Analysis
- max time kernel: 150s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 24-09-2022 02:05
Static task: static1
Behavioral task: behavioral1
- Sample: invoice_7833.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: invoice_7833.exe
- Resource: win10v2004-20220901-en
General
- Target: invoice_7833.exe
- Size: 1MB
- MD5: 2bb20b6123c38e8980b9f92e9a16f957
- SHA1: 3097deacf4adcdb35d8cb9d726cdf9f62efeaca6
- SHA256: c43c2232e4c6cf97b7bd145ab5a72c8d5c408c77b7a56725160c192a6f6434a3
- SHA512: f402382f7d5802130c6db3ada51678304b4d51558dacbfcd4237012153b2e66f88d525f6c23383a7792a2d70daab5cd8117c8347c85d34eabbd37d222b3879d4
- SSDEEP: 24576:5AOcZgAgB9ZkeKEptML955rCmtMyGpLAWDXxo8FVCaWXZWcVX:zTAgBgApyLseZG/VokCp79
Malware Config
Extracted
- Family: netwire
- C2: 212.193.30.230:3345
- Attributes:
  activex_autorun: false
  copy_executable: false
  delete_original: false
  host_id: HostId-%Rand%
  keylogger_dir: %AppData%\Logs\
  lock_executable: false
  offline_keylogger: true
  password: Password@9
  registry_autorun: false
  use_mutex: false
Signatures
-
NetWire RAT payload ⋅ 4 IoCs
Processes:
resource | yara_rule
behavioral1/memory/1500-68-0x0000000000290000-0x000000000086C000-memory.dmp | netwire
behavioral1/memory/1500-69-0x000000000029242D-mapping.dmp | netwire
behavioral1/memory/1500-73-0x0000000000290000-0x000000000086C000-memory.dmp | netwire
behavioral1/memory/1500-74-0x0000000000290000-0x000000000086C000-memory.dmp | netwire
-
Executes dropped EXE ⋅ 2 IoCs
Processes:
pid | process
1656 | btlawc.pif
1500 | RegSvcs.exe
-
Loads dropped DLL ⋅ 5 IoCs
Processes:
pid | process
1404 | invoice_7833.exe
1404 | invoice_7833.exe
1404 | invoice_7833.exe
1404 | invoice_7833.exe
1656 | btlawc.pif
-
Adds Run key to start application ⋅ 2 TTPs 2 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | btlawc.pif
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8_410\\btlawc.pif C:\\Users\\Admin\\AppData\\Local\\Temp\\8_410\\RVKJVX~1.ADO" | btlawc.pif
-
Suspicious use of SetThreadContext ⋅ 1 IoCs
Processes:
description | pid | process | target process
PID 1656 set thread context of 1500 | 1656 | btlawc.pif | RegSvcs.exe
-
Enumerates physical storage devices ⋅ 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses ⋅ 64 IoCs
Processes:
pid | process
1656 | btlawc.pif (the same entry is listed 64 times)
-
Suspicious use of WriteProcessMemory ⋅ 16 IoCs
Processes:
description | pid | process | target process
PID 1404 wrote to memory of 1656 | 1404 | invoice_7833.exe | btlawc.pif (listed 7 times)
PID 1656 wrote to memory of 1500 | 1656 | btlawc.pif | RegSvcs.exe (listed 9 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\invoice_7833.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\invoice_7833.exe"
  Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
- C:\Users\Admin\AppData\Local\Temp\8_410\btlawc.pif
  Command line: "C:\Users\Admin\AppData\Local\Temp\8_410\btlawc.pif" rvkjvxgjb.ado
  Signatures: Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
- C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
  Signatures: Executes dropped EXE
Downloads
- C:\Users\Admin\AppData\Local\Temp\8_410\btlawc.pif
  MD5: f28aa08788132e64db4b8918ee2430b1
  SHA1: ef32b1023a89dc36d7c5e98e22845fe87c5efef2
  SHA256: f99b9fc041c177f0bee2c82d09f451ef0833696111b1b37cbfff8c975232ece2
  SHA512: 689cf6118061aa9e7d4b78118db99338aa767433df511610d471a989825a84a53119310248ed3870b10e48e77b47c429ef5a276dbc9c4ec53a7588e16093b50f
- C:\Users\Admin\AppData\Local\Temp\8_410\iehqknoxj.log
  MD5: 2700e5dc7d99daa1226ecc071fc14848
  SHA1: df0e9b8fcacf21a8d28a9121f83b0a83224b1a69
  SHA256: 813ba7f9ced0f45900fffbf4cf07c9d4c3f532ec3b444078af1ce3a237365f91
  SHA512: 48961951cbf5eba1c947053ef5edc15b83601eb5a066530a262831276924b4c9e6fc45fcda4e861a7216a2bd601ee53ae262cbce8f4bda36028521aef613e636
- C:\Users\Admin\AppData\Local\Temp\8_410\mnrvwnoo.kdv
  MD5: 7c7103f63a985d7d365c8b5ffb976033
  SHA1: 9187fd85513b81a9ef14829d825667e7f2ce40b1
  SHA256: 42d4d72925bc5153ffa039c5fc070a8ee434d80f57b59624d299901463e91886
  SHA512: acb7a771550bf41b005ac69c3d572cb6600da2be93fc08db02c019eb8fa1a70ffc26096931e256ea9c94e6627469c6380cc9fcd8a3ef8bc655b209063654f94f
- C:\Users\Admin\AppData\Local\Temp\8_410\rvkjvxgjb.ado
  MD5: aab187cdf62195e8be56bdbbefce3d87
  SHA1: a7d5d2d7ee9039d962aa30910deb456ab9441933
  SHA256: 47247cec5c19d4299ddc1d84f427ea86871e2ae36775d15679380ca5e71b5f4e
  SHA512: a58d23b9884c781f386269aa2beda5281412253797dc36b75ee9506f831ba2f89ec74e62b0d40c20eb3942b18efd047fa3f0a9a75514b287b174c3b21f687558
- C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
  MD5: 0e06054beb13192588e745ee63a84173
  SHA1: 30b7d4d1277bafd04a83779fd566a1f834a8d113
  SHA256: c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768
  SHA512: 251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215
- memory/1404-54-0x0000000074F01000-0x0000000074F03000-memory.dmp
- memory/1500-66-0x0000000000290000-0x000000000086C000-memory.dmp
- memory/1500-68-0x0000000000290000-0x000000000086C000-memory.dmp
- memory/1500-69-0x000000000029242D-mapping.dmp
- memory/1500-73-0x0000000000290000-0x000000000086C000-memory.dmp
- memory/1500-74-0x0000000000290000-0x000000000086C000-memory.dmp
- memory/1656-59-0x0000000000000000-mapping.dmp