Analysis
- max time kernel: 12s
- max time network: 110s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 05-03-2021 07:17
Static task: static1
Behavioral task: behavioral1
- Sample: FedEx Shipment.exe
- Resource: win7v20201028 (windows7_x64)
- 0 signatures
- 0 seconds
Behavioral task: behavioral2
- Sample: FedEx Shipment.exe
- Resource: win10v20201028 (windows10_x64)
- 0 signatures
- 0 seconds
General
- Target: FedEx Shipment.exe
- Size: 738KB
- MD5: 20e5be824638df2b4f86520d5a5a0cad
- SHA1: 5e3a464ce7ebaf297438e52dd6c9eaf374217eed
- SHA256: cef2f777b4c29a5ced187382e3c0a0ee61d4c71471fc5d100b78a4e88f4324de
- SHA512: 238b8f441a6d5c17c407ff254928bb17ef7ed06143a23187842f9ab3012263913055672ea67c32351f2be9d2b2fa6f7e0a2a7af2260514870418dcf19fc11a11
- Score: 10/10
Malware Config
Signatures
- NetWire RAT payload (5 IoCs)
  resource -> yara_rule:
  - behavioral2/memory/816-7-0x000000001C630000-0x000000001C6AE000-memory.dmp -> netwire
  - behavioral2/memory/816-10-0x0000000001910000-0x0000000001939000-memory.dmp -> netwire
  - behavioral2/memory/3184-11-0x0000000000400000-0x0000000000433000-memory.dmp -> netwire
  - behavioral2/memory/3184-12-0x000000000040242D-mapping.dmp -> netwire
  - behavioral2/memory/3184-13-0x0000000000400000-0x0000000000433000-memory.dmp -> netwire
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: FedEx Shipment.exe
  description | ioc | process:
  - Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwd.exe = "C:\\Users\\Admin\\AppData\\Roaming\\cwds\\cwd.exe" | FedEx Shipment.exe
- Suspicious use of SetThreadContext (1 IoC)
  Process: FedEx Shipment.exe
  description | pid | process | target process:
  - PID 816 set thread context of 3184 | 816 | FedEx Shipment.exe | explorer.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Process: FedEx Shipment.exe
  pid | process:
  - 816 | FedEx Shipment.exe
  - 816 | FedEx Shipment.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: FedEx Shipment.exe
  description | pid | process:
  - Token: SeDebugPrivilege | 816 | FedEx Shipment.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Process: FedEx Shipment.exe
  description | pid | process | target process:
  - PID 816 wrote to memory of 800 | 816 | FedEx Shipment.exe | explorer.exe
  - PID 816 wrote to memory of 800 | 816 | FedEx Shipment.exe | explorer.exe
  - PID 816 wrote to memory of 800 | 816 | FedEx Shipment.exe | explorer.exe
  - PID 816 wrote to memory of 3184 | 816 | FedEx Shipment.exe | explorer.exe
  - PID 816 wrote to memory of 3184 | 816 | FedEx Shipment.exe | explorer.exe
  - PID 816 wrote to memory of 3184 | 816 | FedEx Shipment.exe | explorer.exe
  - PID 816 wrote to memory of 3184 | 816 | FedEx Shipment.exe | explorer.exe
  - PID 816 wrote to memory of 3184 | 816 | FedEx Shipment.exe | explorer.exe
  - PID 816 wrote to memory of 3184 | 816 | FedEx Shipment.exe | explorer.exe
  - PID 816 wrote to memory of 3184 | 816 | FedEx Shipment.exe | explorer.exe
  - PID 816 wrote to memory of 3184 | 816 | FedEx Shipment.exe | explorer.exe
  - PID 816 wrote to memory of 3184 | 816 | FedEx Shipment.exe | explorer.exe
  - PID 816 wrote to memory of 3184 | 816 | FedEx Shipment.exe | explorer.exe
  - PID 816 wrote to memory of 3184 | 816 | FedEx Shipment.exe | explorer.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\FedEx Shipment.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\FedEx Shipment.exe"
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\explorer.exe
    Command line: "C:\Windows\SysWOW64\explorer.exe"
  - C:\Windows\SysWOW64\explorer.exe
    Command line: "C:\Windows\SysWOW64\explorer.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/816-2-0x00007FFB852D0000-0x00007FFB85CBC000-memory.dmp (Filesize: 9.9MB)
- memory/816-3-0x0000000000B00000-0x0000000000B01000-memory.dmp (Filesize: 4KB)
- memory/816-5-0x00000000019B0000-0x0000000001A2E000-memory.dmp (Filesize: 504KB)
- memory/816-6-0x000000001C6F0000-0x000000001C6F2000-memory.dmp (Filesize: 8KB)
- memory/816-7-0x000000001C630000-0x000000001C6AE000-memory.dmp (Filesize: 504KB)
- memory/816-8-0x00000000018F0000-0x0000000001902000-memory.dmp (Filesize: 72KB)
- memory/816-9-0x00000000013C0000-0x00000000013C1000-memory.dmp (Filesize: 4KB)
- memory/816-10-0x0000000001910000-0x0000000001939000-memory.dmp (Filesize: 164KB)
- memory/3184-11-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
- memory/3184-12-0x000000000040242D-mapping.dmp
- memory/3184-13-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)