Analysis
- max time kernel: 143s
- max time network: 145s
- platform: windows10-2004_x64
- resource: win10v2004-20220722-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220722-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04-08-2022 13:55
- Static task: static1
- Behavioral task: behavioral1
- Sample: Payment Receipt.exe
- Resource: win7-20220715-en
General
- Target: Payment Receipt.exe
- Size: 822KB
- MD5: 85c078ec708786cf1bdb44465afd8eeb
- SHA1: 528497fc0ab6bc410fb971e4558f56fb370036ea
- SHA256: 59c95c7e7882d8eafd5314cda19c7fd39a25da55f7ea6109025693a17d5ec6f7
- SHA512: 10c16726352536599c4cebbf570902e56d5886648be6fefe6a6a55ef73e3674f90c1199d691f47b813b86b78a55321c5bd96b99853bfb87606e22131ca40d45c
Malware Config
Extracted family: netwire
- C2: 185.140.53.61:3363
- C2: 185.140.53.61:3365
- activex_autorun: false
- copy_executable: false
- delete_original: false
- host_id: HostId-%Rand%
- keylogger_dir: %AppData%\Logs\
- lock_executable: false
- offline_keylogger: true
- password: move4ward
- registry_autorun: false
- use_mutex: false
Signatures
- NetWire RAT payload (4 IoCs)
  resource | yara_rule
  behavioral2/memory/4116-140-0x0000000000400000-0x0000000000433000-memory.dmp | netwire
  behavioral2/memory/4116-142-0x0000000000400000-0x0000000000433000-memory.dmp | netwire
  behavioral2/memory/4116-143-0x0000000000400000-0x0000000000433000-memory.dmp | netwire
  behavioral2/memory/4116-144-0x0000000000400000-0x0000000000433000-memory.dmp | netwire
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: Payment Receipt.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\International\Geo\Nation | Payment Receipt.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes: Payment Receipt.exe
  description | pid | process | target process
  PID 3868 set thread context of 4116 | 3868 | Payment Receipt.exe | Payment Receipt.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes: Payment Receipt.exe
  description | pid | process | target process
  PID 3868 wrote to memory of 4300 | 3868 | Payment Receipt.exe | schtasks.exe (3 entries)
  PID 3868 wrote to memory of 4116 | 3868 | Payment Receipt.exe | Payment Receipt.exe (11 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\Payment Receipt.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Payment Receipt.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TzHHooUqWc" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDC85.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\Payment Receipt.exe (depth 2)
    Command line: "{path}"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpDC85.tmp
  Filesize: 1KB
  MD5: c96fca193eedb62704521dc4860e25da
  SHA1: b17f196c3fbe38300fcb0dfee2570b25f123e982
  SHA256: ae9768a974e40bc7bff271ab9c0f2ed528e549381ff0b049e5c70fbf00a91905
  SHA512: 1d1920e78eddbc2c677c1086340df46dabfdf20381be6d998051d4dd1145596845d95fadd08a0329be84588166bd6e1d0318329a1c9a0c3ca790d6f139cd8561
- memory/3868-132-0x0000000000890000-0x0000000000964000-memory.dmp
  Filesize: 848KB
- memory/3868-133-0x0000000005850000-0x0000000005DF4000-memory.dmp
  Filesize: 5.6MB
- memory/3868-134-0x0000000005340000-0x00000000053D2000-memory.dmp
  Filesize: 584KB
- memory/3868-135-0x00000000053E0000-0x000000000547C000-memory.dmp
  Filesize: 624KB
- memory/3868-136-0x0000000005300000-0x000000000530A000-memory.dmp
  Filesize: 40KB
- memory/4116-139-0x0000000000000000-mapping.dmp
- memory/4116-140-0x0000000000400000-0x0000000000433000-memory.dmp
  Filesize: 204KB
- memory/4116-142-0x0000000000400000-0x0000000000433000-memory.dmp
  Filesize: 204KB
- memory/4116-143-0x0000000000400000-0x0000000000433000-memory.dmp
  Filesize: 204KB
- memory/4116-144-0x0000000000400000-0x0000000000433000-memory.dmp
  Filesize: 204KB
- memory/4300-137-0x0000000000000000-mapping.dmp