Overview

overview

10

Static

static

FeDEx TRAC...LS.exe

windows7_x64

10

FeDEx TRAC...LS.exe

windows10_x64

10

Analysis

  • max time kernel
    79s
  • max time network
    111s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    13-01-2021 20:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    FeDEx TRACKING DETAILS.exe

  • Size

    316KB

  • MD5

    205460f0adbfe5667223d1e5b3d9a9ee

  • SHA1

    78e909ffd58734dc411d22fc72d27a833db4b969

  • SHA256

    90dbd6dce0e0e7013656333f1cd8a9b7660e0e40e782a622856800c52e980d3e

  • SHA512

    104ba781eb949821bad8789271feab185a2aa28ff1c6fc35cfd0bf44eee1ff7ed2412dd17d60831d55bee6af7d0731d80091f5e2edeebbc6fb3a1f622bbff775

Score
10/10
netwirebotnetratstealer

Malware Config

Signatures

  • NetWire RAT payload 3 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Suspicious use of SetThreadContext 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\FeDEx TRACKING DETAILS.exe
    "C:\Users\Admin\AppData\Local\Temp\FeDEx TRACKING DETAILS.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:3992
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /Create /TN loserty /XML "C:\Users\Admin\AppData\Local\Temp\5114842f0dd2444f9d7295083ca8bde7.xml"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2284
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /Create /TN loserty /XML "C:\Users\Admin\AppData\Local\Temp\5114842f0dd2444f9d7295083ca8bde7.xml"
        3⤵
        • Creates scheduled task(s)
        PID:2676
    • C:\Users\Admin\AppData\Local\Temp\FeDEx TRACKING DETAILS.exe
      "C:\Users\Admin\AppData\Local\Temp\FeDEx TRACKING DETAILS.exe"
      2⤵
        PID:2280

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\5114842f0dd2444f9d7295083ca8bde7.xml
      MD5

      32351d13c843226c639330f3cb2f73af

      SHA1

      51257007014be0982c14e3ee3257b9fb24fc8f3a

      SHA256

      8acbcfedfbde8dd837c5675967199b477b561f9e3dedf16a56eff9644b4f3159

      SHA512

      4a38d3316b0f5e267d695097cef9771bfb680ecf5d392a041153f8a07f4ad16ff792772006e3c89e281a67e831378da734f2ab096807e0caf975e243e4b886d1

      Download Submit
    • memory/2280-3-0x0000000000400000-0x0000000000433000-memory.dmp
      Filesize

      204KB

      Download
    • memory/2280-4-0x000000000040242D-mapping.dmp
      Download
    • memory/2284-2-0x0000000000000000-mapping.dmp
      Download
    • memory/2676-7-0x0000000000000000-mapping.dmp
      Download
    • memory/3992-5-0x0000000001470000-0x00000000014A3000-memory.dmp
      Filesize

      204KB

      Download