netwire | 1a4ea9c422e80abe0f0abd7cbc73e3070b0345d2e9ab5ff57840230240f10f47

Analysis

Target

nxxt.exe
Size

338KB
MD5

5a68d27a6d644b88a59ae764acaad552
SHA1

24f135bf0c8e0db609a39fc2a5b68e644ed1ce7c
SHA256

1a4ea9c422e80abe0f0abd7cbc73e3070b0345d2e9ab5ff57840230240f10f47
SHA512

191b216e498e1ea68d4f61b506ea08e9f4852461bb9324febbd527a16dc4eb610f43a1457e8f2482874f6b634aaadad46c20baf2944871c40f894226e3f59783

Score

10^/10

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.exe.lnk	nxxt.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2536	nxxt.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2536	nxxt.exe
2536	nxxt.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2536 set thread context of 2688	2536	nxxt.exe	68

Executes dropped EXE 1 IoCs

pid	Process
2688	sdhost.exe

NetWire RAT payload 2 IoCs

rat

resource	yara_rule
behavioral2/memory/2688-0-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral2/memory/2688-4-0x0000000000400000-0x0000000000433000-memory.dmp	netwire

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier	cmd.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2536 wrote to memory of 2688	2536	nxxt.exe	68
PID 2536 wrote to memory of 2688	2536	nxxt.exe	68
PID 2536 wrote to memory of 2688	2536	nxxt.exe	68
PID 2536 wrote to memory of 2688	2536	nxxt.exe	68
PID 2536 wrote to memory of 2688	2536	nxxt.exe	68
PID 2536 wrote to memory of 2688	2536	nxxt.exe	68
PID 2536 wrote to memory of 2688	2536	nxxt.exe	68
PID 2536 wrote to memory of 2688	2536	nxxt.exe	68
PID 2536 wrote to memory of 2688	2536	nxxt.exe	68
PID 2536 wrote to memory of 2688	2536	nxxt.exe	68
PID 2536 wrote to memory of 2688	2536	nxxt.exe	68
PID 2536 wrote to memory of 3744	2536	nxxt.exe	69
PID 2536 wrote to memory of 3744	2536	nxxt.exe	69
PID 2536 wrote to memory of 3744	2536	nxxt.exe	69
PID 2536 wrote to memory of 3908	2536	nxxt.exe	71
PID 2536 wrote to memory of 3908	2536	nxxt.exe	71
PID 2536 wrote to memory of 3908	2536	nxxt.exe	71

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

C:\Users\Admin\AppData\Local\Temp\nxxt.exe
"C:\Users\Admin\AppData\Local\Temp\nxxt.exe"
1⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Users\Admin\AppData\Local\Temp\sdhost.exe
  "C:\Users\Admin\AppData\Local\Temp\sdhost.exe"
  2⤵
  - Executes dropped EXE
  PID:2688
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/nxxt.exe" "%temp%\FolderN\name.exe" /Y
  2⤵
  PID:3744
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
  2⤵
  - NTFS ADS
  PID:3908

memory/2688-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2688-4-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download