Analysis
- max time kernel: 85s
- max time network: 92s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 08-01-2021 17:26

Static task: static1
Behavioral task: behavioral1
Sample: FedEx TRACKING DETAILS.exe
Resource: win7v20201028
General
- Target: FedEx TRACKING DETAILS.exe
- Size: 275KB
- MD5: 07c71b43ca45df4d5fb8b4a8cb90a3c1
- SHA1: cf69d346d7d95e1387d64c4025af617272d4dc38
- SHA256: c6e42b6b5328ea35302559a7cb8b3849e3b9a646648a9be0a505ae8c2aa5490c
- SHA512: 9ad849b93b5413f05ba2ad7c781d862497d3b35395fcdcc0454264c93d547d39d75cf0c4367fe100b8d05a0d59fd0606adfe9c45a4ff60ab5241045a52bc3194
Malware Config
Signatures
- NetWire RAT payload (3 IoCs)
  Processes (resource: YARA rule):
  - behavioral1/memory/1664-7-0x0000000000400000-0x0000000000433000-memory.dmp: netwire
  - behavioral1/memory/1664-8-0x000000000040242D-mapping.dmp: netwire
  - behavioral1/memory/1664-10-0x0000000000400000-0x0000000000433000-memory.dmp: netwire
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description; process -> target process):
  - PID 648 set thread context of 1664; FedEx TRACKING DETAILS.exe -> FedEx TRACKING DETAILS.exe
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes (pid, process):
  - 2028 FedEx TRACKING DETAILS.exe
  - 648 FedEx TRACKING DETAILS.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  Processes (description; process -> target process; number of identical events):
  - PID 2028 wrote to memory of 1680; FedEx TRACKING DETAILS.exe -> cmd.exe; 4 events
  - PID 2028 wrote to memory of 1676; FedEx TRACKING DETAILS.exe -> FedEx TRACKING DETAILS.exe; 4 events
  - PID 2028 wrote to memory of 648; FedEx TRACKING DETAILS.exe -> FedEx TRACKING DETAILS.exe; 4 events
  - PID 1680 wrote to memory of 744; cmd.exe -> schtasks.exe; 4 events
  - PID 648 wrote to memory of 1664; FedEx TRACKING DETAILS.exe -> FedEx TRACKING DETAILS.exe; 5 events
Processes (tree; depth shown by indentation)
- [1] C:\Users\Admin\AppData\Local\Temp\FedEx TRACKING DETAILS.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\FedEx TRACKING DETAILS.exe"
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c schtasks /Create /TN fiftservices /XML "C:\Users\Admin\AppData\Local\Temp\fd8e6f66c0d24ce7a8a81a9d06ef14b2.xml"
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /Create /TN fiftservices /XML "C:\Users\Admin\AppData\Local\Temp\fd8e6f66c0d24ce7a8a81a9d06ef14b2.xml"
      - Creates scheduled task(s)
  - [2] C:\Users\Admin\AppData\Local\Temp\FedEx TRACKING DETAILS.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\FedEx TRACKING DETAILS.exe"
  - [2] C:\Users\Admin\AppData\Local\Temp\FedEx TRACKING DETAILS.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\FedEx TRACKING DETAILS.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\FedEx TRACKING DETAILS.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\FedEx TRACKING DETAILS.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\fd8e6f66c0d24ce7a8a81a9d06ef14b2.xml
  MD5: 9f937595a682681bc5dacc606e466157
  SHA1: 86d48949af26a14835ba0d15ac59319b7c0ebbed
  SHA256: 2d639d75576c88f2e30344d14b7c9bd4ba85e57a68c8d976f287e0314359557d
  SHA512: 596d02db0d98b0fffad8ab5d6e27d2c768ac39d164442ab70807fb1e8c5ad6b5ab744a2f9607b4b00d726ef17df20722785b2ad789c447bc90ea4cfa33951643
- memory/648-4-0x0000000000000000-mapping.dmp
- memory/648-9-0x0000000000270000-0x0000000000290000-memory.dmp (filesize: 128KB)
- memory/744-5-0x0000000000000000-mapping.dmp
- memory/1664-7-0x0000000000400000-0x0000000000433000-memory.dmp (filesize: 204KB)
- memory/1664-8-0x000000000040242D-mapping.dmp
- memory/1664-10-0x0000000000400000-0x0000000000433000-memory.dmp (filesize: 204KB)
- memory/1680-2-0x0000000000000000-mapping.dmp
- memory/2028-3-0x00000000001E0000-0x0000000000200000-memory.dmp (filesize: 128KB)