Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
118s -
max time network
134s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
20/09/2022, 07:41
General
-
Target
Payment confirmation.exe
-
Size
794KB
-
MD5
d2e1541ec3a29b282d6b0695f4d223af
-
SHA1
31e6d8ebcfb269cb6ec3422439633bc14eb22ea6
-
SHA256
a2a0a4b91cbcf08126c70586521d2e7a0d6cf744058c314ffced7bdce97a40a1
-
SHA512
86844a6d7f84b1852873f5eec28ce7b60e2d381d83b4bb25052593adfa6e5f1d1b35d6df2e4bf949f570a86b9905ac34c45fc27680e0869ee7b24c6351f0fa8f
-
SSDEEP
12288:U91Rix5fEFksZMpJqB61ap5a0kAh8ZwQmiiyqADqjJ5n:UifEFkfJoi0k4E7mkMjr
Malware Config
Extracted
netwire
37.0.14.214:3346
37.0.14.214:4478
37.0.14.214:3469
37.0.14.214:3565
-
activex_autorun
false
-
copy_executable
true
-
delete_original
false
-
host_id
HostId-%Rand%
-
install_path
%AppData%\Install\Host.exe
-
keylogger_dir
%AppData%\Logs\
-
lock_executable
true
-
offline_keylogger
true
-
password
move4ward
-
registry_autorun
false
-
use_mutex
false
Signatures
-
NetWire RAT payload 6 IoCs
-
Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
-
Executes dropped EXE 3 IoCs
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 34 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Payment confirmation.exe"C:\Users\Admin\AppData\Local\Temp\Payment confirmation.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ebZRGTuLr" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBE7.tmp"2⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\AppData\Local\Temp\Payment confirmation.exe"{path}"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Install\Host.exe"C:\Users\Admin\AppData\Roaming\Install\Host.exe"3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ebZRGTuLr" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCD04.tmp"4⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\AppData\Roaming\Install\Host.exe"{path}"4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\Install\Host.exe"{path}"4⤵
- Executes dropped EXE
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5327672dc5032bab0e6271dead8f222a0
SHA17f56f6a6d966e922e43a1f670f8a3005b1dedf10
SHA256e4d41804362711dd5b9b56640bae216303e58f8b05102fadeec465486d8d4909
SHA51299a1db7084ed66834f6544853962cb7c33475cf2c617e848ff2332019e2298846ba04bdbabd56c18d1e10928844ee5b365e92ddd82342c4283592448a9448f23
-
Filesize
1KB
MD5327672dc5032bab0e6271dead8f222a0
SHA17f56f6a6d966e922e43a1f670f8a3005b1dedf10
SHA256e4d41804362711dd5b9b56640bae216303e58f8b05102fadeec465486d8d4909
SHA51299a1db7084ed66834f6544853962cb7c33475cf2c617e848ff2332019e2298846ba04bdbabd56c18d1e10928844ee5b365e92ddd82342c4283592448a9448f23
-
Filesize
794KB
MD5d2e1541ec3a29b282d6b0695f4d223af
SHA131e6d8ebcfb269cb6ec3422439633bc14eb22ea6
SHA256a2a0a4b91cbcf08126c70586521d2e7a0d6cf744058c314ffced7bdce97a40a1
SHA51286844a6d7f84b1852873f5eec28ce7b60e2d381d83b4bb25052593adfa6e5f1d1b35d6df2e4bf949f570a86b9905ac34c45fc27680e0869ee7b24c6351f0fa8f
-
Filesize
794KB
MD5d2e1541ec3a29b282d6b0695f4d223af
SHA131e6d8ebcfb269cb6ec3422439633bc14eb22ea6
SHA256a2a0a4b91cbcf08126c70586521d2e7a0d6cf744058c314ffced7bdce97a40a1
SHA51286844a6d7f84b1852873f5eec28ce7b60e2d381d83b4bb25052593adfa6e5f1d1b35d6df2e4bf949f570a86b9905ac34c45fc27680e0869ee7b24c6351f0fa8f
-
Filesize
794KB
MD5d2e1541ec3a29b282d6b0695f4d223af
SHA131e6d8ebcfb269cb6ec3422439633bc14eb22ea6
SHA256a2a0a4b91cbcf08126c70586521d2e7a0d6cf744058c314ffced7bdce97a40a1
SHA51286844a6d7f84b1852873f5eec28ce7b60e2d381d83b4bb25052593adfa6e5f1d1b35d6df2e4bf949f570a86b9905ac34c45fc27680e0869ee7b24c6351f0fa8f
-
Filesize
794KB
MD5d2e1541ec3a29b282d6b0695f4d223af
SHA131e6d8ebcfb269cb6ec3422439633bc14eb22ea6
SHA256a2a0a4b91cbcf08126c70586521d2e7a0d6cf744058c314ffced7bdce97a40a1
SHA51286844a6d7f84b1852873f5eec28ce7b60e2d381d83b4bb25052593adfa6e5f1d1b35d6df2e4bf949f570a86b9905ac34c45fc27680e0869ee7b24c6351f0fa8f
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
624KB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
40KB
-
Filesize
816KB