netwire | dd9582b4545f6e3213f9578fa5de451932a79ab1cdcf343f5a031dda1ecfce03

General

Target

dd9582b4545f6e3213f9578fa5de451932a79ab1cdcf343f5a031dda1ecfce03.exe
Size

466KB
MD5

f69e136db9264350a915c78e9c5f4c5c
SHA1

0abcc3593f61de014239a416f65485849091a68c
SHA256

dd9582b4545f6e3213f9578fa5de451932a79ab1cdcf343f5a031dda1ecfce03
SHA512

a401b31dbbeb6de10cf6a1bddbeb758b501ab17150e6f56596cbf96ba68de33c5fb952af0287e858f8ffa5803a5de1566088919aacfa0263f52808cc3c0a4a14
SSDEEP

12288:M1dlZo5yOPPCWvwxJCpgb1ljkeJU0cq8392cgtBnLbjU9aE7ZCwY:M1dlZo5r3hXpeXH9cB9ngtlGY

Score

10^/10

netwire botnet persistence rat stealer upx

Malware Config

Signatures

NetWire RAT payload 6 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/392-71-0x0000000000400000-0x0000000001400000-memory.dmp	netwire
behavioral1/memory/392-74-0x0000000000400000-0x0000000001400000-memory.dmp	netwire
behavioral1/memory/392-75-0x0000000000402196-mapping.dmp	netwire
behavioral1/memory/392-79-0x0000000000400000-0x0000000001400000-memory.dmp	netwire
behavioral1/memory/392-80-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/392-88-0x0000000000400000-0x000000000041E000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

saa.exesaa.exe

pid process

976 saa.exe
392 saa.exe

pid	process
976	saa.exe
392	saa.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

saa.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17C8GX2F-CX25-S40Y-L4I1-7NDW4MPVQ8FP}\StubPath = "\"C:\\saa\\saa.exe\""	saa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17C8GX2F-CX25-S40Y-L4I1-7NDW4MPVQ8FP}	saa.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\saa\saa.exe	upx
\saa\saa.exe	upx
C:\saa\saa.exe	upx
behavioral1/memory/976-62-0x0000000000400000-0x0000000000519000-memory.dmp	upx
C:\saa\saa.exe	upx
C:\saa\saa.exe	upx

Loads dropped DLL 2 IoCs

Processes:

dd9582b4545f6e3213f9578fa5de451932a79ab1cdcf343f5a031dda1ecfce03.exe

pid	process
852	dd9582b4545f6e3213f9578fa5de451932a79ab1cdcf343f5a031dda1ecfce03.exe
852	dd9582b4545f6e3213f9578fa5de451932a79ab1cdcf343f5a031dda1ecfce03.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

saa.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	saa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nets = "C:\\saa\\saa.exe"	saa.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

saa.exe

description pid process target process

PID 976 set thread context of 392 976 saa.exe saa.exe
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

description	pid	process	target process
PID 976 set thread context of 392	976	saa.exe	saa.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

824 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

saa.exe

pid process

976 saa.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

saa.exeWINWORD.EXE

pid process

976 saa.exe
824 WINWORD.EXE
824 WINWORD.EXE

pid	process
824	WINWORD.EXE

pid	process
976	saa.exe

pid	process
976	saa.exe
824	WINWORD.EXE
824	WINWORD.EXE

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

dd9582b4545f6e3213f9578fa5de451932a79ab1cdcf343f5a031dda1ecfce03.exesaa.exeWINWORD.EXE

description	pid	process	target process
PID 852 wrote to memory of 976	852	dd9582b4545f6e3213f9578fa5de451932a79ab1cdcf343f5a031dda1ecfce03.exe	saa.exe
PID 852 wrote to memory of 976	852	dd9582b4545f6e3213f9578fa5de451932a79ab1cdcf343f5a031dda1ecfce03.exe	saa.exe
PID 852 wrote to memory of 976	852	dd9582b4545f6e3213f9578fa5de451932a79ab1cdcf343f5a031dda1ecfce03.exe	saa.exe
PID 852 wrote to memory of 976	852	dd9582b4545f6e3213f9578fa5de451932a79ab1cdcf343f5a031dda1ecfce03.exe	saa.exe
PID 976 wrote to memory of 392	976	saa.exe	saa.exe
PID 976 wrote to memory of 392	976	saa.exe	saa.exe
PID 976 wrote to memory of 392	976	saa.exe	saa.exe
PID 976 wrote to memory of 392	976	saa.exe	saa.exe
PID 976 wrote to memory of 392	976	saa.exe	saa.exe
PID 976 wrote to memory of 392	976	saa.exe	saa.exe
PID 976 wrote to memory of 392	976	saa.exe	saa.exe
PID 976 wrote to memory of 392	976	saa.exe	saa.exe
PID 976 wrote to memory of 392	976	saa.exe	saa.exe
PID 976 wrote to memory of 392	976	saa.exe	saa.exe
PID 852 wrote to memory of 824	852	dd9582b4545f6e3213f9578fa5de451932a79ab1cdcf343f5a031dda1ecfce03.exe	WINWORD.EXE
PID 852 wrote to memory of 824	852	dd9582b4545f6e3213f9578fa5de451932a79ab1cdcf343f5a031dda1ecfce03.exe	WINWORD.EXE
PID 852 wrote to memory of 824	852	dd9582b4545f6e3213f9578fa5de451932a79ab1cdcf343f5a031dda1ecfce03.exe	WINWORD.EXE
PID 852 wrote to memory of 824	852	dd9582b4545f6e3213f9578fa5de451932a79ab1cdcf343f5a031dda1ecfce03.exe	WINWORD.EXE
PID 824 wrote to memory of 2004	824	WINWORD.EXE	splwow64.exe
PID 824 wrote to memory of 2004	824	WINWORD.EXE	splwow64.exe
PID 824 wrote to memory of 2004	824	WINWORD.EXE	splwow64.exe
PID 824 wrote to memory of 2004	824	WINWORD.EXE	splwow64.exe

C:\Users\Admin\AppData\Local\Temp\dd9582b4545f6e3213f9578fa5de451932a79ab1cdcf343f5a031dda1ecfce03.exe
"C:\Users\Admin\AppData\Local\Temp\dd9582b4545f6e3213f9578fa5de451932a79ab1cdcf343f5a031dda1ecfce03.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:852

C:\saa\saa.exe
"C:\saa\saa.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:976

C:\saa\saa.exe
C:\saa\saa.exe
3⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
PID:392

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\saa\Document.rtf"
2⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:824

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
3⤵
PID:2004

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\saa\Document.rtf
Filesize
34KB

MD5
50bac2dd431d23253012f045b387107a

SHA1
d92a3a3bc8e15280aeab2c8980a92fbeb591efa5

SHA256
621604d0c4d547f143f0d04c79c4dcb6e40d6e6e23159903611e38e684463883

SHA512
ec5b1c6e6ef3f31ed6baadb2edc2b5a80aa2782bc1f031a95a583eff677940b73b3a97c12de21bee0c1691b1f8ae3ae9fa4fb5f0b967a8eb10d6266c65fd3890

Download Submit
C:\saa\saa.exe
Filesize
400KB

MD5
732a3bc1a91b0f0e0908a275de5cac0c

SHA1
2d747605ac08d861478a2efc0497d3d20ac49cf6

SHA256
8b2af2a3425ee5e9d24162714aece65d47008c7dd2c89b3beb41e88c8235c912

SHA512
a7e176bf92dc2572d06252e0c3165d3eebd9a8bda2afecfd491f308db54a88614b97646ad15eb9478d3312fc49e19f4badcfbac1d643e1905f2687e34c3be6f3

Download Submit
C:\saa\saa.exe
Filesize
400KB

MD5
732a3bc1a91b0f0e0908a275de5cac0c

SHA1
2d747605ac08d861478a2efc0497d3d20ac49cf6

SHA256
8b2af2a3425ee5e9d24162714aece65d47008c7dd2c89b3beb41e88c8235c912

SHA512
a7e176bf92dc2572d06252e0c3165d3eebd9a8bda2afecfd491f308db54a88614b97646ad15eb9478d3312fc49e19f4badcfbac1d643e1905f2687e34c3be6f3

Download Submit
C:\saa\saa.exe
Filesize
400KB

MD5
732a3bc1a91b0f0e0908a275de5cac0c

SHA1
2d747605ac08d861478a2efc0497d3d20ac49cf6

SHA256
8b2af2a3425ee5e9d24162714aece65d47008c7dd2c89b3beb41e88c8235c912

SHA512
a7e176bf92dc2572d06252e0c3165d3eebd9a8bda2afecfd491f308db54a88614b97646ad15eb9478d3312fc49e19f4badcfbac1d643e1905f2687e34c3be6f3

Download Submit
\saa\saa.exe
Filesize
400KB

MD5
732a3bc1a91b0f0e0908a275de5cac0c

SHA1
2d747605ac08d861478a2efc0497d3d20ac49cf6

SHA256
8b2af2a3425ee5e9d24162714aece65d47008c7dd2c89b3beb41e88c8235c912

SHA512
a7e176bf92dc2572d06252e0c3165d3eebd9a8bda2afecfd491f308db54a88614b97646ad15eb9478d3312fc49e19f4badcfbac1d643e1905f2687e34c3be6f3

Download Submit
\saa\saa.exe
Filesize
400KB

MD5
732a3bc1a91b0f0e0908a275de5cac0c

SHA1
2d747605ac08d861478a2efc0497d3d20ac49cf6

SHA256
8b2af2a3425ee5e9d24162714aece65d47008c7dd2c89b3beb41e88c8235c912

SHA512
a7e176bf92dc2572d06252e0c3165d3eebd9a8bda2afecfd491f308db54a88614b97646ad15eb9478d3312fc49e19f4badcfbac1d643e1905f2687e34c3be6f3

Download Submit
memory/392-75-0x0000000000402196-mapping.dmp

Download
memory/392-79-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/392-88-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/392-64-0x00000000001B0000-0x00000000002AA000-memory.dmp

Filesize
1000KB

Download
memory/392-66-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/392-67-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/392-69-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/392-80-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/392-71-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/392-74-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/824-83-0x000000006FBB1000-0x000000006FBB3000-memory.dmp

Filesize
8KB

Download
memory/824-93-0x0000000070B9D000-0x0000000070BA8000-memory.dmp

Filesize
44KB

Download
memory/824-81-0x0000000000000000-mapping.dmp

Download
memory/824-82-0x0000000072131000-0x0000000072134000-memory.dmp

Filesize
12KB

Download
memory/824-89-0x0000000070B9D000-0x0000000070BA8000-memory.dmp

Filesize
44KB

Download
memory/824-84-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/824-86-0x0000000070B9D000-0x0000000070BA8000-memory.dmp

Filesize
44KB

Download
memory/824-92-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/852-60-0x00000000032E0000-0x00000000033F9000-memory.dmp

Filesize
1.1MB

Download
memory/852-54-0x0000000074E41000-0x0000000074E43000-memory.dmp

Filesize
8KB

Download
memory/852-61-0x00000000032E0000-0x00000000033F9000-memory.dmp

Filesize
1.1MB

Download
memory/976-72-0x0000000000220000-0x0000000000224000-memory.dmp

Filesize
16KB

Download
memory/976-57-0x0000000000000000-mapping.dmp

Download
memory/976-62-0x0000000000400000-0x0000000000519000-memory.dmp

Filesize
1.1MB

Download
memory/2004-90-0x0000000000000000-mapping.dmp

Download
memory/2004-91-0x000007FEFB641000-0x000007FEFB643000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads