Overview

overview

10

Static

static

1

TEKLİF İ...MU.rtf

windows7-x64

10

TEKLİF İ...MU.rtf

windows10-2004-x64

1

Analysis

  • max time kernel
    119s
  • max time network
    133s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    22-02-2023 10:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    TEKLİF İSTEME FORMU.rtf

  • Size

    37KB

  • MD5

    ac61d636809fd4617b6fa6b5a099a38c

  • SHA1

    9e3bb29de5667a90fe0df822ec27a0f4a6a012ed

  • SHA256

    1fd6569eae2820afd99e6ba741c6f4c69f61004e617e9e0cccf54c4df93d6865

  • SHA512

    1a18206c3b417993381c7b8bc8b4fe538022744c2890fb247c6c56b1726d22d8ec0f170197b4c925bd84ab507277067e95bae1b6403f5f371f8b9508f80c471a

  • SSDEEP

    768:xFx0XaIsnPRIa4fwJMcfBPts3AjTySc2sj345ddMu8pcn:xf0Xvx3EMcfBPtmAwboY96n

Score
10/10
netwirebotnetpersistenceratstealer

Malware Config

Extracted

Family

netwire

C2

zekeriyasolek44.duckdns.org:3102

Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    Valentine End

  • install_path

    %Windows%\Windows DataPoint\Windows Data Start.exe

  • lock_executable

    false

  • mutex

    Windows

  • offline_keylogger

    false

  • password

    Password

  • registry_autorun

    false

  • use_mutex

    false

Signatures

  • NetWire RAT payload 14 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Office loads VBA resources, possible macro or embedded object present
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

    exploit
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\TEKLİF İSTEME FORMU.rtf"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1352
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1000
    • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      1⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Launches Equation Editor
      • Suspicious use of WriteProcessMemory
      PID:1768
      • C:\Users\Admin\AppData\Roaming\chungd48628.exe
        "C:\Users\Admin\AppData\Roaming\chungd48628.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:856
        • C:\Users\Admin\AppData\Roaming\chungd48628.exe
          "C:\Users\Admin\AppData\Roaming\chungd48628.exe"
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • Suspicious use of WriteProcessMemory
          PID:1968
          • C:\Windows\SysWOW64\%Windows\Windows DataPoint\Windows Data Start.exe
            "C:\Windows\System32\%Windows\Windows DataPoint\Windows Data Start.exe" -m "C:\Users\Admin\AppData\Roaming\chungd48628.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:1616
            • C:\Windows\SysWOW64\%Windows\Windows DataPoint\Windows Data Start.exe
              "C:\Windows\SysWOW64\%Windows\Windows DataPoint\Windows Data Start.exe"
              5⤵
              • Executes dropped EXE
              • Adds Run key to start application
              • Drops file in System32 directory
              PID:268

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Exploitation for Client Execution

    1
    T1203

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    2
    T1112

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
      Filesize

      20KB

      MD5

      25e5ddb1345a59296db101e599302b1d

      SHA1

      e568fb7a3a65aa864c0ec38b26592e5443da8574

      SHA256

      f990befba812f35c800a090283ad497665d51151f7944a4edadfed15c06bebcb

      SHA512

      a2f69dd00d35b0cf8ef88fa5cda5685fa3a5a744cdd20c5602e8cf0b5973c700eebf70b93f8c46a6f050ea1e99291a7ffc46ff8796df3a6245d384b5fa806cee

      Download Submit
    • C:\Users\Admin\AppData\Roaming\chungd48628.exe
      Filesize

      1.0MB

      MD5

      9e3dac5c792d10815c94ae9474c93aa8

      SHA1

      da3ffcfa7c41e842ea80548105fac93252149550

      SHA256

      e9b94cae938b5549cc9645b0e15337bc0ff894b9413305351937cf7831347d85

      SHA512

      69fe825e8c41cdc852407eb2d396344341ceeabcec2edb0bebe269245ca305796975a88d81d557b5cde3fe84c235fb4c26bbad60541b19709ede1240387c956b

      Download Submit
    • C:\Users\Admin\AppData\Roaming\chungd48628.exe
      Filesize

      1.0MB

      MD5

      9e3dac5c792d10815c94ae9474c93aa8

      SHA1

      da3ffcfa7c41e842ea80548105fac93252149550

      SHA256

      e9b94cae938b5549cc9645b0e15337bc0ff894b9413305351937cf7831347d85

      SHA512

      69fe825e8c41cdc852407eb2d396344341ceeabcec2edb0bebe269245ca305796975a88d81d557b5cde3fe84c235fb4c26bbad60541b19709ede1240387c956b

      Download Submit
    • C:\Users\Admin\AppData\Roaming\chungd48628.exe
      Filesize

      1.0MB

      MD5

      9e3dac5c792d10815c94ae9474c93aa8

      SHA1

      da3ffcfa7c41e842ea80548105fac93252149550

      SHA256

      e9b94cae938b5549cc9645b0e15337bc0ff894b9413305351937cf7831347d85

      SHA512

      69fe825e8c41cdc852407eb2d396344341ceeabcec2edb0bebe269245ca305796975a88d81d557b5cde3fe84c235fb4c26bbad60541b19709ede1240387c956b

      Download Submit
    • C:\Users\Admin\AppData\Roaming\chungd48628.exe
      Filesize

      1.0MB

      MD5

      9e3dac5c792d10815c94ae9474c93aa8

      SHA1

      da3ffcfa7c41e842ea80548105fac93252149550

      SHA256

      e9b94cae938b5549cc9645b0e15337bc0ff894b9413305351937cf7831347d85

      SHA512

      69fe825e8c41cdc852407eb2d396344341ceeabcec2edb0bebe269245ca305796975a88d81d557b5cde3fe84c235fb4c26bbad60541b19709ede1240387c956b

      Download Submit
    • C:\Windows\SysWOW64\%Windows\Windows DataPoint\Windows Data Start.exe
      Filesize

      1.0MB

      MD5

      9e3dac5c792d10815c94ae9474c93aa8

      SHA1

      da3ffcfa7c41e842ea80548105fac93252149550

      SHA256

      e9b94cae938b5549cc9645b0e15337bc0ff894b9413305351937cf7831347d85

      SHA512

      69fe825e8c41cdc852407eb2d396344341ceeabcec2edb0bebe269245ca305796975a88d81d557b5cde3fe84c235fb4c26bbad60541b19709ede1240387c956b

      Download Submit
    • C:\Windows\SysWOW64\%Windows\Windows DataPoint\Windows Data Start.exe
      Filesize

      1.0MB

      MD5

      9e3dac5c792d10815c94ae9474c93aa8

      SHA1

      da3ffcfa7c41e842ea80548105fac93252149550

      SHA256

      e9b94cae938b5549cc9645b0e15337bc0ff894b9413305351937cf7831347d85

      SHA512

      69fe825e8c41cdc852407eb2d396344341ceeabcec2edb0bebe269245ca305796975a88d81d557b5cde3fe84c235fb4c26bbad60541b19709ede1240387c956b

      Download Submit
    • C:\Windows\SysWOW64\%Windows\Windows DataPoint\Windows Data Start.exe
      Filesize

      1.0MB

      MD5

      9e3dac5c792d10815c94ae9474c93aa8

      SHA1

      da3ffcfa7c41e842ea80548105fac93252149550

      SHA256

      e9b94cae938b5549cc9645b0e15337bc0ff894b9413305351937cf7831347d85

      SHA512

      69fe825e8c41cdc852407eb2d396344341ceeabcec2edb0bebe269245ca305796975a88d81d557b5cde3fe84c235fb4c26bbad60541b19709ede1240387c956b

      Download Submit
    • \Users\Admin\AppData\Roaming\chungd48628.exe
      Filesize

      1.0MB

      MD5

      9e3dac5c792d10815c94ae9474c93aa8

      SHA1

      da3ffcfa7c41e842ea80548105fac93252149550

      SHA256

      e9b94cae938b5549cc9645b0e15337bc0ff894b9413305351937cf7831347d85

      SHA512

      69fe825e8c41cdc852407eb2d396344341ceeabcec2edb0bebe269245ca305796975a88d81d557b5cde3fe84c235fb4c26bbad60541b19709ede1240387c956b

      Download Submit
    • \Windows\SysWOW64\%Windows\Windows DataPoint\Windows Data Start.exe
      Filesize

      1.0MB

      MD5

      9e3dac5c792d10815c94ae9474c93aa8

      SHA1

      da3ffcfa7c41e842ea80548105fac93252149550

      SHA256

      e9b94cae938b5549cc9645b0e15337bc0ff894b9413305351937cf7831347d85

      SHA512

      69fe825e8c41cdc852407eb2d396344341ceeabcec2edb0bebe269245ca305796975a88d81d557b5cde3fe84c235fb4c26bbad60541b19709ede1240387c956b

      Download Submit
    • memory/268-135-0x0000000000400000-0x000000000044F000-memory.dmp
      Filesize

      316KB

      Download
    • memory/268-134-0x0000000000400000-0x000000000044F000-memory.dmp
      Filesize

      316KB

      Download
    • memory/268-133-0x0000000000400000-0x000000000044F000-memory.dmp
      Filesize

      316KB

      Download
    • memory/268-136-0x0000000000400000-0x000000000044F000-memory.dmp
      Filesize

      316KB

      Download
    • memory/268-114-0x0000000000400000-0x000000000044F000-memory.dmp
      Filesize

      316KB

      Download
    • memory/268-113-0x0000000000400000-0x000000000044F000-memory.dmp
      Filesize

      316KB

      Download
    • memory/268-109-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
      Filesize

      4KB

      Download
    • memory/856-77-0x0000000007F20000-0x0000000007FF2000-memory.dmp
      Filesize

      840KB

      Download
    • memory/856-78-0x00000000043C0000-0x000000000440C000-memory.dmp
      Filesize

      304KB

      Download
    • memory/856-67-0x0000000000DA0000-0x0000000000EB2000-memory.dmp
      Filesize

      1.1MB

      Download
    • memory/856-72-0x0000000000D40000-0x0000000000D80000-memory.dmp
      Filesize

      256KB

      Download
    • memory/856-73-0x0000000000750000-0x0000000000764000-memory.dmp
      Filesize

      80KB

      Download
    • memory/856-74-0x0000000000D40000-0x0000000000D80000-memory.dmp
      Filesize

      256KB

      Download
    • memory/856-76-0x0000000000780000-0x000000000078C000-memory.dmp
      Filesize

      48KB

      Download
    • memory/1352-132-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1352-54-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1616-99-0x0000000000B80000-0x0000000000C92000-memory.dmp
      Filesize

      1.1MB

      Download
    • memory/1616-102-0x0000000002420000-0x0000000002460000-memory.dmp
      Filesize

      256KB

      Download
    • memory/1616-100-0x0000000000250000-0x0000000000264000-memory.dmp
      Filesize

      80KB

      Download
    • memory/1616-101-0x0000000002420000-0x0000000002460000-memory.dmp
      Filesize

      256KB

      Download
    • memory/1968-81-0x0000000000400000-0x000000000044F000-memory.dmp
      Filesize

      316KB

      Download
    • memory/1968-80-0x0000000000400000-0x000000000044F000-memory.dmp
      Filesize

      316KB

      Download
    • memory/1968-79-0x0000000000400000-0x000000000044F000-memory.dmp
      Filesize

      316KB

      Download
    • memory/1968-85-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1968-97-0x0000000000400000-0x000000000044F000-memory.dmp
      Filesize

      316KB

      Download
    • memory/1968-82-0x0000000000400000-0x000000000044F000-memory.dmp
      Filesize

      316KB

      Download
    • memory/1968-83-0x0000000000400000-0x000000000044F000-memory.dmp
      Filesize

      316KB

      Download
    • memory/1968-91-0x0000000000400000-0x000000000044F000-memory.dmp
      Filesize

      316KB

      Download
    • memory/1968-89-0x0000000000400000-0x000000000044F000-memory.dmp
      Filesize

      316KB

      Download
    • memory/1968-84-0x0000000000400000-0x000000000044F000-memory.dmp
      Filesize

      316KB

      Download
    • memory/1968-86-0x0000000000400000-0x000000000044F000-memory.dmp
      Filesize

      316KB

      Download