c3c8d337313ba9ba442de6db900bf5a1c95373450a907d011ca319908d921057

General

Target

R0DJFF6DH_ETRANSFER_RECEIPT.exe
Size

300.0MB
MD5

226fb5752aa6f88a83ff3b5fd793ed3e
SHA1

e47d89197c492285ed0e21ba88d8c6dc57b53b28
SHA256

b7bc9c6c715db6abe6707205e70f685422aedf9c881beda92fff27a4fafdc4cb
SHA512

7cf758e2846db04570cb00731a629d9fe282c5fd39c3b50e2238209e2341c4aa10944ed81d9971a8db475fd421d90aaec0b59722be522706dccf482eae138156

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

retwvs.exeretwvs.exe

pid process

2052 retwvs.exe
912 retwvs.exe

pid	process
2052	retwvs.exe
912	retwvs.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3472-137-0x0000000000990000-0x0000000000D74000-memory.dmp	upx
behavioral2/memory/3472-138-0x0000000000990000-0x0000000000D74000-memory.dmp	upx
behavioral2/memory/912-147-0x00000000007A0000-0x0000000000B84000-memory.dmp	upx
behavioral2/memory/912-148-0x00000000007A0000-0x0000000000B84000-memory.dmp	upx

Suspicious use of SetThreadContext 2 IoCs

Processes:

R0DJFF6DH_ETRANSFER_RECEIPT.exeretwvs.exe

description	pid	process	target process
PID 2784 set thread context of 3472	2784	R0DJFF6DH_ETRANSFER_RECEIPT.exe	R0DJFF6DH_ETRANSFER_RECEIPT.exe
PID 2052 set thread context of 912	2052	retwvs.exe	retwvs.exe

Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

1804 3472 WerFault.exe R0DJFF6DH_ETRANSFER_RECEIPT.exe
4264 912 WerFault.exe retwvs.exe
444 912 WerFault.exe retwvs.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3152 schtasks.exe
8 schtasks.exe

pid	pid_target	process	target process
1804	3472	WerFault.exe	R0DJFF6DH_ETRANSFER_RECEIPT.exe
4264	912	WerFault.exe	retwvs.exe
444	912	WerFault.exe	retwvs.exe

pid	process
3152	schtasks.exe
8	schtasks.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

R0DJFF6DH_ETRANSFER_RECEIPT.execmd.exeretwvs.execmd.exe

description	pid	process	target process
PID 2784 wrote to memory of 1484	2784	R0DJFF6DH_ETRANSFER_RECEIPT.exe	cmd.exe
PID 2784 wrote to memory of 1484	2784	R0DJFF6DH_ETRANSFER_RECEIPT.exe	cmd.exe
PID 2784 wrote to memory of 1484	2784	R0DJFF6DH_ETRANSFER_RECEIPT.exe	cmd.exe
PID 1484 wrote to memory of 3152	1484	cmd.exe	schtasks.exe
PID 1484 wrote to memory of 3152	1484	cmd.exe	schtasks.exe
PID 1484 wrote to memory of 3152	1484	cmd.exe	schtasks.exe
PID 2784 wrote to memory of 4044	2784	R0DJFF6DH_ETRANSFER_RECEIPT.exe	cmd.exe
PID 2784 wrote to memory of 4044	2784	R0DJFF6DH_ETRANSFER_RECEIPT.exe	cmd.exe
PID 2784 wrote to memory of 4044	2784	R0DJFF6DH_ETRANSFER_RECEIPT.exe	cmd.exe
PID 2784 wrote to memory of 3472	2784	R0DJFF6DH_ETRANSFER_RECEIPT.exe	R0DJFF6DH_ETRANSFER_RECEIPT.exe
PID 2784 wrote to memory of 3472	2784	R0DJFF6DH_ETRANSFER_RECEIPT.exe	R0DJFF6DH_ETRANSFER_RECEIPT.exe
PID 2784 wrote to memory of 3472	2784	R0DJFF6DH_ETRANSFER_RECEIPT.exe	R0DJFF6DH_ETRANSFER_RECEIPT.exe
PID 2784 wrote to memory of 3472	2784	R0DJFF6DH_ETRANSFER_RECEIPT.exe	R0DJFF6DH_ETRANSFER_RECEIPT.exe
PID 2784 wrote to memory of 3472	2784	R0DJFF6DH_ETRANSFER_RECEIPT.exe	R0DJFF6DH_ETRANSFER_RECEIPT.exe
PID 2784 wrote to memory of 3472	2784	R0DJFF6DH_ETRANSFER_RECEIPT.exe	R0DJFF6DH_ETRANSFER_RECEIPT.exe
PID 2784 wrote to memory of 3472	2784	R0DJFF6DH_ETRANSFER_RECEIPT.exe	R0DJFF6DH_ETRANSFER_RECEIPT.exe
PID 2052 wrote to memory of 4984	2052	retwvs.exe	cmd.exe
PID 2052 wrote to memory of 4984	2052	retwvs.exe	cmd.exe
PID 2052 wrote to memory of 4984	2052	retwvs.exe	cmd.exe
PID 4984 wrote to memory of 8	4984	cmd.exe	schtasks.exe
PID 4984 wrote to memory of 8	4984	cmd.exe	schtasks.exe
PID 4984 wrote to memory of 8	4984	cmd.exe	schtasks.exe
PID 2052 wrote to memory of 832	2052	retwvs.exe	cmd.exe
PID 2052 wrote to memory of 832	2052	retwvs.exe	cmd.exe
PID 2052 wrote to memory of 832	2052	retwvs.exe	cmd.exe
PID 2052 wrote to memory of 912	2052	retwvs.exe	retwvs.exe
PID 2052 wrote to memory of 912	2052	retwvs.exe	retwvs.exe
PID 2052 wrote to memory of 912	2052	retwvs.exe	retwvs.exe
PID 2052 wrote to memory of 912	2052	retwvs.exe	retwvs.exe
PID 2052 wrote to memory of 912	2052	retwvs.exe	retwvs.exe
PID 2052 wrote to memory of 912	2052	retwvs.exe	retwvs.exe
PID 2052 wrote to memory of 912	2052	retwvs.exe	retwvs.exe

C:\Users\Admin\AppData\Local\Temp\R0DJFF6DH_ETRANSFER_RECEIPT.exe
"C:\Users\Admin\AppData\Local\Temp\R0DJFF6DH_ETRANSFER_RECEIPT.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2784

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\retwvs.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1484

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\retwvs.exe'" /f
3⤵
- Creates scheduled task(s)
PID:3152

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\R0DJFF6DH_ETRANSFER_RECEIPT.exe" "C:\Users\Admin\AppData\Roaming\retwvs.exe"
2⤵
PID:4044

C:\Users\Admin\AppData\Local\Temp\R0DJFF6DH_ETRANSFER_RECEIPT.exe
"C:\Users\Admin\AppData\Local\Temp\R0DJFF6DH_ETRANSFER_RECEIPT.exe"
2⤵
PID:3472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3472 -s 188
3⤵
- Program crash
PID:1804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3472 -ip 3472
1⤵
PID:1364

C:\Users\Admin\AppData\Roaming\retwvs.exe
C:\Users\Admin\AppData\Roaming\retwvs.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2052

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\retwvs.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:4984

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\retwvs.exe'" /f
3⤵
- Creates scheduled task(s)
PID:8

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\retwvs.exe" "C:\Users\Admin\AppData\Roaming\retwvs.exe"
2⤵
PID:832

C:\Users\Admin\AppData\Roaming\retwvs.exe
"C:\Users\Admin\AppData\Roaming\retwvs.exe"
2⤵
- Executes dropped EXE
PID:912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 184
3⤵
- Program crash
PID:4264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 188
3⤵
- Program crash
PID:444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 912 -ip 912
1⤵
PID:3820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 912 -ip 912
1⤵
PID:3348

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\retwvs.exe
Filesize
294.9MB

MD5
2ae61b523b72eae34dfccaf5cd15d426

SHA1
fc4e5ab5950a5dfe8ae64a9845ba37b541e5433b

SHA256
57e86ab425f493a6e07e8563ebb200f306a03a9c0cced2ca2e0c01d08bf84239

SHA512
a785c69895a168b91758bd885a904b4adb1b758cecd796f3d3af21cf05a808813add4144123b8f8e73c7f8036ed0f73330574c21a877364951d3bf13c0ba3af2

Download Submit
C:\Users\Admin\AppData\Roaming\retwvs.exe
Filesize
300.0MB

MD5
226fb5752aa6f88a83ff3b5fd793ed3e

SHA1
e47d89197c492285ed0e21ba88d8c6dc57b53b28

SHA256
b7bc9c6c715db6abe6707205e70f685422aedf9c881beda92fff27a4fafdc4cb

SHA512
7cf758e2846db04570cb00731a629d9fe282c5fd39c3b50e2238209e2341c4aa10944ed81d9971a8db475fd421d90aaec0b59722be522706dccf482eae138156

Download Submit
C:\Users\Admin\AppData\Roaming\retwvs.exe
Filesize
76.7MB

MD5
b154a683c9792cca2f7dc67f388c79e7

SHA1
7fd2d1e39c376e59909f9414c7c806d3f5ec364e

SHA256
57d2505f7a6641304f59eec0a47e27af88ae8b4bb607b0f794399ab350d1a678

SHA512
79f272881b89a1763ed3582df8838eb2fa74749303f7e020304f601cffc388f041ca83b3642b18ecb8a85dc4583e0389571dafc2d96d64c49c213227b25f63cd

Download Submit
memory/8-142-0x0000000000000000-mapping.dmp

Download
memory/832-143-0x0000000000000000-mapping.dmp

Download
memory/912-144-0x0000000000000000-mapping.dmp

Download
memory/912-147-0x00000000007A0000-0x0000000000B84000-memory.dmp

Filesize
3.9MB

Download
memory/912-148-0x00000000007A0000-0x0000000000B84000-memory.dmp

Filesize
3.9MB

Download
memory/1484-132-0x0000000000000000-mapping.dmp

Download
memory/2784-130-0x00000000005B0000-0x0000000000744000-memory.dmp

Filesize
1.6MB

Download
memory/2784-131-0x0000000005730000-0x0000000005CD4000-memory.dmp

Filesize
5.6MB

Download
memory/3152-133-0x0000000000000000-mapping.dmp

Download
memory/3472-135-0x0000000000000000-mapping.dmp

Download
memory/3472-137-0x0000000000990000-0x0000000000D74000-memory.dmp

Filesize
3.9MB

Download
memory/3472-138-0x0000000000990000-0x0000000000D74000-memory.dmp

Filesize
3.9MB

Download
memory/4044-134-0x0000000000000000-mapping.dmp

Download
memory/4984-141-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads