Analysis
- max time kernel: 150s
- max time network: 127s
- platform: windows7_x64
- resource: win7
- submitted: 30-06-2020 08:44
- Static task: static1
- Behavioral task: behavioral1
- Sample: Payment notification-pdf.exe
- Resource: win7
General
- Target: Payment notification-pdf.exe
- Size: 1.0MB
- MD5: 55f366df0150172ee321229116917ef9
- SHA1: 7e8c4c56a6055d01e4d96ddedd5aec9241adcaf1
- SHA256: c52c1fb415117cce538aa98327a5c9e5adebe60dd26c49dee07d9efcc07a5948
- SHA512: 6a368da55f572461d502886c5122a363eb1689ce87d1b3ba2e2a9ad6ff6da3c62d04a8625bd4a7d6aa3989d9924feb91babd14f7174118c4a41aa71c4d0d6afe
Malware Config
Signatures
- NetWire RAT payload (3 IoCs)
  Processes (resource, yara_rule):
  - behavioral1/memory/1928-11-0x0000000000270000-0x00000000008AB000-memory.dmp: netwire
  - behavioral1/memory/1928-12-0x0000000000272BCB-mapping.dmp: netwire
  - behavioral1/memory/1928-14-0x0000000000270000-0x00000000008AB000-memory.dmp: netwire
- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
  - 1892 gcfmk.pif
  - 1928 RegSvcs.exe
- Loads dropped DLL (5 IoCs)
  Processes (pid, process):
  - 1612 Payment notification-pdf.exe (4 entries)
  - 1892 gcfmk.pif (1 entry)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description, ioc, process):
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run (gcfmk.pif)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\98545522\\gcfmk.pif C:\\Users\\Admin\\AppData\\Local\\Temp\\98545522\\bklnpoc.lsg" (gcfmk.pif)
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description, pid, process, target process):
  - PID 1892 set thread context of 1928: gcfmk.pif -> RegSvcs.exe
- Suspicious behavior: EnumeratesProcesses (141 IoCs)
  Processes (pid, process):
  - 1892 gcfmk.pif (same row repeated for every IoC)
- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes (description, pid, process, target process):
  - PID 1612 wrote to memory of 1892: Payment notification-pdf.exe -> gcfmk.pif (4 entries)
  - PID 1892 wrote to memory of 1928: gcfmk.pif -> RegSvcs.exe (9 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\Payment notification-pdf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Payment notification-pdf.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\98545522\gcfmk.pif (child)
    Command line: "C:\Users\Admin\AppData\Local\Temp\98545522\gcfmk.pif" bklnpoc.lsg
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe (child)
      Command line: "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\98545522\bklnpoc.lsg
  MD5: 3e7f2d13332e870998d6ae693927893c
  SHA1: d3c84858110d0d6dd407d1cc37ec713f7bd18afb
  SHA256: 431abca02527bc6dd8271bc4fc03cca481ce7622df63500465389ea83285332b
  SHA512: 6d7b62489166f18fe135ee052a258c0f4e368959dd840d5143e9f10d2b97d9a23100c3299d08f1bb78c41918202089ae576b529f0711ef032018d9fd0c126f9a
- C:\Users\Admin\AppData\Local\Temp\98545522\gcfmk.pif
  MD5: 8939087523c8c4815680f11d1a29a2bf
  SHA1: 0159ea905c98f9ac82f8191b5af7a982d39e1e6d
  SHA256: 11d85bdbae72f2d143952126f2a7d682d9af166349de1b024cca5fcde7b8b551
  SHA512: b290eb355e88121650670ce4bf87f19fcc9721ef96d77c31cacf050e58e621c0dacd56628076bf3b3c857a50cb1f7476985888611004008e428c79b19a316735
- C:\Users\Admin\AppData\Local\Temp\98545522\lkosdll.ppt
  MD5: 2098961ff6b10d43c9d4a48c50985419
  SHA1: 5494ba0b1607eb16154819ee3f7d3d435c0df692
  SHA256: a1820d51aab3a6ac3223774c0ce0ee3042434fdd493742845ade14b8d163f53a
  SHA512: dcea5854081fd59f79f75412add9058f97a522c4a752e93a77ffa0b6d707e3f4cccac2b7a73086b32133587f11121e486f0bbafdb5349c01109b62256214de61
- C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
  MD5: 0e06054beb13192588e745ee63a84173
  SHA1: 30b7d4d1277bafd04a83779fd566a1f834a8d113
  SHA256: c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768
  SHA512: 251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215
- memory/1612-0-0x00000000024F0000-0x00000000025F1000-memory.dmp (Filesize: 1.0MB)
- memory/1892-6-0x0000000000000000-mapping.dmp
- memory/1928-11-0x0000000000270000-0x00000000008AB000-memory.dmp (Filesize: 6.2MB)
- memory/1928-12-0x0000000000272BCB-mapping.dmp
- memory/1928-14-0x0000000000270000-0x00000000008AB000-memory.dmp (Filesize: 6.2MB)