0d6e873aa8faee0a896e6ac7679a216585933bc29bdd2c1bc006ce56a6e86818

Analysis

max time kernel
127s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
03-03-2024 01:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RAT/NetWire.doc
Size

7.3MB
MD5

6b23cce75ff84aaa6216e90b6ce6a5f3
SHA1

e6cc0ef23044de9b1f96b67699c55232aea67f7d
SHA256

9105005851fbf7a7d757109cf697237c0766e6948c7d88089ac6cf25fe1e9b15
SHA512

4d0705644ade8e8a215cc3190717850d88f4d532ac875e504cb59b7e5c6dd3ffae69ea946e2208e2286e2f7168709850b7b6e3b6d0572de40cfe442d96bba125
SSDEEP

49152:GI3M51kvB7YHve+tPHAUpS60t4+6mEuKsXtz5LlqCO4n44m4uXkyNR4Ss3NZx:GuMPkvdYbgUpShGmZfXZZ1O7NRzG

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

Processes:

WINWORD.EXE

pid process

924 WINWORD.EXE
Drops file in Windows directory 2 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\_CutButterball WINWORD.EXE
File opened for modification C:\Windows\BreakTart WINWORD.EXE

pid	process
924	WINWORD.EXE

description	ioc	process
File opened for modification	C:\Windows\_CutButterball	WINWORD.EXE
File opened for modification	C:\Windows\BreakTart	WINWORD.EXE

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

924 WINWORD.EXE
924 WINWORD.EXE
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

WINWORD.EXE

pid process

924 WINWORD.EXE
924 WINWORD.EXE
924 WINWORD.EXE
924 WINWORD.EXE

pid	process
924	WINWORD.EXE
924	WINWORD.EXE

pid	process
924	WINWORD.EXE
924	WINWORD.EXE
924	WINWORD.EXE
924	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\RAT\NetWire.doc" /o ""
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ands.dll

Filesize
30KB

MD5
d4a7e2883571bd5aadc8c42e7dde6288

SHA1
90d06ccbcfa36ed581a9a9af5f3581dc36387746

SHA256
787b25dc26dc474d9a6a8afe13c20ec3db2d204b390c399029c92da3dbbbdd40

SHA512
a204f3be5a0a95c3b6126473b6079965386c4a66d59bc0bbb40772141b65775d7db60b01caced38796c66d2bf7a6d23e8dd4970d7a9a5d40901ac19477d25714

Download Submit
C:\Windows\BreakTart

Filesize
47B

MD5
081c6d16a42da543e053d56b41e011a4

SHA1
7c3b4b079e17988aef2deb73150dda9f8b393fdc

SHA256
7a4a7fc464c0e33f4959bbfad178f2437be9759ec80078a1b5b2f44656830396

SHA512
5a65a2b81c0d001be174a100363adae86bdc9af02360fbd2c87ebdb45d62833104e4cca90473f1156792473af5922e947677585c55052a99868e6a395aa457ff

Download Submit
C:\Windows\_CutButterball

Filesize
86KB

MD5
e2081c430fef2da05d1387de3ebc9b54

SHA1
a762a665baea2d8504f06cea389bddd0467bcb42

SHA256
abd519e37c39271f70bbd4746e9d69f3de62582407f52385bc14173dec2cd415

SHA512
68103c244065719b4be54fb6787d09dc523e50bf2f9fa9b6303f060819e326f73f521d8750479f4cf73b593812b7a19c7df77f4a5530e97167f0a5e583a06671

Download Submit
C:\Windows\_CutButterball

Filesize
86KB

MD5
c50b514354778ebc7519ee6fca572710

SHA1
b9c6a9e79f6eeba731a25af9da11987584e121d0

SHA256
45a32381182fe57be78f5fb3fe126b8d908312ee6b70708f829c0c38eee900b8

SHA512
a434f19933cfcc3b374ac73c1a27b46dd6ec6b542db161969385298dfda9d1dcb5012ad6b2481385dc3ac8309cdf9ec53ea2847d69c02fb9e7e8cad879b60cc7

Download Submit
C:\Windows\_CutButterball

Filesize
87KB

MD5
973a56bb790c42ce7473bd66a9020041

SHA1
ea70004504af20b1fd25aa3c62119ac633c6de3c

SHA256
bfcd7761b67fab073ba42c895c854784475bf6a481c63f20341b71f5bf5132b1

SHA512
14935dd08096300d8de1c3b71a14d1da78a1729ae2d6628963b561187ae0fb90083f413f31c91d931e9d4edc03a8ef59d667155a9a6d7441bd6d475ef938c759

Download Submit
C:\Windows\_CutButterball

Filesize
90KB

MD5
7e1baa70cf37af3d86f8b7ec209eaa7e

SHA1
bff1e41ddaf1267483d3aa8ca8b9c9772870725e

SHA256
97a41e6b17e0f93cf18f787b69ef0c5ec41741d97c23c5a0ec6ad8a8383cea9f

SHA512
168b5226b39890661c9ae7fe7f988457db3b1b5ada017607a00b1c49e44eb5b900fec6e1a25d3a6bc30a2f2fdcc86f666c0a39587261dcf12e848dcf1b028448

Download Submit
C:\Windows\_CutButterball

Filesize
1KB

MD5
5bace82ad1ebced7e564cb66b047f62d

SHA1
7c808c9a85faf0ed2c73f79a36b0af63046328dd

SHA256
72df2005d5b9ea6bb0c16f6173ddc963fd471ccd497a6a3c1e89ea514fa8a3b3

SHA512
bc63d1a8ac08f4703eb573834091359f44868bd34871455602faa1dee2a02852f171ec56f6d03e3860f0149a4c0ddb7d9fd70967c1c54496e783c7c358da3f29

Download Submit
C:\Windows\_CutButterball

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\_CutButterball

Filesize
7KB

MD5
64df4ac0f1597bc9c2f61ea1ac222e60

SHA1
a4506f879d2c1647c5f22560c2d9d98b3e3474dd

SHA256
c8c21929f2ac0c07cb3997766889dd73517a6ed1de8b91863e6f90dbd2628270

SHA512
27a56065f3d1eecb4429ef3c8118a304bc55b286214d78f8b6c7f228143c727bfe4bb86dbbe339d62745d68bf2d767fc6a984b7d42aa1080340c33c632b27f77

Download Submit
memory/924-21-0x00007FFCC7E10000-0x00007FFCC8005000-memory.dmp

Filesize
2.0MB

Download
memory/924-54-0x00007FFCC7E10000-0x00007FFCC8005000-memory.dmp

Filesize
2.0MB

Download
memory/924-5-0x00007FFC87E90000-0x00007FFC87EA0000-memory.dmp

Filesize
64KB

Download
memory/924-7-0x00007FFCC7E10000-0x00007FFCC8005000-memory.dmp

Filesize
2.0MB

Download
memory/924-8-0x00007FFCC7E10000-0x00007FFCC8005000-memory.dmp

Filesize
2.0MB

Download
memory/924-9-0x00007FFCC7E10000-0x00007FFCC8005000-memory.dmp

Filesize
2.0MB

Download
memory/924-10-0x00007FFCC7E10000-0x00007FFCC8005000-memory.dmp

Filesize
2.0MB

Download
memory/924-12-0x00007FFCC7E10000-0x00007FFCC8005000-memory.dmp

Filesize
2.0MB

Download
memory/924-13-0x00007FFCC7E10000-0x00007FFCC8005000-memory.dmp

Filesize
2.0MB

Download
memory/924-14-0x00007FFCC7E10000-0x00007FFCC8005000-memory.dmp

Filesize
2.0MB

Download
memory/924-11-0x00007FFC859B0000-0x00007FFC859C0000-memory.dmp

Filesize
64KB

Download
memory/924-15-0x00007FFCC7E10000-0x00007FFCC8005000-memory.dmp

Filesize
2.0MB

Download
memory/924-16-0x00007FFCC7E10000-0x00007FFCC8005000-memory.dmp

Filesize
2.0MB

Download
memory/924-18-0x00007FFCC7E10000-0x00007FFCC8005000-memory.dmp

Filesize
2.0MB

Download
memory/924-17-0x00007FFC859B0000-0x00007FFC859C0000-memory.dmp

Filesize
64KB

Download
memory/924-20-0x00007FFCC7E10000-0x00007FFCC8005000-memory.dmp

Filesize
2.0MB

Download
memory/924-19-0x00007FFCC7E10000-0x00007FFCC8005000-memory.dmp

Filesize
2.0MB

Download
memory/924-4-0x00007FFCC7E10000-0x00007FFCC8005000-memory.dmp

Filesize
2.0MB

Download
memory/924-44-0x000001EABDCD0000-0x000001EABECA0000-memory.dmp

Filesize
15.8MB

Download
memory/924-45-0x000001EABDCD0000-0x000001EABECA0000-memory.dmp

Filesize
15.8MB

Download
memory/924-46-0x000001EABDCD0000-0x000001EABECA0000-memory.dmp

Filesize
15.8MB

Download
memory/924-47-0x000001EABDCD0000-0x000001EABECA0000-memory.dmp

Filesize
15.8MB

Download
memory/924-53-0x00007FFCC7E10000-0x00007FFCC8005000-memory.dmp

Filesize
2.0MB

Download
memory/924-6-0x00007FFC87E90000-0x00007FFC87EA0000-memory.dmp

Filesize
64KB

Download
memory/924-55-0x00007FFCC7E10000-0x00007FFCC8005000-memory.dmp

Filesize
2.0MB

Download
memory/924-56-0x00007FFCC7E10000-0x00007FFCC8005000-memory.dmp

Filesize
2.0MB

Download
memory/924-57-0x00007FFCC7E10000-0x00007FFCC8005000-memory.dmp

Filesize
2.0MB

Download
memory/924-58-0x00007FFCC7E10000-0x00007FFCC8005000-memory.dmp

Filesize
2.0MB

Download
memory/924-59-0x00007FFCC7E10000-0x00007FFCC8005000-memory.dmp

Filesize
2.0MB

Download
memory/924-60-0x00007FFCC7E10000-0x00007FFCC8005000-memory.dmp

Filesize
2.0MB

Download
memory/924-61-0x00007FFCC7E10000-0x00007FFCC8005000-memory.dmp

Filesize
2.0MB

Download
memory/924-62-0x00007FFCC7E10000-0x00007FFCC8005000-memory.dmp

Filesize
2.0MB

Download
memory/924-63-0x00007FFCC7E10000-0x00007FFCC8005000-memory.dmp

Filesize
2.0MB

Download
memory/924-64-0x00007FFCC7E10000-0x00007FFCC8005000-memory.dmp

Filesize
2.0MB

Download
memory/924-65-0x00007FFCC7E10000-0x00007FFCC8005000-memory.dmp

Filesize
2.0MB

Download
memory/924-66-0x00007FFCC7E10000-0x00007FFCC8005000-memory.dmp

Filesize
2.0MB

Download
memory/924-3-0x00007FFC87E90000-0x00007FFC87EA0000-memory.dmp

Filesize
64KB

Download
memory/924-2-0x00007FFCC7E10000-0x00007FFCC8005000-memory.dmp

Filesize
2.0MB

Download
memory/924-1-0x00007FFC87E90000-0x00007FFC87EA0000-memory.dmp

Filesize
64KB

Download
memory/924-0-0x00007FFC87E90000-0x00007FFC87EA0000-memory.dmp

Filesize
64KB

Download
memory/924-67-0x00007FFCC7E10000-0x00007FFCC8005000-memory.dmp

Filesize
2.0MB

Download
memory/924-68-0x00007FFCC7E10000-0x00007FFCC8005000-memory.dmp

Filesize
2.0MB

Download
memory/924-69-0x00007FFCC7E10000-0x00007FFCC8005000-memory.dmp

Filesize
2.0MB

Download
memory/924-70-0x000001EABDCD0000-0x000001EABECA0000-memory.dmp

Filesize
15.8MB

Download
memory/924-71-0x000001EABDCD0000-0x000001EABECA0000-memory.dmp

Filesize
15.8MB

Download