Analysis

Max time kernel: 79s
Max time network: 79s
Platform: windows7_x64
Resource: win7v20201028
Submitted: 13-01-2021 20:19

Static task: static1
Behavioral task: behavioral1
Sample: FeDEx TRACKING DETAILS.exe
Resource: win7v20201028
General

Target: FeDEx TRACKING DETAILS.exe
Size: 316KB
MD5: 205460f0adbfe5667223d1e5b3d9a9ee
SHA1: 78e909ffd58734dc411d22fc72d27a833db4b969
SHA256: 90dbd6dce0e0e7013656333f1cd8a9b7660e0e40e782a622856800c52e980d3e
SHA512: 104ba781eb949821bad8789271feab185a2aa28ff1c6fc35cfd0bf44eee1ff7ed2412dd17d60831d55bee6af7d0731d80091f5e2edeebbc6fb3a1f622bbff775
Malware Config
Signatures

NetWire RAT payload (3 IoCs)
  YARA rule "netwire" matched in behavioral1 on:
  - memory/1712-3-0x0000000000400000-0x0000000000433000-memory.dmp
  - memory/1712-4-0x000000000040242D-mapping.dmp
  - memory/1712-5-0x0000000000400000-0x0000000000433000-memory.dmp

Suspicious use of SetThreadContext (1 IoC)
  - PID 1632 (FeDEx TRACKING DETAILS.exe) set thread context of PID 1712 (FeDEx TRACKING DETAILS.exe)
  PID 1712 is a child of 1632 running the same image. Together with the repeated WriteProcessMemory calls into 1712 listed below and the NetWire matches on that child's 0x400000-0x433000 image region, this is consistent with process hollowing: the dropper spawns a copy of itself, overwrites the child's image with the unpacked payload and redirects its thread to the new entry point.

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution. Here schtasks.exe (PID 1684) is launched through cmd.exe to create a task named "loserty" from an XML definition dropped in the user's Temp directory (see Processes and Downloads for the command line and the file's hashes).

Suspicious behavior: MapViewOfSection (1 IoC)
  - PID 1632 (FeDEx TRACKING DETAILS.exe)

Suspicious use of WriteProcessMemory (13 IoCs)
  - PID 1632 (FeDEx TRACKING DETAILS.exe) wrote to memory of PID 1708 (cmd.exe), 4 times
  - PID 1632 (FeDEx TRACKING DETAILS.exe) wrote to memory of PID 1712 (FeDEx TRACKING DETAILS.exe), 5 times
  - PID 1708 (cmd.exe) wrote to memory of PID 1684 (schtasks.exe), 4 times
Processes

C:\Users\Admin\AppData\Local\Temp\FeDEx TRACKING DETAILS.exe (PID 1632)
  Command line: "C:\Users\Admin\AppData\Local\Temp\FeDEx TRACKING DETAILS.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe (PID 1708, child of 1632)
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /Create /TN loserty /XML "C:\Users\Admin\AppData\Local\Temp\5114842f0dd2444f9d7295083ca8bde7.xml"
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe (PID 1684, child of 1708)
      Command line: schtasks /Create /TN loserty /XML "C:\Users\Admin\AppData\Local\Temp\5114842f0dd2444f9d7295083ca8bde7.xml"
      - Creates scheduled task(s)

  C:\Users\Admin\AppData\Local\Temp\FeDEx TRACKING DETAILS.exe (PID 1712, child of 1632)
    Command line: "C:\Users\Admin\AppData\Local\Temp\FeDEx TRACKING DETAILS.exe"
    (no signatures of its own; the NetWire YARA matches are on this process's memory dumps)

Note: PIDs are taken from the signature tables above. The sample is a 32-bit process, so its request for C:\Windows\System32\cmd.exe is redirected by WOW64 file system redirection to C:\Windows\SysWOW64\cmd.exe, which is why the executing image path differs from the command line.
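The two findings in this report, the same-image child that is written to and then given a new thread context, and the schtasks /Create persistence fed from an XML file in Temp, can be pulled out of the raw behaviour rows mechanically. The script below is an added example, not code from the sandbox or its signature engine. The process table, command lines and behaviour log are constructed to mirror the report above; the "PID a wrote to memory of b" line shape and the Temp-path heuristic are assumptions, not a real sandbox export format.

```python
"""Correlate sandbox behaviour rows into process-hollowing and schtasks-persistence findings.

Added example, not the sandbox's own code. PIDs, images, command lines and event wording
are constructed to mirror the report; the input shape is an assumption.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed process table (pid -> executing image), as in the report's process tree.
IMAGE: Dict[int, str] = {
    1632: r"C:\Users\Admin\AppData\Local\Temp\FeDEx TRACKING DETAILS.exe",
    1708: r"C:\Windows\SysWOW64\cmd.exe",
    1684: r"C:\Windows\SysWOW64\schtasks.exe",
    1712: r"C:\Users\Admin\AppData\Local\Temp\FeDEx TRACKING DETAILS.exe",
}
PARENT: Dict[int, int] = {1708: 1632, 1684: 1708, 1712: 1632}
CMDLINE: Dict[int, str] = {
    1708: r'"C:\Windows\System32\cmd.exe" /c schtasks /Create /TN loserty /XML "C:\Users\Admin\AppData\Local\Temp\5114842f0dd2444f9d7295083ca8bde7.xml"',
    1684: r'schtasks /Create /TN loserty /XML "C:\Users\Admin\AppData\Local\Temp\5114842f0dd2444f9d7295083ca8bde7.xml"',
}
# Constructed behaviour log in the wording of the report's signature tables (repeats collapsed).
BEHAVIOUR_LOG = """
PID 1632 wrote to memory of 1708
PID 1632 wrote to memory of 1712
PID 1632 set thread context of 1712
PID 1708 wrote to memory of 1684
"""

EVENT_RE = re.compile(r"PID (\d+) (wrote to memory of|set thread context of) (\d+)")
TN_RE = re.compile(r"/TN\s+(\S+)", re.IGNORECASE)
XML_RE = re.compile(r'/XML\s+"?([^"]+?)"?(?:\s|$)', re.IGNORECASE)
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def parse_events(log: str) -> List[Tuple[str, int, int]]:
    """'PID a <action> b' -> (action, a, b); lines that do not match are ignored."""
    events = []
    for line in log.splitlines():
        m = EVENT_RE.search(line)
        if m:
            events.append((m.group(2), int(m.group(1)), int(m.group(3))))
    return events


def find_hollowing(events, image: Dict[int, str], parent: Dict[int, int]) -> List[Tuple[int, int]]:
    """Process-hollowing pattern: a parent spawns a child of its own image, writes into it,
    then replaces the child's thread context. All three must hold; a write on its own
    (1632 -> cmd.exe here) is ordinary process-creation noise and is not flagged."""
    actions = defaultdict(set)
    for action, src, dst in events:
        actions[(src, dst)].add(action)
    hits = []
    for (src, dst), acts in sorted(actions.items()):
        same_image = image.get(src, "").lower() == image.get(dst, "").lower()
        if {"wrote to memory of", "set thread context of"} <= acts and parent.get(dst) == src and same_image:
            hits.append((src, dst))
    return hits


def ancestry(pid: int, parent: Dict[int, int]) -> List[int]:
    """Root-first chain of PIDs leading to pid."""
    chain = [pid]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return chain[::-1]


def find_schtasks_persistence(image, parent, cmdline) -> List[dict]:
    """schtasks /Create fed a task definition from a user-writable Temp path (assumed
    heuristic). The ancestry chain shows the analyst that the root is itself in Temp."""
    findings = []
    for pid, img in image.items():
        cl = cmdline.get(pid, "")
        if not img.lower().endswith("\\schtasks.exe") or "/create" not in cl.lower():
            continue
        tn, xml = TN_RE.search(cl), XML_RE.search(cl)
        findings.append({
            "pid": pid,
            "task": tn.group(1) if tn else None,
            "xml": xml.group(1) if xml else None,
            "xml_in_temp": bool(xml and TEMP_RE.search(xml.group(1))),
            "chain": ancestry(pid, parent),
        })
    return findings


if __name__ == "__main__":
    for src, dst in find_hollowing(parse_events(BEHAVIOUR_LOG), IMAGE, PARENT):
        print(f"hollowing: PID {src} -> PID {dst} ({IMAGE[dst]})")
    for f in find_schtasks_persistence(IMAGE, PARENT, CMDLINE):
        print(f"persistence: task {f['task']!r} from {f['xml']} via {' -> '.join(map(str, f['chain']))}")
```

On this input the hollowing check returns only the 1632 -> 1712 pair, because the write into cmd.exe has no matching SetThreadContext and a different image; the persistence check returns the "loserty" task with its XML in Temp and the chain 1632 -> 1708 -> 1684. The XML path it extracts is the same file listed under Downloads, so the task's trigger and action can be read from the dropped file rather than guessed.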
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\5114842f0dd2444f9d7295083ca8bde7.xml
  MD5: 8d133071e6c5a143837cd0f751da52ef
  SHA1: c33cd85604b8f4c301be7b05cf89c1485a609912
  SHA256: c7687c45a893f19cb54cf7f9fec97dd56a6d1908a63490d1be2f68bd50714244
  SHA512: 5fa2b5b5f524c8722a6afb1fc261b67fddc0728698041a980b16d057f98813fc9e215984a1369498e2320cba5eecea82e8bdef47699a0c7ee1edf162dc49be4d

memory/1684-6-0x0000000000000000-mapping.dmp
memory/1708-2-0x0000000000000000-mapping.dmp
memory/1712-3-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
memory/1712-4-0x000000000040242D-mapping.dmp
memory/1712-5-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)