Overview

overview

10

Static

static

FeDEx TRAC...LS.exe

windows7_x64

10

FeDEx TRAC...LS.exe

windows10_x64

10

Analysis

  • max time kernel
    79s
  • max time network
    79s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    13-01-2021 20:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    FeDEx TRACKING DETAILS.exe

  • Size

    316KB

  • MD5

    205460f0adbfe5667223d1e5b3d9a9ee

  • SHA1

    78e909ffd58734dc411d22fc72d27a833db4b969

  • SHA256

    90dbd6dce0e0e7013656333f1cd8a9b7660e0e40e782a622856800c52e980d3e

  • SHA512

    104ba781eb949821bad8789271feab185a2aa28ff1c6fc35cfd0bf44eee1ff7ed2412dd17d60831d55bee6af7d0731d80091f5e2edeebbc6fb3a1f622bbff775

Score
10/10
netwirebotnetratstealer

Malware Config

Signatures

  • NetWire RAT payload 3 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Suspicious use of SetThreadContext 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\FeDEx TRACKING DETAILS.exe
    "C:\Users\Admin\AppData\Local\Temp\FeDEx TRACKING DETAILS.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:1632
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /Create /TN loserty /XML "C:\Users\Admin\AppData\Local\Temp\5114842f0dd2444f9d7295083ca8bde7.xml"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1708
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /Create /TN loserty /XML "C:\Users\Admin\AppData\Local\Temp\5114842f0dd2444f9d7295083ca8bde7.xml"
        3⤵
        • Creates scheduled task(s)
        PID:1684
    • C:\Users\Admin\AppData\Local\Temp\FeDEx TRACKING DETAILS.exe
      "C:\Users\Admin\AppData\Local\Temp\FeDEx TRACKING DETAILS.exe"
      2⤵
        PID:1712

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\5114842f0dd2444f9d7295083ca8bde7.xml
      MD5

      8d133071e6c5a143837cd0f751da52ef

      SHA1

      c33cd85604b8f4c301be7b05cf89c1485a609912

      SHA256

      c7687c45a893f19cb54cf7f9fec97dd56a6d1908a63490d1be2f68bd50714244

      SHA512

      5fa2b5b5f524c8722a6afb1fc261b67fddc0728698041a980b16d057f98813fc9e215984a1369498e2320cba5eecea82e8bdef47699a0c7ee1edf162dc49be4d

      Download Submit
    • memory/1684-6-0x0000000000000000-mapping.dmp
      Download
    • memory/1708-2-0x0000000000000000-mapping.dmp
      Download
    • memory/1712-3-0x0000000000400000-0x0000000000433000-memory.dmp
      Filesize

      204KB

      Download
    • memory/1712-4-0x000000000040242D-mapping.dmp
      Download
    • memory/1712-5-0x0000000000400000-0x0000000000433000-memory.dmp
      Filesize

      204KB

      Download