Analysis
  Max time kernel:   120s
  Max time network:  125s
  Platform:          windows7_x64
  Resource:          win7-20220812-en
  Resource tags:     arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  Submitted:         30-11-2022 13:22
Static task: static1

Behavioral task: behavioral1
  Sample:   fd2d9b3b2366b8b23e0f5f6f562f972aceaa9c3f2b6e7a523e2b072a03422e79.exe
  Resource: win7-20220812-en

Behavioral task: behavioral2
  Sample:   fd2d9b3b2366b8b23e0f5f6f562f972aceaa9c3f2b6e7a523e2b072a03422e79.exe
  Resource: win10v2004-20220812-en
General
  Target:  fd2d9b3b2366b8b23e0f5f6f562f972aceaa9c3f2b6e7a523e2b072a03422e79.exe
  Size:    562KB
  MD5:     3f37a617c0ac47ca476dfc3ce9a214fd
  SHA1:    830a64c95ba3d812de2021dc1e931b76326d9b2b
  SHA256:  fd2d9b3b2366b8b23e0f5f6f562f972aceaa9c3f2b6e7a523e2b072a03422e79
  SHA512:  6898844b8fc4c28e78e490e827e7b361ab089018a77134c992d9dbbced0f9cd1da3bcf2140aa0593937a104acf01efcbb0b2613a7b2621d93f9f2a7e2983e0d0
  SSDEEP:  12288:aEBDwqBGbanzcvPvcj+h/QEUo6den53XydJCoR:LwOGtcihQEURdOFo
Malware Config
  Extracted family:  netwire
  C2:                185.84.181.94:4376
  activex_autorun:   true
  activex_key:       {FX1MI827-36FJ-SX70-S6O1-DTD67404Y543}
  copy_executable:   true
  delete_original:   true
  host_id:           Panelsan
  install_path:      %AppData%\Install\Mswords.exe
  keylogger_dir:     %AppData%\Logs\
  lock_executable:   true
  mutex:             EiFjmhwr
  offline_keylogger: true
  password:          <(/82?TM{V
  registry_autorun:  true
  startup_name:      Mswords
  use_mutex:         true
Signatures

- NetWire RAT payload (3 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/1016-62-0x0000000000400000-0x000000000042C000-memory.dmp   netwire
  behavioral1/memory/1636-82-0x0000000000400000-0x000000000042C000-memory.dmp   netwire
  behavioral1/memory/1636-88-0x0000000077270000-0x00000000773F0000-memory.dmp   netwire

- Executes dropped EXE (2 IoCs)
  pid   process
  1780  Mswords.exe
  1636  Mswords.exe

- Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
  Key created      \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FX1MI827-36FJ-SX70-S6O1-DTD67404Y543}
                   process: Mswords.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FX1MI827-36FJ-SX70-S6O1-DTD67404Y543}\StubPath = "\"C:\\Users\\Admin\\AppData\\Roaming\\Install\\Mswords.exe\""
                   process: Mswords.exe

- Loads dropped DLL (2 IoCs)
  pid   process
  1016  fd2d9b3b2366b8b23e0f5f6f562f972aceaa9c3f2b6e7a523e2b072a03422e79.exe
  1016  fd2d9b3b2366b8b23e0f5f6f562f972aceaa9c3f2b6e7a523e2b072a03422e79.exe

- Adds Run key to start application (2 TTPs, 2 IoCs)
  Key created      \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
                   process: Mswords.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mswords = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\Mswords.exe"
                   process: Mswords.exe

- Suspicious use of SetThreadContext (2 IoCs)
  description                            pid   process                                                                   target process
  PID 2020 set thread context of 1016    2020  fd2d9b3b2366b8b23e0f5f6f562f972aceaa9c3f2b6e7a523e2b072a03422e79.exe  fd2d9b3b2366b8b23e0f5f6f562f972aceaa9c3f2b6e7a523e2b072a03422e79.exe
  PID 1780 set thread context of 1636    1780  Mswords.exe                                                               Mswords.exe

- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid   process
  2020  fd2d9b3b2366b8b23e0f5f6f562f972aceaa9c3f2b6e7a523e2b072a03422e79.exe
  1780  Mswords.exe

- Suspicious use of UnmapMainImage (2 IoCs)
  pid   process
  1016  fd2d9b3b2366b8b23e0f5f6f562f972aceaa9c3f2b6e7a523e2b072a03422e79.exe
  1636  Mswords.exe

- Suspicious use of WriteProcessMemory (12 IoCs)
  description                        pid   process                                                                   target process
  PID 2020 wrote to memory of 1016   2020  fd2d9b3b2366b8b23e0f5f6f562f972aceaa9c3f2b6e7a523e2b072a03422e79.exe  fd2d9b3b2366b8b23e0f5f6f562f972aceaa9c3f2b6e7a523e2b072a03422e79.exe
  PID 2020 wrote to memory of 1016   2020  fd2d9b3b2366b8b23e0f5f6f562f972aceaa9c3f2b6e7a523e2b072a03422e79.exe  fd2d9b3b2366b8b23e0f5f6f562f972aceaa9c3f2b6e7a523e2b072a03422e79.exe
  PID 2020 wrote to memory of 1016   2020  fd2d9b3b2366b8b23e0f5f6f562f972aceaa9c3f2b6e7a523e2b072a03422e79.exe  fd2d9b3b2366b8b23e0f5f6f562f972aceaa9c3f2b6e7a523e2b072a03422e79.exe
  PID 2020 wrote to memory of 1016   2020  fd2d9b3b2366b8b23e0f5f6f562f972aceaa9c3f2b6e7a523e2b072a03422e79.exe  fd2d9b3b2366b8b23e0f5f6f562f972aceaa9c3f2b6e7a523e2b072a03422e79.exe
  PID 1016 wrote to memory of 1780   1016  fd2d9b3b2366b8b23e0f5f6f562f972aceaa9c3f2b6e7a523e2b072a03422e79.exe  Mswords.exe
  PID 1016 wrote to memory of 1780   1016  fd2d9b3b2366b8b23e0f5f6f562f972aceaa9c3f2b6e7a523e2b072a03422e79.exe  Mswords.exe
  PID 1016 wrote to memory of 1780   1016  fd2d9b3b2366b8b23e0f5f6f562f972aceaa9c3f2b6e7a523e2b072a03422e79.exe  Mswords.exe
  PID 1016 wrote to memory of 1780   1016  fd2d9b3b2366b8b23e0f5f6f562f972aceaa9c3f2b6e7a523e2b072a03422e79.exe  Mswords.exe
  PID 1780 wrote to memory of 1636   1780  Mswords.exe                                                               Mswords.exe
  PID 1780 wrote to memory of 1636   1780  Mswords.exe                                                               Mswords.exe
  PID 1780 wrote to memory of 1636   1780  Mswords.exe                                                               Mswords.exe
  PID 1780 wrote to memory of 1636   1780  Mswords.exe                                                               Mswords.exe
Processes (tree; depth shown by indentation)

1. C:\Users\Admin\AppData\Local\Temp\fd2d9b3b2366b8b23e0f5f6f562f972aceaa9c3f2b6e7a523e2b072a03422e79.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\fd2d9b3b2366b8b23e0f5f6f562f972aceaa9c3f2b6e7a523e2b072a03422e79.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\fd2d9b3b2366b8b23e0f5f6f562f972aceaa9c3f2b6e7a523e2b072a03422e79.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\fd2d9b3b2366b8b23e0f5f6f562f972aceaa9c3f2b6e7a523e2b072a03422e79.exe"
      - Loads dropped DLL
      - Suspicious use of UnmapMainImage
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Roaming\Install\Mswords.exe
         Command line: -m "C:\Users\Admin\AppData\Local\Temp\fd2d9b3b2366b8b23e0f5f6f562f972aceaa9c3f2b6e7a523e2b072a03422e79.exe"
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Roaming\Install\Mswords.exe
            Command line: m "C:\Users\Admin\AppData\Local\Temp\fd2d9b3b2366b8b23e0f5f6f562f972aceaa9c3f2b6e7a523e2b072a03422e79.exe"
            - Executes dropped EXE
            - Modifies Installed Components in the registry
            - Adds Run key to start application
            - Suspicious use of UnmapMainImage
Downloads
- C:\Users\Admin\AppData\Roaming\Install\Mswords.exe
  Filesize:  562KB
  MD5:       3f37a617c0ac47ca476dfc3ce9a214fd
  SHA1:      830a64c95ba3d812de2021dc1e931b76326d9b2b
  SHA256:    fd2d9b3b2366b8b23e0f5f6f562f972aceaa9c3f2b6e7a523e2b072a03422e79
  SHA512:    6898844b8fc4c28e78e490e827e7b361ab089018a77134c992d9dbbced0f9cd1da3bcf2140aa0593937a104acf01efcbb0b2613a7b2621d93f9f2a7e2983e0d0
- \Users\Admin\AppData\Roaming\Install\Mswords.exe
  Filesize:  562KB
  MD5:       3f37a617c0ac47ca476dfc3ce9a214fd
  SHA1:      830a64c95ba3d812de2021dc1e931b76326d9b2b
  SHA256:    fd2d9b3b2366b8b23e0f5f6f562f972aceaa9c3f2b6e7a523e2b072a03422e79
  SHA512:    6898844b8fc4c28e78e490e827e7b361ab089018a77134c992d9dbbced0f9cd1da3bcf2140aa0593937a104acf01efcbb0b2613a7b2621d93f9f2a7e2983e0d0
Memory dumps (file, size where reported)
- memory/1016-58-0x0000000000465353-mapping.dmp
- memory/1016-62-0x0000000000400000-0x000000000042C000-memory.dmp   176KB
- memory/1016-72-0x0000000077270000-0x00000000773F0000-memory.dmp   1.5MB
- memory/1636-77-0x0000000000465353-mapping.dmp
- memory/1636-82-0x0000000000400000-0x000000000042C000-memory.dmp   176KB
- memory/1636-88-0x0000000077270000-0x00000000773F0000-memory.dmp   1.5MB
- memory/1780-70-0x0000000000000000-mapping.dmp
- memory/1780-79-0x0000000077270000-0x00000000773F0000-memory.dmp   1.5MB
- memory/2020-59-0x0000000077270000-0x00000000773F0000-memory.dmp   1.5MB
- memory/2020-57-0x0000000075451000-0x0000000075453000-memory.dmp   8KB
- memory/2020-56-0x0000000000240000-0x0000000000246000-memory.dmp   24KB