Overview

overview

10

Static

static

Proof Of Payment.exe

windows7_x64

10

Proof Of Payment.exe

windows10_x64

10

Analysis

  • max time kernel
    140s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    19-01-2021 07:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Proof Of Payment.exe

  • Size

    1.4MB

  • MD5

    b09c19f4d896b873476bce03ff91207f

  • SHA1

    2d10ce9d6635ba0bc7787bc25e83f91e6c138a38

  • SHA256

    c8dd40f09de4d85fa155fab0b763b1cba2d8381617eee03932d0edd221c33fef

  • SHA512

    367341a093421f25f560ac9cc2d5e36932af225a72fc5ee8af9d7f1135f6f4f4d135d9bd927203979be4bcccbc3559e558190b4ecdc43d7502205131af0b15ea

Score
10/10
netwirebotnetratstealer

Malware Config

Signatures

  • NetWire RAT payload 3 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Suspicious use of SetThreadContext 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Proof Of Payment.exe
    "C:\Users\Admin\AppData\Local\Temp\Proof Of Payment.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1832
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nhNlECm" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1767.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1548
    • C:\Users\Admin\AppData\Local\Temp\Proof Of Payment.exe
      "{path}"
      2⤵
        PID:1724

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp1767.tmp
      MD5

      33a8d506b1106da8af48283ca44ad635

      SHA1

      4c055533fe2dae18975d2fbad01ed83a0c68373a

      SHA256

      ba002599b170c042ae34f5d8082907835166b79e8afccfc7a5918309f9e7c3cb

      SHA512

      3d23ad0a45ef41e7c748f523f8fa5241055bb7865d956a9c17d28d3425c8c0b7a48b3a99e7841be40b855dcf823803c663d25ef1a63f04c8c2f57e1be89ba99c

      Download Submit
    • memory/1548-9-0x0000000000000000-mapping.dmp
      Download
    • memory/1724-11-0x0000000000400000-0x0000000000433000-memory.dmp
      Filesize

      204KB

      Download
    • memory/1724-12-0x000000000040242D-mapping.dmp
      Download
    • memory/1724-13-0x0000000076191000-0x0000000076193000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1724-14-0x0000000000400000-0x0000000000433000-memory.dmp
      Filesize

      204KB

      Download
    • memory/1832-2-0x00000000749E0000-0x00000000750CE000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/1832-3-0x0000000001310000-0x0000000001311000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1832-5-0x0000000000700000-0x0000000000776000-memory.dmp
      Filesize

      472KB

      Download
    • memory/1832-6-0x0000000000260000-0x0000000000261000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1832-7-0x0000000000510000-0x000000000051E000-memory.dmp
      Filesize

      56KB

      Download
    • memory/1832-8-0x0000000004E00000-0x0000000004E56000-memory.dmp
      Filesize

      344KB

      Download