netwire | 1a4ea9c422e80abe0f0abd7cbc73e3070b0345d2e9ab5ff57840230240f10f47

General

Target

nxxt.exe
Size

338KB
MD5

5a68d27a6d644b88a59ae764acaad552
SHA1

24f135bf0c8e0db609a39fc2a5b68e644ed1ce7c
SHA256

1a4ea9c422e80abe0f0abd7cbc73e3070b0345d2e9ab5ff57840230240f10f47
SHA512

191b216e498e1ea68d4f61b506ea08e9f4852461bb9324febbd527a16dc4eb610f43a1457e8f2482874f6b634aaadad46c20baf2944871c40f894226e3f59783

Score

10^/10

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier	cmd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	272	nxxt.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 272 wrote to memory of 1116	272	nxxt.exe	24
PID 272 wrote to memory of 1116	272	nxxt.exe	24
PID 272 wrote to memory of 1116	272	nxxt.exe	24
PID 272 wrote to memory of 1116	272	nxxt.exe	24
PID 272 wrote to memory of 1116	272	nxxt.exe	24
PID 272 wrote to memory of 1116	272	nxxt.exe	24
PID 272 wrote to memory of 1116	272	nxxt.exe	24
PID 272 wrote to memory of 1116	272	nxxt.exe	24
PID 272 wrote to memory of 1116	272	nxxt.exe	24
PID 272 wrote to memory of 1116	272	nxxt.exe	24
PID 272 wrote to memory of 1116	272	nxxt.exe	24
PID 272 wrote to memory of 1116	272	nxxt.exe	24
PID 272 wrote to memory of 1512	272	nxxt.exe	25
PID 272 wrote to memory of 1512	272	nxxt.exe	25
PID 272 wrote to memory of 1512	272	nxxt.exe	25
PID 272 wrote to memory of 1512	272	nxxt.exe	25
PID 272 wrote to memory of 1776	272	nxxt.exe	27
PID 272 wrote to memory of 1776	272	nxxt.exe	27
PID 272 wrote to memory of 1776	272	nxxt.exe	27
PID 272 wrote to memory of 1776	272	nxxt.exe	27

Executes dropped EXE 1 IoCs

pid	Process
1116	sdhost.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.exe.lnk	nxxt.exe

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
272	nxxt.exe
272	nxxt.exe

Loads dropped DLL 3 IoCs

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 272 set thread context of 1116	272	nxxt.exe	24

NetWire RAT payload 2 IoCs

rat

resource	yara_rule
behavioral1/memory/1116-1-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/1116-4-0x0000000000400000-0x0000000000433000-memory.dmp	netwire

C:\Users\Admin\AppData\Local\Temp\nxxt.exe
"C:\Users\Admin\AppData\Local\Temp\nxxt.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:272
- C:\Users\Admin\AppData\Local\Temp\sdhost.exe
  "C:\Users\Admin\AppData\Local\Temp\sdhost.exe"
  2⤵
  - Executes dropped EXE
  PID:1116
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/nxxt.exe" "%temp%\FolderN\name.exe" /Y
  2⤵
  PID:1512
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
  2⤵
  - NTFS ADS
  PID:1776

memory/1116-1-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1116-4-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download