netwire | 42949a2f912c87695ebffdd714eae9ae470935a2323f75a937fa3521155b3701

General

Target

Nizi International S.A. #New Order.exe
Size

468KB
MD5

4697f45d7a2c5e60372f8d9548d4b75a
SHA1

ee7ba79d497b776b301a7a233e1b84a325ba07b9
SHA256

42949a2f912c87695ebffdd714eae9ae470935a2323f75a937fa3521155b3701
SHA512

78b32bf01891c31307221223ad91f3a57c99766d80ba39b1d53fd454ff029542d5d094650e31fe7e440e5b99474e778730d131877cd8e8131c25ecbff922cb42

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

C2

sipex2021.ddns.net:8753

Attributes

activex_autorun
false
activex_key
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
install_path
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
offline_keylogger
true
password
Password
registry_autorun
false
startup_name
use_mutex
false

Signatures

NetWire RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/820-72-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/820-73-0x000000000040242D-mapping.dmp	netwire
behavioral1/memory/820-81-0x0000000000400000-0x0000000000433000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 1 IoCs

Processes:

MSBuild.exe

pid process

820 MSBuild.exe
Loads dropped DLL 1 IoCs

Processes:

Nizi International S.A. #New Order.exe

pid process

1040 Nizi International S.A. #New Order.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Nizi International S.A. #New Order.exe

description pid process target process

PID 1040 set thread context of 820 1040 Nizi International S.A. #New Order.exe MSBuild.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Nizi International S.A. #New Order.exepowershell.exe

pid process

1040 Nizi International S.A. #New Order.exe
1040 Nizi International S.A. #New Order.exe
1828 powershell.exe
1828 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Nizi International S.A. #New Order.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1040 Nizi International S.A. #New Order.exe
Token: SeDebugPrivilege 1828 powershell.exe

pid	process
820	MSBuild.exe

pid	process
1040	Nizi International S.A. #New Order.exe

description	pid	process	target process
PID 1040 set thread context of 820	1040	Nizi International S.A. #New Order.exe	MSBuild.exe

pid	process
1040	Nizi International S.A. #New Order.exe
1040	Nizi International S.A. #New Order.exe
1828	powershell.exe
1828	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1040	Nizi International S.A. #New Order.exe
Token: SeDebugPrivilege	1828	powershell.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

Nizi International S.A. #New Order.exeWScript.exe

description	pid	process	target process
PID 1040 wrote to memory of 752	1040	Nizi International S.A. #New Order.exe	WScript.exe
PID 1040 wrote to memory of 752	1040	Nizi International S.A. #New Order.exe	WScript.exe
PID 1040 wrote to memory of 752	1040	Nizi International S.A. #New Order.exe	WScript.exe
PID 1040 wrote to memory of 752	1040	Nizi International S.A. #New Order.exe	WScript.exe
PID 1040 wrote to memory of 820	1040	Nizi International S.A. #New Order.exe	MSBuild.exe
PID 1040 wrote to memory of 820	1040	Nizi International S.A. #New Order.exe	MSBuild.exe
PID 1040 wrote to memory of 820	1040	Nizi International S.A. #New Order.exe	MSBuild.exe
PID 1040 wrote to memory of 820	1040	Nizi International S.A. #New Order.exe	MSBuild.exe
PID 1040 wrote to memory of 820	1040	Nizi International S.A. #New Order.exe	MSBuild.exe
PID 1040 wrote to memory of 820	1040	Nizi International S.A. #New Order.exe	MSBuild.exe
PID 1040 wrote to memory of 820	1040	Nizi International S.A. #New Order.exe	MSBuild.exe
PID 1040 wrote to memory of 820	1040	Nizi International S.A. #New Order.exe	MSBuild.exe
PID 1040 wrote to memory of 820	1040	Nizi International S.A. #New Order.exe	MSBuild.exe
PID 1040 wrote to memory of 820	1040	Nizi International S.A. #New Order.exe	MSBuild.exe
PID 1040 wrote to memory of 820	1040	Nizi International S.A. #New Order.exe	MSBuild.exe
PID 1040 wrote to memory of 820	1040	Nizi International S.A. #New Order.exe	MSBuild.exe
PID 752 wrote to memory of 1828	752	WScript.exe	powershell.exe
PID 752 wrote to memory of 1828	752	WScript.exe	powershell.exe
PID 752 wrote to memory of 1828	752	WScript.exe	powershell.exe
PID 752 wrote to memory of 1828	752	WScript.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\Nizi International S.A. #New Order.exe
"C:\Users\Admin\AppData\Local\Temp\Nizi International S.A. #New Order.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1040

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Xpivccxvyw.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:752

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\chrome\Google\chrome.exe'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1828

C:\Users\Admin\AppData\Local\Temp\MSBuild.exe
C:\Users\Admin\AppData\Local\Temp\MSBuild.exe
2⤵
- Executes dropped EXE
PID:820

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSBuild.exe
MD5
9af17c8393f0970ee5136bd3ffa27001

SHA1
4b285b72c1a11285a25f31f2597e090da6bbc049

SHA256
71d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019

SHA512
b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_Xpivccxvyw.vbs
MD5
dd324fe7f7eb1af18e2f0c011669c28d

SHA1
f1c148fe260963d257eaba866de68ffc09b5ef32

SHA256
192db1efb34c22fc3e03aab1f7c74bcfb263d57a75b25d90e1ea5e078207bb6f

SHA512
57bc4417a7b458833b1a08c9e949102f336725669b970758bc23720257cb33decd95e42b65bcf259997b5c53ab60912433ac91cd9df674bf52a85e9b6cb3ad59

Download Submit
\Users\Admin\AppData\Local\Temp\MSBuild.exe
MD5
9af17c8393f0970ee5136bd3ffa27001

SHA1
4b285b72c1a11285a25f31f2597e090da6bbc049

SHA256
71d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019

SHA512
b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3

Download Submit
memory/752-68-0x0000000000000000-mapping.dmp

Download
memory/752-70-0x0000000074F31000-0x0000000074F33000-memory.dmp

Filesize
8KB

Download
memory/820-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/820-73-0x000000000040242D-mapping.dmp

Download
memory/820-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1040-59-0x00000000008D0000-0x00000000008D1000-memory.dmp

Filesize
4KB

Download
memory/1040-61-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/1040-62-0x0000000000810000-0x0000000000863000-memory.dmp

Filesize
332KB

Download
memory/1040-67-0x0000000004F30000-0x0000000004F91000-memory.dmp

Filesize
388KB

Download
memory/1828-78-0x00000000021B0000-0x00000000021B1000-memory.dmp

Filesize
4KB

Download
memory/1828-87-0x000000007EF30000-0x000000007EF31000-memory.dmp

Filesize
4KB

Download
memory/1828-80-0x0000000004770000-0x0000000004771000-memory.dmp

Filesize
4KB

Download
memory/1828-82-0x00000000047D0000-0x00000000047D1000-memory.dmp

Filesize
4KB

Download
memory/1828-76-0x0000000000000000-mapping.dmp

Download
memory/1828-83-0x00000000047D2000-0x00000000047D3000-memory.dmp

Filesize
4KB

Download
memory/1828-84-0x0000000005240000-0x0000000005241000-memory.dmp

Filesize
4KB

Download
memory/1828-79-0x0000000004810000-0x0000000004811000-memory.dmp

Filesize
4KB

Download
memory/1828-88-0x0000000005660000-0x0000000005661000-memory.dmp

Filesize
4KB

Download
memory/1828-93-0x00000000056B0000-0x00000000056B1000-memory.dmp

Filesize
4KB

Download
memory/1828-94-0x0000000006120000-0x0000000006121000-memory.dmp

Filesize
4KB

Download
memory/1828-101-0x0000000006200000-0x0000000006201000-memory.dmp

Filesize
4KB

Download
memory/1828-102-0x0000000005620000-0x0000000005621000-memory.dmp

Filesize
4KB

Download
memory/1828-116-0x0000000006300000-0x0000000006301000-memory.dmp

Filesize
4KB

Download
memory/1828-117-0x0000000006310000-0x0000000006311000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing