Analysis
max time kernel: 45s
max time network: 142s
platform: windows7_x64
resource: win7v20201028
submitted: 12-01-2021 07:29
Static task: static1
Behavioral task: behavioral1
Sample: Proof of Payment.exe
Resource: win7v20201028
General
Target: Proof of Payment.exe
Size: 669KB
MD5: 4ec018f96f78c1bb6425f5e1bb71f6da
SHA1: 5190f3d25beaebda68285ed0dae5241fcd1b2162
SHA256: ee564dc0c72681dd264376c496603592961ed0025f607f5b5b0a9f025fa521bc
SHA512: d7565e7928794486a4f4e30726030bab108e2d3b99ddc30171802f1f8dc820957850fcd610ae5e8468d24374d2efd9b5bf8040fd8ab6e9cd9bd049cd6cf2b5c9
Malware Config
Signatures
NetWire RAT payload (3 IoCs)
  resource | yara_rule
  behavioral1/memory/1112-9-0x0000000000400000-0x000000000042C000-memory.dmp | netwire
  behavioral1/memory/1112-10-0x0000000000402BCB-mapping.dmp | netwire
  behavioral1/memory/1112-11-0x0000000000400000-0x000000000042C000-memory.dmp | netwire
Suspicious use of SetThreadContext (1 IoC)
  description | pid | process | target process
  PID 1120 set thread context of 1112 | 1120 | Proof of Payment.exe | Proof of Payment.exe
Creates scheduled task(s) (1 TTP, 1 IoC)
schtasks.exe is commonly used by malware for persistence or to run a payload after infection (ATT&CK v6 T1053, Scheduled Task). Here the task definition is imported from a file dropped in the user's Temp directory rather than passed on the command line, so the command line alone does not reveal what the task runs or when.
Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | process
  Token: SeDebugPrivilege | 1120 | Proof of Payment.exe
Suspicious use of WriteProcessMemory (15 IoCs)
  description | pid | process | target process | count
  PID 1120 wrote to memory of 1464 | 1120 | Proof of Payment.exe | schtasks.exe | 4
  PID 1120 wrote to memory of 1112 | 1120 | Proof of Payment.exe | Proof of Payment.exe | 11
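Taken one at a time the signature rows are weak (a parent writing into a child it has just created is routine); they only become a verdict once correlated. The Python below is an added example, not part of the sandbox report or its tooling. It rebuilds the events from the rows above as constructed input (the one-dict-per-API-call shape is an assumption, and the schtasks command line is copied from the process tree of this report), tokenizes that command line Windows-style, and returns three findings: SeDebugPrivilege enabled, a scheduled task created from a user-writable path, and a WriteProcessMemory plus SetThreadContext pair into a child running the same image, which is the process hollowing pattern. The names USER_WRITABLE, parse_schtasks_create, hollowing_candidates and findings are chosen here.

```python
"""Correlate the per-API rows of a sandbox report into verdicts: process
hollowing (WriteProcessMemory + SetThreadContext into a child that runs the
same image) and scheduled-task persistence via schtasks /Create /XML."""
import re
from collections import defaultdict

IMAGE = "Proof of Payment.exe"

# Constructed from the signature rows and the process tree of the report; the
# one-dict-per-API-call shape is an assumption, not a sandbox export format.
EVENTS = [
    {"api": "AdjustPrivilegeToken", "pid": 1120, "image": IMAGE,
     "privilege": "SeDebugPrivilege"},
    {"api": "CreateProcess", "pid": 1120, "image": IMAGE,
     "target": 1464, "target_image": "schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EkuxZKGBKwV" '
                r'/XML "C:\Users\Admin\AppData\Local\Temp\tmpD72D.tmp"'},
]
EVENTS += [{"api": "WriteProcessMemory", "pid": 1120, "image": IMAGE,
            "target": 1464, "target_image": "schtasks.exe"}] * 4
EVENTS += [{"api": "WriteProcessMemory", "pid": 1120, "image": IMAGE,
            "target": 1112, "target_image": IMAGE}] * 11
EVENTS.append({"api": "SetThreadContext", "pid": 1120, "image": IMAGE,
               "target": 1112, "target_image": IMAGE})

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')
# Directories a standard user can write to; a task definition or payload
# loaded from one of these deserves a closer look.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData)\\", re.IGNORECASE)


def tokenize_cmdline(cmdline):
    """Split a Windows command line: double-quoted tokens keep their spaces and
    backslashes are literal, unlike shlex's POSIX rules."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in _TOKEN.finditer(cmdline)]


def parse_schtasks_create(cmdline):
    """Return the /TN, /XML, /TR and /SC values of a 'schtasks /Create' command
    line, or None if the line is not a task creation."""
    argv = tokenize_cmdline(cmdline)
    if not argv or not argv[0].lower().endswith("schtasks.exe"):
        return None
    lowered = [a.lower() for a in argv]
    if "/create" not in lowered:
        return None
    task = {}
    for i, flag in enumerate(lowered):
        if flag in ("/tn", "/xml", "/tr", "/sc") and i + 1 < len(argv):
            task[flag[1:]] = argv[i + 1]
    return task


def hollowing_candidates(events):
    """(parent, child) pairs where the parent both wrote into the child and
    replaced a thread context there. Writes alone do not qualify: PID 1120
    also wrote into schtasks.exe (1464) but never touched a context there."""
    writes = defaultdict(int)
    contexts = {}
    for e in events:
        if e["api"] == "WriteProcessMemory":
            writes[(e["pid"], e["target"])] += 1
        elif e["api"] == "SetThreadContext":
            contexts[(e["pid"], e["target"])] = e
    return [{"parent": p, "child": c, "writes": writes[(p, c)],
             "same_image": e["image"] == e["target_image"]}
            for (p, c), e in contexts.items() if writes[(p, c)]]


def findings(events):
    """Human-readable verdicts, in the order the evidence appears."""
    out = []
    for e in events:
        if e["api"] == "AdjustPrivilegeToken" and e.get("privilege") == "SeDebugPrivilege":
            out.append(f"pid {e['pid']} enabled SeDebugPrivilege")
        elif e["api"] == "CreateProcess":
            task = parse_schtasks_create(e.get("cmdline", ""))
            if task:
                src = task.get("xml") or task.get("tr", "")
                note = " from a user-writable path" if USER_WRITABLE.search(src) else ""
                out.append(f"pid {e['pid']} created scheduled task {task.get('tn', '?')}{note}")
    for h in hollowing_candidates(events):
        kind = "same image" if h["same_image"] else "different image"
        out.append(f"pid {h['parent']} hollowed pid {h['child']} "
                   f"({h['writes']} writes, {kind})")
    return out


if __name__ == "__main__":
    for line in findings(EVENTS):
        print(line)
```

The same-image check is what separates this from a loader that injects into a system process: the sample starts a second copy of itself suspended, overwrites it, and resumes it at a new entry point, which is why the NetWire YARA hits land in PID 1112 rather than in the parent.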
Processes
1. C:\Users\Admin\AppData\Local\Temp\Proof of Payment.exe (PID 1120)
   Command line: "C:\Users\Admin\AppData\Local\Temp\Proof of Payment.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\schtasks.exe (PID 1464)
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EkuxZKGBKwV" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD72D.tmp"
      - Creates scheduled task(s)
      The command line names System32 but the image runs from SysWOW64: the parent is a 32-bit process, so WOW64 file system redirection maps the path.
   2. C:\Users\Admin\AppData\Local\Temp\Proof of Payment.exe (PID 1112)
      Command line: "{path}"
      Second instance of the sample, started by PID 1120 and the target of its SetThreadContext and WriteProcessMemory calls; the NetWire YARA matches above are in this process's memory at 0x400000-0x42C000.
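The /XML form of schtasks keeps the action and trigger inside the imported file, which this report only hashes (tmpD72D.tmp). The Python below is an added example, not from the report, that parses a constructed, hypothetical task definition in the Task Scheduler XML schema that /XML imports (its command path is an invented placeholder, not this sample's real action) and pulls out what a responder checks first: the Exec command, the trigger types, and the Hidden setting. parse_task and assess_task are names chosen here.

```python
"""Inspect a Task Scheduler XML definition, the file format that
schtasks /Create /XML imports: what it runs, when, and whether it is hidden."""
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData)\\", re.IGNORECASE)

# Constructed, hypothetical task definition. The report above only records the
# hashes of tmpD72D.tmp; the command path here is an invented placeholder, not
# the sample's real action.
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
    </LogonTrigger>
  </Triggers>
  <Settings>
    <Hidden>true</Hidden>
    <StartWhenAvailable>true</StartWhenAvailable>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\Admin\AppData\Roaming\Updates\payload.exe</Command>
    </Exec>
  </Actions>
</Task>
"""


def parse_task(xml_text):
    """Return the Exec actions, the trigger element names and the Hidden flag."""
    root = ET.fromstring(xml_text)
    actions = []
    for exec_el in root.findall("t:Actions/t:Exec", TASK_NS):
        cmd = exec_el.findtext("t:Command", default="", namespaces=TASK_NS)
        args = exec_el.findtext("t:Arguments", default="", namespaces=TASK_NS)
        actions.append((cmd.strip(), args.strip()))
    trig = root.find("t:Triggers", TASK_NS)
    # Strip the namespace URI from the tag: '{...}LogonTrigger' -> 'LogonTrigger'
    triggers = [] if trig is None else [t.tag.rsplit("}", 1)[-1] for t in trig]
    hidden = root.findtext("t:Settings/t:Hidden", default="false",
                           namespaces=TASK_NS).strip().lower() == "true"
    return {"actions": actions, "triggers": triggers, "hidden": hidden}


def assess_task(info):
    """Reasons to treat the task as suspicious; an empty list means nothing stood out."""
    reasons = []
    for cmd, _ in info["actions"]:
        if USER_WRITABLE.search(cmd):
            reasons.append(f"runs from a user-writable path: {cmd}")
    if {"LogonTrigger", "BootTrigger"} & set(info["triggers"]):
        reasons.append("fires at logon or boot")
    if info["hidden"]:
        reasons.append("hidden from the Task Scheduler UI")
    return reasons


if __name__ == "__main__":
    info = parse_task(SAMPLE_TASK_XML)
    print(info)
    for r in assess_task(info):
        print("-", r)
```

On a live host the registered task can be exported with `schtasks /Query /TN "Updates\EkuxZKGBKwV" /XML` and the output fed to parse_task; pass the raw bytes to ET.fromstring rather than a decoded str, because the export carries an encoding="UTF-16" declaration that expat rejects once the data is already text.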
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\tmpD72D.tmp
  MD5: 1923eeb4043770c935d774095094bc33
  SHA1: 4deb192867a9ea7611fe658f770c8aa2fac045ff
  SHA256: e3a646418dd7b71d3009d75f63fedc93ec16e1dad6cdde0a788caca2e1074559
  SHA512: d6f8bed0f5d19f5ca66a49431d27a943d4da3a795afa0772e1893cdafff017c997479b68f76a01c11008a584549741f16e5aee7f5099b9ff89a48f4e9668b44a
memory/1112-9-0x0000000000400000-0x000000000042C000-memory.dmp
  Filesize: 176KB
memory/1112-10-0x0000000000402BCB-mapping.dmp
memory/1112-11-0x0000000000400000-0x000000000042C000-memory.dmp
  Filesize: 176KB
memory/1120-2-0x0000000074B10000-0x00000000751FE000-memory.dmp
  Filesize: 6.9MB
memory/1120-3-0x0000000000EC0000-0x0000000000EC1000-memory.dmp
  Filesize: 4KB
memory/1120-5-0x00000000003F0000-0x00000000003FE000-memory.dmp
  Filesize: 56KB
memory/1120-6-0x0000000005720000-0x0000000005796000-memory.dmp
  Filesize: 472KB
memory/1464-7-0x0000000000000000-mapping.dmp