Overview

overview

10

Static

static

TNT TRACKI...LS.exe

windows7_x64

10

TNT TRACKI...LS.exe

windows10_x64

10

Analysis

  • max time kernel
    3s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    08-01-2021 07:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    TNT TRACKING DETAILS.exe

  • Size

    229KB

  • MD5

    740a1985261bb2bd22b6dc7ffbdefc9d

  • SHA1

    b2b9b3a35a01df3db2a1eaee3b4feb96647d3a5c

  • SHA256

    fefea87ebfbd43c789033d46905fd2a11b8ea9d4c6b57691f23a89e8f8687992

  • SHA512

    af71a44e0507c6a50ebdde2689f091a7ae226116d87978900cb00ff37bb8e98943391711f7b1829746e9e3d37fff17fdcf40f8fad785da0d3db8fc199ab5d174

Score
10/10
netwirebotnetratstealer

Malware Config

Signatures

  • NetWire RAT payload 3 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Suspicious use of SetThreadContext 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\TNT TRACKING DETAILS.exe
    "C:\Users\Admin\AppData\Local\Temp\TNT TRACKING DETAILS.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:596
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c schtasks /Create /TN foftservices /XML "C:\Users\Admin\AppData\Local\Temp\c320787f426b499da21dec2a995e328c.xml"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1732
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /Create /TN foftservices /XML "C:\Users\Admin\AppData\Local\Temp\c320787f426b499da21dec2a995e328c.xml"
        3⤵
        • Creates scheduled task(s)
        PID:1264
    • C:\Users\Admin\AppData\Local\Temp\TNT TRACKING DETAILS.exe
      "C:\Users\Admin\AppData\Local\Temp\TNT TRACKING DETAILS.exe"
      2⤵
        PID:1704

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\c320787f426b499da21dec2a995e328c.xml
      MD5

      aff646c982df92a159ce4ff5b2e708fd

      SHA1

      6ae21e5e595c224c9926f456a6214f742b5edf7b

      SHA256

      e0c2bb9b1b6ea50e4e1abd9ba1837cf4b4aeb8c49fc45cf3e906faa7c37d417f

      SHA512

      37704cdb7f3c4b80800fe58b1be89508b810d6a370ae2c7e8923a79984788b104a8eb90ad64b1e65611afbaf080b3e7ebd1a432dc02d7b9270ec54bbf3a6bc8a

      Download Submit
    • memory/1264-5-0x0000000000000000-mapping.dmp
      Download
    • memory/1704-4-0x000000000040242D-mapping.dmp
      Download
    • memory/1704-3-0x0000000000400000-0x0000000000433000-memory.dmp
      Filesize

      204KB

      Download
    • memory/1704-6-0x0000000000400000-0x0000000000433000-memory.dmp
      Filesize

      204KB

      Download
    • memory/1732-2-0x0000000000000000-mapping.dmp
      Download