Overview

overview

10

Static

static

PO-92059.doc.exe

windows7-x64

10

PO-92059.doc.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    100s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220721-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-07-2022 07:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PO-92059.doc.exe

  • Size

    786KB

  • MD5

    432863e4c5dd350edd617bc855d336e3

  • SHA1

    f4e642e4aa55c5d9354f2a7bc96edeebb0b0dd91

  • SHA256

    d2723a5c5c192b80edf6e6ed6d033cd1f916ad9bffefed86ebd6120499c4a058

  • SHA512

    a6e2a368166214fc939e1d9053eaeeace8e0a21c418a910d6daf6f6e2aa64810740801c26cda3f2db33a37a645cfbe73b34bbff1bbc2f0fd29332e68d31ffd59

Score
10/10
netwirebotnetratstealer

Malware Config

Extracted

Family

netwire

C2

37.0.14.206:3384

Attributes
  • activex_autorun

    false

  • copy_executable

    true

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • install_path

    %AppData%\Install\Host.exe

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    true

  • offline_keylogger

    true

  • password

    Password234

  • registry_autorun

    false

  • use_mutex

    false

Signatures

  • NetWire RAT payload 3 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 32 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PO-92059.doc.exe
    "C:\Users\Admin\AppData\Local\Temp\PO-92059.doc.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3296
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\HnFFiUJK.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2204
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HnFFiUJK" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3F46.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:4524
    • C:\Users\Admin\AppData\Local\Temp\PO-92059.doc.exe
      "C:\Users\Admin\AppData\Local\Temp\PO-92059.doc.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:1320
      • C:\Users\Admin\AppData\Roaming\Install\Host.exe
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2232
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\HnFFiUJK.exe"
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3708

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    968cb9309758126772781b83adb8a28f

    SHA1

    8da30e71accf186b2ba11da1797cf67f8f78b47c

    SHA256

    92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

    SHA512

    4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    18KB

    MD5

    7bd29290ceca6e577f8c7e3a28b5a83b

    SHA1

    adeefae8292c438bd702f128ebc63d29d54b6e7e

    SHA256

    c2479d7959bfad0976384ce363568f04cd4e89195014aa358de826bd7eadab65

    SHA512

    df702f0718bc50c8d5a6eda01786522180054cea87ebaf9ebee8102c6887b1702de894576a82987b58983c485788a4d4e9c6ed380e05b3bdda9215883ab9c694

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp3F46.tmp
    Filesize

    1KB

    MD5

    f0f9daf32fba032b1ab6ab3251ab0206

    SHA1

    5fef611ef492e56fb5dd231b4df5513454af94c3

    SHA256

    deeb2f45d35ea388a0fbdcea96cc3574f7c0edd5c44bbd4278defce67fcbae3f

    SHA512

    1219396d6e8f0fe97c640c7f08bd74adb8cf93e555a2249262cfb3f495b5424ee24e095874c8549ed8a375d53e7898aceaf928230158f6c826032450e4b360df

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Install\Host.exe
    Filesize

    786KB

    MD5

    432863e4c5dd350edd617bc855d336e3

    SHA1

    f4e642e4aa55c5d9354f2a7bc96edeebb0b0dd91

    SHA256

    d2723a5c5c192b80edf6e6ed6d033cd1f916ad9bffefed86ebd6120499c4a058

    SHA512

    a6e2a368166214fc939e1d9053eaeeace8e0a21c418a910d6daf6f6e2aa64810740801c26cda3f2db33a37a645cfbe73b34bbff1bbc2f0fd29332e68d31ffd59

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Install\Host.exe
    Filesize

    786KB

    MD5

    432863e4c5dd350edd617bc855d336e3

    SHA1

    f4e642e4aa55c5d9354f2a7bc96edeebb0b0dd91

    SHA256

    d2723a5c5c192b80edf6e6ed6d033cd1f916ad9bffefed86ebd6120499c4a058

    SHA512

    a6e2a368166214fc939e1d9053eaeeace8e0a21c418a910d6daf6f6e2aa64810740801c26cda3f2db33a37a645cfbe73b34bbff1bbc2f0fd29332e68d31ffd59

    Download Submit

  • memory/1320-160-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/1320-157-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/1320-155-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/1320-154-0x0000000000000000-mapping.dmp

    Download

  • memory/2204-138-0x00000000052B0000-0x00000000052D2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2204-135-0x0000000000000000-mapping.dmp

    Download

  • memory/2204-141-0x00000000060F0000-0x000000000610E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2204-142-0x00000000066D0000-0x0000000006702000-memory.dmp

    Filesize

    200KB

    Download

  • memory/2204-143-0x000000006F520000-0x000000006F56C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2204-144-0x00000000066B0000-0x00000000066CE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2204-145-0x0000000007A50000-0x00000000080CA000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/2204-146-0x0000000007400000-0x000000000741A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2204-147-0x0000000007470000-0x000000000747A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2204-148-0x0000000007680000-0x0000000007716000-memory.dmp

    Filesize

    600KB

    Download

  • memory/2204-149-0x0000000007630000-0x000000000763E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2204-150-0x0000000007740000-0x000000000775A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2204-151-0x0000000007720000-0x0000000007728000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2204-140-0x0000000005AB0000-0x0000000005B16000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2204-139-0x0000000005A40000-0x0000000005AA6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2204-136-0x00000000011B0000-0x00000000011E6000-memory.dmp

    Filesize

    216KB

    Download

  • memory/2204-137-0x0000000005410000-0x0000000005A38000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/2232-158-0x0000000000000000-mapping.dmp

    Download

  • memory/3296-130-0x0000000000DA0000-0x0000000000E6A000-memory.dmp

    Filesize

    808KB

    Download

  • memory/3296-134-0x0000000007DA0000-0x0000000007E3C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/3296-133-0x00000000058B0000-0x00000000058BA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3296-132-0x0000000005810000-0x00000000058A2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/3296-131-0x0000000005CE0000-0x0000000006284000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3708-162-0x0000000000000000-mapping.dmp

    Download

  • memory/3708-165-0x000000006F520000-0x000000006F56C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4524-152-0x0000000000000000-mapping.dmp

    Download