Analysis
-
max time kernel
43s -
max time network
141s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
11-01-2021 09:20
General
-
Target
Payment notification.exe
-
Size
758KB
-
MD5
1ddc40fd6ae75ccf9fffe1f0a01a9d63
-
SHA1
8183320a9a31c56f31e482d76240afbb4a6dae54
-
SHA256
26227234f11b155d504617e9580d22efe5a9f95d52ce767bade994da339d0d90
-
SHA512
e940a839860e2ec7c0471392bc010165aaaed2be98f3e6cec504750ceede14aa3d1f44eb5d7c7b7b05fd1f106f3a44c2dd1cbb5050255430553554b7be866203
Malware Config
Signatures
-
NetWire RAT payload 3 IoCs
-
Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
-
Suspicious use of SetThreadContext 1 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Payment notification.exe"C:\Users\Admin\AppData\Local\Temp\Payment notification.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CBNvoQgI" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD372.tmp"2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\Payment notification.exe"{path}"2⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmpD372.tmpMD5
3613333ef3979a473e7fce0d12d2a7d6
SHA1a265577c08044d3db60958a7f236de516620fea9
SHA25691bf763fb9103e78be03efeda081c535067191dab05c10854e263198e27492ea
SHA51282c5b4d7bf00d5fe39b63302e5bc2525caddc0fe2b43f0cbe64595b978452167ade9b61a1a045810c71f988e21acb7195f16c1379d8354d3f795946aa2af5caf
-
memory/564-15-0x0000000000400000-0x0000000000433000-memory.dmpFilesize
204KB
-
memory/564-14-0x000000000040242D-mapping.dmp
-
memory/564-13-0x0000000000400000-0x0000000000433000-memory.dmpFilesize
204KB
-
memory/2108-11-0x0000000000000000-mapping.dmp
-
memory/4700-6-0x0000000005430000-0x0000000005431000-memory.dmpFilesize
4KB
-
memory/4700-9-0x00000000061B0000-0x0000000006245000-memory.dmpFilesize
596KB
-
memory/4700-10-0x00000000062F0000-0x00000000062F1000-memory.dmpFilesize
4KB
-
memory/4700-8-0x00000000055A0000-0x00000000055AE000-memory.dmpFilesize
56KB
-
memory/4700-7-0x0000000005590000-0x0000000005591000-memory.dmpFilesize
4KB
-
memory/4700-2-0x0000000073FA0000-0x000000007468E000-memory.dmpFilesize
6.9MB
-
memory/4700-5-0x0000000005930000-0x0000000005931000-memory.dmpFilesize
4KB
-
memory/4700-3-0x0000000000B30000-0x0000000000B31000-memory.dmpFilesize
4KB