netwire | 9a0550bcf1c770a3febe17adb59aa91717654e4d660fca29bd7ccff14da6256f

Analysis

max time kernel
47s
max time network
98s
platform
windows7_x64
resource
win7v20210408
submitted
21/04/2021, 06:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

KR033172A562700243.PDF.exe
Size

789KB
MD5

5ca9ea11f89e982fc93ad12e656648a8
SHA1

0d0bd9cb9549638218db8c3442a3047e25ffc9a9
SHA256

9a0550bcf1c770a3febe17adb59aa91717654e4d660fca29bd7ccff14da6256f
SHA512

cd4f2d1ba153dea1d28a12d9566fdf5bb183ba795584b7e6dc049cb5e4fb1c007fa6581c1cec77f0c0917b9050300dc54213fdc877ab5c69905237dd8dff8262

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

194.156.90.31:5008

Attributes

activex_autorun
false
activex_key
copy_executable
false
delete_original
false
host_id
APRL-WORK
install_path
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
offline_keylogger
true
password
Password
registry_autorun
false
startup_name
use_mutex
false

Signatures

NetWire RAT payload 3 IoCs

rat

resource	yara_rule
behavioral1/memory/1840-68-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/1840-69-0x000000000040242D-mapping.dmp	netwire
behavioral1/memory/1840-71-0x0000000000400000-0x0000000000433000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1684 set thread context of 1840	1684	KR033172A562700243.PDF.exe	35

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
852	schtasks.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
1684	KR033172A562700243.PDF.exe
1684	KR033172A562700243.PDF.exe
1684	KR033172A562700243.PDF.exe
1684	KR033172A562700243.PDF.exe
1684	KR033172A562700243.PDF.exe
1684	KR033172A562700243.PDF.exe
1684	KR033172A562700243.PDF.exe
1684	KR033172A562700243.PDF.exe
1684	KR033172A562700243.PDF.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1684	KR033172A562700243.PDF.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 852	1684	KR033172A562700243.PDF.exe	29
PID 1684 wrote to memory of 852	1684	KR033172A562700243.PDF.exe	29
PID 1684 wrote to memory of 852	1684	KR033172A562700243.PDF.exe	29
PID 1684 wrote to memory of 852	1684	KR033172A562700243.PDF.exe	29
PID 1684 wrote to memory of 1504	1684	KR033172A562700243.PDF.exe	31
PID 1684 wrote to memory of 1504	1684	KR033172A562700243.PDF.exe	31
PID 1684 wrote to memory of 1504	1684	KR033172A562700243.PDF.exe	31
PID 1684 wrote to memory of 1504	1684	KR033172A562700243.PDF.exe	31
PID 1684 wrote to memory of 1564	1684	KR033172A562700243.PDF.exe	32
PID 1684 wrote to memory of 1564	1684	KR033172A562700243.PDF.exe	32
PID 1684 wrote to memory of 1564	1684	KR033172A562700243.PDF.exe	32
PID 1684 wrote to memory of 1564	1684	KR033172A562700243.PDF.exe	32
PID 1684 wrote to memory of 1708	1684	KR033172A562700243.PDF.exe	33
PID 1684 wrote to memory of 1708	1684	KR033172A562700243.PDF.exe	33
PID 1684 wrote to memory of 1708	1684	KR033172A562700243.PDF.exe	33
PID 1684 wrote to memory of 1708	1684	KR033172A562700243.PDF.exe	33
PID 1684 wrote to memory of 1616	1684	KR033172A562700243.PDF.exe	34
PID 1684 wrote to memory of 1616	1684	KR033172A562700243.PDF.exe	34
PID 1684 wrote to memory of 1616	1684	KR033172A562700243.PDF.exe	34
PID 1684 wrote to memory of 1616	1684	KR033172A562700243.PDF.exe	34
PID 1684 wrote to memory of 1840	1684	KR033172A562700243.PDF.exe	35
PID 1684 wrote to memory of 1840	1684	KR033172A562700243.PDF.exe	35
PID 1684 wrote to memory of 1840	1684	KR033172A562700243.PDF.exe	35
PID 1684 wrote to memory of 1840	1684	KR033172A562700243.PDF.exe	35
PID 1684 wrote to memory of 1840	1684	KR033172A562700243.PDF.exe	35
PID 1684 wrote to memory of 1840	1684	KR033172A562700243.PDF.exe	35
PID 1684 wrote to memory of 1840	1684	KR033172A562700243.PDF.exe	35
PID 1684 wrote to memory of 1840	1684	KR033172A562700243.PDF.exe	35
PID 1684 wrote to memory of 1840	1684	KR033172A562700243.PDF.exe	35
PID 1684 wrote to memory of 1840	1684	KR033172A562700243.PDF.exe	35
PID 1684 wrote to memory of 1840	1684	KR033172A562700243.PDF.exe	35
PID 1684 wrote to memory of 1840	1684	KR033172A562700243.PDF.exe	35

C:\Users\Admin\AppData\Local\Temp\KR033172A562700243.PDF.exe
"C:\Users\Admin\AppData\Local\Temp\KR033172A562700243.PDF.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qZYahesl" /XML "C:\Users\Admin\AppData\Local\Temp\tmp25F8.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:852
- C:\Users\Admin\AppData\Local\Temp\KR033172A562700243.PDF.exe
  "{path}"
  2⤵
  PID:1504
- C:\Users\Admin\AppData\Local\Temp\KR033172A562700243.PDF.exe
  "{path}"
  2⤵
  PID:1564
- C:\Users\Admin\AppData\Local\Temp\KR033172A562700243.PDF.exe
  "{path}"
  2⤵
  PID:1708
- C:\Users\Admin\AppData\Local\Temp\KR033172A562700243.PDF.exe
  "{path}"
  2⤵
  PID:1616
- C:\Users\Admin\AppData\Local\Temp\KR033172A562700243.PDF.exe
  "{path}"
  2⤵
  PID:1840

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1684-60-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/1684-62-0x0000000004AA0000-0x0000000004AA1000-memory.dmp

Filesize
4KB

Download
memory/1684-63-0x0000000000630000-0x000000000063E000-memory.dmp

Filesize
56KB

Download
memory/1684-64-0x0000000007EA0000-0x0000000007F5D000-memory.dmp

Filesize
756KB

Download
memory/1684-65-0x0000000005230000-0x00000000052A9000-memory.dmp

Filesize
484KB

Download
memory/1840-68-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1840-70-0x0000000075B31000-0x0000000075B33000-memory.dmp

Filesize
8KB

Download
memory/1840-71-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download