a27ff09ec8cbc4b9bad0679d8922ed1dd22fbf9bcf472ba69c1e413e6785dfa3

Analysis

max time kernel
118s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-12-2024 10:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RAT/NetWire.doc
Size

7.3MB
MD5

6b23cce75ff84aaa6216e90b6ce6a5f3
SHA1

e6cc0ef23044de9b1f96b67699c55232aea67f7d
SHA256

9105005851fbf7a7d757109cf697237c0766e6948c7d88089ac6cf25fe1e9b15
SHA512

4d0705644ade8e8a215cc3190717850d88f4d532ac875e504cb59b7e5c6dd3ffae69ea946e2208e2286e2f7168709850b7b6e3b6d0572de40cfe442d96bba125
SSDEEP

49152:GI3M51kvB7YHve+tPHAUpS60t4+6mEuKsXtz5LlqCO4n44m4uXkyNR4Ss3NZx:GuMPkvdYbgUpShGmZfXZZ1O7NRzG

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
3420	WINWORD.EXE

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\BreakTart	WINWORD.EXE
File opened for modification	C:\Windows\_CutButterball	WINWORD.EXE

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3420	WINWORD.EXE
3420	WINWORD.EXE

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3420	WINWORD.EXE
3420	WINWORD.EXE
3420	WINWORD.EXE
3420	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\RAT\NetWire.doc" /o ""
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ands.dll

Filesize
30KB

MD5
d4a7e2883571bd5aadc8c42e7dde6288

SHA1
90d06ccbcfa36ed581a9a9af5f3581dc36387746

SHA256
787b25dc26dc474d9a6a8afe13c20ec3db2d204b390c399029c92da3dbbbdd40

SHA512
a204f3be5a0a95c3b6126473b6079965386c4a66d59bc0bbb40772141b65775d7db60b01caced38796c66d2bf7a6d23e8dd4970d7a9a5d40901ac19477d25714

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
be5d64b9752dc45a9335c04d4365b99f

SHA1
2a93d304883c6ea1873ec1e3dc3261001be188fd

SHA256
dd16f179c73e4e0e1dedb8a52f825b22c38d785c8973b8ab855a3c4e63729684

SHA512
8dc7690c40930a71e0f2715513c45ac63daa77533f5b34d55b4f343401e04766a29c360ba8c253e5305f38b036ffc95b2f123dee0e624177a4c4f01b7efcd95a

Download Submit
C:\Windows\_CutButterball

Filesize
1KB

MD5
4e595567f82a09e5c95ce47823c4b845

SHA1
d7f2738a09ca1ce1439a01a8f4b828b7f869bb17

SHA256
8fa735a12848d0538b69069a80d5a908958a2f73a6605d52b2b2c58fbb47e976

SHA512
33d4a3c9bc5d0c8ca8096b02ad0dd79028d388d3234c43ec0e88fccf0c50bd58256f9f31f502874e4e7a0f6782215a4a8060f614ea25521489eee0ac768bebc5

Download Submit
C:\Windows\_CutButterball

Filesize
85KB

MD5
2a9694d02b6443549dcdc7a4dd4825ec

SHA1
6d30cef94444f86926b0c7c4d8cd3483bbe4c68c

SHA256
ea545a31504a803c11e89f640b04cc035364765a96f1b78dc95bc97eda2e1d3f

SHA512
211fb73497950cbea1c5fc2a9f5942036cb66098eaa99ab09d3e3205f059415d5fb7cb7fff39bd51a335b986a5c0ec88de5941ef1029d9c473316d88294e5305

Download Submit
C:\Windows\_CutButterball

Filesize
85KB

MD5
c6b79ff8935c6e741b196d572489db1e

SHA1
4349a69ef8f1a26743f05f7b13038005932a1b50

SHA256
f80c6d04f0f29fa65ed6a1c51d5edddba1ddbf359fb3eba43c6512cfe99d35e7

SHA512
59034bba636bc06cded4c36b19c52a40342d774445cb2dd66820fb592c55e5c3784f03395d8873c99a2198e5b43352bb4ee554cf7a28ad0d2a3c7f91e1fd6df2

Download Submit
C:\Windows\_CutButterball

Filesize
90KB

MD5
8aac1de8975893ec4f682d7af30b8ceb

SHA1
0683c09b2ec4819d7003361d96043e25d8b92cd9

SHA256
61f9b9b2d8ff35d2b4c9c86a27bb0c7d47d8605df7c50261b965454a125851d5

SHA512
9cf7c6aeae328e26df24ae4675deac0101447d674d9377ab30d1585d25f4697a496458998d5b47b6fc77cc0619166a8b2c4e7441459175c260f99db5d403d0c2

Download Submit
C:\Windows\_CutButterball

Filesize
68KB

MD5
b78292d151ba96efac0b6580961e1c35

SHA1
eeb2c94ae1eebd4d6b3c720ba4731a32f0b31060

SHA256
413cf2c265ac4522774f617d74274ba26000020a2217f01249541081a9f64e91

SHA512
9dd82e375a4f8e765ce564a00b887319c86fdc5da73b46c0d49b494bf96c060771a61275546652c7e10e1f09db6b5b75a3208ecbf69e1c07a3760fb6bf897621

Download Submit
C:\Windows\_CutButterball

Filesize
55KB

MD5
2866d71f5ae350bb097d97dd6e06ea82

SHA1
3de6f7c39c77e33c107551418938e963ec32de57

SHA256
82cf2dce33a57dd7db69349d952a3495a1d7f1c35f0ad4cf8a224377bbc97fb1

SHA512
1c65190fb666ccdd2c61182b2cd243aa555b67071c4f6081d615826ef8f785fb5da27906db0fbe6cf75af0d387d3d3b4597fa4b097f3a6fcc7cede299e10a073

Download Submit
memory/3420-45-0x00007FF83CE70000-0x00007FF83D065000-memory.dmp

Filesize
2.0MB

Download
memory/3420-49-0x00007FF83CF0D000-0x00007FF83CF0E000-memory.dmp

Filesize
4KB

Download
memory/3420-11-0x00007FF83CE70000-0x00007FF83D065000-memory.dmp

Filesize
2.0MB

Download
memory/3420-9-0x00007FF83CE70000-0x00007FF83D065000-memory.dmp

Filesize
2.0MB

Download
memory/3420-10-0x00007FF83CE70000-0x00007FF83D065000-memory.dmp

Filesize
2.0MB

Download
memory/3420-12-0x00007FF83CE70000-0x00007FF83D065000-memory.dmp

Filesize
2.0MB

Download
memory/3420-7-0x00007FF83CE70000-0x00007FF83D065000-memory.dmp

Filesize
2.0MB

Download
memory/3420-6-0x00007FF83CE70000-0x00007FF83D065000-memory.dmp

Filesize
2.0MB

Download
memory/3420-13-0x00007FF7FAA00000-0x00007FF7FAA10000-memory.dmp

Filesize
64KB

Download
memory/3420-5-0x00007FF7FCEF0000-0x00007FF7FCF00000-memory.dmp

Filesize
64KB

Download
memory/3420-17-0x00007FF83CE70000-0x00007FF83D065000-memory.dmp

Filesize
2.0MB

Download
memory/3420-19-0x00007FF83CE70000-0x00007FF83D065000-memory.dmp

Filesize
2.0MB

Download
memory/3420-20-0x00007FF7FAA00000-0x00007FF7FAA10000-memory.dmp

Filesize
64KB

Download
memory/3420-18-0x00007FF83CE70000-0x00007FF83D065000-memory.dmp

Filesize
2.0MB

Download
memory/3420-16-0x00007FF83CE70000-0x00007FF83D065000-memory.dmp

Filesize
2.0MB

Download
memory/3420-15-0x00007FF83CE70000-0x00007FF83D065000-memory.dmp

Filesize
2.0MB

Download
memory/3420-14-0x00007FF83CE70000-0x00007FF83D065000-memory.dmp

Filesize
2.0MB

Download
memory/3420-4-0x00007FF7FCEF0000-0x00007FF7FCF00000-memory.dmp

Filesize
64KB

Download
memory/3420-44-0x00007FF83CE70000-0x00007FF83D065000-memory.dmp

Filesize
2.0MB

Download
memory/3420-43-0x00007FF83CE70000-0x00007FF83D065000-memory.dmp

Filesize
2.0MB

Download
memory/3420-50-0x00007FF83CE70000-0x00007FF83D065000-memory.dmp

Filesize
2.0MB

Download
memory/3420-8-0x00007FF83CE70000-0x00007FF83D065000-memory.dmp

Filesize
2.0MB

Download
memory/3420-53-0x00007FF83CE70000-0x00007FF83D065000-memory.dmp

Filesize
2.0MB

Download
memory/3420-52-0x00007FF83CE70000-0x00007FF83D065000-memory.dmp

Filesize
2.0MB

Download
memory/3420-59-0x00007FF83CE70000-0x00007FF83D065000-memory.dmp

Filesize
2.0MB

Download
memory/3420-62-0x00007FF83CE70000-0x00007FF83D065000-memory.dmp

Filesize
2.0MB

Download
memory/3420-63-0x00007FF83CE70000-0x00007FF83D065000-memory.dmp

Filesize
2.0MB

Download
memory/3420-61-0x00007FF83CE70000-0x00007FF83D065000-memory.dmp

Filesize
2.0MB

Download
memory/3420-60-0x00007FF83CE70000-0x00007FF83D065000-memory.dmp

Filesize
2.0MB

Download
memory/3420-58-0x00007FF83CE70000-0x00007FF83D065000-memory.dmp

Filesize
2.0MB

Download
memory/3420-57-0x00007FF83CE70000-0x00007FF83D065000-memory.dmp

Filesize
2.0MB

Download
memory/3420-56-0x00007FF83CE70000-0x00007FF83D065000-memory.dmp

Filesize
2.0MB

Download
memory/3420-55-0x00007FF83CE70000-0x00007FF83D065000-memory.dmp

Filesize
2.0MB

Download
memory/3420-54-0x00007FF83CE70000-0x00007FF83D065000-memory.dmp

Filesize
2.0MB

Download
memory/3420-51-0x00007FF83CE70000-0x00007FF83D065000-memory.dmp

Filesize
2.0MB

Download
memory/3420-65-0x00007FF83CE70000-0x00007FF83D065000-memory.dmp

Filesize
2.0MB

Download
memory/3420-2-0x00007FF7FCEF0000-0x00007FF7FCF00000-memory.dmp

Filesize
64KB

Download
memory/3420-3-0x00007FF7FCEF0000-0x00007FF7FCF00000-memory.dmp

Filesize
64KB

Download
memory/3420-0-0x00007FF83CF0D000-0x00007FF83CF0E000-memory.dmp

Filesize
4KB

Download
memory/3420-1-0x00007FF7FCEF0000-0x00007FF7FCF00000-memory.dmp

Filesize
64KB

Download
memory/3420-64-0x00007FF83CE70000-0x00007FF83D065000-memory.dmp

Filesize
2.0MB

Download
memory/3420-73-0x00007FF83CE70000-0x00007FF83D065000-memory.dmp

Filesize
2.0MB

Download
memory/3420-72-0x00007FF83CE70000-0x00007FF83D065000-memory.dmp

Filesize
2.0MB

Download
memory/3420-71-0x00007FF83CE70000-0x00007FF83D065000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads