Analysis
-
max time kernel
3s -
max time network
125s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
04-03-2021 07:20
General
-
Target
IRS-TAX.exe
-
Size
390KB
-
MD5
48d8ed92f64e8f595d4e61962d93d89e
-
SHA1
5a2fc1c48209ecd1301a1c98bedec49a056a533c
-
SHA256
9fedb9fe35eae9739d319565aed4cbd16325242f8815cdf21d12d02e5601109d
-
SHA512
96e62dfe42a9351a4f476c1731094ade50915350a1730487e535b1e17c925dc38e1ee36c08b34bade558fd5f6e12b34462b3683cc6026ae1195af9b66355ff12
Malware Config
Signatures
-
NetWire RAT payload 1 IoCs
-
Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
-
Loads dropped DLL 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of WriteProcessMemory 5 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\IRS-TAX.exe"C:\Users\Admin\AppData\Local\Temp\IRS-TAX.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IRS-TAX.exe"C:\Users\Admin\AppData\Local\Temp\IRS-TAX.exe"2⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
\Users\Admin\AppData\Local\Temp\nss2C01.tmp\bfjt.dllMD5
8a4a3cbf74a413178e8e67e3d4693d74
SHA1d746cf198e531ad22e61b4e8dc92ffe5501b9893
SHA256e11dac1006fc48867811b6c1852b311affba0c00339626d331f99a1c0114f295
SHA512199ec5808e0a3ca7e412ee18de55dab6e306fa5a34f5941a643f0432d3671e6bafa197136424fc3369abd7d5dfa6466241900cb717f66933777d1fc3b84f58ba
-
memory/1724-2-0x00000000761E1000-0x00000000761E3000-memory.dmpFilesize
8KB
-
memory/1928-4-0x000000000040242D-mapping.dmp
-
memory/1928-6-0x0000000000400000-0x0000000000433000-memory.dmpFilesize
204KB