Analysis

max time kernel: 64s
max time network: 80s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 10-11-2022 21:23

Static task: static1
Behavioral task: behavioral1
Sample: Payment Receipt.exe
Resource: win7-20220812-en
General

Target: Payment Receipt.exe
Size: 992KB
MD5: 7d39f04fbba87f0cae773a8d4b1a591b
SHA1: 965ea909e8bda5e2c4934115d73062dc5947918d
SHA256: 1d02d9cb143c8c20ccc2e47bd8e9bb78a6a0fcade93db78c227a33a92a3c30e7
SHA512: 8617990532ea5d4158434fe6229697d4b9ef8c3c9537fa30908fcd7af81afe15a02fbf5b0f4fd14ae38a97a3a428c901a4b11a6cd34864299afeb5d8f6571582
SSDEEP: 12288:S9k6w+/jgepcoxTlFvJ70WZkT4GHBLWgKx+kiEQ4CxAab1r3LPH61uQRaKaJZOwO:S9kcNDwYaLWVx+kmmK1rrHuraK4OwO
Malware Config

Extracted
Family: netwire
C2: 212.193.30.230:3363
activex_autorun: false
copy_executable: false
delete_original: false
host_id: HostId-%Rand%
keylogger_dir: %AppData%\Logs\
lock_executable: false
offline_keylogger: true
password: Password@2
registry_autorun: false
use_mutex: false
Signatures

NetWire RAT payload (8 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/1624-70-0x0000000000400000-0x0000000000433000-memory.dmp | netwire
behavioral1/memory/1624-71-0x0000000000400000-0x0000000000433000-memory.dmp | netwire
behavioral1/memory/1624-72-0x0000000000400000-0x0000000000433000-memory.dmp | netwire
behavioral1/memory/1624-74-0x0000000000400000-0x0000000000433000-memory.dmp | netwire
behavioral1/memory/1624-75-0x0000000000400000-0x0000000000433000-memory.dmp | netwire
behavioral1/memory/1624-76-0x000000000040242D-mapping.dmp | netwire
behavioral1/memory/1624-79-0x0000000000400000-0x0000000000433000-memory.dmp | netwire
behavioral1/memory/1624-82-0x0000000000400000-0x0000000000433000-memory.dmp | netwire

Suspicious use of SetThreadContext (1 IoC)
Processes:
description | pid | process | target process
PID 536 set thread context of 1624 | 536 | Payment Receipt.exe | Payment Receipt.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes:
pid | process
1744 | powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
description | pid | process
Token: SeDebugPrivilege | 1744 | powershell.exe

Suspicious use of WriteProcessMemory (20 IoCs)
Processes:
description | pid | process | target process
PID 536 wrote to memory of 1744 | 536 | Payment Receipt.exe | powershell.exe (4 entries)
PID 536 wrote to memory of 1692 | 536 | Payment Receipt.exe | schtasks.exe (4 entries)
PID 536 wrote to memory of 1624 | 536 | Payment Receipt.exe | Payment Receipt.exe (12 entries)
Processes

C:\Users\Admin\AppData\Local\Temp\Payment Receipt.exe (depth 1, PID 536)
  "C:\Users\Admin\AppData\Local\Temp\Payment Receipt.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2, PID 1744)
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\wlfowlehnDP.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\schtasks.exe (depth 2, PID 1692)
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wlfowlehnDP" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF5B5.tmp"
    - Creates scheduled task(s)

  C:\Users\Admin\AppData\Local\Temp\Payment Receipt.exe (depth 2, PID 1624)
    "C:\Users\Admin\AppData\Local\Temp\Payment Receipt.exe"
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\tmpF5B5.tmp
  Filesize: 1KB
  MD5: 2580391df153d1712fd3d68a0a9a866f
  SHA1: 10c55170776e0bf072db07700e410ea581cce675
  SHA256: 27cd646dbc140c202b0bea790c91b04ffb54dda4c69796212c997a3f23b1df4c
  SHA512: cea26ddbf8040e9757f23239310e1425e5302319cd132d4c4cbcbbce07a747b0cacb7adc521053b9c3a4d32446704d79e1f3ef15b22f8c13728341ec7157965d

memory/536-55-0x0000000075CF1000-0x0000000075CF3000-memory.dmp
  Filesize: 8KB

memory/536-56-0x0000000004600000-0x0000000004690000-memory.dmp
  Filesize: 576KB

memory/536-57-0x0000000000770000-0x0000000000788000-memory.dmp
  Filesize: 96KB

memory/536-58-0x00000000003E0000-0x00000000003EC000-memory.dmp
  Filesize: 48KB

memory/536-59-0x00000000056D0000-0x0000000005742000-memory.dmp
  Filesize: 456KB

memory/536-54-0x0000000000A70000-0x0000000000B6E000-memory.dmp
  Filesize: 1016KB

memory/536-64-0x00000000053E0000-0x0000000005418000-memory.dmp
  Filesize: 224KB

memory/1624-65-0x0000000000400000-0x0000000000433000-memory.dmp
  Filesize: 204KB

memory/1624-72-0x0000000000400000-0x0000000000433000-memory.dmp
  Filesize: 204KB

memory/1624-82-0x0000000000400000-0x0000000000433000-memory.dmp
  Filesize: 204KB

memory/1624-66-0x0000000000400000-0x0000000000433000-memory.dmp
  Filesize: 204KB

memory/1624-68-0x0000000000400000-0x0000000000433000-memory.dmp
  Filesize: 204KB

memory/1624-70-0x0000000000400000-0x0000000000433000-memory.dmp
  Filesize: 204KB

memory/1624-71-0x0000000000400000-0x0000000000433000-memory.dmp
  Filesize: 204KB

memory/1624-79-0x0000000000400000-0x0000000000433000-memory.dmp
  Filesize: 204KB

memory/1624-74-0x0000000000400000-0x0000000000433000-memory.dmp
  Filesize: 204KB

memory/1624-75-0x0000000000400000-0x0000000000433000-memory.dmp
  Filesize: 204KB

memory/1624-76-0x000000000040242D-mapping.dmp

memory/1692-61-0x0000000000000000-mapping.dmp

memory/1744-80-0x000000006E8B0000-0x000000006EE5B000-memory.dmp
  Filesize: 5.7MB

memory/1744-81-0x000000006E8B0000-0x000000006EE5B000-memory.dmp
  Filesize: 5.7MB

memory/1744-60-0x0000000000000000-mapping.dmp