Analysis
-
max time kernel
127s -
max time network
130s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
19-11-2020 07:15
General
-
Target
PaymentConfirmation.exe
-
Size
390KB
-
MD5
ecc09a255547ec12aa086f06e4205a4a
-
SHA1
2535e63c27cd0655d59b6c36aa06ccdb9faf1259
-
SHA256
5bfba7235e133fb4c8b63e98c4b7d227e5ef5ebc44dc81c6fa95cf76fe2c22bb
-
SHA512
d0d00f8814bc63995ae2f2ecf473ee7c4859ffa205ad24ec1ed4bb5ee6c1b25fe58c16b048ab9b75f881abf25cad7ae12d26e691f075856610adb8465b28fa9a
Malware Config
Signatures
-
NetWire RAT payload 3 IoCs
-
Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
-
Suspicious use of SetThreadContext 1 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 13 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\PaymentConfirmation.exe"C:\Users\Admin\AppData\Local\Temp\PaymentConfirmation.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wlCCJrPbrEgk" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD5F.tmp"2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\PaymentConfirmation.exe"{path}"2⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmpD5F.tmpMD5
85cbb2501929db2aa90f1a55ab5585d9
SHA1833db11202d1b3c9a60b759292c7ff9a4d111e1c
SHA256f0d214002badffa756b05331771b32914f7b3e2e4a94867af9f0a2ac6bcf5fb0
SHA5124a078bf687a999b818b9b2f14353b4a01c69d3f30d9e10795f7a2b0ae93b3f6afe97dea464154d6907bc3c043248c74e91c167a596d2b302592a3c081a4d06ff
-
memory/656-8-0x000000000A240000-0x000000000A241000-memory.dmpFilesize
4KB
-
memory/656-10-0x0000000006650000-0x000000000669E000-memory.dmpFilesize
312KB
-
memory/656-4-0x0000000009810000-0x0000000009811000-memory.dmpFilesize
4KB
-
memory/656-5-0x0000000005160000-0x0000000005161000-memory.dmpFilesize
4KB
-
memory/656-7-0x0000000002910000-0x0000000002911000-memory.dmpFilesize
4KB
-
memory/656-0-0x0000000074070000-0x000000007475E000-memory.dmpFilesize
6.9MB
-
memory/656-9-0x0000000007000000-0x0000000007014000-memory.dmpFilesize
80KB
-
memory/656-3-0x0000000002880000-0x00000000028D6000-memory.dmpFilesize
344KB
-
memory/656-11-0x0000000009550000-0x0000000009551000-memory.dmpFilesize
4KB
-
memory/656-1-0x0000000000380000-0x0000000000381000-memory.dmpFilesize
4KB
-
memory/2272-14-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/2272-15-0x0000000000402BCB-mapping.dmp
-
memory/2272-16-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/2336-12-0x0000000000000000-mapping.dmp