netwire | 87ce6467d71023d696315cd06d578f2a17218012beba5502744779614fc67f08

Virtualization/Sandbox Evasion

Processes:

Proof of payment.exeHost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions	Proof of payment.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions	Host.exe

Executes dropped EXE 2 IoCs

Processes:

Host.exeHost.exe

pid process

816 Host.exe
1472 Host.exe

pid	process
816	Host.exe
1472	Host.exe

Looks for VMWare Tools registry key 2 TTPs 2 IoCs

evasion

Query Registry

Virtualization/Sandbox Evasion

Processes:

Proof of payment.exeHost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools	Proof of payment.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools	Host.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

T1082

Processes:

Proof of payment.exeHost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Proof of payment.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Proof of payment.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Host.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Host.exe

Loads dropped DLL 1 IoCs

Processes:

Proof of payment.exe

pid process

1720 Proof of payment.exe

pid	process
1720	Proof of payment.exe

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Proof of payment.exeHost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	Proof of payment.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	Proof of payment.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	Host.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	Host.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

Proof of payment.exeHost.exe

description	pid	process	target process
PID 364 set thread context of 1720	364	Proof of payment.exe	Proof of payment.exe
PID 816 set thread context of 1472	816	Host.exe	Host.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1132 schtasks.exe
1976 schtasks.exe

pid	process
1132	schtasks.exe
1976	schtasks.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

Proof of payment.exeProof of payment.exeHost.exe

description	pid	process	target process
PID 364 wrote to memory of 1132	364	Proof of payment.exe	schtasks.exe
PID 364 wrote to memory of 1132	364	Proof of payment.exe	schtasks.exe
PID 364 wrote to memory of 1132	364	Proof of payment.exe	schtasks.exe
PID 364 wrote to memory of 1132	364	Proof of payment.exe	schtasks.exe
PID 364 wrote to memory of 1720	364	Proof of payment.exe	Proof of payment.exe
PID 364 wrote to memory of 1720	364	Proof of payment.exe	Proof of payment.exe
PID 364 wrote to memory of 1720	364	Proof of payment.exe	Proof of payment.exe
PID 364 wrote to memory of 1720	364	Proof of payment.exe	Proof of payment.exe
PID 364 wrote to memory of 1720	364	Proof of payment.exe	Proof of payment.exe
PID 364 wrote to memory of 1720	364	Proof of payment.exe	Proof of payment.exe
PID 364 wrote to memory of 1720	364	Proof of payment.exe	Proof of payment.exe
PID 364 wrote to memory of 1720	364	Proof of payment.exe	Proof of payment.exe
PID 364 wrote to memory of 1720	364	Proof of payment.exe	Proof of payment.exe
PID 364 wrote to memory of 1720	364	Proof of payment.exe	Proof of payment.exe
PID 364 wrote to memory of 1720	364	Proof of payment.exe	Proof of payment.exe
PID 364 wrote to memory of 1720	364	Proof of payment.exe	Proof of payment.exe
PID 1720 wrote to memory of 816	1720	Proof of payment.exe	Host.exe
PID 1720 wrote to memory of 816	1720	Proof of payment.exe	Host.exe
PID 1720 wrote to memory of 816	1720	Proof of payment.exe	Host.exe
PID 1720 wrote to memory of 816	1720	Proof of payment.exe	Host.exe
PID 816 wrote to memory of 1976	816	Host.exe	schtasks.exe
PID 816 wrote to memory of 1976	816	Host.exe	schtasks.exe
PID 816 wrote to memory of 1976	816	Host.exe	schtasks.exe
PID 816 wrote to memory of 1976	816	Host.exe	schtasks.exe
PID 816 wrote to memory of 1472	816	Host.exe	Host.exe
PID 816 wrote to memory of 1472	816	Host.exe	Host.exe
PID 816 wrote to memory of 1472	816	Host.exe	Host.exe
PID 816 wrote to memory of 1472	816	Host.exe	Host.exe
PID 816 wrote to memory of 1472	816	Host.exe	Host.exe
PID 816 wrote to memory of 1472	816	Host.exe	Host.exe
PID 816 wrote to memory of 1472	816	Host.exe	Host.exe
PID 816 wrote to memory of 1472	816	Host.exe	Host.exe
PID 816 wrote to memory of 1472	816	Host.exe	Host.exe
PID 816 wrote to memory of 1472	816	Host.exe	Host.exe
PID 816 wrote to memory of 1472	816	Host.exe	Host.exe
PID 816 wrote to memory of 1472	816	Host.exe	Host.exe

C:\Users\Admin\AppData\Local\Temp\Proof of payment.exe
"C:\Users\Admin\AppData\Local\Temp\Proof of payment.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:364

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WxAKJsr" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEFAD.tmp"
2⤵
- Creates scheduled task(s)
PID:1132

C:\Users\Admin\AppData\Local\Temp\Proof of payment.exe
"{path}"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1720

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
3⤵
- Looks for VirtualBox Guest Additions in registry
- Executes dropped EXE
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:816

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WxAKJsr" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5E76.tmp"
4⤵
- Creates scheduled task(s)
PID:1976

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"{path}"
4⤵
- Executes dropped EXE
PID:1472

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Virtualization/Sandbox Evasion

2

Credential Access

Discovery

Query Registry

4

Virtualization/Sandbox Evasion

2

System Information Discovery

3

T1082

Peripheral Device Discovery