Overview

overview

10

Static

static

FedEx TRAC...LS.exe

windows7_x64

10

FedEx TRAC...LS.exe

windows10_x64

10

Analysis

  • max time kernel
    85s
  • max time network
    92s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    08-01-2021 17:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    FedEx TRACKING DETAILS.exe

  • Size

    275KB

  • MD5

    07c71b43ca45df4d5fb8b4a8cb90a3c1

  • SHA1

    cf69d346d7d95e1387d64c4025af617272d4dc38

  • SHA256

    c6e42b6b5328ea35302559a7cb8b3849e3b9a646648a9be0a505ae8c2aa5490c

  • SHA512

    9ad849b93b5413f05ba2ad7c781d862497d3b35395fcdcc0454264c93d547d39d75cf0c4367fe100b8d05a0d59fd0606adfe9c45a4ff60ab5241045a52bc3194

Score
10/10
netwirebotnetratstealer

Malware Config

Signatures

  • NetWire RAT payload 3 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Suspicious use of SetThreadContext 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\FedEx TRACKING DETAILS.exe
    "C:\Users\Admin\AppData\Local\Temp\FedEx TRACKING DETAILS.exe"
    1⤵
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:2028
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c schtasks /Create /TN fiftservices /XML "C:\Users\Admin\AppData\Local\Temp\fd8e6f66c0d24ce7a8a81a9d06ef14b2.xml"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1680
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /Create /TN fiftservices /XML "C:\Users\Admin\AppData\Local\Temp\fd8e6f66c0d24ce7a8a81a9d06ef14b2.xml"
        3⤵
        • Creates scheduled task(s)
        PID:744
    • C:\Users\Admin\AppData\Local\Temp\FedEx TRACKING DETAILS.exe
      "C:\Users\Admin\AppData\Local\Temp\FedEx TRACKING DETAILS.exe"
      2⤵
        PID:1676
      • C:\Users\Admin\AppData\Local\Temp\FedEx TRACKING DETAILS.exe
        "C:\Users\Admin\AppData\Local\Temp\FedEx TRACKING DETAILS.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:648
        • C:\Users\Admin\AppData\Local\Temp\FedEx TRACKING DETAILS.exe
          "C:\Users\Admin\AppData\Local\Temp\FedEx TRACKING DETAILS.exe"
          3⤵
            PID:1664

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Scheduled Task

      1
      T1053

      Persistence

      Scheduled Task

      1
      T1053

      Privilege Escalation

      Scheduled Task

      1
      T1053

      Defense Evasion

      Credential Access

      Discovery

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\fd8e6f66c0d24ce7a8a81a9d06ef14b2.xml
        MD5

        9f937595a682681bc5dacc606e466157

        SHA1

        86d48949af26a14835ba0d15ac59319b7c0ebbed

        SHA256

        2d639d75576c88f2e30344d14b7c9bd4ba85e57a68c8d976f287e0314359557d

        SHA512

        596d02db0d98b0fffad8ab5d6e27d2c768ac39d164442ab70807fb1e8c5ad6b5ab744a2f9607b4b00d726ef17df20722785b2ad789c447bc90ea4cfa33951643

        Download Submit
      • memory/648-4-0x0000000000000000-mapping.dmp
        Download
      • memory/648-9-0x0000000000270000-0x0000000000290000-memory.dmp
        Filesize

        128KB

        Download
      • memory/744-5-0x0000000000000000-mapping.dmp
        Download
      • memory/1664-7-0x0000000000400000-0x0000000000433000-memory.dmp
        Filesize

        204KB

        Download
      • memory/1664-8-0x000000000040242D-mapping.dmp
        Download
      • memory/1664-10-0x0000000000400000-0x0000000000433000-memory.dmp
        Filesize

        204KB

        Download
      • memory/1680-2-0x0000000000000000-mapping.dmp
        Download
      • memory/2028-3-0x00000000001E0000-0x0000000000200000-memory.dmp
        Filesize

        128KB

        Download