netwire | ac5172fa3b434962c4f2e12b9c47dfd29a939b1d15c358ead485c4843ae065aa

General

Target

X2.exe
Size

1.8MB
MD5

36f108b320d0b177b1fb3e20fb917cb1
SHA1

a3a40037b451c4d25758eec72009e703f1f80534
SHA256

ac5172fa3b434962c4f2e12b9c47dfd29a939b1d15c358ead485c4843ae065aa
SHA512

9e97b0984a711244e5783dd772490a12858557a4c4dc677f5f1189e92d4232db48e5e56471fd0af3e78b2cd801ac34df4b71bceba84d26fe76e3b15ae109bd62

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Signatures

NetWire RAT payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/648-5-0x0000000007B00000-0x0000000008153000-memory.dmp	netwire
behavioral2/memory/2388-9-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral2/memory/2388-10-0x000000000040242D-mapping.dmp	netwire
behavioral2/memory/2388-11-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral2/memory/2112-23-0x000000000040242D-mapping.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 3 IoCs

Processes:

WindowsDefenderUpdater.exeWindowsDefenderUpdater.exetmp8A8D.tmp.exe

pid process

636 WindowsDefenderUpdater.exe
2112 WindowsDefenderUpdater.exe
3892 tmp8A8D.tmp.exe

pid	process
636	WindowsDefenderUpdater.exe
2112	WindowsDefenderUpdater.exe
3892	tmp8A8D.tmp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

X2.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefenderUpdater.exe = "C:\\ProgramData\\WindowsDefenderUpdater.exe"	X2.exe

JavaScript code in executable 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\tmp8A8D.tmp.exe	js

Suspicious use of SetThreadContext 2 IoCs

Processes:

X2.exeWindowsDefenderUpdater.exe

description	pid	process	target process
PID 648 set thread context of 2388	648	X2.exe	X2.exe
PID 636 set thread context of 2112	636	WindowsDefenderUpdater.exe	WindowsDefenderUpdater.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

X2.exeWindowsDefenderUpdater.exe

description	pid	process	target process
PID 648 wrote to memory of 2388	648	X2.exe	X2.exe
PID 648 wrote to memory of 2388	648	X2.exe	X2.exe
PID 648 wrote to memory of 2388	648	X2.exe	X2.exe
PID 648 wrote to memory of 2388	648	X2.exe	X2.exe
PID 648 wrote to memory of 2388	648	X2.exe	X2.exe
PID 648 wrote to memory of 2388	648	X2.exe	X2.exe
PID 648 wrote to memory of 2388	648	X2.exe	X2.exe
PID 648 wrote to memory of 2388	648	X2.exe	X2.exe
PID 648 wrote to memory of 2388	648	X2.exe	X2.exe
PID 648 wrote to memory of 2388	648	X2.exe	X2.exe
PID 648 wrote to memory of 2388	648	X2.exe	X2.exe
PID 648 wrote to memory of 636	648	X2.exe	WindowsDefenderUpdater.exe
PID 648 wrote to memory of 636	648	X2.exe	WindowsDefenderUpdater.exe
PID 648 wrote to memory of 636	648	X2.exe	WindowsDefenderUpdater.exe
PID 636 wrote to memory of 2112	636	WindowsDefenderUpdater.exe	WindowsDefenderUpdater.exe
PID 636 wrote to memory of 2112	636	WindowsDefenderUpdater.exe	WindowsDefenderUpdater.exe
PID 636 wrote to memory of 2112	636	WindowsDefenderUpdater.exe	WindowsDefenderUpdater.exe
PID 636 wrote to memory of 2112	636	WindowsDefenderUpdater.exe	WindowsDefenderUpdater.exe
PID 636 wrote to memory of 2112	636	WindowsDefenderUpdater.exe	WindowsDefenderUpdater.exe
PID 636 wrote to memory of 2112	636	WindowsDefenderUpdater.exe	WindowsDefenderUpdater.exe
PID 636 wrote to memory of 2112	636	WindowsDefenderUpdater.exe	WindowsDefenderUpdater.exe
PID 636 wrote to memory of 2112	636	WindowsDefenderUpdater.exe	WindowsDefenderUpdater.exe
PID 636 wrote to memory of 2112	636	WindowsDefenderUpdater.exe	WindowsDefenderUpdater.exe
PID 636 wrote to memory of 2112	636	WindowsDefenderUpdater.exe	WindowsDefenderUpdater.exe
PID 636 wrote to memory of 2112	636	WindowsDefenderUpdater.exe	WindowsDefenderUpdater.exe

C:\Users\Admin\AppData\Local\Temp\X2.exe
"C:\Users\Admin\AppData\Local\Temp\X2.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:648

C:\Users\Admin\AppData\Local\Temp\X2.exe
"C:\Users\Admin\AppData\Local\Temp\X2.exe"
2⤵
PID:2388

C:\ProgramData\WindowsDefenderUpdater.exe
"C:\ProgramData\WindowsDefenderUpdater.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:636

C:\ProgramData\WindowsDefenderUpdater.exe
"C:\ProgramData\WindowsDefenderUpdater.exe"
3⤵
- Executes dropped EXE
PID:2112

C:\Users\Admin\AppData\Local\Temp\tmp8A8D.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp8A8D.tmp.exe"
3⤵
- Executes dropped EXE
PID:3892

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\WindowsDefenderUpdater.exe
MD5
36f108b320d0b177b1fb3e20fb917cb1

SHA1
a3a40037b451c4d25758eec72009e703f1f80534

SHA256
ac5172fa3b434962c4f2e12b9c47dfd29a939b1d15c358ead485c4843ae065aa

SHA512
9e97b0984a711244e5783dd772490a12858557a4c4dc677f5f1189e92d4232db48e5e56471fd0af3e78b2cd801ac34df4b71bceba84d26fe76e3b15ae109bd62

Download Submit
C:\ProgramData\WindowsDefenderUpdater.exe
MD5
36f108b320d0b177b1fb3e20fb917cb1

SHA1
a3a40037b451c4d25758eec72009e703f1f80534

SHA256
ac5172fa3b434962c4f2e12b9c47dfd29a939b1d15c358ead485c4843ae065aa

SHA512
9e97b0984a711244e5783dd772490a12858557a4c4dc677f5f1189e92d4232db48e5e56471fd0af3e78b2cd801ac34df4b71bceba84d26fe76e3b15ae109bd62

Download Submit
C:\ProgramData\WindowsDefenderUpdater.exe
MD5
36f108b320d0b177b1fb3e20fb917cb1

SHA1
a3a40037b451c4d25758eec72009e703f1f80534

SHA256
ac5172fa3b434962c4f2e12b9c47dfd29a939b1d15c358ead485c4843ae065aa

SHA512
9e97b0984a711244e5783dd772490a12858557a4c4dc677f5f1189e92d4232db48e5e56471fd0af3e78b2cd801ac34df4b71bceba84d26fe76e3b15ae109bd62

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8A8D.tmp.exe
MD5
2e0385c717b435d1614c025465325343

SHA1
868299f19bf85a53586f29532680143b250ced96

SHA256
45efc02dded7360d03dd32e16ab04a06ced012605f85ef187e63357c89cb6d61

SHA512
1b84e45aefed2abc921f61da93fd65b9971bb38b0b54b5793271c1150ecabfa9ec7afa4dce1622e2c5f67cf7b76e40c5a008694b267190f2d693f0a1b3333e98

Download Submit
memory/636-26-0x0000000007AF0000-0x0000000007AF1000-memory.dmp

Filesize
4KB

Download
memory/636-16-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/636-15-0x0000000073E00000-0x00000000744EE000-memory.dmp

Filesize
6.9MB

Download
memory/636-12-0x0000000000000000-mapping.dmp

Download
memory/648-7-0x0000000008300000-0x0000000008301000-memory.dmp

Filesize
4KB

Download
memory/648-8-0x00000000088A0000-0x00000000088A1000-memory.dmp

Filesize
4KB

Download
memory/648-2-0x0000000073E00000-0x00000000744EE000-memory.dmp

Filesize
6.9MB

Download
memory/648-6-0x0000000002F50000-0x0000000002F6D000-memory.dmp

Filesize
116KB

Download
memory/648-5-0x0000000007B00000-0x0000000008153000-memory.dmp

Filesize
6.3MB

Download
memory/648-3-0x0000000000A70000-0x0000000000A71000-memory.dmp

Filesize
4KB

Download
memory/2112-23-0x000000000040242D-mapping.dmp

Download
memory/2388-11-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2388-10-0x000000000040242D-mapping.dmp

Download
memory/2388-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads