Analysis
max time kernel: 145s
max time network: 166s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system
submitted: 03-10-2022 02:01
Static task: static1
Behavioral task: behavioral1
  Sample: 682e7f4053a133c8fe08dfede3962d5af96f01dff69a72ac0b0f0ba8afc57191.rtf
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 682e7f4053a133c8fe08dfede3962d5af96f01dff69a72ac0b0f0ba8afc57191.rtf
  Resource: win10v2004-20220812-en
General
Target: 682e7f4053a133c8fe08dfede3962d5af96f01dff69a72ac0b0f0ba8afc57191.rtf
Size: 1.2MB
MD5: 6e752a28a3d4f61fb158099beab88f90
SHA1: d8c18216e718401d37a81674d4f4bb95f16742c6
SHA256: 682e7f4053a133c8fe08dfede3962d5af96f01dff69a72ac0b0f0ba8afc57191
SHA512: 66bad4bab339a255cded95b6a03df4c149c486deceb23c3fd55080b16d48251bc7ad4db5e5e74c95ad46deebbdbb70fa05ee6fa26ae01e56fa9a89d9ad32e1eb
SSDEEP: 24576:ko+0Kiy8TOWMRIHjVK+v8GhCXjyx5VqJKnMbYbor+CzzGxp:x
Malware Config
Signatures
NetWire RAT payload (3 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/1396-90-0x0000000000400000-0x00000000004D6000-memory.dmp   netwire
  behavioral1/memory/1264-107-0x0000000000400000-0x00000000004D6000-memory.dmp  netwire
  behavioral1/memory/1264-108-0x0000000000400000-0x00000000004D6000-memory.dmp  netwire

Executes dropped EXE (4 IoCs)
  pid   Process
  660   spoolsv.exe
  1396  spoolsv.exe
  1100  svchost.exe
  1264  svchost.exe

Loads dropped DLL (3 IoCs)
  pid   Process
  660   spoolsv.exe
  1396  spoolsv.exe
  1396  spoolsv.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str), Process svchost.exe: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\svchost.exe"
  Key created, Process svchost.exe: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\

Suspicious use of SetThreadContext (2 IoCs)
  description                          pid   Process      procid_target
  PID 660 set thread context of 1396   660   spoolsv.exe  31
  PID 1100 set thread context of 1264  1100  svchost.exe  33

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings
  Key created, Process WINWORD.EXE: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt
  Set value (str), Process WINWORD.EXE: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"
  Set value (int), Process WINWORD.EXE: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"
  Set value (str), Process WINWORD.EXE: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"
  Set value (int), Process WINWORD.EXE: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"
  Key created, Process WINWORD.EXE: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar
  Set value (str), Process WINWORD.EXE: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"
  Key created, Process WINWORD.EXE: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote
  Key created, Process WINWORD.EXE: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel

Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  pid   Process
  1988  WINWORD.EXE

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  660   spoolsv.exe
  1100  svchost.exe

Suspicious use of SetWindowsHookEx (20 IoCs)
  pid   Process      occurrences
  1988  WINWORD.EXE  16
  660   spoolsv.exe  2
  1100  svchost.exe  2

Suspicious use of WriteProcessMemory (26 IoCs)
  description                        pid   Process      procid_target  occurrences
  PID 1988 wrote to memory of 1312   1988  WINWORD.EXE  28             4
  PID 660 wrote to memory of 1396    660   spoolsv.exe  31             9
  PID 1396 wrote to memory of 1100   1396  spoolsv.exe  32             4
  PID 1100 wrote to memory of 1264   1100  svchost.exe  33             9
Processes
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\682e7f4053a133c8fe08dfede3962d5af96f01dff69a72ac0b0f0ba8afc57191.rtf"
  PID: 1988
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\splwow64.exe
    Command line: C:\Windows\splwow64.exe 12288
    PID: 1312
- C:\Users\Admin\AppData\Local\Microsoft\Windows\spoolsv.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\..\Microsoft\Windows\spoolsv.exe
  PID: 660
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Microsoft\Windows\spoolsv.exe
    Command line: C:\Users\Admin\AppData\Local\Microsoft\Windows\spoolsv.exe
    PID: 1396
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Install\svchost.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Install\svchost.exe" -m C:\Users\Admin\AppData\Local\Microsoft\Windows\spoolsv.exe
      PID: 1100
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\Install\svchost.exe
        Command line: C:\Users\Admin\AppData\Roaming\Install\svchost.exe
        PID: 1264
        - Executes dropped EXE
        - Adds Run key to start application
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 376KB
  MD5: cf826a47f5f402a2b37884ee0a99a7d4
  SHA1: ece848503b24f6c365044a406b917f8e87131445
  SHA256: 3f115ff4f7372b1371bcc4bf1f6d167a6755a4610165b8c4eefce110c7df66c3
  SHA512: 9974d53496124d3e1a709147612263e9555c40f5aee1809d08beba2fdfd2bfdd0f8336c4b829e0fb170edcb8dbd0321c2c86d94272c947f072cc87d07d77d2f0