Analysis

max time kernel: 60s
max time network: 70s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 15-09-2022 09:53
Static task: static1
Behavioral task: behavioral1
Sample: proof of payment.exe
Resource: win7-20220812-en
General

Target: proof of payment.exe
Size: 661KB
MD5: af0b6c0b096bc0a9a6c6da19b3340a4c
SHA1: 4bc68ca3cd282e9c711c6b9a452a425af4fdf8d8
SHA256: 0b069c7e87aeb1802c8a83bf595bdf68040faf36bb5f607f4d1a20b8b8f45403
SHA512: b33da09ded4c519566e9277cc4b10c4f5553246dd587c74c6c212430b45d4c188221d65f4357a6a5ff97202e1429378dd903c7f23217a16acf876c0bf3ab0ba1
SSDEEP: 12288:m5VF75e1ZsTyxRM2wfQy/FhucmJcTQJW0OkzKJfhd45/B:KVZ52ZX/OX9hDUcTOW5eAHW
Malware Config
Signatures
NetWire RAT payload (7 IoCs)
resource | yara_rule
behavioral1/memory/1056-69-0x0000000000400000-0x000000000042B000-memory.dmp | netwire
behavioral1/memory/1056-70-0x0000000000400000-0x000000000042B000-memory.dmp | netwire
behavioral1/memory/1056-72-0x0000000000400000-0x000000000042B000-memory.dmp | netwire
behavioral1/memory/1056-75-0x00000000004026D0-mapping.dmp | netwire
behavioral1/memory/1056-74-0x0000000000400000-0x000000000042B000-memory.dmp | netwire
behavioral1/memory/1056-78-0x0000000000400000-0x000000000042B000-memory.dmp | netwire
behavioral1/memory/1056-79-0x0000000000400000-0x000000000042B000-memory.dmp | netwire

Suspicious use of SetThreadContext (1 IoC)
description | pid | process | target process
PID 1612 set thread context of 1056 | 1612 | proof of payment.exe | proof of payment.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's canned description adds "likely ransomware behaviour", but this is a generic heuristic: nothing else in this report (no mass file writes, no dropped note, only the task XML under Downloads) supports that reading, and drive enumeration is equally consistent with a RAT's file-browsing and reconnaissance features.
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (1 IoC)
pid | process
940 | powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | process
Token: SeDebugPrivilege | 940 | powershell.exe

Suspicious use of WriteProcessMemory (19 IoCs)
description | pid | process | target process
PID 1612 wrote to memory of 940 | 1612 | proof of payment.exe | powershell.exe (4 identical entries)
PID 1612 wrote to memory of 1460 | 1612 | proof of payment.exe | schtasks.exe (4 identical entries)
PID 1612 wrote to memory of 1056 | 1612 | proof of payment.exe | proof of payment.exe (11 identical entries)
Processes

C:\Users\Admin\AppData\Local\Temp\proof of payment.exe (PID 1612)
  command line: "C:\Users\Admin\AppData\Local\Temp\proof of payment.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  |
  +- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 940)
  |    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\uVDXDtwcCw.exe"
  |    - Suspicious behavior: EnumeratesProcesses
  |    - Suspicious use of AdjustPrivilegeToken
  |
  +- C:\Windows\SysWOW64\schtasks.exe (PID 1460)
  |    command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uVDXDtwcCw" /XML "C:\Users\Admin\AppData\Local\Temp\tmp41E1.tmp"
  |    - Creates scheduled task(s)
  |
  +- C:\Users\Admin\AppData\Local\Temp\proof of payment.exe (PID 1056)
       command line: "C:\Users\Admin\AppData\Local\Temp\proof of payment.exe"

Notes on the tree (PIDs taken from the signatures section). The image paths for powershell.exe and schtasks.exe are under SysWOW64 although the command lines name System32: the parent is a 32-bit process running under WoW64, so file-system redirection resolves System32 to the 32-bit binaries. The three children are a common loader sequence: a Defender exclusion for C:\Users\Admin\AppData\Roaming\uVDXDtwcCw.exe, a scheduled task Updates\uVDXDtwcCw created from an XML file in Temp (the same random name, so the task is presumably meant to relaunch the excluded copy), and a second instance of the sample itself, PID 1056, into which the parent writes memory and then sets a thread context. Every NetWire YARA hit is in that child's 0x400000-0x42B000 image range, which marks PID 1056 as the hollowed host of the unpacked payload. The report does not list the Roaming copy being written, so that drop is inferred from the exclusion and task names only.
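The three behaviours in the tree above (a Defender exclusion via Add-MpPreference, a scheduled task created from an XML file in a user-writable directory, and a parent that spawns its own image and then calls SetThreadContext on it) are each cheap to detect from process telemetry. The Python below is an added example written for this page, not code from the sandbox vendor; the event records are constructed by hand from the tree (PIDs follow the signatures section, the parent's PPID 1000 is invented), and the ProcEvent/ThreadCtxEvent shape is an assumption standing in for whatever your EDR or sandbox exports.

```python
"""Process-telemetry heuristics for the three behaviours seen in this report.

Added example for this page, not sandbox-vendor code. The event shape and the
sample events below are constructed; PIDs follow the report, PPID 1000 is invented.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # on-disk image path as the sandbox/EDR resolved it
    cmdline: str   # command line as launched


@dataclass(frozen=True)
class ThreadCtxEvent:
    pid: int         # process that called SetThreadContext
    target_pid: int  # process owning the thread whose context was set


# Constructed from the process tree in this report (PPID 1000 for the root is made up).
EVENTS = [
    ProcEvent(1612, 1000, r"C:\Users\Admin\AppData\Local\Temp\proof of payment.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\proof of payment.exe"'),
    ProcEvent(940, 1612, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference '
              r'-ExclusionPath "C:\Users\Admin\AppData\Roaming\uVDXDtwcCw.exe"'),
    ProcEvent(1460, 1612, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uVDXDtwcCw" '
              r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp41E1.tmp"'),
    ProcEvent(1056, 1612, r"C:\Users\Admin\AppData\Local\Temp\proof of payment.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\proof of payment.exe"'),
]
THREAD_CTX = [ThreadCtxEvent(1612, 1056)]

# Anything under a user's AppData is writable without elevation: a favourite staging area.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.I)


def _arg(cmdline, flag):
    """Value following a flag such as /XML or -ExclusionPath, quoted or bare; None if absent."""
    m = re.search(r'(?<!\S)' + re.escape(flag) + r'\s+(?:"([^"]+)"|(\S+))', cmdline, re.I)
    return (m.group(1) or m.group(2)) if m else None


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def find_defender_exclusions(events):
    """PowerShell adding a Defender exclusion; returns [(pid, kind, value)]."""
    hits = []
    for e in events:
        if basename(e.image) not in ("powershell.exe", "pwsh.exe"):
            continue
        if not re.search(r"\badd-mppreference\b", e.cmdline, re.I):
            continue
        for kind in ("-ExclusionPath", "-ExclusionProcess", "-ExclusionExtension"):
            value = _arg(e.cmdline, kind)
            if value:
                hits.append((e.pid, kind, value))
    return hits


def find_schtasks_from_user_dir(events):
    """schtasks /Create whose /XML definition lives under a user's AppData; [(pid, task, xml)]."""
    hits = []
    for e in events:
        if basename(e.image) != "schtasks.exe":
            continue
        if not re.search(r"(?<!\S)/create(?!\S)", e.cmdline, re.I):
            continue
        xml = _arg(e.cmdline, "/XML")
        if xml and USER_WRITABLE.search(xml):
            hits.append((e.pid, _arg(e.cmdline, "/TN"), xml))
    return hits


def find_self_hollowing(events, thread_ctx):
    """A parent sets the thread context of a child running the same image: the RunPE /
    process-hollowing sequence (create suspended, write payload, SetThreadContext, resume).
    Returns [(parent_pid, child_pid, image)]."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for t in thread_ctx:
        src, dst = by_pid.get(t.pid), by_pid.get(t.target_pid)
        if src and dst and dst.ppid == src.pid and dst.image.lower() == src.image.lower():
            hits.append((src.pid, dst.pid, dst.image))
    return hits


def triage(events, thread_ctx):
    """Run all three heuristics and return the findings keyed by name."""
    return {
        "defender_exclusion": find_defender_exclusions(events),
        "schtasks_from_user_dir": find_schtasks_from_user_dir(events),
        "self_hollowing": find_self_hollowing(events, thread_ctx),
    }


if __name__ == "__main__":
    for name, hits in triage(EVENTS, THREAD_CTX).items():
        print(f"{name}: {hits}")
```

The hollowing check deliberately requires both the parent/child relationship and an identical image path; SetThreadContext alone also fires for debuggers and some installers, and the same-image self-spawn is what distinguishes this sample's pattern from those.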
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\tmp41E1.tmp (the task definition passed to schtasks.exe via /XML in the process tree above)
Filesize: 1KB
MD5: b215e3625ce490e05e68acf4341487d8
SHA1: 92321d2f51562bf6139aa6e28da8071cf24660f7
SHA256: d83b6279c176d78833cc722ca4bab17fbe9b5d32e8533bc85797d88c56046332
SHA512: d542a7fa5509740c979873f0af7ba2b2cad609b308cdeae1d9ec0f0d3398efe024ef93dc7c2d6f8e84189d7f706ea266da9be8c57d7e27d8508d3a27884c48c7
Memory dumps (grouped by PID, in sequence order):

PID 1612 (proof of payment.exe, parent)
memory/1612-54-0x0000000001140000-0x00000000011EA000-memory.dmp, Filesize 680KB
memory/1612-55-0x0000000076681000-0x0000000076683000-memory.dmp, Filesize 8KB
memory/1612-56-0x00000000005E0000-0x00000000005F8000-memory.dmp, Filesize 96KB
memory/1612-57-0x0000000000530000-0x000000000053C000-memory.dmp, Filesize 48KB
memory/1612-58-0x0000000007F30000-0x0000000007FB0000-memory.dmp, Filesize 512KB
memory/1612-63-0x0000000004CE0000-0x0000000004D06000-memory.dmp, Filesize 152KB

PID 940 (powershell.exe)
memory/940-59-0x0000000000000000-mapping.dmp
memory/940-80-0x000000006F520000-0x000000006FACB000-memory.dmp, Filesize 5.7MB
memory/940-81-0x000000006F520000-0x000000006FACB000-memory.dmp, Filesize 5.7MB

PID 1460 (schtasks.exe)
memory/1460-60-0x0000000000000000-mapping.dmp

PID 1056 (proof of payment.exe, hollowed child)
memory/1056-64-0x0000000000400000-0x000000000042B000-memory.dmp, Filesize 172KB
memory/1056-65-0x0000000000400000-0x000000000042B000-memory.dmp, Filesize 172KB
memory/1056-67-0x0000000000400000-0x000000000042B000-memory.dmp, Filesize 172KB
memory/1056-69-0x0000000000400000-0x000000000042B000-memory.dmp, Filesize 172KB
memory/1056-70-0x0000000000400000-0x000000000042B000-memory.dmp, Filesize 172KB
memory/1056-72-0x0000000000400000-0x000000000042B000-memory.dmp, Filesize 172KB
memory/1056-74-0x0000000000400000-0x000000000042B000-memory.dmp, Filesize 172KB
memory/1056-75-0x00000000004026D0-mapping.dmp
memory/1056-78-0x0000000000400000-0x000000000042B000-memory.dmp, Filesize 172KB
memory/1056-79-0x0000000000400000-0x000000000042B000-memory.dmp, Filesize 172KB
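The artifact names above encode PID, sequence number and address range, so they can be cross-checked against the report itself: each Filesize follows from the range, and the one non-zero mapping address, 0x4026D0 on PID 1056, falls inside the 0x400000-0x42B000 image that the NetWire rule matched. The Python below is an added example written for this page rather than sandbox-vendor code; the artifact list is a constructed subset of the names above, and reading a non-zero mapping address as the thread start written by SetThreadContext is an assumption about the vendor's naming scheme, consistent with the SetThreadContext signature on PID 1056.

```python
"""Parse the sandbox's memory-artifact names and relate them to the injection seen above.

Added example for this page, not sandbox-vendor code. ARTIFACTS is a constructed
subset of the names in this report; treating a non-zero 'mapping' address as the
thread start set by SetThreadContext is an assumption about the naming scheme.
"""
import re
from collections import defaultdict

ARTIFACT_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>memory|mapping)\.dmp$"
)

ARTIFACTS = [  # constructed subset of the artifact list in this report
    "memory/940-59-0x0000000000000000-mapping.dmp",
    "memory/940-81-0x000000006F520000-0x000000006FACB000-memory.dmp",
    "memory/1056-64-0x0000000000400000-0x000000000042B000-memory.dmp",
    "memory/1056-75-0x00000000004026D0-mapping.dmp",
    "memory/1056-79-0x0000000000400000-0x000000000042B000-memory.dmp",
    "memory/1460-60-0x0000000000000000-mapping.dmp",
    "memory/1612-54-0x0000000001140000-0x00000000011EA000-memory.dmp",
]


def parse_artifact(name):
    """Split 'memory/<pid>-<seq>-0x<start>[-0x<end>]-<kind>.dmp' into its fields."""
    m = ARTIFACT_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised artifact name: {name}")
    d = m.groupdict()
    return {
        "pid": int(d["pid"]), "seq": int(d["seq"]), "kind": d["kind"],
        "start": int(d["start"], 16),
        "end": int(d["end"], 16) if d["end"] else None,
    }


def size_label(start, end):
    """Reproduce the report's Filesize column: whole KB below 1 MB, else one-decimal MB."""
    n = end - start
    return f"{n // 1024}KB" if n < (1 << 20) else f"{n / (1 << 20):.1f}MB"


def injected_entry_points(artifacts):
    """For each PID whose 'mapping' artifact carries a non-zero address, locate the dumped
    region containing it and return the offset from the region base (the RVA when the
    region is a mapped image, as 0x400000-0x42B000 is). PIDs with only a zero mapping
    address (940, 1460 here) are not injection targets and are skipped."""
    regions, entries = defaultdict(list), {}
    for a in map(parse_artifact, artifacts):
        if a["kind"] == "memory":
            regions[a["pid"]].append((a["start"], a["end"]))
        elif a["start"]:
            entries[a["pid"]] = a["start"]
    result = {}
    for pid, addr in entries.items():
        hit = next(((s, e) for s, e in regions[pid] if s <= addr < e), None)
        result[pid] = None if hit is None else {"region": hit, "rva": addr - hit[0]}
    return result


if __name__ == "__main__":
    for name in ARTIFACTS:
        a = parse_artifact(name)
        if a["end"] is not None:
            print(name, size_label(a["start"], a["end"]))
    print(injected_entry_points(ARTIFACTS))
```

Running it on the full list reproduces every Filesize shown above (0x2B000 bytes is 172KB, 0x5AB000 bytes rounds to 5.7MB) and reports RVA 0x26D0 inside PID 1056's image, the natural place to start when carving the unpacked NetWire payload from one of the 172KB dumps.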