a27ff09ec8cbc4b9bad0679d8922ed1dd22fbf9bcf472ba69c1e413e6785dfa3

General

Target

RAT/NetWire.doc
Size

7.3MB
MD5

6b23cce75ff84aaa6216e90b6ce6a5f3
SHA1

e6cc0ef23044de9b1f96b67699c55232aea67f7d
SHA256

9105005851fbf7a7d757109cf697237c0766e6948c7d88089ac6cf25fe1e9b15
SHA512

4d0705644ade8e8a215cc3190717850d88f4d532ac875e504cb59b7e5c6dd3ffae69ea946e2208e2286e2f7168709850b7b6e3b6d0572de40cfe442d96bba125
SSDEEP

49152:GI3M51kvB7YHve+tPHAUpS60t4+6mEuKsXtz5LlqCO4n44m4uXkyNR4Ss3NZx:GuMPkvdYbgUpShGmZfXZZ1O7NRzG

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	12840	444	runonce.exe	79

Loads dropped DLL 1 IoCs

pid	Process
444	WINWORD.EXE

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\_CutButterball	WINWORD.EXE
File opened for modification	C:\Windows\BreakTart	WINWORD.EXE

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
444	WINWORD.EXE
444	WINWORD.EXE

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
444	WINWORD.EXE
444	WINWORD.EXE
444	WINWORD.EXE
444	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 444 wrote to memory of 12840	444	WINWORD.EXE	91
PID 444 wrote to memory of 12840	444	WINWORD.EXE	91

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\RAT\NetWire.doc" /o ""
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:444
- C:\Windows\SYSTEM32\runonce.exe
  runonce.exe
  2⤵
  - Process spawned unexpected child process
  PID:12840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ands.dll

Filesize
30KB

MD5
d4a7e2883571bd5aadc8c42e7dde6288

SHA1
90d06ccbcfa36ed581a9a9af5f3581dc36387746

SHA256
787b25dc26dc474d9a6a8afe13c20ec3db2d204b390c399029c92da3dbbbdd40

SHA512
a204f3be5a0a95c3b6126473b6079965386c4a66d59bc0bbb40772141b65775d7db60b01caced38796c66d2bf7a6d23e8dd4970d7a9a5d40901ac19477d25714

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
4KB

MD5
221ec4b33e567f00e783379edd23c417

SHA1
4ab26b2bc6d76bf29608121f94decfca716ebd02

SHA256
fde521e34daf7eddd77571f12b7fa84ab7b233d8d529d921791e2a22fb990353

SHA512
99cbd37b87efe6b8b55eff61fd68b6e8a927ac6820c10e04a5009b0e745aa487ac02d7817224908632054cc335b54f8bbd0b449ebf6a2d617a0dd33b64f387bc

Download Submit
C:\Windows\BreakTart

Filesize
47B

MD5
081c6d16a42da543e053d56b41e011a4

SHA1
7c3b4b079e17988aef2deb73150dda9f8b393fdc

SHA256
7a4a7fc464c0e33f4959bbfad178f2437be9759ec80078a1b5b2f44656830396

SHA512
5a65a2b81c0d001be174a100363adae86bdc9af02360fbd2c87ebdb45d62833104e4cca90473f1156792473af5922e947677585c55052a99868e6a395aa457ff

Download Submit
C:\Windows\_CutButterball

Filesize
31B

MD5
3d7d7cd0025da467f173323b59e4b117

SHA1
74a792af2a11c7a0ee84898167ed71939b9c2cbb

SHA256
9ebceae390112b96ceadc132cf70c065bae365705de0e11bd61f481224330b03

SHA512
f06c0244c049f7837f636e8649d524e94d065ac5c23a7d5df74065e874fcbb79a3e20c2febedaf5637f3531a4c8e69c0f233974e3a2e94f22afa7f04fce247b7

Download Submit
C:\Windows\_CutButterball

Filesize
31B

MD5
b9aa021d1561596023332b88ac16808c

SHA1
d3a7074f682f529aa3986778ecd9457c399d31a3

SHA256
08843168fb1db0d9c391faebabe8942fb31f858d459f922fbc7018a62b370a62

SHA512
31461f1469b0a3740175316e9d5f4ee474ff536c010c9c909fd8c0c65f52890b5a43c2b212404bd9099cf4d0fc1d39381a52bb17b490e2a582312f6d35ef5e48

Download Submit
C:\Windows\_CutButterball

Filesize
31B

MD5
d75565b620cb728574c3308d50bbb827

SHA1
b182ca95fc4ded27fb1000025f5b48e1c85ac1f3

SHA256
320d11637b034a5e2ba1e0308201320278ff8c1efe024dc8225ce741f800af65

SHA512
9458450cdfc42066a22bb773290325e9d6f91c100bf16912644a9cc1580191e35309bd9c21d6f9e3fc934ab1ca5ed3097e1e5c77e2ff73cd8de558270ab4a31d

Download Submit
memory/444-42-0x00007FFBC66D0000-0x00007FFBC68C8000-memory.dmp

Filesize
2.0MB

Download
memory/444-60-0x00007FFBC66D0000-0x00007FFBC68C8000-memory.dmp

Filesize
2.0MB

Download
memory/444-12-0x00007FFBC66D0000-0x00007FFBC68C8000-memory.dmp

Filesize
2.0MB

Download
memory/444-11-0x00007FFBC66D0000-0x00007FFBC68C8000-memory.dmp

Filesize
2.0MB

Download
memory/444-13-0x00007FFB841F0000-0x00007FFB84200000-memory.dmp

Filesize
64KB

Download
memory/444-9-0x00007FFBC66D0000-0x00007FFBC68C8000-memory.dmp

Filesize
2.0MB

Download
memory/444-8-0x00007FFBC66D0000-0x00007FFBC68C8000-memory.dmp

Filesize
2.0MB

Download
memory/444-14-0x00007FFB841F0000-0x00007FFB84200000-memory.dmp

Filesize
64KB

Download
memory/444-41-0x00007FFBC66D0000-0x00007FFBC68C8000-memory.dmp

Filesize
2.0MB

Download
memory/444-46-0x00007FFBC66D0000-0x00007FFBC68C8000-memory.dmp

Filesize
2.0MB

Download
memory/444-45-0x00007FFBC66D0000-0x00007FFBC68C8000-memory.dmp

Filesize
2.0MB

Download
memory/444-44-0x00007FFBC66D0000-0x00007FFBC68C8000-memory.dmp

Filesize
2.0MB

Download
memory/444-43-0x00007FFBC66D0000-0x00007FFBC68C8000-memory.dmp

Filesize
2.0MB

Download
memory/444-3-0x00007FFBC676D000-0x00007FFBC676E000-memory.dmp

Filesize
4KB

Download
memory/444-40-0x00007FFBC66D0000-0x00007FFBC68C8000-memory.dmp

Filesize
2.0MB

Download
memory/444-54-0x00007FFBC66D0000-0x00007FFBC68C8000-memory.dmp

Filesize
2.0MB

Download
memory/444-56-0x00007FFBC66D0000-0x00007FFBC68C8000-memory.dmp

Filesize
2.0MB

Download
memory/444-10-0x00007FFBC66D0000-0x00007FFBC68C8000-memory.dmp

Filesize
2.0MB

Download
memory/444-59-0x00007FFBC66D0000-0x00007FFBC68C8000-memory.dmp

Filesize
2.0MB

Download
memory/444-58-0x00007FFBC66D0000-0x00007FFBC68C8000-memory.dmp

Filesize
2.0MB

Download
memory/444-57-0x00007FFBC66D0000-0x00007FFBC68C8000-memory.dmp

Filesize
2.0MB

Download
memory/444-55-0x00007FFBC66D0000-0x00007FFBC68C8000-memory.dmp

Filesize
2.0MB

Download
memory/444-53-0x00007FFBC66D0000-0x00007FFBC68C8000-memory.dmp

Filesize
2.0MB

Download
memory/444-52-0x00007FFBC66D0000-0x00007FFBC68C8000-memory.dmp

Filesize
2.0MB

Download
memory/444-51-0x00007FFBC66D0000-0x00007FFBC68C8000-memory.dmp

Filesize
2.0MB

Download
memory/444-50-0x00007FFBC66D0000-0x00007FFBC68C8000-memory.dmp

Filesize
2.0MB

Download
memory/444-49-0x00007FFBC66D0000-0x00007FFBC68C8000-memory.dmp

Filesize
2.0MB

Download
memory/444-48-0x00007FFBC66D0000-0x00007FFBC68C8000-memory.dmp

Filesize
2.0MB

Download
memory/444-47-0x00007FFBC66D0000-0x00007FFBC68C8000-memory.dmp

Filesize
2.0MB

Download
memory/444-7-0x00007FFB86750000-0x00007FFB86760000-memory.dmp

Filesize
64KB

Download
memory/444-6-0x00007FFBC66D0000-0x00007FFBC68C8000-memory.dmp

Filesize
2.0MB

Download
memory/444-5-0x00007FFBC66D0000-0x00007FFBC68C8000-memory.dmp

Filesize
2.0MB

Download
memory/444-4-0x00007FFB86750000-0x00007FFB86760000-memory.dmp

Filesize
64KB

Download
memory/444-0-0x00007FFB86750000-0x00007FFB86760000-memory.dmp

Filesize
64KB

Download
memory/444-1-0x00007FFB86750000-0x00007FFB86760000-memory.dmp

Filesize
64KB

Download
memory/444-2-0x00007FFB86750000-0x00007FFB86760000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads