Overview

overview

10

Static

static

PO-92059.doc.exe

windows7-x64

10

PO-92059.doc.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220721-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-07-2022 14:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PO-92059.doc.exe

  • Size

    675KB

  • MD5

    5d7895b3ede1833a79a5c4fc7dc0455c

  • SHA1

    714ce92fce404b32345b06e1d0fbbfaff30eaa62

  • SHA256

    7d43cddf5679f4233ebf701f89050ec267f892165a4c34084ad65963af7ebc36

  • SHA512

    6f0a9c1cb2d74436ebde9b2c1068902bb9e0a943fc59f788f3c9e37e037b6dd9c0e5e86f2aa3d9c67e9740e7012f42c96d04ba0f2c3ac69a1c1c106db4fbe26d

Score
10/10
netwirebotnetratstealer

Malware Config

Extracted

Family

netwire

C2

37.0.14.206:3384

Attributes
  • activex_autorun

    false

  • copy_executable

    true

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • install_path

    %AppData%\Install\Host.exe

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    true

  • offline_keylogger

    true

  • password

    Password234

  • registry_autorun

    false

  • use_mutex

    false

Signatures

  • NetWire RAT payload 5 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Executes dropped EXE 3 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 49 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PO-92059.doc.exe
    "C:\Users\Admin\AppData\Local\Temp\PO-92059.doc.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:404
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\JzSLOgzqANjJNq.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4252
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JzSLOgzqANjJNq" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2868.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:4332
    • C:\Users\Admin\AppData\Local\Temp\PO-92059.doc.exe
      "C:\Users\Admin\AppData\Local\Temp\PO-92059.doc.exe"
      2⤵
        PID:644
      • C:\Users\Admin\AppData\Local\Temp\PO-92059.doc.exe
        "C:\Users\Admin\AppData\Local\Temp\PO-92059.doc.exe"
        2⤵
          PID:3388
        • C:\Users\Admin\AppData\Local\Temp\PO-92059.doc.exe
          "C:\Users\Admin\AppData\Local\Temp\PO-92059.doc.exe"
          2⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:4344
          • C:\Users\Admin\AppData\Roaming\Install\Host.exe
            "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
            3⤵
            • Executes dropped EXE
            • Checks computer location settings
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1284
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\JzSLOgzqANjJNq.exe"
              4⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3696
            • C:\Windows\SysWOW64\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JzSLOgzqANjJNq" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE1D4.tmp"
              4⤵
              • Creates scheduled task(s)
              PID:4688
            • C:\Users\Admin\AppData\Roaming\Install\Host.exe
              "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
              4⤵
              • Executes dropped EXE
              PID:4140
            • C:\Users\Admin\AppData\Roaming\Install\Host.exe
              "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
              4⤵
              • Executes dropped EXE
              PID:1364
        • C:\Users\Admin\AppData\Local\Temp\PO-92059.doc.exe
          "C:\Users\Admin\AppData\Local\Temp\PO-92059.doc.exe"
          2⤵
            PID:4424

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
          Filesize

          2KB

          MD5

          968cb9309758126772781b83adb8a28f

          SHA1

          8da30e71accf186b2ba11da1797cf67f8f78b47c

          SHA256

          92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

          SHA512

          4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          18KB

          MD5

          e239d4d164813dc405abaa046a9da157

          SHA1

          3c4a57a337ba6c7f0be06596a772942e76fd3f7d

          SHA256

          5b80acb79d7ce34af307f39e638de5c6200defaa99209947d65590686768b94b

          SHA512

          924e400ad22da10f9f0052a64c1342294def546336f0b603ae836130b2f9b84c0ee09c6986d4e5f9b96cc0976df140dc2efee72d58bd8612fe4614dcfeac2533

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\tmp2868.tmp
          Filesize

          1KB

          MD5

          e6f1a2dd27301fccd0d00697220003b6

          SHA1

          a5cbbd8ae91d34b9b0d8c9c5be21d8d20ac9cb9d

          SHA256

          78bcec8fa9c0fe58057b81d801e2e97fd5f87679c5a415b1b7b2d42db59a7a23

          SHA512

          4665ba71912135c79f9dc985664eed4dc57c9d5a30aad6c22fb831af50af414a9b159fbb79de9ae92a1ccec05eb90ecba4107da1f4d68c23a8b435ac95724ced

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\tmpE1D4.tmp
          Filesize

          1KB

          MD5

          e6f1a2dd27301fccd0d00697220003b6

          SHA1

          a5cbbd8ae91d34b9b0d8c9c5be21d8d20ac9cb9d

          SHA256

          78bcec8fa9c0fe58057b81d801e2e97fd5f87679c5a415b1b7b2d42db59a7a23

          SHA512

          4665ba71912135c79f9dc985664eed4dc57c9d5a30aad6c22fb831af50af414a9b159fbb79de9ae92a1ccec05eb90ecba4107da1f4d68c23a8b435ac95724ced

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Install\Host.exe
          Filesize

          675KB

          MD5

          5d7895b3ede1833a79a5c4fc7dc0455c

          SHA1

          714ce92fce404b32345b06e1d0fbbfaff30eaa62

          SHA256

          7d43cddf5679f4233ebf701f89050ec267f892165a4c34084ad65963af7ebc36

          SHA512

          6f0a9c1cb2d74436ebde9b2c1068902bb9e0a943fc59f788f3c9e37e037b6dd9c0e5e86f2aa3d9c67e9740e7012f42c96d04ba0f2c3ac69a1c1c106db4fbe26d

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Install\Host.exe
          Filesize

          675KB

          MD5

          5d7895b3ede1833a79a5c4fc7dc0455c

          SHA1

          714ce92fce404b32345b06e1d0fbbfaff30eaa62

          SHA256

          7d43cddf5679f4233ebf701f89050ec267f892165a4c34084ad65963af7ebc36

          SHA512

          6f0a9c1cb2d74436ebde9b2c1068902bb9e0a943fc59f788f3c9e37e037b6dd9c0e5e86f2aa3d9c67e9740e7012f42c96d04ba0f2c3ac69a1c1c106db4fbe26d

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Install\Host.exe
          Filesize

          675KB

          MD5

          5d7895b3ede1833a79a5c4fc7dc0455c

          SHA1

          714ce92fce404b32345b06e1d0fbbfaff30eaa62

          SHA256

          7d43cddf5679f4233ebf701f89050ec267f892165a4c34084ad65963af7ebc36

          SHA512

          6f0a9c1cb2d74436ebde9b2c1068902bb9e0a943fc59f788f3c9e37e037b6dd9c0e5e86f2aa3d9c67e9740e7012f42c96d04ba0f2c3ac69a1c1c106db4fbe26d

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Install\Host.exe
          Filesize

          675KB

          MD5

          5d7895b3ede1833a79a5c4fc7dc0455c

          SHA1

          714ce92fce404b32345b06e1d0fbbfaff30eaa62

          SHA256

          7d43cddf5679f4233ebf701f89050ec267f892165a4c34084ad65963af7ebc36

          SHA512

          6f0a9c1cb2d74436ebde9b2c1068902bb9e0a943fc59f788f3c9e37e037b6dd9c0e5e86f2aa3d9c67e9740e7012f42c96d04ba0f2c3ac69a1c1c106db4fbe26d

          Download Submit

        • memory/404-133-0x0000000005180000-0x000000000518A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/404-130-0x0000000000750000-0x0000000000800000-memory.dmp

          Filesize

          704KB

          Download

        • memory/404-134-0x0000000005430000-0x00000000054CC000-memory.dmp

          Filesize

          624KB

          Download

        • memory/404-132-0x00000000051A0000-0x0000000005232000-memory.dmp

          Filesize

          584KB

          Download

        • memory/404-131-0x0000000005750000-0x0000000005CF4000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/644-139-0x0000000000000000-mapping.dmp

          Download

        • memory/1284-150-0x0000000000000000-mapping.dmp

          Download

        • memory/1364-175-0x0000000000400000-0x0000000000433000-memory.dmp

          Filesize

          204KB

          Download

        • memory/1364-171-0x0000000000000000-mapping.dmp

          Download

        • memory/1364-178-0x0000000000400000-0x0000000000433000-memory.dmp

          Filesize

          204KB

          Download

        • memory/3388-142-0x0000000000000000-mapping.dmp

          Download

        • memory/3696-165-0x0000000000000000-mapping.dmp

          Download

        • memory/3696-177-0x0000000071B50000-0x0000000071B9C000-memory.dmp

          Filesize

          304KB

          Download

        • memory/4140-169-0x0000000000000000-mapping.dmp

          Download

        • memory/4252-164-0x0000000007A60000-0x0000000007A68000-memory.dmp

          Filesize

          32KB

          Download

        • memory/4252-162-0x0000000007970000-0x000000000797E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/4252-155-0x0000000007610000-0x0000000007642000-memory.dmp

          Filesize

          200KB

          Download

        • memory/4252-156-0x0000000072A20000-0x0000000072A6C000-memory.dmp

          Filesize

          304KB

          Download

        • memory/4252-157-0x00000000069F0000-0x0000000006A0E000-memory.dmp

          Filesize

          120KB

          Download

        • memory/4252-158-0x0000000007D80000-0x00000000083FA000-memory.dmp

          Filesize

          6.5MB

          Download

        • memory/4252-159-0x0000000007740000-0x000000000775A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/4252-160-0x00000000077B0000-0x00000000077BA000-memory.dmp

          Filesize

          40KB

          Download

        • memory/4252-161-0x00000000079C0000-0x0000000007A56000-memory.dmp

          Filesize

          600KB

          Download

        • memory/4252-140-0x0000000005640000-0x0000000005C68000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/4252-163-0x0000000007A80000-0x0000000007A9A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/4252-154-0x0000000006440000-0x000000000645E000-memory.dmp

          Filesize

          120KB

          Download

        • memory/4252-149-0x0000000005DE0000-0x0000000005E46000-memory.dmp

          Filesize

          408KB

          Download

        • memory/4252-135-0x0000000000000000-mapping.dmp

          Download

        • memory/4252-148-0x0000000005D70000-0x0000000005DD6000-memory.dmp

          Filesize

          408KB

          Download

        • memory/4252-147-0x0000000005360000-0x0000000005382000-memory.dmp

          Filesize

          136KB

          Download

        • memory/4252-137-0x0000000004E70000-0x0000000004EA6000-memory.dmp

          Filesize

          216KB

          Download

        • memory/4332-136-0x0000000000000000-mapping.dmp

          Download

        • memory/4344-153-0x0000000000400000-0x0000000000433000-memory.dmp

          Filesize

          204KB

          Download

        • memory/4344-143-0x0000000000000000-mapping.dmp

          Download

        • memory/4344-144-0x0000000000400000-0x0000000000433000-memory.dmp

          Filesize

          204KB

          Download

        • memory/4344-146-0x0000000000400000-0x0000000000433000-memory.dmp

          Filesize

          204KB

          Download

        • memory/4424-141-0x0000000000000000-mapping.dmp

          Download

        • memory/4688-166-0x0000000000000000-mapping.dmp

          Download