netwire | 9a0550bcf1c770a3febe17adb59aa91717654e4d660fca29bd7ccff14da6256f

General

Target

KR033172A562700243.PDF.exe
Size

789KB
MD5

5ca9ea11f89e982fc93ad12e656648a8
SHA1

0d0bd9cb9549638218db8c3442a3047e25ffc9a9
SHA256

9a0550bcf1c770a3febe17adb59aa91717654e4d660fca29bd7ccff14da6256f
SHA512

cd4f2d1ba153dea1d28a12d9566fdf5bb183ba795584b7e6dc049cb5e4fb1c007fa6581c1cec77f0c0917b9050300dc54213fdc877ab5c69905237dd8dff8262

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

C2

194.156.90.31:5008

Attributes

activex_autorun
false
activex_key
copy_executable
false
delete_original
false
host_id
APRL-WORK
install_path
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
offline_keylogger
true
password
Password
registry_autorun
false
startup_name
use_mutex
false

Signatures

NetWire RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2772-126-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral2/memory/2772-127-0x000000000040242D-mapping.dmp	netwire
behavioral2/memory/2772-128-0x0000000000400000-0x0000000000433000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Suspicious use of SetThreadContext 1 IoCs

Processes:

KR033172A562700243.PDF.exe

description	pid	Process	procid_target
PID 512 set thread context of 2772	512	KR033172A562700243.PDF.exe	82

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exe

pid	Process
4016	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

KR033172A562700243.PDF.exe

pid	Process
512	KR033172A562700243.PDF.exe
512	KR033172A562700243.PDF.exe
512	KR033172A562700243.PDF.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

KR033172A562700243.PDF.exe

description	pid	Process
Token: SeDebugPrivilege	512	KR033172A562700243.PDF.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

KR033172A562700243.PDF.exe

description	pid	Process	procid_target
PID 512 wrote to memory of 4016	512	KR033172A562700243.PDF.exe	79
PID 512 wrote to memory of 4016	512	KR033172A562700243.PDF.exe	79
PID 512 wrote to memory of 4016	512	KR033172A562700243.PDF.exe	79
PID 512 wrote to memory of 2728	512	KR033172A562700243.PDF.exe	81
PID 512 wrote to memory of 2728	512	KR033172A562700243.PDF.exe	81
PID 512 wrote to memory of 2728	512	KR033172A562700243.PDF.exe	81
PID 512 wrote to memory of 2772	512	KR033172A562700243.PDF.exe	82
PID 512 wrote to memory of 2772	512	KR033172A562700243.PDF.exe	82
PID 512 wrote to memory of 2772	512	KR033172A562700243.PDF.exe	82
PID 512 wrote to memory of 2772	512	KR033172A562700243.PDF.exe	82
PID 512 wrote to memory of 2772	512	KR033172A562700243.PDF.exe	82
PID 512 wrote to memory of 2772	512	KR033172A562700243.PDF.exe	82
PID 512 wrote to memory of 2772	512	KR033172A562700243.PDF.exe	82
PID 512 wrote to memory of 2772	512	KR033172A562700243.PDF.exe	82
PID 512 wrote to memory of 2772	512	KR033172A562700243.PDF.exe	82
PID 512 wrote to memory of 2772	512	KR033172A562700243.PDF.exe	82
PID 512 wrote to memory of 2772	512	KR033172A562700243.PDF.exe	82

C:\Users\Admin\AppData\Local\Temp\KR033172A562700243.PDF.exe
"C:\Users\Admin\AppData\Local\Temp\KR033172A562700243.PDF.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:512
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qZYahesl" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7EEA.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:4016
- C:\Users\Admin\AppData\Local\Temp\KR033172A562700243.PDF.exe
  "{path}"
  2⤵
  PID:2728
- C:\Users\Admin\AppData\Local\Temp\KR033172A562700243.PDF.exe
  "{path}"
  2⤵
  PID:2772

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp7EEA.tmp

MD5
0e6bc0c8be74ddebc8e30c44e7cac2fc

SHA1
0f5b45070bd18ad2fc87183a3f685e8937a6f753

SHA256
a86f67266049224a7a5c1eb4be6489543db2848038df683c38e686f7002b13df

SHA512
66282a7d2e39d74c0950e68f12286e249452378e3f5af30f15db519bb2d5bdc479ec59ead12c5c3f276eaaddd3285adf5a15081030f8de33c7fa5c7671c613bd

Download Submit
memory/512-121-0x0000000006A60000-0x0000000006A61000-memory.dmp

Filesize
4KB

Download
memory/512-117-0x0000000004FC0000-0x0000000004FC1000-memory.dmp

Filesize
4KB

Download
memory/512-118-0x0000000005120000-0x0000000005121000-memory.dmp

Filesize
4KB

Download
memory/512-119-0x0000000004EF0000-0x0000000004F82000-memory.dmp

Filesize
584KB

Download
memory/512-120-0x00000000054A0000-0x00000000054AE000-memory.dmp

Filesize
56KB

Download
memory/512-114-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/512-122-0x00000000086F0000-0x00000000087AD000-memory.dmp

Filesize
756KB

Download
memory/512-123-0x000000000AEA0000-0x000000000AF19000-memory.dmp

Filesize
484KB

Download
memory/512-116-0x00000000054C0000-0x00000000054C1000-memory.dmp

Filesize
4KB

Download
memory/2772-126-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2772-127-0x000000000040242D-mapping.dmp

Download
memory/2772-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4016-124-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads