netwire | 2dc1258101b1183ad4e08320f15310cad541c900919e98e0816c751fee303306

General

Target

Proof of Payment.exe
Size

919KB
MD5

06eea001fb61532885ae0ce6f95d0b3c
SHA1

0cd7c9f2abdd2558333541762903d2f8328dec96
SHA256

2dc1258101b1183ad4e08320f15310cad541c900919e98e0816c751fee303306
SHA512

1bd704ab322497ffc5212aed7283819253113b4f2e306b0f3a8d1eec2d4cb302d3007c859877284d31c988917c712f652bdede16c7fb489568293c28e3860c21

Score

10^/10

netwire botnet rat stealer

Malware Config

Signatures

NetWire RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/728-13-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral2/memory/728-14-0x000000000040242D-mapping.dmp	netwire
behavioral2/memory/728-15-0x0000000000400000-0x0000000000433000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Suspicious use of SetThreadContext 1 IoCs

Processes:

Proof of Payment.exe

description pid process target process

PID 756 set thread context of 728 756 Proof of Payment.exe Proof of Payment.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1096 schtasks.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

Proof of Payment.exe

pid process

756 Proof of Payment.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Proof of Payment.exe

description pid process

Token: SeDebugPrivilege 756 Proof of Payment.exe

description	pid	process	target process
PID 756 set thread context of 728	756	Proof of Payment.exe	Proof of Payment.exe

pid	process
1096	schtasks.exe

pid	process
756	Proof of Payment.exe

description	pid	process
Token: SeDebugPrivilege	756	Proof of Payment.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

Proof of Payment.exe

description	pid	process	target process
PID 756 wrote to memory of 1096	756	Proof of Payment.exe	schtasks.exe
PID 756 wrote to memory of 1096	756	Proof of Payment.exe	schtasks.exe
PID 756 wrote to memory of 1096	756	Proof of Payment.exe	schtasks.exe
PID 756 wrote to memory of 728	756	Proof of Payment.exe	Proof of Payment.exe
PID 756 wrote to memory of 728	756	Proof of Payment.exe	Proof of Payment.exe
PID 756 wrote to memory of 728	756	Proof of Payment.exe	Proof of Payment.exe
PID 756 wrote to memory of 728	756	Proof of Payment.exe	Proof of Payment.exe
PID 756 wrote to memory of 728	756	Proof of Payment.exe	Proof of Payment.exe
PID 756 wrote to memory of 728	756	Proof of Payment.exe	Proof of Payment.exe
PID 756 wrote to memory of 728	756	Proof of Payment.exe	Proof of Payment.exe
PID 756 wrote to memory of 728	756	Proof of Payment.exe	Proof of Payment.exe
PID 756 wrote to memory of 728	756	Proof of Payment.exe	Proof of Payment.exe
PID 756 wrote to memory of 728	756	Proof of Payment.exe	Proof of Payment.exe
PID 756 wrote to memory of 728	756	Proof of Payment.exe	Proof of Payment.exe

C:\Users\Admin\AppData\Local\Temp\Proof of Payment.exe
"C:\Users\Admin\AppData\Local\Temp\Proof of Payment.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:756

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pmbtKQaVLTRS" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC394.tmp"
2⤵
- Creates scheduled task(s)
PID:1096

C:\Users\Admin\AppData\Local\Temp\Proof of Payment.exe
"{path}"
2⤵
PID:728

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpC394.tmp
MD5
b14631b8db0e1bfa0772b72e56cf605d

SHA1
3ea002ac46506f874a57cb419f3e1d7fe5857c73

SHA256
b49c9f6ac5b01644800802a59c53cd77295c75e6257367cd01811816128204ed

SHA512
fb8f877e4507692f3a969960c63bc4e8f25e02f9c05f432d383bb79a4b03475aea477e64841fe667add786edc370a86b2836b284126a307efb2b9f68bbdacf9e

Download Submit
memory/728-15-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/728-14-0x000000000040242D-mapping.dmp

Download
memory/728-13-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/756-6-0x0000000005650000-0x0000000005651000-memory.dmp

Filesize
4KB

Download
memory/756-8-0x0000000005770000-0x000000000577E000-memory.dmp

Filesize
56KB

Download
memory/756-9-0x00000000062B0000-0x00000000062F6000-memory.dmp

Filesize
280KB

Download
memory/756-10-0x0000000006400000-0x0000000006401000-memory.dmp

Filesize
4KB

Download
memory/756-7-0x00000000056F0000-0x00000000056F1000-memory.dmp

Filesize
4KB

Download
memory/756-2-0x00000000739A0000-0x000000007408E000-memory.dmp

Filesize
6.9MB

Download
memory/756-5-0x0000000005A90000-0x0000000005A91000-memory.dmp

Filesize
4KB

Download
memory/756-3-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/1096-11-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads