netwire | ac5172fa3b434962c4f2e12b9c47dfd29a939b1d15c358ead485c4843ae065aa

General

Target

36f108b320d0b177b1fb3e20fb917cb1.exe
Size

1.8MB
MD5

36f108b320d0b177b1fb3e20fb917cb1
SHA1

a3a40037b451c4d25758eec72009e703f1f80534
SHA256

ac5172fa3b434962c4f2e12b9c47dfd29a939b1d15c358ead485c4843ae065aa
SHA512

9e97b0984a711244e5783dd772490a12858557a4c4dc677f5f1189e92d4232db48e5e56471fd0af3e78b2cd801ac34df4b71bceba84d26fe76e3b15ae109bd62

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Signatures

NetWire RAT payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/932-5-0x0000000007110000-0x0000000007763000-memory.dmp	netwire
behavioral1/memory/1236-7-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/1236-8-0x000000000040242D-mapping.dmp	netwire
behavioral1/memory/1236-9-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/556-21-0x000000000040242D-mapping.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 3 IoCs

Processes:

WindowsDefenderUpdater.exeWindowsDefenderUpdater.exetmpD69.tmp.exe

pid process

920 WindowsDefenderUpdater.exe
556 WindowsDefenderUpdater.exe
1208 tmpD69.tmp.exe
Loads dropped DLL 3 IoCs

Processes:

36f108b320d0b177b1fb3e20fb917cb1.exeWindowsDefenderUpdater.exe

pid process

932 36f108b320d0b177b1fb3e20fb917cb1.exe
920 WindowsDefenderUpdater.exe
920 WindowsDefenderUpdater.exe

pid	process
920	WindowsDefenderUpdater.exe
556	WindowsDefenderUpdater.exe
1208	tmpD69.tmp.exe

pid	process
932	36f108b320d0b177b1fb3e20fb917cb1.exe
920	WindowsDefenderUpdater.exe
920	WindowsDefenderUpdater.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

36f108b320d0b177b1fb3e20fb917cb1.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefenderUpdater.exe = "C:\\ProgramData\\WindowsDefenderUpdater.exe"	36f108b320d0b177b1fb3e20fb917cb1.exe

JavaScript code in executable 2 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\tmpD69.tmp.exe	js
C:\Users\Admin\AppData\Local\Temp\tmpD69.tmp.exe	js

Suspicious use of SetThreadContext 2 IoCs

Processes:

36f108b320d0b177b1fb3e20fb917cb1.exeWindowsDefenderUpdater.exe

description	pid	process	target process
PID 932 set thread context of 1236	932	36f108b320d0b177b1fb3e20fb917cb1.exe	36f108b320d0b177b1fb3e20fb917cb1.exe
PID 920 set thread context of 556	920	WindowsDefenderUpdater.exe	WindowsDefenderUpdater.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

36f108b320d0b177b1fb3e20fb917cb1.exeWindowsDefenderUpdater.exe

description	pid	process	target process
PID 932 wrote to memory of 1236	932	36f108b320d0b177b1fb3e20fb917cb1.exe	36f108b320d0b177b1fb3e20fb917cb1.exe
PID 932 wrote to memory of 1236	932	36f108b320d0b177b1fb3e20fb917cb1.exe	36f108b320d0b177b1fb3e20fb917cb1.exe
PID 932 wrote to memory of 1236	932	36f108b320d0b177b1fb3e20fb917cb1.exe	36f108b320d0b177b1fb3e20fb917cb1.exe
PID 932 wrote to memory of 1236	932	36f108b320d0b177b1fb3e20fb917cb1.exe	36f108b320d0b177b1fb3e20fb917cb1.exe
PID 932 wrote to memory of 1236	932	36f108b320d0b177b1fb3e20fb917cb1.exe	36f108b320d0b177b1fb3e20fb917cb1.exe
PID 932 wrote to memory of 1236	932	36f108b320d0b177b1fb3e20fb917cb1.exe	36f108b320d0b177b1fb3e20fb917cb1.exe
PID 932 wrote to memory of 1236	932	36f108b320d0b177b1fb3e20fb917cb1.exe	36f108b320d0b177b1fb3e20fb917cb1.exe
PID 932 wrote to memory of 1236	932	36f108b320d0b177b1fb3e20fb917cb1.exe	36f108b320d0b177b1fb3e20fb917cb1.exe
PID 932 wrote to memory of 1236	932	36f108b320d0b177b1fb3e20fb917cb1.exe	36f108b320d0b177b1fb3e20fb917cb1.exe
PID 932 wrote to memory of 1236	932	36f108b320d0b177b1fb3e20fb917cb1.exe	36f108b320d0b177b1fb3e20fb917cb1.exe
PID 932 wrote to memory of 1236	932	36f108b320d0b177b1fb3e20fb917cb1.exe	36f108b320d0b177b1fb3e20fb917cb1.exe
PID 932 wrote to memory of 1236	932	36f108b320d0b177b1fb3e20fb917cb1.exe	36f108b320d0b177b1fb3e20fb917cb1.exe
PID 932 wrote to memory of 920	932	36f108b320d0b177b1fb3e20fb917cb1.exe	WindowsDefenderUpdater.exe
PID 932 wrote to memory of 920	932	36f108b320d0b177b1fb3e20fb917cb1.exe	WindowsDefenderUpdater.exe
PID 932 wrote to memory of 920	932	36f108b320d0b177b1fb3e20fb917cb1.exe	WindowsDefenderUpdater.exe
PID 932 wrote to memory of 920	932	36f108b320d0b177b1fb3e20fb917cb1.exe	WindowsDefenderUpdater.exe
PID 932 wrote to memory of 920	932	36f108b320d0b177b1fb3e20fb917cb1.exe	WindowsDefenderUpdater.exe
PID 932 wrote to memory of 920	932	36f108b320d0b177b1fb3e20fb917cb1.exe	WindowsDefenderUpdater.exe
PID 932 wrote to memory of 920	932	36f108b320d0b177b1fb3e20fb917cb1.exe	WindowsDefenderUpdater.exe
PID 920 wrote to memory of 556	920	WindowsDefenderUpdater.exe	WindowsDefenderUpdater.exe
PID 920 wrote to memory of 556	920	WindowsDefenderUpdater.exe	WindowsDefenderUpdater.exe
PID 920 wrote to memory of 556	920	WindowsDefenderUpdater.exe	WindowsDefenderUpdater.exe
PID 920 wrote to memory of 556	920	WindowsDefenderUpdater.exe	WindowsDefenderUpdater.exe
PID 920 wrote to memory of 556	920	WindowsDefenderUpdater.exe	WindowsDefenderUpdater.exe
PID 920 wrote to memory of 556	920	WindowsDefenderUpdater.exe	WindowsDefenderUpdater.exe
PID 920 wrote to memory of 556	920	WindowsDefenderUpdater.exe	WindowsDefenderUpdater.exe
PID 920 wrote to memory of 556	920	WindowsDefenderUpdater.exe	WindowsDefenderUpdater.exe
PID 920 wrote to memory of 556	920	WindowsDefenderUpdater.exe	WindowsDefenderUpdater.exe
PID 920 wrote to memory of 556	920	WindowsDefenderUpdater.exe	WindowsDefenderUpdater.exe
PID 920 wrote to memory of 556	920	WindowsDefenderUpdater.exe	WindowsDefenderUpdater.exe
PID 920 wrote to memory of 556	920	WindowsDefenderUpdater.exe	WindowsDefenderUpdater.exe
PID 920 wrote to memory of 556	920	WindowsDefenderUpdater.exe	WindowsDefenderUpdater.exe
PID 920 wrote to memory of 556	920	WindowsDefenderUpdater.exe	WindowsDefenderUpdater.exe
PID 920 wrote to memory of 556	920	WindowsDefenderUpdater.exe	WindowsDefenderUpdater.exe
PID 920 wrote to memory of 1208	920	WindowsDefenderUpdater.exe	tmpD69.tmp.exe
PID 920 wrote to memory of 1208	920	WindowsDefenderUpdater.exe	tmpD69.tmp.exe
PID 920 wrote to memory of 1208	920	WindowsDefenderUpdater.exe	tmpD69.tmp.exe
PID 920 wrote to memory of 1208	920	WindowsDefenderUpdater.exe	tmpD69.tmp.exe

C:\Users\Admin\AppData\Local\Temp\36f108b320d0b177b1fb3e20fb917cb1.exe
"C:\Users\Admin\AppData\Local\Temp\36f108b320d0b177b1fb3e20fb917cb1.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:932

C:\Users\Admin\AppData\Local\Temp\36f108b320d0b177b1fb3e20fb917cb1.exe
"C:\Users\Admin\AppData\Local\Temp\36f108b320d0b177b1fb3e20fb917cb1.exe"
2⤵
PID:1236

C:\ProgramData\WindowsDefenderUpdater.exe
"C:\ProgramData\WindowsDefenderUpdater.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:920

C:\ProgramData\WindowsDefenderUpdater.exe
"C:\ProgramData\WindowsDefenderUpdater.exe"
3⤵
- Executes dropped EXE
PID:556

C:\Users\Admin\AppData\Local\Temp\tmpD69.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpD69.tmp.exe"
3⤵
- Executes dropped EXE
PID:1208

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\WindowsDefenderUpdater.exe
MD5
36f108b320d0b177b1fb3e20fb917cb1

SHA1
a3a40037b451c4d25758eec72009e703f1f80534

SHA256
ac5172fa3b434962c4f2e12b9c47dfd29a939b1d15c358ead485c4843ae065aa

SHA512
9e97b0984a711244e5783dd772490a12858557a4c4dc677f5f1189e92d4232db48e5e56471fd0af3e78b2cd801ac34df4b71bceba84d26fe76e3b15ae109bd62

Download Submit
C:\ProgramData\WindowsDefenderUpdater.exe
MD5
36f108b320d0b177b1fb3e20fb917cb1

SHA1
a3a40037b451c4d25758eec72009e703f1f80534

SHA256
ac5172fa3b434962c4f2e12b9c47dfd29a939b1d15c358ead485c4843ae065aa

SHA512
9e97b0984a711244e5783dd772490a12858557a4c4dc677f5f1189e92d4232db48e5e56471fd0af3e78b2cd801ac34df4b71bceba84d26fe76e3b15ae109bd62

Download Submit
C:\ProgramData\WindowsDefenderUpdater.exe
MD5
36f108b320d0b177b1fb3e20fb917cb1

SHA1
a3a40037b451c4d25758eec72009e703f1f80534

SHA256
ac5172fa3b434962c4f2e12b9c47dfd29a939b1d15c358ead485c4843ae065aa

SHA512
9e97b0984a711244e5783dd772490a12858557a4c4dc677f5f1189e92d4232db48e5e56471fd0af3e78b2cd801ac34df4b71bceba84d26fe76e3b15ae109bd62

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD69.tmp.exe
MD5
2e0385c717b435d1614c025465325343

SHA1
868299f19bf85a53586f29532680143b250ced96

SHA256
45efc02dded7360d03dd32e16ab04a06ced012605f85ef187e63357c89cb6d61

SHA512
1b84e45aefed2abc921f61da93fd65b9971bb38b0b54b5793271c1150ecabfa9ec7afa4dce1622e2c5f67cf7b76e40c5a008694b267190f2d693f0a1b3333e98

Download Submit
\ProgramData\WindowsDefenderUpdater.exe
MD5
36f108b320d0b177b1fb3e20fb917cb1

SHA1
a3a40037b451c4d25758eec72009e703f1f80534

SHA256
ac5172fa3b434962c4f2e12b9c47dfd29a939b1d15c358ead485c4843ae065aa

SHA512
9e97b0984a711244e5783dd772490a12858557a4c4dc677f5f1189e92d4232db48e5e56471fd0af3e78b2cd801ac34df4b71bceba84d26fe76e3b15ae109bd62

Download Submit
\ProgramData\WindowsDefenderUpdater.exe
MD5
36f108b320d0b177b1fb3e20fb917cb1

SHA1
a3a40037b451c4d25758eec72009e703f1f80534

SHA256
ac5172fa3b434962c4f2e12b9c47dfd29a939b1d15c358ead485c4843ae065aa

SHA512
9e97b0984a711244e5783dd772490a12858557a4c4dc677f5f1189e92d4232db48e5e56471fd0af3e78b2cd801ac34df4b71bceba84d26fe76e3b15ae109bd62

Download Submit
\Users\Admin\AppData\Local\Temp\tmpD69.tmp.exe
MD5
2e0385c717b435d1614c025465325343

SHA1
868299f19bf85a53586f29532680143b250ced96

SHA256
45efc02dded7360d03dd32e16ab04a06ced012605f85ef187e63357c89cb6d61

SHA512
1b84e45aefed2abc921f61da93fd65b9971bb38b0b54b5793271c1150ecabfa9ec7afa4dce1622e2c5f67cf7b76e40c5a008694b267190f2d693f0a1b3333e98

Download Submit
memory/556-21-0x000000000040242D-mapping.dmp

Download
memory/920-15-0x00000000009F0000-0x00000000009F1000-memory.dmp

Filesize
4KB

Download
memory/920-11-0x0000000000000000-mapping.dmp

Download
memory/920-14-0x0000000074120000-0x000000007480E000-memory.dmp

Filesize
6.9MB

Download
memory/932-2-0x0000000074120000-0x000000007480E000-memory.dmp

Filesize
6.9MB

Download
memory/932-6-0x00000000002F0000-0x000000000030D000-memory.dmp

Filesize
116KB

Download
memory/932-5-0x0000000007110000-0x0000000007763000-memory.dmp

Filesize
6.3MB

Download
memory/932-3-0x0000000001130000-0x0000000001131000-memory.dmp

Filesize
4KB

Download
memory/1208-25-0x0000000000000000-mapping.dmp

Download
memory/1236-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1236-8-0x000000000040242D-mapping.dmp

Download
memory/1236-7-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads