Overview

overview

10

Static

static

Payment no...on.exe

windows7_x64

10

Payment no...on.exe

windows10_x64

10

Analysis

  • max time kernel
    49s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    11-01-2021 09:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Payment notification.exe

  • Size

    758KB

  • MD5

    1ddc40fd6ae75ccf9fffe1f0a01a9d63

  • SHA1

    8183320a9a31c56f31e482d76240afbb4a6dae54

  • SHA256

    26227234f11b155d504617e9580d22efe5a9f95d52ce767bade994da339d0d90

  • SHA512

    e940a839860e2ec7c0471392bc010165aaaed2be98f3e6cec504750ceede14aa3d1f44eb5d7c7b7b05fd1f106f3a44c2dd1cbb5050255430553554b7be866203

Score
10/10
netwirebotnetratstealer

Malware Config

Signatures

  • NetWire RAT payload 3 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Suspicious use of SetThreadContext 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Payment notification.exe
    "C:\Users\Admin\AppData\Local\Temp\Payment notification.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1048
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CBNvoQgI" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBC0F.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1668
    • C:\Users\Admin\AppData\Local\Temp\Payment notification.exe
      "{path}"
      2⤵
        PID:1340

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmpBC0F.tmp
      MD5

      9dfa7d6aaadf38e92efa33e43aaf8fb2

      SHA1

      68f45f0fcb6eed04ba0982dca2f4afdd90030f7a

      SHA256

      499fb8af631d52c4c251bb05d5e50d18af2a6cbd30103f367a359daf38df7045

      SHA512

      20459c79258585f7bfc2240f588e584041a8901407ada5faa79b88d5d873e2aef60502f0b55ce448e391ea2f5bcb3d8d892d15da4bc028507438227fc5221e87

      Download Submit
    • memory/1048-2-0x0000000073C60000-0x000000007434E000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/1048-3-0x0000000000A50000-0x0000000000A51000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1048-5-0x0000000000600000-0x000000000060E000-memory.dmp
      Filesize

      56KB

      Download
    • memory/1048-6-0x00000000050B0000-0x0000000005145000-memory.dmp
      Filesize

      596KB

      Download
    • memory/1340-10-0x000000000040242D-mapping.dmp
      Download
    • memory/1340-9-0x0000000000400000-0x0000000000433000-memory.dmp
      Filesize

      204KB

      Download
    • memory/1340-11-0x0000000000400000-0x0000000000433000-memory.dmp
      Filesize

      204KB

      Download
    • memory/1668-7-0x0000000000000000-mapping.dmp
      Download