Analysis
-
max time kernel
126s -
max time network
128s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
19-01-2021 07:36
General
-
Target
Proof of Payment.exe
-
Size
1.4MB
-
MD5
630c736f4a8124225065b21a153b889d
-
SHA1
c84d8e6cd5218bdc77b5511a7b38cd94c02fa463
-
SHA256
ef9e50bbc71c2f7c213f49e413cebab25733d52f82f2197ab256471ecb3db3bf
-
SHA512
97f4b9f5d5721f8410fb57b2a97f706cef64ad2e9c10a54918dde5a8842c56a59c1cfe1b2aec2d5c889f71612d32045b8c563828eb2d3f3da9284a82227edaa3
Malware Config
Signatures
-
NetWire RAT payload 3 IoCs
-
Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
-
Suspicious use of SetThreadContext 1 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Proof of Payment.exe"C:\Users\Admin\AppData\Local\Temp\Proof of Payment.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iRNHgwxDoUcDgI" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE7E5.tmp"2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\Proof of Payment.exe"{path}"2⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmpE7E5.tmpMD5
479dc10ae1ca9762e2d2195927818aaa
SHA154b3ec53db6c671ca8dd98cbe5fd50588d613c0a
SHA256cb94c188422a18c96dc97ed954b91f035963343680f5c39294913bead2e8350e
SHA51218a252861d1819d4333c4bd439fa4774107043af06c694af400a0921f3353ca981096b1bc67b3fff6596068fe00b5c2724dfb4ffbe61a105bdfd30016240eefb
-
memory/1176-9-0x00000000051B0000-0x00000000051B1000-memory.dmpFilesize
4KB
-
memory/1176-11-0x0000000005720000-0x0000000005777000-memory.dmpFilesize
348KB
-
memory/1176-6-0x0000000004F80000-0x0000000004F81000-memory.dmpFilesize
4KB
-
memory/1176-7-0x000000000AC10000-0x000000000AC11000-memory.dmpFilesize
4KB
-
memory/1176-8-0x000000000A6F0000-0x000000000A6F1000-memory.dmpFilesize
4KB
-
memory/1176-2-0x0000000073A70000-0x000000007415E000-memory.dmpFilesize
6.9MB
-
memory/1176-10-0x0000000005E60000-0x0000000005E6E000-memory.dmpFilesize
56KB
-
memory/1176-5-0x0000000004F00000-0x0000000004F78000-memory.dmpFilesize
480KB
-
memory/1176-12-0x0000000005F10000-0x0000000005F11000-memory.dmpFilesize
4KB
-
memory/1176-3-0x00000000004E0000-0x00000000004E1000-memory.dmpFilesize
4KB
-
memory/1372-13-0x0000000000000000-mapping.dmp
-
memory/1464-15-0x0000000000400000-0x0000000000433000-memory.dmpFilesize
204KB
-
memory/1464-16-0x000000000040242D-mapping.dmp
-
memory/1464-17-0x0000000000400000-0x0000000000433000-memory.dmpFilesize
204KB