Managed XDR

proof-20of-20payment-a...11629570627495728-.asd (NetWire) — malware analysis report

File info

Filename
proof-20of-20payment-autosaved-311629570627495728-.asd
File type
Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: John Barret, Template: Normal.dotm, Last Saved By: John Barret, Revision Number: 3, Name of Creating Application: Microsoft Office Word, Total Editing Time: 05:00, Create Time/Date: Sat May 6 15:58:00 2017, Last Saved Time/Date: Mon May 8 10:34:00 2017, Number of Pages: 1, Number of Words: 23, Number of Characters: 134, Security: 0
File size
775.5 KB
First seen
Last seen

Environment

win7/x86 en

Hashes

SHA1
d254129347602e2c579b616f2746e96cd2f14e6c
SHA256
92c4200807c0e1e57c9b2378e45bc43de577da8f5a38fd058ccdf7300d390896
MD5
db38e7a3d7c51134e16484d6487b8d08

Malwares

  • NetWire

Signatures

Execution

T1059 autoit: AutoIt script execution detected
T1106 susp_callbacks: Suspicious usage of some WinAPI with callbacks

Persistence

T1547.001 persistence_autorun: Makes itself run automatically on Windows startup

Privilege Escalation

T1547.001 persistence_autorun: Makes itself run automatically on Windows startup
T1055.002 inject_write_pe: Writes PE file to another process's memory
T1055.012 injection_runpe: Injects code into another process
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1218 bypass_dev_utils: Executing .NET utility in a suspended state, potentially for injection
T1055.002 inject_write_pe: Writes PE file to another process's memory
T1055.012 injection_runpe: Injects code into another process
T1027.002 unnamed_memory_regions_contains_pe: One or several unnamed memory regions are PE files
T1027.002 unnamed_memory_regions: Code was executed in unnamed regions
T1564.001 stealth_file: Creates hidden or system files
T1497.003 antisandbox_sleep: The process attempted to slow down analysis
T1027.002 packer_entropy: Probably contains compressed or encrypted data
T1497 evasion_trustrecords: Attempts to detect Sandbox exploring trusted documents
T1497.001 antivm_queries_computername: Retrieves the computer name
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Credential Access

T1056.001 infostealer_keylogger: Keylogger (intercepts keystrokes)

Discovery

T1497.003 antisandbox_sleep: The process attempted to slow down analysis
T1057 process_interest: Enumerates processes
T1497 evasion_trustrecords: Attempts to detect Sandbox exploring trusted documents
T1497.001 antivm_queries_computername: Retrieves the computer name
T1135 server_share_info: Retrieves information about each shared resource on a server

Collection

T1056.001 infostealer_keylogger: Keylogger (intercepts keystrokes)

Other

yara_rules: Static rules
office_embedded: Office document contains embedded executable file(s)
drops_interpreter: Creates intrepreter binary file
creates_doc: Creates (office) documents in the file system
dead_host: Connects to IP addresses that do not respond to requests
executes_dropped_exe: Executes dropped exe files
create_rpc_bindings: Creates RPC connection
has_pdb: This executable file has a PDB path
creates_suspended_process: Creates suspended process
creates_exe: Creates executable files in the file system
get_policy_info: Retrieves information about a Policy object
test_check_service: Starts services
antisandbox_check_graphics_card: Uses CreateDXGIFactory, potentially to detect graphics card
checktokenmembership: Checks user token with CheckTokenMembership call
pe_overlay: PE file contains overlay

Related reports