Analysis
max time kernel: 80s
max time network: 111s
platform: windows7_x64
resource: win7v20210410
submitted: 21-07-2021 12:57
Behavioral task behavioral1: sample netwire.exe, resource win7v20210410
Behavioral task behavioral2: sample netwire.exe, resource win10v20210408
General
Target: netwire.exe
Size: 160KB
MD5: d6767cc7cdce715557846a82d03f5d9a
SHA1: 7abd865e995f2814acf232f6526724a1492908dc
SHA256: bddb7252c2d691e0888558115054bf0643132547fd69aab2704a6f2d0d4c310b
SHA512: 669095b6a2197bd6d6eb0396f1cb4713d6b01639792fbc410b7ed1e3bd4ce1f336da29d8796d6f4b6a24f3e3a14fc17c60241adfcebd4e4a8e0ab0cc3d87092c
Malware Config
Extracted: netwire
185.244.30.43:1776
185.244.30.43:1660
activex_autorun: false
activex_key:
copy_executable: true
delete_original: false
host_id: HostId-%Rand%
install_path: %AppData%\Install\Host.exe
keylogger_dir: %AppData%\Logs\
lock_executable: false
mutex: tGWLMrlt
offline_keylogger: true
password: vk12345
registry_autorun: true
startup_name: Firefoxx
use_mutex: true
Signatures

NetWire RAT payload (3 IoCs)
Processes:
resource | yara_rule
\Users\Admin\AppData\Roaming\Install\Host.exe | netwire
\Users\Admin\AppData\Roaming\Install\Host.exe | netwire
C:\Users\Admin\AppData\Roaming\Install\Host.exe | netwire

Executes dropped EXE (1 IoC)
Processes:
pid | process
1520 | Host.exe

Loads dropped DLL (2 IoCs)
Processes:
pid | process
1724 | netwire.exe
1724 | netwire.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ | Host.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Firefoxx = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe" | Host.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
description | pid | process | target process
PID 1724 wrote to memory of 1520 | 1724 | netwire.exe | Host.exe
PID 1724 wrote to memory of 1520 | 1724 | netwire.exe | Host.exe
PID 1724 wrote to memory of 1520 | 1724 | netwire.exe | Host.exe
PID 1724 wrote to memory of 1520 | 1724 | netwire.exe | Host.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\netwire.exe "C:\Users\Admin\AppData\Local\Temp\netwire.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\Install\Host.exe "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
      - Executes dropped EXE
      - Adds Run key to start application
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

C:\Users\Admin\AppData\Roaming\Install\Host.exe
MD5: d6767cc7cdce715557846a82d03f5d9a
SHA1: 7abd865e995f2814acf232f6526724a1492908dc
SHA256: bddb7252c2d691e0888558115054bf0643132547fd69aab2704a6f2d0d4c310b
SHA512: 669095b6a2197bd6d6eb0396f1cb4713d6b01639792fbc410b7ed1e3bd4ce1f336da29d8796d6f4b6a24f3e3a14fc17c60241adfcebd4e4a8e0ab0cc3d87092c

\Users\Admin\AppData\Roaming\Install\Host.exe
MD5: d6767cc7cdce715557846a82d03f5d9a
SHA1: 7abd865e995f2814acf232f6526724a1492908dc
SHA256: bddb7252c2d691e0888558115054bf0643132547fd69aab2704a6f2d0d4c310b
SHA512: 669095b6a2197bd6d6eb0396f1cb4713d6b01639792fbc410b7ed1e3bd4ce1f336da29d8796d6f4b6a24f3e3a14fc17c60241adfcebd4e4a8e0ab0cc3d87092c

memory/1520-63-0x0000000000000000-mapping.dmp

memory/1724-60-0x0000000075161000-0x0000000075163000-memory.dmp
Filesize: 8KB