Analysis
max time kernel: 87s
max time network: 151s
platform: windows10_x64
resource: win10v20201028
submitted: 08-01-2021 17:26

Static task: static1
Behavioral task: behavioral1
Sample: FedEx TRACKING DETAILS.exe
Resource: win7v20201028
General
Target: FedEx TRACKING DETAILS.exe
Size: 275KB
MD5: 07c71b43ca45df4d5fb8b4a8cb90a3c1
SHA1: cf69d346d7d95e1387d64c4025af617272d4dc38
SHA256: c6e42b6b5328ea35302559a7cb8b3849e3b9a646648a9be0a505ae8c2aa5490c
SHA512: 9ad849b93b5413f05ba2ad7c781d862497d3b35395fcdcc0454264c93d547d39d75cf0c4367fe100b8d05a0d59fd0606adfe9c45a4ff60ab5241045a52bc3194
Malware Config
Signatures
NetWire RAT payload (3 IoCs)
resource                                                                     yara_rule
behavioral2/memory/3772-3-0x0000000000400000-0x0000000000433000-memory.dmp   netwire
behavioral2/memory/3772-4-0x000000000040242D-mapping.dmp                     netwire
behavioral2/memory/3772-6-0x0000000000400000-0x0000000000433000-memory.dmp   netwire
Suspicious use of SetThreadContext (1 IoC)
description                           pid   process                      target process
PID 508 set thread context of 3772    508   FedEx TRACKING DETAILS.exe   FedEx TRACKING DETAILS.exe
Creates scheduled task(s) (1 TTP, 1 IoC)
schtasks.exe is commonly used by malware to establish persistence or to trigger post-infection execution; here it is invoked with /Create and an XML task definition dropped in the user's Temp directory.
Suspicious behavior: MapViewOfSection (1 IoC)
pid   process
508   FedEx TRACKING DETAILS.exe
Suspicious use of WriteProcessMemory (10 IoCs)
description                       pid    process                      target process
PID 508 wrote to memory of 1816   508    FedEx TRACKING DETAILS.exe   cmd.exe
PID 508 wrote to memory of 1816   508    FedEx TRACKING DETAILS.exe   cmd.exe
PID 508 wrote to memory of 1816   508    FedEx TRACKING DETAILS.exe   cmd.exe
PID 508 wrote to memory of 3772   508    FedEx TRACKING DETAILS.exe   FedEx TRACKING DETAILS.exe
PID 508 wrote to memory of 3772   508    FedEx TRACKING DETAILS.exe   FedEx TRACKING DETAILS.exe
PID 508 wrote to memory of 3772   508    FedEx TRACKING DETAILS.exe   FedEx TRACKING DETAILS.exe
PID 508 wrote to memory of 3772   508    FedEx TRACKING DETAILS.exe   FedEx TRACKING DETAILS.exe
PID 1816 wrote to memory of 2816  1816   cmd.exe                      schtasks.exe
PID 1816 wrote to memory of 2816  1816   cmd.exe                      schtasks.exe
PID 1816 wrote to memory of 2816  1816   cmd.exe                      schtasks.exe
Processes
C:\Users\Admin\AppData\Local\Temp\FedEx TRACKING DETAILS.exe (PID 508)
  command line: "C:\Users\Admin\AppData\Local\Temp\FedEx TRACKING DETAILS.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe (PID 1816)
    command line: cmd /c schtasks /Create /TN fiftservices /XML "C:\Users\Admin\AppData\Local\Temp\fd8e6f66c0d24ce7a8a81a9d06ef14b2.xml"
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\schtasks.exe (PID 2816)
      command line: schtasks /Create /TN fiftservices /XML "C:\Users\Admin\AppData\Local\Temp\fd8e6f66c0d24ce7a8a81a9d06ef14b2.xml"
      - Creates scheduled task(s)
  C:\Users\Admin\AppData\Local\Temp\FedEx TRACKING DETAILS.exe (PID 3772)
    command line: "C:\Users\Admin\AppData\Local\Temp\FedEx TRACKING DETAILS.exe"
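The following is an added example and is not part of the sandbox report or any vendor's code. It re-enters the report's own behaviour rows (the WriteProcessMemory and SetThreadContext events, the process tree with its PIDs and command lines, and the 3772 dump region) as constructed data and applies the two checks an analyst would want from this page: a parent that writes into a child it spawned and then resets that child's thread context (the hollowing chain behind the SetThreadContext signature), and a schtasks /Create ... /XML whose task definition sits in a user's Temp directory and whose launch chain starts outside C:\Windows. The dict layout, function names and the "at least one write and parent equals injector" rule are this example's assumptions, not a Triage export format.

```python
import ntpath
import re
from collections import defaultdict

# Constructed from the report: process tree (PIDs taken from the
# WriteProcessMemory table) with full paths and command lines.
PROCESSES = {
    508:  {"path": r"C:\Users\Admin\AppData\Local\Temp\FedEx TRACKING DETAILS.exe", "parent": None,
           "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\FedEx TRACKING DETAILS.exe"'},
    1816: {"path": r"C:\Windows\SysWOW64\cmd.exe", "parent": 508,
           "cmdline": r'cmd /c schtasks /Create /TN fiftservices /XML "C:\Users\Admin\AppData\Local\Temp\fd8e6f66c0d24ce7a8a81a9d06ef14b2.xml"'},
    2816: {"path": r"C:\Windows\SysWOW64\schtasks.exe", "parent": 1816,
           "cmdline": r'schtasks /Create /TN fiftservices /XML "C:\Users\Admin\AppData\Local\Temp\fd8e6f66c0d24ce7a8a81a9d06ef14b2.xml"'},
    3772: {"path": r"C:\Users\Admin\AppData\Local\Temp\FedEx TRACKING DETAILS.exe", "parent": 508,
           "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\FedEx TRACKING DETAILS.exe"'},
}

def _wpm(src, dst, n):
    """n WriteProcessMemory events from src into dst (counts as in the report)."""
    return [{"api": "WriteProcessMemory", "pid": src, "target_pid": dst}] * n

# Constructed API events: 3 writes to cmd.exe, 4 writes to the child copy of the
# sample, 3 writes from cmd.exe to schtasks.exe, then SetThreadContext on 3772.
EVENTS = (_wpm(508, 1816, 3) + _wpm(508, 3772, 4) + _wpm(1816, 2816, 3)
          + [{"api": "SetThreadContext", "pid": 508, "target_pid": 3772}])

# Dump region and mapping address of the 3772 dumps listed in the report.
DUMP_REGION = (0x400000, 0x433000)
MAPPING_ADDR = 0x40242D


def image(pid, processes):
    return ntpath.basename(processes[pid]["path"])


def find_hollowing(events, processes):
    """Flag (injector, target) pairs where the injector wrote into a process it
    spawned and then called SetThreadContext on it. same_image marks the
    self-hollowing variant seen here (sample re-launches its own binary)."""
    writes = defaultdict(int)
    ctx_pairs = set()
    for e in events:
        if e["api"] == "WriteProcessMemory":
            writes[(e["pid"], e["target_pid"])] += 1
        elif e["api"] == "SetThreadContext":
            ctx_pairs.add((e["pid"], e["target_pid"]))
    hits = []
    for src, dst in sorted(ctx_pairs):
        if writes[(src, dst)] == 0 or processes[dst]["parent"] != src:
            continue
        hits.append({"injector": src, "hollowed": dst, "writes": writes[(src, dst)],
                     "same_image": image(src, processes) == image(dst, processes)})
    return hits


def ancestry(pid, processes):
    """PIDs from pid up to the root of its parent chain."""
    chain = []
    while pid is not None:
        chain.append(pid)
        pid = processes[pid]["parent"]
    return chain


# schtasks /Create ... /TN <name> ... /XML <file>, quotes optional, case-insensitive.
_SCHTASKS_XML = re.compile(r'/create\b.*?/tn\s+(\S+).*?/xml\s+"?([^"]+)"?', re.I)


def find_schtasks_xml(processes):
    """Scheduled-task creation from an XML definition, with the two context
    signals that matter: definition stored under AppData\\Local\\Temp and a
    launch chain whose root binary is not under C:\\Windows."""
    hits = []
    for pid, p in processes.items():
        if image(pid, processes).lower() != "schtasks.exe":
            continue
        m = _SCHTASKS_XML.search(p["cmdline"])
        if not m:
            continue
        task, xml = m.group(1), m.group(2)
        chain = ancestry(pid, processes)
        root_path = processes[chain[-1]]["path"].lower()
        hits.append({"pid": pid, "task": task, "xml": xml,
                     "xml_in_temp": "\\appdata\\local\\temp\\" in xml.lower(),
                     "chain": [image(c, processes) for c in chain],
                     "root_in_windows": root_path.startswith("c:\\windows\\")})
    return hits


def region_size_kb(region):
    start, end = region
    return (end - start) // 1024


def in_region(addr, region):
    return region[0] <= addr < region[1]


if __name__ == "__main__":
    for h in find_hollowing(EVENTS, PROCESSES):
        print("hollowing:", h)
    for h in find_schtasks_xml(PROCESSES):
        print("schtasks persistence:", h)
    print("dump region %dKB, mapping address inside region: %s"
          % (region_size_kb(DUMP_REGION), in_region(MAPPING_ADDR, DUMP_REGION)))
```

The sandbox rows give no CreateProcess flags, so the hollowing check keys only on what the report shows (writes into a spawned child followed by SetThreadContext); an EDR rule would additionally require the child to have been created suspended and would fire on the first write, not on a count. The region check confirms that the 0x400000-0x433000 dump is the 204KB the report lists and that the 0x40242D mapping address lies inside the region the parent wrote, which is why the netwire YARA rule matches on those dumps and not on the process's file image.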
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\fd8e6f66c0d24ce7a8a81a9d06ef14b2.xml
MD5: 5e2e669c68adab74edec35b732b38f35
SHA1: 72e82eaf2a23f0c2cd20c193a27e83302abeca32
SHA256: 695f8f7af0a3cb80db105481c38ae7e19f66f010ca75b756a4eb6dfbd2a165a8
SHA512: a5d57266600688282d0d7fd446bdb73f7618814e4c6e137609e2a0617d94057a359e06c534e48ace02c6d69849fb45a267a53c4326bbf3614cad8c9cb64adc33

memory/1816-2-0x0000000000000000-mapping.dmp
memory/2816-7-0x0000000000000000-mapping.dmp
memory/3772-3-0x0000000000400000-0x0000000000433000-memory.dmp   Filesize: 204KB
memory/3772-4-0x000000000040242D-mapping.dmp
memory/3772-6-0x0000000000400000-0x0000000000433000-memory.dmp   Filesize: 204KB