netwire | 089c37a0afa3e281d1784c54442e67572690496a7795f28d93fa9cc3284e93c4

General

Target

Second Order 050522.scr.exe
Size

23KB
MD5

028e3a8a96adf5e51fb571ff91a602e4
SHA1

272e32f9d6f9585439a2abe6b60737198cd40195
SHA256

089c37a0afa3e281d1784c54442e67572690496a7795f28d93fa9cc3284e93c4
SHA512

49a5befdcae505cf5a13bdd9fcd3993db9462f53f7b127a381a62f8b369304dfc1094d16694b4322ceea29ee02e2f9b4676a93818c5f1c7fc9fcc63ef8749dc2

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\browser.exe\","	Second Order 050522.scr.exe

NetWire RAT payload 4 IoCs

rat

resource	yara_rule
behavioral2/memory/1532-135-0x0000000000400000-0x0000000000450000-memory.dmp	netwire
behavioral2/memory/1532-136-0x0000000000400000-0x0000000000450000-memory.dmp	netwire
behavioral2/memory/1532-137-0x0000000000400000-0x0000000000450000-memory.dmp	netwire
behavioral2/memory/1532-138-0x0000000000400000-0x0000000000450000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	Second Order 050522.scr.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1108 set thread context of 1532	1108	Second Order 050522.scr.exe	93

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3136	timeout.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1108	Second Order 050522.scr.exe
1108	Second Order 050522.scr.exe
1108	Second Order 050522.scr.exe
1108	Second Order 050522.scr.exe
1108	Second Order 050522.scr.exe
1108	Second Order 050522.scr.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1108	Second Order 050522.scr.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1108 wrote to memory of 2684	1108	Second Order 050522.scr.exe	86
PID 1108 wrote to memory of 2684	1108	Second Order 050522.scr.exe	86
PID 1108 wrote to memory of 2684	1108	Second Order 050522.scr.exe	86
PID 2684 wrote to memory of 3136	2684	cmd.exe	88
PID 2684 wrote to memory of 3136	2684	cmd.exe	88
PID 2684 wrote to memory of 3136	2684	cmd.exe	88
PID 1108 wrote to memory of 1768	1108	Second Order 050522.scr.exe	92
PID 1108 wrote to memory of 1768	1108	Second Order 050522.scr.exe	92
PID 1108 wrote to memory of 1768	1108	Second Order 050522.scr.exe	92
PID 1108 wrote to memory of 1532	1108	Second Order 050522.scr.exe	93
PID 1108 wrote to memory of 1532	1108	Second Order 050522.scr.exe	93
PID 1108 wrote to memory of 1532	1108	Second Order 050522.scr.exe	93
PID 1108 wrote to memory of 1532	1108	Second Order 050522.scr.exe	93
PID 1108 wrote to memory of 1532	1108	Second Order 050522.scr.exe	93
PID 1108 wrote to memory of 1532	1108	Second Order 050522.scr.exe	93
PID 1108 wrote to memory of 1532	1108	Second Order 050522.scr.exe	93
PID 1108 wrote to memory of 1532	1108	Second Order 050522.scr.exe	93
PID 1108 wrote to memory of 1532	1108	Second Order 050522.scr.exe	93
PID 1108 wrote to memory of 1532	1108	Second Order 050522.scr.exe	93

C:\Users\Admin\AppData\Local\Temp\Second Order 050522.scr.exe
"C:\Users\Admin\AppData\Local\Temp\Second Order 050522.scr.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1108
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout 30
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Windows\SysWOW64\timeout.exe
    timeout 30
    3⤵
    - Delays execution with timeout.exe
    PID:3136
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  2⤵
  PID:1768
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  2⤵
  PID:1532

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:2908

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1108-130-0x0000000000940000-0x000000000094C000-memory.dmp

Filesize
48KB

Download
memory/1532-135-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1532-136-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1532-137-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1532-138-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing