Analysis
- max time kernel: 12s
- max time network: 122s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 04-03-2021 07:20

Static task: static1
Behavioral task: behavioral1
- Sample: IRS-TAX.exe
- Resource: win7v20201028
General
- Target: IRS-TAX.exe
- Size: 390KB
- MD5: 48d8ed92f64e8f595d4e61962d93d89e
- SHA1: 5a2fc1c48209ecd1301a1c98bedec49a056a533c
- SHA256: 9fedb9fe35eae9739d319565aed4cbd16325242f8815cdf21d12d02e5601109d
- SHA512: 96e62dfe42a9351a4f476c1731094ade50915350a1730487e535b1e17c925dc38e1ee36c08b34bade558fd5f6e12b34462b3683cc6026ae1195af9b66355ff12
Malware Config
Signatures
- NetWire RAT payload (1 IoC)
  resource: behavioral2/memory/4080-4-0x0000000000400000-0x0000000000433000-memory.dmp
  yara_rule: netwire
- Loads dropped DLL (1 IoC)
  pid 1232 IRS-TAX.exe
- Suspicious use of SetThreadContext (1 IoC)
  PID 1232 (IRS-TAX.exe) set thread context of 4080 (IRS-TAX.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. (This is the sandbox's generic description for the signature; the payload detected in this sample is the NetWire RAT, not ransomware.)
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid 1232 IRS-TAX.exe (8 occurrences)
- Suspicious behavior: MapViewOfSection (1 IoC)
  pid 1232 IRS-TAX.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 1232 (IRS-TAX.exe) wrote to memory of 4080 (IRS-TAX.exe), 4 occurrences
Processes
- C:\Users\Admin\AppData\Local\Temp\IRS-TAX.exe (depth 1; PID 1232 per the signatures above)
  command line: "C:\Users\Admin\AppData\Local\Temp\IRS-TAX.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IRS-TAX.exe (depth 2, child of the above; PID 4080 per the signatures above)
    command line: "C:\Users\Admin\AppData\Local\Temp\IRS-TAX.exe"
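The signature rows and the process tree above record one injection chain: the first IRS-TAX.exe (PID 1232) starts a second copy of itself (PID 4080), writes into that child four times, then calls SetThreadContext, and the NetWire payload is afterwards found in the child's 0x400000-0x433000 region. That WriteProcessMemory-then-SetThreadContext sequence against a process the writer itself created is the core of process hollowing. The Python below is an added detection example, not part of the sandbox report and not NetWire code: it parses rows in the flattened "description pid process target-process" layout the report uses and flags parent/child pairs where a cross-process write is followed by a thread-context change. The PIDs and image names are taken from the report and the parent map from the process tree; the row targeting a hypothetical PID 5000 / svchost.exe is a constructed negative control that is not in the report.

```python
import re
from collections import defaultdict

# Constructed input: the WriteProcessMemory and SetThreadContext rows from the
# report above, in the flattened "description pid process target-process"
# layout. The last row is an added negative control (a cross-process write
# with no SetThreadContext and no parent/child link); it is NOT in the report.
SIGNATURE_ROWS = [
    "PID 1232 wrote to memory of 4080 1232 IRS-TAX.exe IRS-TAX.exe",
    "PID 1232 wrote to memory of 4080 1232 IRS-TAX.exe IRS-TAX.exe",
    "PID 1232 wrote to memory of 4080 1232 IRS-TAX.exe IRS-TAX.exe",
    "PID 1232 wrote to memory of 4080 1232 IRS-TAX.exe IRS-TAX.exe",
    "PID 1232 set thread context of 4080 1232 IRS-TAX.exe IRS-TAX.exe",
    "PID 1232 wrote to memory of 5000 1232 IRS-TAX.exe svchost.exe",  # control
]

# Constructed from the process tree in the report: child PID -> parent PID and
# PID -> image path. PID 5000 is the hypothetical control target; it is absent
# here on purpose, so it has no recorded parent.
PROCESS_PARENTS = {1232: None, 4080: 1232}
PROCESS_IMAGES = {
    1232: r"C:\Users\Admin\AppData\Local\Temp\IRS-TAX.exe",
    4080: r"C:\Users\Admin\AppData\Local\Temp\IRS-TAX.exe",
}

ROW_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<action>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) (?P<pid>\d+) (?P<src_image>\S+) (?P<dst_image>\S+)$"
)


def parse_rows(rows):
    """Turn the sandbox's flattened signature rows into structured events."""
    events = []
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            continue  # rows of other signature types are not relevant here
        events.append({
            "src": int(m["src"]),
            "dst": int(m["dst"]),
            "action": "write" if m["action"].startswith("wrote") else "set_context",
            "src_image": m["src_image"],
            "dst_image": m["dst_image"],
        })
    return events


def find_hollowing(events, parents, images):
    """Flag (parent, child) pairs where the parent both wrote into the child
    and replaced a thread context. A cross-process write alone is not enough
    (debuggers and some installers do that); the SetThreadContext on a process
    the writer created is what redirects the child's entry point to the
    injected image."""
    counts = defaultdict(lambda: {"write": 0, "set_context": 0})
    for e in events:
        if e["src"] != e["dst"]:  # writes into the writer's own process are ignored
            counts[(e["src"], e["dst"])][e["action"]] += 1

    findings = []
    for (src, dst), c in counts.items():
        if c["write"] == 0 or c["set_context"] == 0:
            continue
        if parents.get(dst) != src:  # hollowing targets a process the attacker spawned
            continue
        findings.append({
            "parent": src,
            "hollowed": dst,
            "writes": c["write"],
            # True here: the sample hollows a second copy of its own image
            # rather than a benign host such as a .NET utility.
            "same_image": images.get(src) == images.get(dst),
        })
    return findings


def analyze(rows=SIGNATURE_ROWS):
    return find_hollowing(parse_rows(rows), PROCESS_PARENTS, PROCESS_IMAGES)


if __name__ == "__main__":
    for finding in analyze():
        print(finding)
```

On the report's rows this yields exactly one finding, parent 1232 hollowing child 4080 with four writes, and the control write to PID 5000 is not reported because no SetThreadContext followed it and 5000 is not a child of 1232. The child PID in the finding is the one whose memory is worth dumping; in the report that dump is the 4080-4-0x0000000000400000-0x0000000000433000 region where the netwire YARA rule matched.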
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Users\Admin\AppData\Local\Temp\nsb6F2C.tmp\bfjt.dll (the nsXXXX.tmp directory under %TEMP% is where an NSIS installer unpacks its plugin DLLs, so the sample is an NSIS-packaged installer that loads this dropped DLL at runtime)
  MD5: 8a4a3cbf74a413178e8e67e3d4693d74
  SHA1: d746cf198e531ad22e61b4e8dc92ffe5501b9893
  SHA256: e11dac1006fc48867811b6c1852b311affba0c00339626d331f99a1c0114f295
  SHA512: 199ec5808e0a3ca7e412ee18de55dab6e306fa5a34f5941a643f0432d3671e6bafa197136424fc3369abd7d5dfa6466241900cb717f66933777d1fc3b84f58ba
- memory/4080-3-0x000000000040242D-mapping.dmp
- memory/4080-4-0x0000000000400000-0x0000000000433000-memory.dmp
  Filesize: 204KB (0x33000 bytes, matching the dumped range)