netwire | e232e9c0d66770fe8e50466f3dd073160a8ddaf565ed0382ce997226c1b364dd

General

Target

Solictud_de_cotizacion (3699663-2020).exe
Size

553KB
MD5

748e4a49b7e306d7eb45aaa7b10faf5d
SHA1

ed4e974775f050e65233116fdbb28921618fceb7
SHA256

e232e9c0d66770fe8e50466f3dd073160a8ddaf565ed0382ce997226c1b364dd
SHA512

378f5c0ed4b94405a1287febc6a12901cbc8b386b41b66d9f2d007d704780424f3427b6e6973480656954f3d31540cacdc5e935118d4d561bba1bf399fc8d839

Score

10^/10

rat botnet stealer netwire persistence

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 2723 IoCs

Processes:

Solictud_de_cotizacion (3699663-2020).exeSolictud_de_cotizacion (3699663-2020).exeHost.exeSolictud_de_cotizacion (3699663-2020).exeHost.exeSolictud_de_cotizacion (3699663-2020).exe

pid	process
1612	Solictud_de_cotizacion (3699663-2020).exe
1540	Solictud_de_cotizacion (3699663-2020).exe
1540	Solictud_de_cotizacion (3699663-2020).exe
1540	Solictud_de_cotizacion (3699663-2020).exe
1540	Solictud_de_cotizacion (3699663-2020).exe
1716	Host.exe
1776	Solictud_de_cotizacion (3699663-2020).exe
1948	Host.exe
1948	Host.exe
1948	Host.exe
1948	Host.exe
1972	Solictud_de_cotizacion (3699663-2020).exe
1972	Solictud_de_cotizacion (3699663-2020).exe
1948	Host.exe
1972	Solictud_de_cotizacion (3699663-2020).exe
1948	Host.exe
1972	Solictud_de_cotizacion (3699663-2020).exe
1948	Host.exe
1972	Solictud_de_cotizacion (3699663-2020).exe
1948	Host.exe
1972	Solictud_de_cotizacion (3699663-2020).exe
1948	Host.exe
1972	Solictud_de_cotizacion (3699663-2020).exe
1948	Host.exe
1972	Solictud_de_cotizacion (3699663-2020).exe
1948	Host.exe
1972	Solictud_de_cotizacion (3699663-2020).exe
1948	Host.exe
1972	Solictud_de_cotizacion (3699663-2020).exe
1948	Host.exe
1972	Solictud_de_cotizacion (3699663-2020).exe
1948	Host.exe
1972	Solictud_de_cotizacion (3699663-2020).exe
1948	Host.exe
1972	Solictud_de_cotizacion (3699663-2020).exe
1948	Host.exe
1972	Solictud_de_cotizacion (3699663-2020).exe
1948	Host.exe
1972	Solictud_de_cotizacion (3699663-2020).exe
1948	Host.exe
1972	Solictud_de_cotizacion (3699663-2020).exe
1948	Host.exe
1972	Solictud_de_cotizacion (3699663-2020).exe
1948	Host.exe
1972	Solictud_de_cotizacion (3699663-2020).exe
1948	Host.exe
1972	Solictud_de_cotizacion (3699663-2020).exe
1948	Host.exe
1972	Solictud_de_cotizacion (3699663-2020).exe
1948	Host.exe
1972	Solictud_de_cotizacion (3699663-2020).exe
1948	Host.exe
1972	Solictud_de_cotizacion (3699663-2020).exe
1948	Host.exe
1972	Solictud_de_cotizacion (3699663-2020).exe
1948	Host.exe
1972	Solictud_de_cotizacion (3699663-2020).exe
1948	Host.exe
1972	Solictud_de_cotizacion (3699663-2020).exe
1948	Host.exe
1972	Solictud_de_cotizacion (3699663-2020).exe
1948	Host.exe
1972	Solictud_de_cotizacion (3699663-2020).exe
1948	Host.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

Solictud_de_cotizacion (3699663-2020).exeSolictud_de_cotizacion (3699663-2020).exeSolictud_de_cotizacion (3699663-2020).exeHost.exeSolictud_de_cotizacion (3699663-2020).exe

description	pid	process	target process
PID 1612 wrote to memory of 1072	1612	Solictud_de_cotizacion (3699663-2020).exe	AcroRd32.exe
PID 1612 wrote to memory of 1072	1612	Solictud_de_cotizacion (3699663-2020).exe	AcroRd32.exe
PID 1612 wrote to memory of 1072	1612	Solictud_de_cotizacion (3699663-2020).exe	AcroRd32.exe
PID 1612 wrote to memory of 1072	1612	Solictud_de_cotizacion (3699663-2020).exe	AcroRd32.exe
PID 1612 wrote to memory of 1056	1612	Solictud_de_cotizacion (3699663-2020).exe	Solictud_de_cotizacion (3699663-2020).exe
PID 1612 wrote to memory of 1056	1612	Solictud_de_cotizacion (3699663-2020).exe	Solictud_de_cotizacion (3699663-2020).exe
PID 1612 wrote to memory of 1056	1612	Solictud_de_cotizacion (3699663-2020).exe	Solictud_de_cotizacion (3699663-2020).exe
PID 1612 wrote to memory of 1056	1612	Solictud_de_cotizacion (3699663-2020).exe	Solictud_de_cotizacion (3699663-2020).exe
PID 1612 wrote to memory of 1540	1612	Solictud_de_cotizacion (3699663-2020).exe	Solictud_de_cotizacion (3699663-2020).exe
PID 1612 wrote to memory of 1540	1612	Solictud_de_cotizacion (3699663-2020).exe	Solictud_de_cotizacion (3699663-2020).exe
PID 1612 wrote to memory of 1540	1612	Solictud_de_cotizacion (3699663-2020).exe	Solictud_de_cotizacion (3699663-2020).exe
PID 1612 wrote to memory of 1540	1612	Solictud_de_cotizacion (3699663-2020).exe	Solictud_de_cotizacion (3699663-2020).exe
PID 1056 wrote to memory of 1716	1056	Solictud_de_cotizacion (3699663-2020).exe	Host.exe
PID 1056 wrote to memory of 1716	1056	Solictud_de_cotizacion (3699663-2020).exe	Host.exe
PID 1056 wrote to memory of 1716	1056	Solictud_de_cotizacion (3699663-2020).exe	Host.exe
PID 1056 wrote to memory of 1716	1056	Solictud_de_cotizacion (3699663-2020).exe	Host.exe
PID 1540 wrote to memory of 1776	1540	Solictud_de_cotizacion (3699663-2020).exe	Solictud_de_cotizacion (3699663-2020).exe
PID 1540 wrote to memory of 1776	1540	Solictud_de_cotizacion (3699663-2020).exe	Solictud_de_cotizacion (3699663-2020).exe
PID 1540 wrote to memory of 1776	1540	Solictud_de_cotizacion (3699663-2020).exe	Solictud_de_cotizacion (3699663-2020).exe
PID 1540 wrote to memory of 1776	1540	Solictud_de_cotizacion (3699663-2020).exe	Solictud_de_cotizacion (3699663-2020).exe
PID 1716 wrote to memory of 1860	1716	Host.exe	AcroRd32.exe
PID 1716 wrote to memory of 1860	1716	Host.exe	AcroRd32.exe
PID 1716 wrote to memory of 1860	1716	Host.exe	AcroRd32.exe
PID 1716 wrote to memory of 1860	1716	Host.exe	AcroRd32.exe
PID 1776 wrote to memory of 1872	1776	Solictud_de_cotizacion (3699663-2020).exe	AcroRd32.exe
PID 1776 wrote to memory of 1872	1776	Solictud_de_cotizacion (3699663-2020).exe	AcroRd32.exe
PID 1776 wrote to memory of 1872	1776	Solictud_de_cotizacion (3699663-2020).exe	AcroRd32.exe
PID 1776 wrote to memory of 1872	1776	Solictud_de_cotizacion (3699663-2020).exe	AcroRd32.exe
PID 1716 wrote to memory of 1888	1716	Host.exe	Host.exe
PID 1716 wrote to memory of 1888	1716	Host.exe	Host.exe
PID 1716 wrote to memory of 1888	1716	Host.exe	Host.exe
PID 1716 wrote to memory of 1888	1716	Host.exe	Host.exe
PID 1776 wrote to memory of 1416	1776	Solictud_de_cotizacion (3699663-2020).exe	Solictud_de_cotizacion (3699663-2020).exe
PID 1776 wrote to memory of 1416	1776	Solictud_de_cotizacion (3699663-2020).exe	Solictud_de_cotizacion (3699663-2020).exe
PID 1776 wrote to memory of 1416	1776	Solictud_de_cotizacion (3699663-2020).exe	Solictud_de_cotizacion (3699663-2020).exe
PID 1776 wrote to memory of 1416	1776	Solictud_de_cotizacion (3699663-2020).exe	Solictud_de_cotizacion (3699663-2020).exe
PID 1716 wrote to memory of 1948	1716	Host.exe	Host.exe
PID 1716 wrote to memory of 1948	1716	Host.exe	Host.exe
PID 1716 wrote to memory of 1948	1716	Host.exe	Host.exe
PID 1716 wrote to memory of 1948	1716	Host.exe	Host.exe
PID 1776 wrote to memory of 1972	1776	Solictud_de_cotizacion (3699663-2020).exe	Solictud_de_cotizacion (3699663-2020).exe
PID 1776 wrote to memory of 1972	1776	Solictud_de_cotizacion (3699663-2020).exe	Solictud_de_cotizacion (3699663-2020).exe
PID 1776 wrote to memory of 1972	1776	Solictud_de_cotizacion (3699663-2020).exe	Solictud_de_cotizacion (3699663-2020).exe
PID 1776 wrote to memory of 1972	1776	Solictud_de_cotizacion (3699663-2020).exe	Solictud_de_cotizacion (3699663-2020).exe

Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

Solictud_de_cotizacion (3699663-2020).exeHost.exeSolictud_de_cotizacion (3699663-2020).exe

pid process

1612 Solictud_de_cotizacion (3699663-2020).exe
1716 Host.exe
1776 Solictud_de_cotizacion (3699663-2020).exe
Executes dropped EXE 3 IoCs

Processes:

Host.exeHost.exeHost.exe

pid process

1716 Host.exe
1888 Host.exe
1948 Host.exe

pid	process
1716	Host.exe
1888	Host.exe
1948	Host.exe

NetWire RAT payload 9 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1056-1-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/1056-1-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/1056-2-0x000000000040242D-mapping.dmp	netwire
behavioral1/memory/1056-4-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/1056-4-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/1888-16-0x000000000040242D-mapping.dmp	netwire
behavioral1/memory/1888-19-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/1888-19-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/1416-22-0x000000000040242D-mapping.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Host.exeSolictud_de_cotizacion (3699663-2020).exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	Host.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\NetWire = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe"	Host.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	Solictud_de_cotizacion (3699663-2020).exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\NetWire = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Solictud_de_cotizacion (3699663-2020).exe"	Solictud_de_cotizacion (3699663-2020).exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

Solictud_de_cotizacion (3699663-2020).exeHost.exeSolictud_de_cotizacion (3699663-2020).exe

description	pid	process	target process
PID 1612 set thread context of 1056	1612	Solictud_de_cotizacion (3699663-2020).exe	Solictud_de_cotizacion (3699663-2020).exe
PID 1716 set thread context of 1888	1716	Host.exe	Host.exe
PID 1776 set thread context of 1416	1776	Solictud_de_cotizacion (3699663-2020).exe	Solictud_de_cotizacion (3699663-2020).exe

Loads dropped DLL 2 IoCs

Processes:

Solictud_de_cotizacion (3699663-2020).exe

pid process

1056 Solictud_de_cotizacion (3699663-2020).exe
1056 Solictud_de_cotizacion (3699663-2020).exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

AcroRd32.exe

pid process

1072 AcroRd32.exe
1072 AcroRd32.exe
1072 AcroRd32.exe
1072 AcroRd32.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

1072 AcroRd32.exe

pid	process
1056	Solictud_de_cotizacion (3699663-2020).exe
1056	Solictud_de_cotizacion (3699663-2020).exe

pid	process
1072	AcroRd32.exe
1072	AcroRd32.exe
1072	AcroRd32.exe
1072	AcroRd32.exe

pid	process
1072	AcroRd32.exe

C:\Users\Admin\AppData\Local\Temp\Solictud_de_cotizacion (3699663-2020).exe
"C:\Users\Admin\AppData\Local\Temp\Solictud_de_cotizacion (3699663-2020).exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:1612

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Orden.pdf"
2⤵
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: GetForegroundWindowSpam
PID:1072

C:\Users\Admin\AppData\Local\Temp\Solictud_de_cotizacion (3699663-2020).exe
"C:\Users\Admin\AppData\Local\Temp\Solictud_de_cotizacion (3699663-2020).exe"
2⤵
- Suspicious use of WriteProcessMemory
- Loads dropped DLL
PID:1056

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1716

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Orden.pdf"
4⤵
PID:1860

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1888

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe" 2 1888 67985
4⤵
- Suspicious behavior: EnumeratesProcesses
- Executes dropped EXE
PID:1948

C:\Users\Admin\AppData\Local\Temp\Solictud_de_cotizacion (3699663-2020).exe
"C:\Users\Admin\AppData\Local\Temp\Solictud_de_cotizacion (3699663-2020).exe" 2 1056 67236
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1540

C:\Users\Admin\AppData\Local\Temp\Solictud_de_cotizacion (3699663-2020).exe
"C:\Users\Admin\AppData\Local\Temp\Solictud_de_cotizacion (3699663-2020).exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:1776

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Orden.pdf"
4⤵
PID:1872

C:\Users\Admin\AppData\Local\Temp\Solictud_de_cotizacion (3699663-2020).exe
"C:\Users\Admin\AppData\Local\Temp\Solictud_de_cotizacion (3699663-2020).exe"
4⤵
- Adds Run key to start application
PID:1416

C:\Users\Admin\AppData\Local\Temp\Solictud_de_cotizacion (3699663-2020).exe
"C:\Users\Admin\AppData\Local\Temp\Solictud_de_cotizacion (3699663-2020).exe" 2 1416 68156
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1972

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Orden.pdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Orden.pdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Orden.pdf

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe

Download Submit
\Users\Admin\AppData\Roaming\Install\Host.exe

Download Submit
\Users\Admin\AppData\Roaming\Install\Host.exe

Download Submit
memory/1056-2-0x000000000040242D-mapping.dmp

Download
memory/1056-4-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1056-1-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1072-0-0x0000000000000000-mapping.dmp

Download
memory/1416-22-0x000000000040242D-mapping.dmp

Download
memory/1540-3-0x0000000000000000-mapping.dmp

Download
memory/1716-7-0x0000000000000000-mapping.dmp

Download
memory/1776-9-0x0000000000000000-mapping.dmp

Download
memory/1860-12-0x0000000000000000-mapping.dmp

Download
memory/1872-13-0x0000000000000000-mapping.dmp

Download
memory/1888-19-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1888-16-0x000000000040242D-mapping.dmp

Download
memory/1948-20-0x0000000000000000-mapping.dmp

Download
memory/1972-24-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads