Overview

overview

10

Static

static

8

RAT/Adwind.jar

windows7-x64

10

RAT/Adwind.jar

windows10-2004-x64

10

RAT/CobaltStrike.docm

windows7-x64

10

RAT/CobaltStrike.docm

windows10-2004-x64

10

RAT/CrimsonRAT.exe

windows7-x64

10

RAT/CrimsonRAT.exe

windows10-2004-x64

10

RAT/NetWire.doc

windows7-x64

10

RAT/NetWire.doc

windows10-2004-x64

7

RAT/VanToM-Rat.exe

windows7-x64

7

RAT/VanToM-Rat.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    81s
  • max time network
    81s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    06-12-2024 10:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RAT/NetWire.doc

  • Size

    7.3MB

  • MD5

    6b23cce75ff84aaa6216e90b6ce6a5f3

  • SHA1

    e6cc0ef23044de9b1f96b67699c55232aea67f7d

  • SHA256

    9105005851fbf7a7d757109cf697237c0766e6948c7d88089ac6cf25fe1e9b15

  • SHA512

    4d0705644ade8e8a215cc3190717850d88f4d532ac875e504cb59b7e5c6dd3ffae69ea946e2208e2286e2f7168709850b7b6e3b6d0572de40cfe442d96bba125

  • SSDEEP

    49152:GI3M51kvB7YHve+tPHAUpS60t4+6mEuKsXtz5LlqCO4n44m4uXkyNR4Ss3NZx:GuMPkvdYbgUpShGmZfXZZ1O7NRzG

Score
10/10
discovery

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Office loads VBA resources, possible macro or embedded object present
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 37 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\RAT\NetWire.doc"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2216
    • C:\Windows\SysWOW64\runonce.exe
      "C:\Windows\system32\runonce.exe"
      2⤵
      • Process spawned unexpected child process
      • System Location Discovery: System Language Discovery
      PID:2168
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2884

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\-1567980119.dat
      Filesize

      474B

      MD5

      108a846fce8e14bec7a3a8c2850d8ed1

      SHA1

      44075cdd5403feadd753986ce39fbc672ca9c69a

      SHA256

      300c5bfa2b54a6c48fb592ba9f2a164dc92d796688f3e43112e696e68a09ed88

      SHA512

      c2f03dad5d470b779de7e2fe36e26c3b112b4f82db76cd5ebd30da71649f1f26326db0632b1dc2bcbe7b80804d4dc8d878b058ce9798bd5d35b722212f6c78da

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex
      Filesize

      2B

      MD5

      f3b25701fe362ec84616a93a45ce9998

      SHA1

      d62636d8caec13f04e28442a0a6fa1afeb024bbb

      SHA256

      b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

      SHA512

      98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

      Download Submit

    • \Users\Admin\AppData\Local\Temp\ands.dll
      Filesize

      30KB

      MD5

      d4a7e2883571bd5aadc8c42e7dde6288

      SHA1

      90d06ccbcfa36ed581a9a9af5f3581dc36387746

      SHA256

      787b25dc26dc474d9a6a8afe13c20ec3db2d204b390c399029c92da3dbbbdd40

      SHA512

      a204f3be5a0a95c3b6126473b6079965386c4a66d59bc0bbb40772141b65775d7db60b01caced38796c66d2bf7a6d23e8dd4970d7a9a5d40901ac19477d25714

      Download Submit

    • \Users\Admin\AppData\Local\Temp\ands.dll
      Filesize

      63KB

      MD5

      6218fe3773cb6838bef254b739c2f664

      SHA1

      fc39665759d3667ec451a2057268ef1b2715577e

      SHA256

      a697ae136e5633a17a2833d1e3e2e2a10cfe274da042d6749becf523bc947eea

      SHA512

      557ddbfc9ac2e8f5209b797b46e3f2782403bbd569ea9450f69be6288fbbe99229123891e9e76e82b1a8c546221ac98ff1aa1a97befe37f0403031f3db26a86a

      Download Submit

    • memory/2168-23-0x0000000000090000-0x0000000000092000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2216-5-0x0000000000370000-0x0000000000470000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2216-6-0x0000000000370000-0x0000000000470000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2216-12-0x00000000070C0000-0x00000000071C0000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2216-7-0x0000000000370000-0x0000000000470000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2216-13-0x0000000070E5D000-0x0000000070E68000-memory.dmp

      Filesize

      44KB

      Download

    • memory/2216-14-0x0000000000370000-0x0000000000470000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2216-15-0x00000000070C0000-0x00000000071C0000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2216-11-0x0000000000370000-0x0000000000470000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2216-0-0x000000002FA71000-0x000000002FA72000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2216-22-0x0000000002590000-0x0000000002595000-memory.dmp

      Filesize

      20KB

      Download

    • memory/2216-4-0x0000000000370000-0x0000000000470000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2216-46-0x0000000002590000-0x0000000002595000-memory.dmp

      Filesize

      20KB

      Download

    • memory/2216-2-0x0000000070E5D000-0x0000000070E68000-memory.dmp

      Filesize

      44KB

      Download

    • memory/2216-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download