Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-09-2022 02:05
Static task: static1
Behavioral task: behavioral1
  Sample: invoice_7833.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: invoice_7833.exe
  Resource: win10v2004-20220901-en
General
- Target: invoice_7833.exe
- Size: 1.2MB
- MD5: 2bb20b6123c38e8980b9f92e9a16f957
- SHA1: 3097deacf4adcdb35d8cb9d726cdf9f62efeaca6
- SHA256: c43c2232e4c6cf97b7bd145ab5a72c8d5c408c77b7a56725160c192a6f6434a3
- SHA512: f402382f7d5802130c6db3ada51678304b4d51558dacbfcd4237012153b2e66f88d525f6c23383a7792a2d70daab5cd8117c8347c85d34eabbd37d222b3879d4
- SSDEEP: 24576:5AOcZgAgB9ZkeKEptML955rCmtMyGpLAWDXxo8FVCaWXZWcVX:zTAgBgApyLseZG/VokCp79
Malware Config
Extracted: netwire
- 212.193.30.230:3345
- activex_autorun: false
- copy_executable: false
- delete_original: false
- host_id: HostId-%Rand%
- keylogger_dir: %AppData%\Logs\
- lock_executable: false
- offline_keylogger: true
- password: Password@9
- registry_autorun: false
- use_mutex: false
Signatures
- NetWire RAT payload (4 IoCs)
  Processes (resource / yara_rule):
    behavioral2/memory/1472-138-0x0000000001000000-0x00000000015FB000-memory.dmp / netwire
    behavioral2/memory/1472-139-0x000000000100242D-mapping.dmp / netwire
    behavioral2/memory/1472-142-0x0000000001000000-0x00000000015FB000-memory.dmp / netwire
    behavioral2/memory/1472-143-0x0000000001000000-0x00000000015FB000-memory.dmp / netwire
- Executes dropped EXE (2 IoCs)
  Processes (pid / process):
    2716 / btlawc.pif
    1472 / RegSvcs.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description / ioc / process):
    Key value queried / \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation / invoice_7833.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description / ioc / process):
    Key created / \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run / btlawc.pif
    Set value (str) / \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8_410\\btlawc.pif C:\\Users\\Admin\\AppData\\Local\\Temp\\8_410\\RVKJVX~1.ADO" / btlawc.pif
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description / pid process / target process):
    PID 2716 set thread context of 1472 / 2716 btlawc.pif / RegSvcs.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid / process):
    2716 / btlawc.pif (64 identical entries)
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description / pid process / target process):
    PID 3780 wrote to memory of 2716 / 3780 invoice_7833.exe / btlawc.pif (3 entries)
    PID 2716 wrote to memory of 1472 / 2716 btlawc.pif / RegSvcs.exe (5 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\invoice_7833.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\invoice_7833.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\8_410\btlawc.pif
    Command line: "C:\Users\Admin\AppData\Local\Temp\8_410\btlawc.pif" rvkjvxgjb.ado
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\8_410\btlawc.pif
  Filesize: 906KB
  MD5: f28aa08788132e64db4b8918ee2430b1
  SHA1: ef32b1023a89dc36d7c5e98e22845fe87c5efef2
  SHA256: f99b9fc041c177f0bee2c82d09f451ef0833696111b1b37cbfff8c975232ece2
  SHA512: 689cf6118061aa9e7d4b78118db99338aa767433df511610d471a989825a84a53119310248ed3870b10e48e77b47c429ef5a276dbc9c4ec53a7588e16093b50f
- C:\Users\Admin\AppData\Local\Temp\8_410\iehqknoxj.log
  Filesize: 59KB
  MD5: 2700e5dc7d99daa1226ecc071fc14848
  SHA1: df0e9b8fcacf21a8d28a9121f83b0a83224b1a69
  SHA256: 813ba7f9ced0f45900fffbf4cf07c9d4c3f532ec3b444078af1ce3a237365f91
  SHA512: 48961951cbf5eba1c947053ef5edc15b83601eb5a066530a262831276924b4c9e6fc45fcda4e861a7216a2bd601ee53ae262cbce8f4bda36028521aef613e636
- C:\Users\Admin\AppData\Local\Temp\8_410\mnrvwnoo.kdv
  Filesize: 321KB
  MD5: 7c7103f63a985d7d365c8b5ffb976033
  SHA1: 9187fd85513b81a9ef14829d825667e7f2ce40b1
  SHA256: 42d4d72925bc5153ffa039c5fc070a8ee434d80f57b59624d299901463e91886
  SHA512: acb7a771550bf41b005ac69c3d572cb6600da2be93fc08db02c019eb8fa1a70ffc26096931e256ea9c94e6627469c6380cc9fcd8a3ef8bc655b209063654f94f
- C:\Users\Admin\AppData\Local\Temp\8_410\rvkjvxgjb.ado
  Filesize: 178.1MB
  MD5: aab187cdf62195e8be56bdbbefce3d87
  SHA1: a7d5d2d7ee9039d962aa30910deb456ab9441933
  SHA256: 47247cec5c19d4299ddc1d84f427ea86871e2ae36775d15679380ca5e71b5f4e
  SHA512: a58d23b9884c781f386269aa2beda5281412253797dc36b75ee9506f831ba2f89ec74e62b0d40c20eb3942b18efd047fa3f0a9a75514b287b174c3b21f687558
- C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
  Filesize: 44KB
  MD5: 9d352bc46709f0cb5ec974633a0c3c94
  SHA1: 1969771b2f022f9a86d77ac4d4d239becdf08d07
  SHA256: 2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390
  SHA512: 13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b
- memory/1472-138-0x0000000001000000-0x00000000015FB000-memory.dmp
  Filesize: 6.0MB
- memory/1472-139-0x000000000100242D-mapping.dmp
- memory/1472-142-0x0000000001000000-0x00000000015FB000-memory.dmp
  Filesize: 6.0MB
- memory/1472-143-0x0000000001000000-0x00000000015FB000-memory.dmp
  Filesize: 6.0MB
- memory/2716-132-0x0000000000000000-mapping.dmp