Analysis

Max time kernel: 65s
Max time network: 128s
Platform: windows10-2004_x64
Resource: win10v2004-20220812-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 15-08-2022 10:41

Tasks:
- Static task: static1
- Behavioral task: behavioral1 (sample: Payment confirmation receipt.exe, resource: win7-20220812-en)
General

Target: Payment confirmation receipt.exe
Size: 656KB
MD5: 5bcabd87ebebbda71b4012952d329bb5
SHA1: c91200acf9e01b42663f68efde07c24bf4404f1f
SHA256: 6ace19befa598ac3913865abf5fea0eac3d66b77425a9700274094d58b50630f
SHA512: ca2c36d0a9cb1fcd2587072617d9081a67bcc5d291a55c9fdf84afa93f42031addf754606b0c8e0ddcd6703e3d50a50f9acc456fc38f49647270258cd0acb386
Malware Config

Extracted family: netwire

C2 hosts:
- 185.140.53.61:3363
- 185.140.53.61:3365

Configuration:
- activex_autorun: false
- copy_executable: false
- delete_original: false
- host_id: HostId-%Rand%
- keylogger_dir: %AppData%\Logs\
- lock_executable: false
- offline_keylogger: true
- password: move4ward
- registry_autorun: false
- use_mutex: false
Signatures

NetWire RAT payload (4 IoCs)
YARA rule "netwire" matched in the following memory dumps:
- behavioral2/memory/4908-147-0x0000000000400000-0x0000000000433000-memory.dmp
- behavioral2/memory/4908-149-0x0000000000400000-0x0000000000433000-memory.dmp
- behavioral2/memory/4908-151-0x0000000000400000-0x0000000000433000-memory.dmp
- behavioral2/memory/4908-165-0x0000000000400000-0x0000000000433000-memory.dmp

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
- Payment confirmation receipt.exe queried key value \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation

Suspicious use of SetThreadContext (1 IoC)
- PID 2600 (Payment confirmation receipt.exe) set thread context of PID 4908 (Payment confirmation receipt.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (4 IoCs)
- PID 396 (powershell.exe), 2 entries
- PID 2216 (powershell.exe), 2 entries

Suspicious use of AdjustPrivilegeToken (2 IoCs)
- PID 2216 (powershell.exe): Token: SeDebugPrivilege
- PID 396 (powershell.exe): Token: SeDebugPrivilege

Suspicious use of WriteProcessMemory (20 IoCs)
PID 2600 (Payment confirmation receipt.exe) wrote to the memory of:
- PID 396 (powershell.exe): 3 entries
- PID 2216 (powershell.exe): 3 entries
- PID 3192 (schtasks.exe): 3 entries
- PID 4908 (Payment confirmation receipt.exe): 11 entries
Processes
(PIDs are those recorded in the Signatures section; indentation shows parent/child depth)

- C:\Users\Admin\AppData\Local\Temp\Payment confirmation receipt.exe (PID 2600)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Payment confirmation receipt.exe"
  Signatures: Checks computer location settings; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Payment confirmation receipt.exe"
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\QCWiwvBYtEYGjo.exe"
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

  - C:\Windows\SysWOW64\schtasks.exe (PID 3192)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QCWiwvBYtEYGjo" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2078.tmp"
    Signatures: Creates scheduled task(s)

  - C:\Users\Admin\AppData\Local\Temp\Payment confirmation receipt.exe (PID 4908)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Payment confirmation receipt.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
Dropped files:

- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
  Filesize: 2KB
  MD5: 968cb9309758126772781b83adb8a28f
  SHA1: 8da30e71accf186b2ba11da1797cf67f8f78b47c
  SHA256: 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
  SHA512: 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 18KB
  MD5: e4661b2303c0b05ba8d0af535568a25f
  SHA1: 692501672c3f0b947737c9fd289430ac92ee4941
  SHA256: 218e0d8a1628e89187a47b6942c4eca1778cb8b81ca008a6df7fa8409fe0be72
  SHA512: 1c3532c4ba65cf04476f30128829680e1f6b42982f82652d3b661bf41bb4431daeedc66b6cdd67e334d9e102131be6af44b2eac80d2d29c2b2e976fde43ffaa5

- C:\Users\Admin\AppData\Local\Temp\tmp2078.tmp
  Filesize: 1KB
  MD5: bf4917f7f10a7fd3b3cfece4b600e389
  SHA1: 24e2538bf64c4672a309ef64dfca76c930618dde
  SHA256: 9b1605507e5a1a16957dd90876b47bd5746f7c4b6ef7410617b35730dc925aca
  SHA512: ccd32d6dc3591a1008d6ac9d54781d83a718729349670958ac14d1f8015c1bde979a16b22f9a0672c622437998d225c3544b847f685b1a40d9eaa37ed69126dd
Memory dumps (grouped by PID; "mapping" entries have no size):

PID 396 (powershell.exe)
- memory/396-137-0x0000000000000000-mapping.dmp
- memory/396-140-0x0000000004B30000-0x0000000004B66000-memory.dmp: 216KB
- memory/396-141-0x0000000005240000-0x0000000005868000-memory.dmp: 6.2MB
- memory/396-142-0x0000000005870000-0x0000000005892000-memory.dmp: 136KB
- memory/396-145-0x0000000005AE0000-0x0000000005B46000-memory.dmp: 408KB
- memory/396-153-0x0000000071190000-0x00000000711DC000-memory.dmp: 304KB
- memory/396-155-0x00000000066A0000-0x00000000066BE000-memory.dmp: 120KB
- memory/396-156-0x0000000007A20000-0x000000000809A000-memory.dmp: 6.5MB
- memory/396-157-0x00000000073E0000-0x00000000073FA000-memory.dmp: 104KB
- memory/396-160-0x0000000007610000-0x000000000761E000-memory.dmp: 56KB
- memory/396-161-0x0000000007720000-0x000000000773A000-memory.dmp: 104KB
- memory/396-162-0x0000000007700000-0x0000000007708000-memory.dmp: 32KB

PID 2216 (powershell.exe)
- memory/2216-138-0x0000000000000000-mapping.dmp
- memory/2216-143-0x00000000059D0000-0x0000000005A36000-memory.dmp: 408KB
- memory/2216-150-0x00000000060A0000-0x00000000060BE000-memory.dmp: 120KB
- memory/2216-152-0x0000000007040000-0x0000000007072000-memory.dmp: 200KB
- memory/2216-154-0x0000000071190000-0x00000000711DC000-memory.dmp: 304KB
- memory/2216-158-0x0000000007430000-0x000000000743A000-memory.dmp: 40KB
- memory/2216-159-0x0000000007630000-0x00000000076C6000-memory.dmp: 600KB

PID 2600 (Payment confirmation receipt.exe)
- memory/2600-132-0x0000000000A90000-0x0000000000B3A000-memory.dmp: 680KB
- memory/2600-133-0x0000000005B60000-0x0000000006104000-memory.dmp: 5.6MB
- memory/2600-134-0x00000000054C0000-0x0000000005552000-memory.dmp: 584KB
- memory/2600-135-0x0000000005580000-0x000000000558A000-memory.dmp: 40KB
- memory/2600-136-0x000000000A530000-0x000000000A5CC000-memory.dmp: 624KB

PID 3192 (schtasks.exe)
- memory/3192-139-0x0000000000000000-mapping.dmp

PID 4908 (Payment confirmation receipt.exe, injected child)
- memory/4908-146-0x0000000000000000-mapping.dmp
- memory/4908-147-0x0000000000400000-0x0000000000433000-memory.dmp: 204KB
- memory/4908-149-0x0000000000400000-0x0000000000433000-memory.dmp: 204KB
- memory/4908-151-0x0000000000400000-0x0000000000433000-memory.dmp: 204KB
- memory/4908-165-0x0000000000400000-0x0000000000433000-memory.dmp: 204KB