Overview

overview

10

Static

static

Payment co...pt.exe

windows7-x64

10

Payment co...pt.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    65s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-08-2022 10:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Payment confirmation receipt.exe

  • Size

    656KB

  • MD5

    5bcabd87ebebbda71b4012952d329bb5

  • SHA1

    c91200acf9e01b42663f68efde07c24bf4404f1f

  • SHA256

    6ace19befa598ac3913865abf5fea0eac3d66b77425a9700274094d58b50630f

  • SHA512

    ca2c36d0a9cb1fcd2587072617d9081a67bcc5d291a55c9fdf84afa93f42031addf754606b0c8e0ddcd6703e3d50a50f9acc456fc38f49647270258cd0acb386

Score
10/10
netwirebotnetratstealer

Malware Config

Extracted

Family

netwire

C2

185.140.53.61:3363

185.140.53.61:3365
Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • offline_keylogger

    true

  • password

    move4ward

  • registry_autorun

    false

  • use_mutex

    false

Signatures

  • NetWire RAT payload 4 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Payment confirmation receipt.exe
    "C:\Users\Admin\AppData\Local\Temp\Payment confirmation receipt.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2600
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Payment confirmation receipt.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:396
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\QCWiwvBYtEYGjo.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2216
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QCWiwvBYtEYGjo" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2078.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:3192
    • C:\Users\Admin\AppData\Local\Temp\Payment confirmation receipt.exe
      "C:\Users\Admin\AppData\Local\Temp\Payment confirmation receipt.exe"
      2⤵
        PID:4908

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      968cb9309758126772781b83adb8a28f

      SHA1

      8da30e71accf186b2ba11da1797cf67f8f78b47c

      SHA256

      92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

      SHA512

      4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      18KB

      MD5

      e4661b2303c0b05ba8d0af535568a25f

      SHA1

      692501672c3f0b947737c9fd289430ac92ee4941

      SHA256

      218e0d8a1628e89187a47b6942c4eca1778cb8b81ca008a6df7fa8409fe0be72

      SHA512

      1c3532c4ba65cf04476f30128829680e1f6b42982f82652d3b661bf41bb4431daeedc66b6cdd67e334d9e102131be6af44b2eac80d2d29c2b2e976fde43ffaa5

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\tmp2078.tmp
      Filesize

      1KB

      MD5

      bf4917f7f10a7fd3b3cfece4b600e389

      SHA1

      24e2538bf64c4672a309ef64dfca76c930618dde

      SHA256

      9b1605507e5a1a16957dd90876b47bd5746f7c4b6ef7410617b35730dc925aca

      SHA512

      ccd32d6dc3591a1008d6ac9d54781d83a718729349670958ac14d1f8015c1bde979a16b22f9a0672c622437998d225c3544b847f685b1a40d9eaa37ed69126dd

      Download Submit
    • memory/396-157-0x00000000073E0000-0x00000000073FA000-memory.dmp
      Filesize

      104KB

      Download
    • memory/396-137-0x0000000000000000-mapping.dmp
      Download
    • memory/396-162-0x0000000007700000-0x0000000007708000-memory.dmp
      Filesize

      32KB

      Download
    • memory/396-161-0x0000000007720000-0x000000000773A000-memory.dmp
      Filesize

      104KB

      Download
    • memory/396-160-0x0000000007610000-0x000000000761E000-memory.dmp
      Filesize

      56KB

      Download
    • memory/396-140-0x0000000004B30000-0x0000000004B66000-memory.dmp
      Filesize

      216KB

      Download
    • memory/396-141-0x0000000005240000-0x0000000005868000-memory.dmp
      Filesize

      6.2MB

      Download
    • memory/396-142-0x0000000005870000-0x0000000005892000-memory.dmp
      Filesize

      136KB

      Download
    • memory/396-156-0x0000000007A20000-0x000000000809A000-memory.dmp
      Filesize

      6.5MB

      Download
    • memory/396-155-0x00000000066A0000-0x00000000066BE000-memory.dmp
      Filesize

      120KB

      Download
    • memory/396-145-0x0000000005AE0000-0x0000000005B46000-memory.dmp
      Filesize

      408KB

      Download
    • memory/396-153-0x0000000071190000-0x00000000711DC000-memory.dmp
      Filesize

      304KB

      Download
    • memory/2216-143-0x00000000059D0000-0x0000000005A36000-memory.dmp
      Filesize

      408KB

      Download
    • memory/2216-154-0x0000000071190000-0x00000000711DC000-memory.dmp
      Filesize

      304KB

      Download
    • memory/2216-150-0x00000000060A0000-0x00000000060BE000-memory.dmp
      Filesize

      120KB

      Download
    • memory/2216-138-0x0000000000000000-mapping.dmp
      Download
    • memory/2216-152-0x0000000007040000-0x0000000007072000-memory.dmp
      Filesize

      200KB

      Download
    • memory/2216-159-0x0000000007630000-0x00000000076C6000-memory.dmp
      Filesize

      600KB

      Download
    • memory/2216-158-0x0000000007430000-0x000000000743A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/2600-132-0x0000000000A90000-0x0000000000B3A000-memory.dmp
      Filesize

      680KB

      Download
    • memory/2600-136-0x000000000A530000-0x000000000A5CC000-memory.dmp
      Filesize

      624KB

      Download
    • memory/2600-135-0x0000000005580000-0x000000000558A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/2600-134-0x00000000054C0000-0x0000000005552000-memory.dmp
      Filesize

      584KB

      Download
    • memory/2600-133-0x0000000005B60000-0x0000000006104000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/3192-139-0x0000000000000000-mapping.dmp
      Download
    • memory/4908-149-0x0000000000400000-0x0000000000433000-memory.dmp
      Filesize

      204KB

      Download
    • memory/4908-146-0x0000000000000000-mapping.dmp
      Download
    • memory/4908-147-0x0000000000400000-0x0000000000433000-memory.dmp
      Filesize

      204KB

      Download
    • memory/4908-151-0x0000000000400000-0x0000000000433000-memory.dmp
      Filesize

      204KB

      Download
    • memory/4908-165-0x0000000000400000-0x0000000000433000-memory.dmp
      Filesize

      204KB

      Download