netwire | 791b2bf682699cf97e3925dee40ddd5c2cb728e80f798225a7fb0b713c1b1544

General

Target

First Order 1050522.exe
Size

23KB
MD5

0a5658ae9bc75b17d7d591f8411c2b89
SHA1

97a8540c7b213ab33231735e73a01f0903e51182
SHA256

791b2bf682699cf97e3925dee40ddd5c2cb728e80f798225a7fb0b713c1b1544
SHA512

bdcdda71261c750be6c59bfc7daeb113a7d0550fb189941e234189b49b5d4058cee359813ace409045db3cf3c4bef24842fb2a15d0d211ffee939713730cc3d0

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

First Order 1050522.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\browser.exe\","	First Order 1050522.exe

NetWire RAT payload 7 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/468-65-0x0000000000400000-0x0000000000450000-memory.dmp	netwire
behavioral1/memory/468-67-0x0000000000400000-0x0000000000450000-memory.dmp	netwire
behavioral1/memory/468-68-0x0000000000400000-0x0000000000450000-memory.dmp	netwire
behavioral1/memory/468-71-0x000000000041AE7B-mapping.dmp	netwire
behavioral1/memory/468-70-0x0000000000400000-0x0000000000450000-memory.dmp	netwire
behavioral1/memory/468-74-0x0000000000400000-0x0000000000450000-memory.dmp	netwire
behavioral1/memory/468-75-0x0000000000400000-0x0000000000450000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Suspicious use of SetThreadContext 1 IoCs

Processes:

First Order 1050522.exe

description pid process target process

PID 1836 set thread context of 468 1836 First Order 1050522.exe MSBuild.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

932 timeout.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

First Order 1050522.exe

pid process

1836 First Order 1050522.exe
1836 First Order 1050522.exe
1836 First Order 1050522.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

First Order 1050522.exe

description pid process

Token: SeDebugPrivilege 1836 First Order 1050522.exe

description	pid	process	target process
PID 1836 set thread context of 468	1836	First Order 1050522.exe	MSBuild.exe

pid	process
932	timeout.exe

pid	process
1836	First Order 1050522.exe
1836	First Order 1050522.exe
1836	First Order 1050522.exe

description	pid	process
Token: SeDebugPrivilege	1836	First Order 1050522.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

First Order 1050522.execmd.exe

description	pid	process	target process
PID 1836 wrote to memory of 1200	1836	First Order 1050522.exe	cmd.exe
PID 1836 wrote to memory of 1200	1836	First Order 1050522.exe	cmd.exe
PID 1836 wrote to memory of 1200	1836	First Order 1050522.exe	cmd.exe
PID 1836 wrote to memory of 1200	1836	First Order 1050522.exe	cmd.exe
PID 1200 wrote to memory of 932	1200	cmd.exe	timeout.exe
PID 1200 wrote to memory of 932	1200	cmd.exe	timeout.exe
PID 1200 wrote to memory of 932	1200	cmd.exe	timeout.exe
PID 1200 wrote to memory of 932	1200	cmd.exe	timeout.exe
PID 1836 wrote to memory of 268	1836	First Order 1050522.exe	MSBuild.exe
PID 1836 wrote to memory of 268	1836	First Order 1050522.exe	MSBuild.exe
PID 1836 wrote to memory of 268	1836	First Order 1050522.exe	MSBuild.exe
PID 1836 wrote to memory of 268	1836	First Order 1050522.exe	MSBuild.exe
PID 1836 wrote to memory of 468	1836	First Order 1050522.exe	MSBuild.exe
PID 1836 wrote to memory of 468	1836	First Order 1050522.exe	MSBuild.exe
PID 1836 wrote to memory of 468	1836	First Order 1050522.exe	MSBuild.exe
PID 1836 wrote to memory of 468	1836	First Order 1050522.exe	MSBuild.exe
PID 1836 wrote to memory of 468	1836	First Order 1050522.exe	MSBuild.exe
PID 1836 wrote to memory of 468	1836	First Order 1050522.exe	MSBuild.exe
PID 1836 wrote to memory of 468	1836	First Order 1050522.exe	MSBuild.exe
PID 1836 wrote to memory of 468	1836	First Order 1050522.exe	MSBuild.exe
PID 1836 wrote to memory of 468	1836	First Order 1050522.exe	MSBuild.exe
PID 1836 wrote to memory of 468	1836	First Order 1050522.exe	MSBuild.exe
PID 1836 wrote to memory of 468	1836	First Order 1050522.exe	MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\First Order 1050522.exe
"C:\Users\Admin\AppData\Local\Temp\First Order 1050522.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1836

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 30
2⤵
- Suspicious use of WriteProcessMemory
PID:1200

C:\Windows\SysWOW64\timeout.exe
timeout 30
3⤵
- Delays execution with timeout.exe
PID:932

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
2⤵
PID:268

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
2⤵
PID:468

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/468-71-0x000000000041AE7B-mapping.dmp

Download
memory/468-60-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/468-75-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/468-74-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/468-63-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/468-70-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/468-68-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/468-61-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/468-67-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/468-65-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/932-58-0x0000000000000000-mapping.dmp

Download
memory/1200-57-0x0000000000000000-mapping.dmp

Download
memory/1836-55-0x0000000075501000-0x0000000075503000-memory.dmp

Filesize
8KB

Download
memory/1836-54-0x0000000000140000-0x000000000014C000-memory.dmp

Filesize
48KB

Download
memory/1836-59-0x0000000004A00000-0x0000000004A50000-memory.dmp

Filesize
320KB

Download
memory/1836-56-0x00000000113C0000-0x0000000011556000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads