Analysis
max time kernel: 150s
max time network: 125s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 24-09-2022 02:05
Static task: static1
Behavioral task: behavioral1
  Sample: invoice_7833.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: invoice_7833.exe
  Resource: win10v2004-20220901-en
General
Target: invoice_7833.exe
Size: 1.2MB
MD5: 2bb20b6123c38e8980b9f92e9a16f957
SHA1: 3097deacf4adcdb35d8cb9d726cdf9f62efeaca6
SHA256: c43c2232e4c6cf97b7bd145ab5a72c8d5c408c77b7a56725160c192a6f6434a3
SHA512: f402382f7d5802130c6db3ada51678304b4d51558dacbfcd4237012153b2e66f88d525f6c23383a7792a2d70daab5cd8117c8347c85d34eabbd37d222b3879d4
SSDEEP: 24576:5AOcZgAgB9ZkeKEptML955rCmtMyGpLAWDXxo8FVCaWXZWcVX:zTAgBgApyLseZG/VokCp79
Malware Config
Extracted: netwire
C2: 212.193.30.230:3345
activex_autorun: false
copy_executable: false
delete_original: false
host_id: HostId-%Rand%
keylogger_dir: %AppData%\Logs\
lock_executable: false
offline_keylogger: true
password: Password@9
registry_autorun: false
use_mutex: false
Signatures
NetWire RAT payload (4 IoCs)
  resource / yara_rule:
    behavioral1/memory/1500-68-0x0000000000290000-0x000000000086C000-memory.dmp  netwire
    behavioral1/memory/1500-69-0x000000000029242D-mapping.dmp  netwire
    behavioral1/memory/1500-73-0x0000000000290000-0x000000000086C000-memory.dmp  netwire
    behavioral1/memory/1500-74-0x0000000000290000-0x000000000086C000-memory.dmp  netwire
Executes dropped EXE (2 IoCs)
  pid / process:
    1656  btlawc.pif
    1500  RegSvcs.exe
Loads dropped DLL (5 IoCs)
  pid / process:
    1404  invoice_7833.exe (4 entries)
    1656  btlawc.pif
Adds Run key to start application (2 TTPs, 2 IoCs)
  description / ioc / process:
    Key created  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run  btlawc.pif
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8_410\\btlawc.pif C:\\Users\\Admin\\AppData\\Local\\Temp\\8_410\\RVKJVX~1.ADO"  btlawc.pif
Suspicious use of SetThreadContext (1 IoCs)
  description / pid / process / target process:
    PID 1656 set thread context of 1500  1656  btlawc.pif  RegSvcs.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid / process:
    1656  btlawc.pif (64 entries)
Suspicious use of WriteProcessMemory (16 IoCs)
  description / pid / process / target process:
    PID 1404 wrote to memory of 1656  1404  invoice_7833.exe  btlawc.pif (7 entries)
    PID 1656 wrote to memory of 1500  1656  btlawc.pif  RegSvcs.exe (9 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\invoice_7833.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\invoice_7833.exe"
  PID: 1404
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\8_410\btlawc.pif
    command line: "C:\Users\Admin\AppData\Local\Temp\8_410\btlawc.pif" rvkjvxgjb.ado
    PID: 1656
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
      PID: 1500
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 906KB (this entry appears 5 times in the report's download list)
  MD5: f28aa08788132e64db4b8918ee2430b1
  SHA1: ef32b1023a89dc36d7c5e98e22845fe87c5efef2
  SHA256: f99b9fc041c177f0bee2c82d09f451ef0833696111b1b37cbfff8c975232ece2
  SHA512: 689cf6118061aa9e7d4b78118db99338aa767433df511610d471a989825a84a53119310248ed3870b10e48e77b47c429ef5a276dbc9c4ec53a7588e16093b50f
Filesize: 59KB
  MD5: 2700e5dc7d99daa1226ecc071fc14848
  SHA1: df0e9b8fcacf21a8d28a9121f83b0a83224b1a69
  SHA256: 813ba7f9ced0f45900fffbf4cf07c9d4c3f532ec3b444078af1ce3a237365f91
  SHA512: 48961951cbf5eba1c947053ef5edc15b83601eb5a066530a262831276924b4c9e6fc45fcda4e861a7216a2bd601ee53ae262cbce8f4bda36028521aef613e636
Filesize: 321KB
  MD5: 7c7103f63a985d7d365c8b5ffb976033
  SHA1: 9187fd85513b81a9ef14829d825667e7f2ce40b1
  SHA256: 42d4d72925bc5153ffa039c5fc070a8ee434d80f57b59624d299901463e91886
  SHA512: acb7a771550bf41b005ac69c3d572cb6600da2be93fc08db02c019eb8fa1a70ffc26096931e256ea9c94e6627469c6380cc9fcd8a3ef8bc655b209063654f94f
Filesize: 178.1MB
  MD5: aab187cdf62195e8be56bdbbefce3d87
  SHA1: a7d5d2d7ee9039d962aa30910deb456ab9441933
  SHA256: 47247cec5c19d4299ddc1d84f427ea86871e2ae36775d15679380ca5e71b5f4e
  SHA512: a58d23b9884c781f386269aa2beda5281412253797dc36b75ee9506f831ba2f89ec74e62b0d40c20eb3942b18efd047fa3f0a9a75514b287b174c3b21f687558
Filesize: 44KB (this entry appears 2 times in the report's download list)
  MD5: 0e06054beb13192588e745ee63a84173
  SHA1: 30b7d4d1277bafd04a83779fd566a1f834a8d113
  SHA256: c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768
  SHA512: 251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215