netwire | 20229d2217d12e73f130c72645d7edf384c630973775d9f38326dfee0295cb12

Analysis

max time kernel
119s
max time network
314s
platform
windows10_x64
resource
win10-en-20210920
submitted
21-10-2021 15:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DigiCertUtil.bin.exe
Size

3.1MB
MD5

cd08f5aee51ce2ef2d4b1bd567adac90
SHA1

32ebfee9645f42c3719101df980832eccd24ee4c
SHA256

20229d2217d12e73f130c72645d7edf384c630973775d9f38326dfee0295cb12
SHA512

78d3c08da6f854774498f257e0a5479245376cda115773a47bfb3b621db6a0e132ad3539237bb09336f0de7b34bbf42e24c53fb02ef450edf430f2d7cf245424

Score

10^/10

netwire botnet rat stealer

Malware Config

Signatures

NetWire RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/520-173-0x0000000003350000-0x000000000349A000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Drops file in Program Files directory 3 IoCs

Processes:

xcopy.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Security	xcopy.exe
File created	C:\Program Files (x86)\Security\DigiCertUtil.bin.exe	xcopy.exe
File opened for modification	C:\Program Files (x86)\Security\DigiCertUtil.bin.exe	xcopy.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2712 schtasks.exe
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

xcopy.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier xcopy.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

DigiCertUtil.bin.exe

pid process

3588 DigiCertUtil.bin.exe
3588 DigiCertUtil.bin.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

DigiCertUtil.bin.exe

pid process

3588 DigiCertUtil.bin.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

DigiCertUtil.bin.exe

pid process

3588 DigiCertUtil.bin.exe

pid	process
2712	schtasks.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe

pid	process
3588	DigiCertUtil.bin.exe
3588	DigiCertUtil.bin.exe

pid	process
3588	DigiCertUtil.bin.exe

pid	process
3588	DigiCertUtil.bin.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

DigiCertUtil.bin.execmd.execmd.exe

description	pid	process	target process
PID 3588 wrote to memory of 3156	3588	DigiCertUtil.bin.exe	cmd.exe
PID 3588 wrote to memory of 3156	3588	DigiCertUtil.bin.exe	cmd.exe
PID 3588 wrote to memory of 3156	3588	DigiCertUtil.bin.exe	cmd.exe
PID 3156 wrote to memory of 4556	3156	cmd.exe	xcopy.exe
PID 3156 wrote to memory of 4556	3156	cmd.exe	xcopy.exe
PID 3156 wrote to memory of 4556	3156	cmd.exe	xcopy.exe
PID 3588 wrote to memory of 2872	3588	DigiCertUtil.bin.exe	cmd.exe
PID 3588 wrote to memory of 2872	3588	DigiCertUtil.bin.exe	cmd.exe
PID 3588 wrote to memory of 2872	3588	DigiCertUtil.bin.exe	cmd.exe
PID 2872 wrote to memory of 2712	2872	cmd.exe	schtasks.exe
PID 2872 wrote to memory of 2712	2872	cmd.exe	schtasks.exe
PID 2872 wrote to memory of 2712	2872	cmd.exe	schtasks.exe
PID 3588 wrote to memory of 520	3588	DigiCertUtil.bin.exe	xwizard.exe
PID 3588 wrote to memory of 520	3588	DigiCertUtil.bin.exe	xwizard.exe
PID 3588 wrote to memory of 520	3588	DigiCertUtil.bin.exe	xwizard.exe
PID 3588 wrote to memory of 520	3588	DigiCertUtil.bin.exe	xwizard.exe
PID 3588 wrote to memory of 520	3588	DigiCertUtil.bin.exe	xwizard.exe
PID 3588 wrote to memory of 520	3588	DigiCertUtil.bin.exe	xwizard.exe
PID 3588 wrote to memory of 520	3588	DigiCertUtil.bin.exe	xwizard.exe

C:\Users\Admin\AppData\Local\Temp\DigiCertUtil.bin.exe
"C:\Users\Admin\AppData\Local\Temp\DigiCertUtil.bin.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3588

C:\Windows\SysWOW64\cmd.exe
cmd /c xcopy "C:\Users\Admin\AppData\Local\Temp\DigiCertUtil.bin.exe" "%ProgramFiles%\Security\" /y /i /c /q
2⤵
- Suspicious use of WriteProcessMemory
PID:3156

C:\Windows\SysWOW64\xcopy.exe
xcopy "C:\Users\Admin\AppData\Local\Temp\DigiCertUtil.bin.exe" "C:\Program Files (x86)\Security\" /y /i /c /q
3⤵
- Drops file in Program Files directory
- Enumerates system info in registry
PID:4556

C:\Windows\SysWOW64\cmd.exe
cmd /c schtasks /create /sc ONLOGON /tn "Security" /tr "%ProgramFiles%\Security\DigiCertUtil.bin.exe" /it /f
2⤵
- Suspicious use of WriteProcessMemory
PID:2872

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc ONLOGON /tn "Security" /tr "C:\Program Files (x86)\Security\DigiCertUtil.bin.exe" /it /f
3⤵
- Creates scheduled task(s)
PID:2712

C:\Windows\SysWOW64\xwizard.exe
C:\Windows\System32\xwizard.exe
2⤵
PID:520

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/520-172-0x0000000003350000-0x000000000349A000-memory.dmp

Filesize
1.3MB

Download
memory/520-170-0x0000000003350000-0x000000000349A000-memory.dmp

Filesize
1.3MB

Download
memory/520-189-0x0000000005330000-0x00000000054BE000-memory.dmp

Filesize
1.6MB

Download
memory/520-190-0x0000000005330000-0x00000000054BE000-memory.dmp

Filesize
1.6MB

Download
memory/520-188-0x0000000005330000-0x00000000054BE000-memory.dmp

Filesize
1.6MB

Download
memory/520-152-0x0000000000F40000-0x0000000000F43000-memory.dmp

Filesize
12KB

Download
memory/520-186-0x0000000005330000-0x00000000054BE000-memory.dmp

Filesize
1.6MB

Download
memory/520-185-0x0000000005330000-0x00000000054BE000-memory.dmp

Filesize
1.6MB

Download
memory/520-184-0x0000000005330000-0x00000000054BE000-memory.dmp

Filesize
1.6MB

Download
memory/520-180-0x0000000003350000-0x000000000349A000-memory.dmp

Filesize
1.3MB

Download
memory/520-183-0x0000000005330000-0x00000000054BE000-memory.dmp

Filesize
1.6MB

Download
memory/520-182-0x0000000005330000-0x00000000054BE000-memory.dmp

Filesize
1.6MB

Download
memory/520-181-0x00007FFDD8870000-0x00007FFDD8A4B000-memory.dmp

Filesize
1.9MB

Download
memory/520-153-0x0000000077790000-0x000000007791E000-memory.dmp

Filesize
1.6MB

Download
memory/520-178-0x0000000003350000-0x000000000349A000-memory.dmp

Filesize
1.3MB

Download
memory/520-177-0x0000000003350000-0x000000000349A000-memory.dmp

Filesize
1.3MB

Download
memory/520-175-0x0000000003350000-0x000000000349A000-memory.dmp

Filesize
1.3MB

Download
memory/520-176-0x0000000003350000-0x000000000349A000-memory.dmp

Filesize
1.3MB

Download
memory/520-174-0x0000000003350000-0x000000000349A000-memory.dmp

Filesize
1.3MB

Download
memory/520-173-0x0000000003350000-0x000000000349A000-memory.dmp

Filesize
1.3MB

Download
memory/520-171-0x0000000003350000-0x000000000349A000-memory.dmp

Filesize
1.3MB

Download
memory/520-169-0x0000000003350000-0x000000000349A000-memory.dmp

Filesize
1.3MB

Download
memory/520-168-0x0000000003350000-0x000000000349A000-memory.dmp

Filesize
1.3MB

Download
memory/520-166-0x0000000003350000-0x000000000349A000-memory.dmp

Filesize
1.3MB

Download
memory/520-167-0x0000000003350000-0x000000000349A000-memory.dmp

Filesize
1.3MB

Download
memory/520-165-0x0000000003350000-0x000000000349A000-memory.dmp

Filesize
1.3MB

Download
memory/520-164-0x0000000003350000-0x000000000349A000-memory.dmp

Filesize
1.3MB

Download
memory/520-149-0x0000000000000000-mapping.dmp

Download
memory/520-162-0x0000000005330000-0x00000000054BE000-memory.dmp

Filesize
1.6MB

Download
memory/520-161-0x0000000005330000-0x00000000054BE000-memory.dmp

Filesize
1.6MB

Download
memory/520-160-0x0000000005330000-0x00000000054BE000-memory.dmp

Filesize
1.6MB

Download
memory/520-159-0x0000000005330000-0x00000000054BE000-memory.dmp

Filesize
1.6MB

Download
memory/520-158-0x0000000005330000-0x00000000054BE000-memory.dmp

Filesize
1.6MB

Download
memory/520-148-0x0000000000F40000-0x0000000000F43000-memory.dmp

Filesize
12KB

Download
memory/520-150-0x0000000000E50000-0x0000000000E51000-memory.dmp

Filesize
4KB

Download
memory/520-151-0x0000000000E50000-0x0000000000E51000-memory.dmp

Filesize
4KB

Download
memory/520-163-0x0000000003350000-0x000000000349A000-memory.dmp

Filesize
1.3MB

Download
memory/520-187-0x0000000005330000-0x00000000054BE000-memory.dmp

Filesize
1.6MB

Download
memory/520-179-0x0000000003350000-0x000000000349A000-memory.dmp

Filesize
1.3MB

Download
memory/520-154-0x0000000000F50000-0x0000000000FFE000-memory.dmp

Filesize
696KB

Download
memory/520-156-0x0000000005330000-0x00000000054BE000-memory.dmp

Filesize
1.6MB

Download
memory/520-155-0x0000000005330000-0x00000000054BE000-memory.dmp

Filesize
1.6MB

Download
memory/520-157-0x0000000005330000-0x00000000054BE000-memory.dmp

Filesize
1.6MB

Download
memory/2712-134-0x0000000000000000-mapping.dmp

Download
memory/2872-133-0x0000000000000000-mapping.dmp

Download
memory/3156-131-0x0000000000000000-mapping.dmp

Download
memory/3588-125-0x0000000002D90000-0x0000000002F1E000-memory.dmp

Filesize
1.6MB

Download
memory/3588-141-0x000000000EC90000-0x000000000EE6B000-memory.dmp

Filesize
1.9MB

Download
memory/3588-145-0x0000000000D00000-0x0000000000E4A000-memory.dmp

Filesize
1.3MB

Download
memory/3588-146-0x0000000000D00000-0x0000000000E4A000-memory.dmp

Filesize
1.3MB

Download
memory/3588-140-0x000000000EC90000-0x000000000EE6B000-memory.dmp

Filesize
1.9MB

Download
memory/3588-139-0x000000000EC90000-0x000000000EE6B000-memory.dmp

Filesize
1.9MB

Download
memory/3588-138-0x000000000EC90000-0x000000000EE6B000-memory.dmp

Filesize
1.9MB

Download
memory/3588-135-0x000000000EC90000-0x000000000EE6B000-memory.dmp

Filesize
1.9MB

Download
memory/3588-136-0x000000000EC90000-0x000000000EE6B000-memory.dmp

Filesize
1.9MB

Download
memory/3588-116-0x0000000000D00000-0x0000000000E4A000-memory.dmp

Filesize
1.3MB

Download
memory/3588-137-0x000000000EC90000-0x000000000EE6B000-memory.dmp

Filesize
1.9MB

Download
memory/3588-115-0x0000000077790000-0x000000007791E000-memory.dmp

Filesize
1.6MB

Download
memory/3588-144-0x000000000EC90000-0x000000000EE6B000-memory.dmp

Filesize
1.9MB

Download
memory/3588-142-0x000000000EC90000-0x000000000EE6B000-memory.dmp

Filesize
1.9MB

Download
memory/3588-117-0x0000000002D90000-0x0000000002F1E000-memory.dmp

Filesize
1.6MB

Download
memory/3588-143-0x000000000EC90000-0x000000000EE6B000-memory.dmp

Filesize
1.9MB

Download
memory/3588-130-0x00007FFDD8870000-0x00007FFDD8A4B000-memory.dmp

Filesize
1.9MB

Download
memory/3588-129-0x0000000002D90000-0x0000000002F1E000-memory.dmp

Filesize
1.6MB

Download
memory/3588-128-0x0000000002D90000-0x0000000002F1E000-memory.dmp

Filesize
1.6MB

Download
memory/3588-127-0x0000000002D90000-0x0000000002F1E000-memory.dmp

Filesize
1.6MB

Download
memory/3588-126-0x0000000002D90000-0x0000000002F1E000-memory.dmp

Filesize
1.6MB

Download
memory/3588-147-0x0000000000D00000-0x0000000000E4A000-memory.dmp

Filesize
1.3MB

Download
memory/3588-124-0x0000000002D90000-0x0000000002F1E000-memory.dmp

Filesize
1.6MB

Download
memory/3588-120-0x0000000000E60000-0x0000000000E61000-memory.dmp

Filesize
4KB

Download
memory/3588-121-0x0000000006500000-0x0000000006501000-memory.dmp

Filesize
4KB

Download
memory/3588-123-0x0000000002D90000-0x0000000002F1E000-memory.dmp

Filesize
1.6MB

Download
memory/3588-122-0x0000000002D90000-0x0000000002F1E000-memory.dmp

Filesize
1.6MB

Download
memory/3588-119-0x0000000000E50000-0x0000000000E51000-memory.dmp

Filesize
4KB

Download
memory/3588-118-0x0000000002D90000-0x0000000002F1E000-memory.dmp

Filesize
1.6MB

Download
memory/4556-132-0x0000000000000000-mapping.dmp

Download