Analysis
-
max time kernel
37s -
max time network
148s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
14-01-2021 07:03
General
-
Target
Payment notification.exe
-
Size
813KB
-
MD5
fe640ee4067329f2713d5c2ecc63ab9f
-
SHA1
33f0a12a80b686159822fce665422546a49348b5
-
SHA256
41dbe67f8521046283d43077e26d6fef8a830e94f6ad1b1765dc5056f8d81846
-
SHA512
5e16b4f3543f317d1d0b9a3134a2a71849b3b79aa324b2a52bd2ae5a62f3231292a8904dbac9019b6abe4aa03ed5f023896b3458d9d40a2e005861d10ea842a1
Malware Config
Signatures
-
NetWire RAT payload 3 IoCs
-
Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
-
Suspicious use of SetThreadContext 1 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Payment notification.exe"C:\Users\Admin\AppData\Local\Temp\Payment notification.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mZkwuSmrC" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB5E8.tmp"2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\Payment notification.exe"{path}"2⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmpB5E8.tmpMD5
81b3c935518885700027fa9fa6794c63
SHA1a58e75264478aa06c80717bab4648dde8a1ced2a
SHA256c16108056946a83fd994c9eadd8f0f985433ea87716a27d7de34b2702e07c646
SHA512ae64cf8cb69ca83b9942efed26633a08dadb00fc36fb40378b9b27fae273ef3d6eeb3c61d87e0b405a833705a9f5f73ee67e5a706ce1848d08d72d4c09b39f2c
-
memory/3124-15-0x0000000000400000-0x0000000000433000-memory.dmpFilesize
204KB
-
memory/3124-14-0x000000000040242D-mapping.dmp
-
memory/3124-13-0x0000000000400000-0x0000000000433000-memory.dmpFilesize
204KB
-
memory/3496-11-0x0000000000000000-mapping.dmp
-
memory/3932-6-0x0000000004E50000-0x0000000004E51000-memory.dmpFilesize
4KB
-
memory/3932-9-0x00000000072C0000-0x0000000007347000-memory.dmpFilesize
540KB
-
memory/3932-10-0x00000000073F0000-0x00000000073F1000-memory.dmpFilesize
4KB
-
memory/3932-8-0x0000000005080000-0x000000000508E000-memory.dmpFilesize
56KB
-
memory/3932-7-0x0000000004E00000-0x0000000004E01000-memory.dmpFilesize
4KB
-
memory/3932-2-0x00000000733A0000-0x0000000073A8E000-memory.dmpFilesize
6.9MB
-
memory/3932-5-0x00000000052B0000-0x00000000052B1000-memory.dmpFilesize
4KB
-
memory/3932-3-0x00000000004F0000-0x00000000004F1000-memory.dmpFilesize
4KB