netwire | 3a01de5d3ac9d4bc94221c451ab5fb25d154b032c7b7e8d20f5cbb380434beed

General

Target

Purchase Order NO#XL005465 pdf.exe
Size

596KB
MD5

422bfefe6ab8872a886c7b43a64c2375
SHA1

a2311ff345e7eb8cc4ce7cc380a14cd34062b762
SHA256

3a01de5d3ac9d4bc94221c451ab5fb25d154b032c7b7e8d20f5cbb380434beed
SHA512

8ba97d4d10b89d0acd2864a3f44a62cdcd4e71dada6f4b67f81597d0ce940c28c145c31b5950b5efa544fbb77c1a46bfbe82c596ee94f9d8f347ab0678cd02bb

Score

10^/10

netwire botnet rat stealer

Malware Config

Signatures

NetWire RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2268-143-0x0000000000400000-0x0000000000450000-memory.dmp	netwire
behavioral2/memory/2268-144-0x0000000000400000-0x0000000000450000-memory.dmp	netwire
behavioral2/memory/2268-145-0x0000000000400000-0x0000000000450000-memory.dmp	netwire
behavioral2/memory/2268-148-0x0000000000400000-0x0000000000450000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Purchase Order NO#XL005465 pdf.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	Purchase Order NO#XL005465 pdf.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Purchase Order NO#XL005465 pdf.exe

description pid process target process

PID 4748 set thread context of 2268 4748 Purchase Order NO#XL005465 pdf.exe Purchase Order NO#XL005465 pdf.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4972 schtasks.exe

description	pid	process	target process
PID 4748 set thread context of 2268	4748	Purchase Order NO#XL005465 pdf.exe	Purchase Order NO#XL005465 pdf.exe

pid	process
4972	schtasks.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

Purchase Order NO#XL005465 pdf.exepowershell.exe

pid	process
4748	Purchase Order NO#XL005465 pdf.exe
4748	Purchase Order NO#XL005465 pdf.exe
4748	Purchase Order NO#XL005465 pdf.exe
4748	Purchase Order NO#XL005465 pdf.exe
4748	Purchase Order NO#XL005465 pdf.exe
4748	Purchase Order NO#XL005465 pdf.exe
4748	Purchase Order NO#XL005465 pdf.exe
4748	Purchase Order NO#XL005465 pdf.exe
3252	powershell.exe
4748	Purchase Order NO#XL005465 pdf.exe
3252	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Purchase Order NO#XL005465 pdf.exepowershell.exe

description pid process

Token: SeDebugPrivilege 4748 Purchase Order NO#XL005465 pdf.exe
Token: SeDebugPrivilege 3252 powershell.exe

description	pid	process
Token: SeDebugPrivilege	4748	Purchase Order NO#XL005465 pdf.exe
Token: SeDebugPrivilege	3252	powershell.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

Purchase Order NO#XL005465 pdf.exe

C:\Users\Admin\AppData\Local\Temp\Purchase Order NO#XL005465 pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase Order NO#XL005465 pdf.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4748
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\BTyCTg.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3252
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BTyCTg" /XML "C:\Users\Admin\AppData\Local\Temp\tmp51C9.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:4972
- C:\Users\Admin\AppData\Local\Temp\Purchase Order NO#XL005465 pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\Purchase Order NO#XL005465 pdf.exe"
  2⤵
  PID:204
- C:\Users\Admin\AppData\Local\Temp\Purchase Order NO#XL005465 pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\Purchase Order NO#XL005465 pdf.exe"
  2⤵
  PID:2268

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp51C9.tmp

Filesize
1KB

MD5
f01a4103fa35f75509f536232577db36

SHA1
013d073eda95c2033f2faefcf1c9dcaf55d8b111

SHA256
42358a59c06a49bc7bb7d124cf39b44627c33449a77862bfc03c133a338db2a5

SHA512
dee2cea188a9bd2f28adf737980fcb06efa6f29602099d1a0d27435a26ba3de3b3660ab3122171eaf79b60dceca482cc9f3de4ada61cd81e31357b9f41befb76

Download Submit
memory/204-141-0x0000000000000000-mapping.dmp

Download
memory/2268-148-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2268-145-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2268-144-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2268-143-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2268-142-0x0000000000000000-mapping.dmp

Download
memory/3252-151-0x00000000715E0000-0x000000007162C000-memory.dmp

Filesize
304KB

Download
memory/3252-157-0x0000000007C10000-0x0000000007C1E000-memory.dmp

Filesize
56KB

Download
memory/3252-159-0x0000000007D00000-0x0000000007D08000-memory.dmp

Filesize
32KB

Download
memory/3252-136-0x0000000000000000-mapping.dmp

Download
memory/3252-140-0x00000000059A0000-0x0000000005FC8000-memory.dmp

Filesize
6.2MB

Download
memory/3252-158-0x0000000007D20000-0x0000000007D3A000-memory.dmp

Filesize
104KB

Download
memory/3252-138-0x0000000002DD0000-0x0000000002E06000-memory.dmp

Filesize
216KB

Download
memory/3252-153-0x0000000008030000-0x00000000086AA000-memory.dmp

Filesize
6.5MB

Download
memory/3252-146-0x0000000005920000-0x0000000005942000-memory.dmp

Filesize
136KB

Download
memory/3252-156-0x0000000007C60000-0x0000000007CF6000-memory.dmp

Filesize
600KB

Download
memory/3252-147-0x0000000006040000-0x00000000060A6000-memory.dmp

Filesize
408KB

Download
memory/3252-155-0x0000000007A50000-0x0000000007A5A000-memory.dmp

Filesize
40KB

Download
memory/3252-149-0x00000000066E0000-0x00000000066FE000-memory.dmp

Filesize
120KB

Download
memory/3252-150-0x0000000006CA0000-0x0000000006CD2000-memory.dmp

Filesize
200KB

Download
memory/3252-154-0x00000000079E0000-0x00000000079FA000-memory.dmp

Filesize
104KB

Download
memory/3252-152-0x0000000006C80000-0x0000000006C9E000-memory.dmp

Filesize
120KB

Download
memory/4748-134-0x0000000005760000-0x000000000576A000-memory.dmp

Filesize
40KB

Download
memory/4748-130-0x0000000000C60000-0x0000000000CFC000-memory.dmp

Filesize
624KB

Download
memory/4748-131-0x0000000005BA0000-0x0000000006144000-memory.dmp

Filesize
5.6MB

Download
memory/4748-132-0x00000000056A0000-0x0000000005732000-memory.dmp

Filesize
584KB

Download
memory/4748-133-0x00000000057E0000-0x000000000587C000-memory.dmp

Filesize
624KB

Download
memory/4748-135-0x0000000009560000-0x00000000095C6000-memory.dmp

Filesize
408KB

Download
memory/4972-137-0x0000000000000000-mapping.dmp

Download

description	pid	process	target process
PID 4748 wrote to memory of 3252	4748	Purchase Order NO#XL005465 pdf.exe	powershell.exe
PID 4748 wrote to memory of 3252	4748	Purchase Order NO#XL005465 pdf.exe	powershell.exe
PID 4748 wrote to memory of 3252	4748	Purchase Order NO#XL005465 pdf.exe	powershell.exe
PID 4748 wrote to memory of 4972	4748	Purchase Order NO#XL005465 pdf.exe	schtasks.exe
PID 4748 wrote to memory of 4972	4748	Purchase Order NO#XL005465 pdf.exe	schtasks.exe
PID 4748 wrote to memory of 4972	4748	Purchase Order NO#XL005465 pdf.exe	schtasks.exe
PID 4748 wrote to memory of 204	4748	Purchase Order NO#XL005465 pdf.exe	Purchase Order NO#XL005465 pdf.exe
PID 4748 wrote to memory of 204	4748	Purchase Order NO#XL005465 pdf.exe	Purchase Order NO#XL005465 pdf.exe
PID 4748 wrote to memory of 204	4748	Purchase Order NO#XL005465 pdf.exe	Purchase Order NO#XL005465 pdf.exe
PID 4748 wrote to memory of 2268	4748	Purchase Order NO#XL005465 pdf.exe	Purchase Order NO#XL005465 pdf.exe
PID 4748 wrote to memory of 2268	4748	Purchase Order NO#XL005465 pdf.exe	Purchase Order NO#XL005465 pdf.exe
PID 4748 wrote to memory of 2268	4748	Purchase Order NO#XL005465 pdf.exe	Purchase Order NO#XL005465 pdf.exe
PID 4748 wrote to memory of 2268	4748	Purchase Order NO#XL005465 pdf.exe	Purchase Order NO#XL005465 pdf.exe
PID 4748 wrote to memory of 2268	4748	Purchase Order NO#XL005465 pdf.exe	Purchase Order NO#XL005465 pdf.exe
PID 4748 wrote to memory of 2268	4748	Purchase Order NO#XL005465 pdf.exe	Purchase Order NO#XL005465 pdf.exe
PID 4748 wrote to memory of 2268	4748	Purchase Order NO#XL005465 pdf.exe	Purchase Order NO#XL005465 pdf.exe
PID 4748 wrote to memory of 2268	4748	Purchase Order NO#XL005465 pdf.exe	Purchase Order NO#XL005465 pdf.exe
PID 4748 wrote to memory of 2268	4748	Purchase Order NO#XL005465 pdf.exe	Purchase Order NO#XL005465 pdf.exe
PID 4748 wrote to memory of 2268	4748	Purchase Order NO#XL005465 pdf.exe	Purchase Order NO#XL005465 pdf.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads