Analysis
- max time kernel: 41s
- max time network: 118s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 15-01-2021 07:22

Static task: static1
Behavioral task: behavioral1
- Sample: Proof of Payment.exe
- Resource: win7v20201028
General
- Target: Proof of Payment.exe
- Size: 919KB
- MD5: 06eea001fb61532885ae0ce6f95d0b3c
- SHA1: 0cd7c9f2abdd2558333541762903d2f8328dec96
- SHA256: 2dc1258101b1183ad4e08320f15310cad541c900919e98e0816c751fee303306
- SHA512: 1bd704ab322497ffc5212aed7283819253113b4f2e306b0f3a8d1eec2d4cb302d3007c859877284d31c988917c712f652bdede16c7fb489568293c28e3860c21
Malware Config
Signatures
- NetWire RAT payload (3 IoCs)
  Processes:
    resource | yara_rule
    behavioral1/memory/520-9-0x0000000000400000-0x0000000000433000-memory.dmp | netwire
    behavioral1/memory/520-10-0x000000000040242D-mapping.dmp | netwire
    behavioral1/memory/520-11-0x0000000000400000-0x0000000000433000-memory.dmp | netwire
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description | pid | process | target process
    PID 740 set thread context of 520 | 740 | Proof of Payment.exe | Proof of Payment.exe
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes:
    description | pid | process | target process
    PID 740 wrote to memory of 316 | 740 | Proof of Payment.exe | schtasks.exe (4 entries)
    PID 740 wrote to memory of 520 | 740 | Proof of Payment.exe | Proof of Payment.exe (12 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\Proof of Payment.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Proof of Payment.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pmbtKQaVLTRS" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD7C9.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\Proof of Payment.exe
    Command line: "{path}"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpD7C9.tmp
  MD5: 146ac1eb46356e9fe3ff62a900406fcb
  SHA1: d54ccd4649914090e5d36e0f7a20f587bede62b4
  SHA256: 9346aa0ae22bf40f1c31da57c936c21637bb72ec8599b8b2a6b34a988a74ca06
  SHA512: 105a00eec0abeb1d1fb37893afb4e2062e3db759ab31576980d31b5c0aedb36ae0e88a67c8ae94b02dd4c89d70fe03ff9af656847220492e86656a588e53df89
- memory/316-7-0x0000000000000000-mapping.dmp
- memory/520-9-0x0000000000400000-0x0000000000433000-memory.dmp
  Filesize: 204KB
- memory/520-10-0x000000000040242D-mapping.dmp
- memory/520-11-0x0000000000400000-0x0000000000433000-memory.dmp
  Filesize: 204KB
- memory/740-2-0x0000000074CC0000-0x00000000753AE000-memory.dmp
  Filesize: 6.9MB
- memory/740-3-0x0000000000A40000-0x0000000000A41000-memory.dmp
  Filesize: 4KB
- memory/740-5-0x0000000000360000-0x000000000036E000-memory.dmp
  Filesize: 56KB
- memory/740-6-0x0000000002270000-0x00000000022B6000-memory.dmp
  Filesize: 280KB