloads (dropped files and memory dumps)

Dropped file
C:\Users\Admin\AppData\Local\Temp\tmpDCAA.tmp (the task definition passed to schtasks.exe /XML above)
Filesize: 1KB
MD5: a2404b8c84f734372736c64bed8547d2
SHA1: 808da1e10b5553dc1ba3535d6245ed98cb988b2a
SHA256: 7932c7a87d9fcdf1027e4539b97e1b4f5b4b444e42672e1878169293e96dd2b1
SHA512: 28f232ed107ca18b198ae1243ed9ab0ce9f5a9bbaf1f01991aeebfd53f20675cf1290edd55d5a07416adb721af360705aae1388504fa5a81d780df5f5fca88a2

Memory dumps (name, filesize)
memory/852-61-0x0000000000400000-0x0000000000433000-memory.dmp    204KB
memory/852-62-0x0000000000400000-0x0000000000433000-memory.dmp    204KB
memory/852-64-0x0000000000400000-0x0000000000433000-memory.dmp    204KB
memory/852-66-0x0000000000400000-0x0000000000433000-memory.dmp    204KB
memory/852-67-0x0000000000400000-0x0000000000433000-memory.dmp    204KB
memory/852-68-0x0000000000400000-0x0000000000433000-memory.dmp    204KB
memory/852-70-0x0000000000400000-0x0000000000433000-memory.dmp    204KB
memory/852-71-0x0000000000400000-0x0000000000433000-memory.dmp    204KB
memory/852-72-0x000000000040242D-mapping.dmp
memory/852-75-0x0000000000400000-0x0000000000433000-memory.dmp    204KB
memory/852-76-0x0000000000400000-0x0000000000433000-memory.dmp    204KB
memory/1480-59-0x0000000000000000-mapping.dmp
memory/1968-54-0x0000000000F80000-0x0000000001054000-memory.dmp   848KB
memory/1968-55-0x00000000754D1000-0x00000000754D3000-memory.dmp   8KB
memory/1968-56-0x00000000003D0000-0x00000000003DA000-memory.dmp   40KB
memory/1968-57-0x0000000005B90000-0x0000000005C0E000-memory.dmp   504KB
memory/1968-58-0x0000000004460000-0x000000000448E000-memory.dmp   184KB

The filesize is the extent of the dumped range (0x433000 - 0x400000 = 0x33000 = 208896 bytes = 204KB); mapping entries are single addresses and have no size. The eleven dumps of PID 852 are successive snapshots of the same 0x400000-0x433000 region, eight of which matched the netwire rule above, so any one of them is the unpacked payload to take for static analysis. None of the parent's (PID 1968) dumps is at 0x400000 or matched the rule; the 848KB dump at 0xF80000 is the largest and is most likely the loader's own image (the submitted file is 822KB on disk), which is what to examine for how the payload is decoded and injected.