netwire | c539c08e04ef8ab4ee18e69ab3346214ffcbfd262679c558f7b5ca651767d61d

General

Target

D1682AA725C47B89C2066CFEAA8B3B55.exe
Size

793KB
MD5

d1682aa725c47b89c2066cfeaa8b3b55
SHA1

c802cfd2f442200bafaf6a5fbeb70f52ee846bb2
SHA256

c539c08e04ef8ab4ee18e69ab3346214ffcbfd262679c558f7b5ca651767d61d
SHA512

f33216e03bbbb28c6238c903eec0871d6ed4cf7ebe15ebd5ac0dbfd9c468e661e1ec3a9010c571b45176a549f15055b7b85e98c5a35ece4a5f22ed311943b43f

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

C2

nozomi.takanome.io:9030

hikari.takanome.io:9030

Attributes

activex_autorun
false
activex_key
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
install_path
keylogger_dir
%AppData%\Syslog\
lock_executable
false
mutex
offline_keylogger
true
password
Jtenike70+
registry_autorun
false
startup_name
use_mutex
false

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

D1682AA725C47B89C2066CFEAA8B3B55.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Certificate.exe\","	D1682AA725C47B89C2066CFEAA8B3B55.exe

NetWire RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2052-131-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral2/memory/2052-132-0x000000000040242D-mapping.dmp	netwire
behavioral2/memory/2052-135-0x0000000000400000-0x0000000000433000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 1 IoCs

Processes:

aspnet_compiler.exe

pid process

2052 aspnet_compiler.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

D1682AA725C47B89C2066CFEAA8B3B55.exe

description pid process target process

PID 992 set thread context of 2052 992 D1682AA725C47B89C2066CFEAA8B3B55.exe aspnet_compiler.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
2052	aspnet_compiler.exe

description	pid	process	target process
PID 992 set thread context of 2052	992	D1682AA725C47B89C2066CFEAA8B3B55.exe	aspnet_compiler.exe

Modifies registry class 1 IoCs

Processes:

D1682AA725C47B89C2066CFEAA8B3B55.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	D1682AA725C47B89C2066CFEAA8B3B55.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

D1682AA725C47B89C2066CFEAA8B3B55.exepowershell.exe

pid	process
992	D1682AA725C47B89C2066CFEAA8B3B55.exe
992	D1682AA725C47B89C2066CFEAA8B3B55.exe
992	D1682AA725C47B89C2066CFEAA8B3B55.exe
992	D1682AA725C47B89C2066CFEAA8B3B55.exe
992	D1682AA725C47B89C2066CFEAA8B3B55.exe
992	D1682AA725C47B89C2066CFEAA8B3B55.exe
992	D1682AA725C47B89C2066CFEAA8B3B55.exe
992	D1682AA725C47B89C2066CFEAA8B3B55.exe
992	D1682AA725C47B89C2066CFEAA8B3B55.exe
992	D1682AA725C47B89C2066CFEAA8B3B55.exe
992	D1682AA725C47B89C2066CFEAA8B3B55.exe
992	D1682AA725C47B89C2066CFEAA8B3B55.exe
992	D1682AA725C47B89C2066CFEAA8B3B55.exe
992	D1682AA725C47B89C2066CFEAA8B3B55.exe
992	D1682AA725C47B89C2066CFEAA8B3B55.exe
4012	powershell.exe
4012	powershell.exe
4012	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

D1682AA725C47B89C2066CFEAA8B3B55.exepowershell.exe

description pid process

Token: SeDebugPrivilege 992 D1682AA725C47B89C2066CFEAA8B3B55.exe
Token: SeDebugPrivilege 4012 powershell.exe

description	pid	process
Token: SeDebugPrivilege	992	D1682AA725C47B89C2066CFEAA8B3B55.exe
Token: SeDebugPrivilege	4012	powershell.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

D1682AA725C47B89C2066CFEAA8B3B55.exeWScript.exe

description	pid	process	target process
PID 992 wrote to memory of 1004	992	D1682AA725C47B89C2066CFEAA8B3B55.exe	WScript.exe
PID 992 wrote to memory of 1004	992	D1682AA725C47B89C2066CFEAA8B3B55.exe	WScript.exe
PID 992 wrote to memory of 1004	992	D1682AA725C47B89C2066CFEAA8B3B55.exe	WScript.exe
PID 992 wrote to memory of 2052	992	D1682AA725C47B89C2066CFEAA8B3B55.exe	aspnet_compiler.exe
PID 992 wrote to memory of 2052	992	D1682AA725C47B89C2066CFEAA8B3B55.exe	aspnet_compiler.exe
PID 992 wrote to memory of 2052	992	D1682AA725C47B89C2066CFEAA8B3B55.exe	aspnet_compiler.exe
PID 992 wrote to memory of 2052	992	D1682AA725C47B89C2066CFEAA8B3B55.exe	aspnet_compiler.exe
PID 992 wrote to memory of 2052	992	D1682AA725C47B89C2066CFEAA8B3B55.exe	aspnet_compiler.exe
PID 992 wrote to memory of 2052	992	D1682AA725C47B89C2066CFEAA8B3B55.exe	aspnet_compiler.exe
PID 992 wrote to memory of 2052	992	D1682AA725C47B89C2066CFEAA8B3B55.exe	aspnet_compiler.exe
PID 992 wrote to memory of 2052	992	D1682AA725C47B89C2066CFEAA8B3B55.exe	aspnet_compiler.exe
PID 992 wrote to memory of 2052	992	D1682AA725C47B89C2066CFEAA8B3B55.exe	aspnet_compiler.exe
PID 992 wrote to memory of 2052	992	D1682AA725C47B89C2066CFEAA8B3B55.exe	aspnet_compiler.exe
PID 992 wrote to memory of 2052	992	D1682AA725C47B89C2066CFEAA8B3B55.exe	aspnet_compiler.exe
PID 1004 wrote to memory of 4012	1004	WScript.exe	powershell.exe
PID 1004 wrote to memory of 4012	1004	WScript.exe	powershell.exe
PID 1004 wrote to memory of 4012	1004	WScript.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\D1682AA725C47B89C2066CFEAA8B3B55.exe
"C:\Users\Admin\AppData\Local\Temp\D1682AA725C47B89C2066CFEAA8B3B55.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:992

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Mmqcqapzpcejexxuxqnpv.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:1004

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\Microsoft\Certificate.exe'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4012

C:\Users\Admin\AppData\Local\Temp\aspnet_compiler.exe
C:\Users\Admin\AppData\Local\Temp\aspnet_compiler.exe
2⤵
- Executes dropped EXE
PID:2052

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_Mmqcqapzpcejexxuxqnpv.vbs
MD5
4731312425ffc6b6741d95c7ebcd43a3

SHA1
6a6c9e8827a83ed686e84f193f973ddccde0e317

SHA256
888321ab0fde16b2849d4b8d6b57d69c4e3e645eabe3e286e7f5f36c56a8d3e2

SHA512
6390e7b920765f5d951970ef323ca26cb8190725b30551a34b5725c3aec70324172e5d769d692b821d5e6f8b82b1ec13dddab0860176a20e5c674fe8029ae279

Download Submit
C:\Users\Admin\AppData\Local\Temp\aspnet_compiler.exe
MD5
1e98e92a982af948ee18ee819a2d8ad1

SHA1
6cb0bd87815118351e5e32c50b434079dfba255c

SHA256
235d3f96a78ce2dad584e6eb1a25fc386b3ae5e332c4d3c56f03b0a4978be778

SHA512
6711de2e00462c49852cee03fd8ef720310c4ffa5b3a653c08f2913a6146974f28b8a3b3ff38b3097310852a5aa3b964b77945bcefef3856911eb9acd0e42c6f

Download Submit
memory/992-121-0x0000000006A30000-0x0000000006A31000-memory.dmp

Filesize
4KB

Download
memory/992-118-0x0000000004950000-0x0000000004E4E000-memory.dmp

Filesize
5.0MB

Download
memory/992-119-0x00000000049A0000-0x00000000049A1000-memory.dmp

Filesize
4KB

Download
memory/992-120-0x0000000006950000-0x00000000069A4000-memory.dmp

Filesize
336KB

Download
memory/992-117-0x00000000049F0000-0x00000000049F1000-memory.dmp

Filesize
4KB

Download
memory/992-126-0x00000000084A0000-0x000000000850E000-memory.dmp

Filesize
440KB

Download
memory/992-127-0x00000000086A0000-0x00000000086A1000-memory.dmp

Filesize
4KB

Download
memory/992-128-0x0000000004950000-0x0000000004E4E000-memory.dmp

Filesize
5.0MB

Download
memory/992-129-0x0000000000990000-0x0000000000991000-memory.dmp

Filesize
4KB

Download
memory/992-114-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/992-116-0x0000000004E50000-0x0000000004E51000-memory.dmp

Filesize
4KB

Download
memory/1004-130-0x0000000000000000-mapping.dmp

Download
memory/2052-135-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2052-132-0x000000000040242D-mapping.dmp

Download
memory/2052-131-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4012-147-0x0000000008240000-0x0000000008241000-memory.dmp

Filesize
4KB

Download
memory/4012-148-0x0000000008D20000-0x0000000008D21000-memory.dmp

Filesize
4KB

Download
memory/4012-140-0x0000000007AE0000-0x0000000007AE1000-memory.dmp

Filesize
4KB

Download
memory/4012-141-0x0000000007A00000-0x0000000007A01000-memory.dmp

Filesize
4KB

Download
memory/4012-142-0x0000000008110000-0x0000000008111000-memory.dmp

Filesize
4KB

Download
memory/4012-144-0x00000000084E0000-0x00000000084E1000-memory.dmp

Filesize
4KB

Download
memory/4012-145-0x00000000074A0000-0x00000000074A1000-memory.dmp

Filesize
4KB

Download
memory/4012-146-0x00000000074A2000-0x00000000074A3000-memory.dmp

Filesize
4KB

Download
memory/4012-136-0x0000000000000000-mapping.dmp

Download
memory/4012-139-0x00000000072D0000-0x00000000072D1000-memory.dmp

Filesize
4KB

Download
memory/4012-157-0x0000000009A40000-0x0000000009A73000-memory.dmp

Filesize
204KB

Download
memory/4012-164-0x0000000009A20000-0x0000000009A21000-memory.dmp

Filesize
4KB

Download
memory/4012-169-0x0000000009B70000-0x0000000009B71000-memory.dmp

Filesize
4KB

Download
memory/4012-170-0x0000000009D90000-0x0000000009D91000-memory.dmp

Filesize
4KB

Download
memory/4012-172-0x00000000074A3000-0x00000000074A4000-memory.dmp

Filesize
4KB

Download
memory/4012-171-0x000000007E860000-0x000000007E861000-memory.dmp

Filesize
4KB

Download
memory/4012-365-0x00000000075F0000-0x00000000075F1000-memory.dmp

Filesize
4KB

Download
memory/4012-371-0x00000000075E0000-0x00000000075E1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads