Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 75s
- max time network: 101s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 20/09/2022, 07:41
Static task: static1
Behavioral task: behavioral1
- Sample: Payment confirmation.exe
- Resource: win7-20220901-en
General
- Target: Payment confirmation.exe
- Size: 794KB
- MD5: d2e1541ec3a29b282d6b0695f4d223af
- SHA1: 31e6d8ebcfb269cb6ec3422439633bc14eb22ea6
- SHA256: a2a0a4b91cbcf08126c70586521d2e7a0d6cf744058c314ffced7bdce97a40a1
- SHA512: 86844a6d7f84b1852873f5eec28ce7b60e2d381d83b4bb25052593adfa6e5f1d1b35d6df2e4bf949f570a86b9905ac34c45fc27680e0869ee7b24c6351f0fa8f
- SSDEEP: 12288:U91Rix5fEFksZMpJqB61ap5a0kAh8ZwQmiiyqADqjJ5n:UifEFkfJoi0k4E7mkMjr
Malware Config
Extracted: netwire
C2:
- 37.0.14.214:3346
- 37.0.14.214:4478
- 37.0.14.214:3469
- 37.0.14.214:3565
Attributes:
- activex_autorun: false
- copy_executable: true
- delete_original: false
- host_id: HostId-%Rand%
- install_path: %AppData%\Install\Host.exe
- keylogger_dir: %AppData%\Logs\
- lock_executable: true
- offline_keylogger: true
- password: move4ward
- registry_autorun: false
- use_mutex: false
Signatures
- NetWire RAT payload (12 IoCs)
  yara_rule netwire matched in:
    behavioral1/memory/1872-66-0x0000000000400000-0x0000000000433000-memory.dmp
    behavioral1/memory/1872-67-0x0000000000400000-0x0000000000433000-memory.dmp
    behavioral1/memory/1872-68-0x0000000000400000-0x0000000000433000-memory.dmp
    behavioral1/memory/1872-70-0x0000000000400000-0x0000000000433000-memory.dmp
    behavioral1/memory/1872-71-0x0000000000400000-0x0000000000433000-memory.dmp
    behavioral1/memory/1872-72-0x000000000040242D-mapping.dmp
    behavioral1/memory/1872-75-0x0000000000400000-0x0000000000433000-memory.dmp
    behavioral1/memory/1872-79-0x0000000000400000-0x0000000000433000-memory.dmp
    behavioral1/memory/1740-96-0x000000000040242D-mapping.dmp
    behavioral1/memory/1740-100-0x0000000000400000-0x0000000000433000-memory.dmp
    behavioral1/memory/1740-101-0x0000000000400000-0x0000000000433000-memory.dmp
    behavioral1/memory/1740-102-0x0000000000400000-0x0000000000433000-memory.dmp
- Executes dropped EXE (2 IoCs)
    pid   Process
    1368  Host.exe
    1740  Host.exe
- Loads dropped DLL (1 IoC)
    pid   Process
    1872  Payment confirmation.exe
- Suspicious use of SetThreadContext (2 IoCs)
    description                           pid   Process                   procid_target
    PID 1900 set thread context of 1872   1900  Payment confirmation.exe  29
    PID 1368 set thread context of 1740   1368  Host.exe                  33
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
    pid   Process
    860   schtasks.exe
    764   schtasks.exe
- Suspicious use of WriteProcessMemory (36 IoCs; identical entries collapsed, count in the last column)
    description                        pid   Process                   procid_target  entries
    PID 1900 wrote to memory of 860    1900  Payment confirmation.exe  27             4
    PID 1900 wrote to memory of 1872   1900  Payment confirmation.exe  29             12
    PID 1872 wrote to memory of 1368   1872  Payment confirmation.exe  30             4
    PID 1368 wrote to memory of 764    1368  Host.exe                  31             4
    PID 1368 wrote to memory of 1740   1368  Host.exe                  33             12
Processes
Process tree (depth shown by indentation):

1. C:\Users\Admin\AppData\Local\Temp\Payment confirmation.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Payment confirmation.exe"
   PID: 1900
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ebZRGTuLr" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7733.tmp"
      PID: 860
      - Creates scheduled task(s)

   2. C:\Users\Admin\AppData\Local\Temp\Payment confirmation.exe
      Command line: "{path}"
      PID: 1872
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Roaming\Install\Host.exe
         Command line: "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
         PID: 1368
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\schtasks.exe
            Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ebZRGTuLr" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE541.tmp"
            PID: 764
            - Creates scheduled task(s)

         4. C:\Users\Admin\AppData\Roaming\Install\Host.exe
            Command line: "{path}"
            PID: 1740
            - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 1KB
  MD5: e607b9a8501ee1671dd8bccfd92bd076
  SHA1: 7b76fab6a0db919f8e378bb59839df7817791e5e
  SHA256: cd9eea0928f0d0cfe33ad1eb7ad76e47abd4255372ebc0dccac33c028d71092e
  SHA512: 7fb28c046b45fd63bf8a22ef2bf969c99ace845c0bd80c0f97f0be389384d87bd4b454f6a04630fd596579b51b0fdc56a3fc8969f04582ac3facf7d5ea4b0018
- Filesize: 794KB
  MD5: d2e1541ec3a29b282d6b0695f4d223af
  SHA1: 31e6d8ebcfb269cb6ec3422439633bc14eb22ea6
  SHA256: a2a0a4b91cbcf08126c70586521d2e7a0d6cf744058c314ffced7bdce97a40a1
  SHA512: 86844a6d7f84b1852873f5eec28ce7b60e2d381d83b4bb25052593adfa6e5f1d1b35d6df2e4bf949f570a86b9905ac34c45fc27680e0869ee7b24c6351f0fa8f