Analysis
- max time kernel: 93s
- max time network: 135s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 21-07-2021 12:57
Behavioral task: behavioral1
- Sample: netwire.exe
- Resource: win7v20210410
Behavioral task: behavioral2
- Sample: netwire.exe
- Resource: win10v20210408
General
- Target: netwire.exe
- Size: 160KB
- MD5: d6767cc7cdce715557846a82d03f5d9a
- SHA1: 7abd865e995f2814acf232f6526724a1492908dc
- SHA256: bddb7252c2d691e0888558115054bf0643132547fd69aab2704a6f2d0d4c310b
- SHA512: 669095b6a2197bd6d6eb0396f1cb4713d6b01639792fbc410b7ed1e3bd4ce1f336da29d8796d6f4b6a24f3e3a14fc17c60241adfcebd4e4a8e0ab0cc3d87092c
Malware Config
Extracted: netwire
C2 (host:port):
- 185.244.30.43:1776
- 185.244.30.43:1660
Configuration:
- activex_autorun: false
- activex_key:
- copy_executable: true
- delete_original: false
- host_id: HostId-%Rand%
- install_path: %AppData%\Install\Host.exe
- keylogger_dir: %AppData%\Logs\
- lock_executable: false
- mutex: tGWLMrlt
- offline_keylogger: true
- password: vk12345
- registry_autorun: true
- startup_name: Firefoxx
- use_mutex: true
Signatures
- NetWire RAT payload (2 IoCs)
  Processes (resource, yara_rule):
  - C:\Users\Admin\AppData\Roaming\Install\Host.exe, netwire
  - C:\Users\Admin\AppData\Roaming\Install\Host.exe, netwire
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
  - 3280, Host.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description, ioc, process):
  - Key created: \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ (Host.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Firefoxx = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe" (Host.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description, pid, process, target process):
  - PID 640 wrote to memory of 3280: 640, netwire.exe, Host.exe
  - PID 640 wrote to memory of 3280: 640, netwire.exe, Host.exe
  - PID 640 wrote to memory of 3280: 640, netwire.exe, Host.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\netwire.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\netwire.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Install\Host.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
    - Executes dropped EXE
    - Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Install\Host.exe
  MD5: d6767cc7cdce715557846a82d03f5d9a
  SHA1: 7abd865e995f2814acf232f6526724a1492908dc
  SHA256: bddb7252c2d691e0888558115054bf0643132547fd69aab2704a6f2d0d4c310b
  SHA512: 669095b6a2197bd6d6eb0396f1cb4713d6b01639792fbc410b7ed1e3bd4ce1f336da29d8796d6f4b6a24f3e3a14fc17c60241adfcebd4e4a8e0ab0cc3d87092c
- memory/3280-114-0x0000000000000000-mapping.dmp