Analysis
- max time kernel: 149s
- max time network: 141s
- platform: windows10_x64
- resource: win10v200430
- submitted: 30-06-2020 08:44
Static task: static1
Behavioral task: behavioral1
Sample: Payment notification-pdf.exe
Resource: win7
General
- Target: Payment notification-pdf.exe
- Size: 1.0MB
- MD5: 55f366df0150172ee321229116917ef9
- SHA1: 7e8c4c56a6055d01e4d96ddedd5aec9241adcaf1
- SHA256: c52c1fb415117cce538aa98327a5c9e5adebe60dd26c49dee07d9efcc07a5948
- SHA512: 6a368da55f572461d502886c5122a363eb1689ce87d1b3ba2e2a9ad6ff6da3c62d04a8625bd4a7d6aa3989d9924feb91babd14f7174118c4a41aa71c4d0d6afe
Malware Config
Signatures
- NetWire RAT payload (3 IoCs)
  resource: behavioral2/memory/1640-5-0x0000000000D60000-0x00000000012F1000-memory.dmp, yara_rule: netwire
  resource: behavioral2/memory/1640-6-0x0000000000D62BCB-mapping.dmp, yara_rule: netwire
  resource: behavioral2/memory/1640-9-0x0000000000D60000-0x00000000012F1000-memory.dmp, yara_rule: netwire
- Executes dropped EXE (2 IoCs)
  pid 3904, process gcfmk.pif
  pid 1640, process RegSvcs.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run (process: gcfmk.pif)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\98545522\\gcfmk.pif C:\\Users\\Admin\\AppData\\Local\\Temp\\98545522\\bklnpoc.lsg" (process: gcfmk.pif)
- Suspicious use of SetThreadContext (1 IoC)
  PID 3904 set thread context of 1640: process gcfmk.pif, target process RegSvcs.exe
- Suspicious behavior: EnumeratesProcesses (278 IoCs)
  pid 3904, process gcfmk.pif (the same entry repeated for every event)
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2416 wrote to memory of 3904: process Payment notification-pdf.exe, target process gcfmk.pif (3 events)
  PID 3904 wrote to memory of 1640: process gcfmk.pif, target process RegSvcs.exe (5 events)
Processes
1. C:\Users\Admin\AppData\Local\Temp\Payment notification-pdf.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Payment notification-pdf.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\98545522\gcfmk.pif (child of 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\98545522\gcfmk.pif" bklnpoc.lsg
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe (child of 2)
         Command line: "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
         - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\98545522\bklnpoc.lsg
  MD5: 3e7f2d13332e870998d6ae693927893c
  SHA1: d3c84858110d0d6dd407d1cc37ec713f7bd18afb
  SHA256: 431abca02527bc6dd8271bc4fc03cca481ce7622df63500465389ea83285332b
  SHA512: 6d7b62489166f18fe135ee052a258c0f4e368959dd840d5143e9f10d2b97d9a23100c3299d08f1bb78c41918202089ae576b529f0711ef032018d9fd0c126f9a
- C:\Users\Admin\AppData\Local\Temp\98545522\gcfmk.pif
  MD5: 8939087523c8c4815680f11d1a29a2bf
  SHA1: 0159ea905c98f9ac82f8191b5af7a982d39e1e6d
  SHA256: 11d85bdbae72f2d143952126f2a7d682d9af166349de1b024cca5fcde7b8b551
  SHA512: b290eb355e88121650670ce4bf87f19fcc9721ef96d77c31cacf050e58e621c0dacd56628076bf3b3c857a50cb1f7476985888611004008e428c79b19a316735
- C:\Users\Admin\AppData\Local\Temp\98545522\lkosdll.ppt
  MD5: 2098961ff6b10d43c9d4a48c50985419
  SHA1: 5494ba0b1607eb16154819ee3f7d3d435c0df692
  SHA256: a1820d51aab3a6ac3223774c0ce0ee3042434fdd493742845ade14b8d163f53a
  SHA512: dcea5854081fd59f79f75412add9058f97a522c4a752e93a77ffa0b6d707e3f4cccac2b7a73086b32133587f11121e486f0bbafdb5349c01109b62256214de61
- C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
  MD5: 0e06054beb13192588e745ee63a84173
  SHA1: 30b7d4d1277bafd04a83779fd566a1f834a8d113
  SHA256: c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768
  SHA512: 251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215
- memory/1640-5-0x0000000000D60000-0x00000000012F1000-memory.dmp
  Filesize: 5.6MB
- memory/1640-6-0x0000000000D62BCB-mapping.dmp
- memory/1640-9-0x0000000000D60000-0x00000000012F1000-memory.dmp
  Filesize: 5.6MB
- memory/3904-0-0x0000000000000000-mapping.dmp