netwire | 7c9df5ab3b23d6f93f280a7b29fdcd39cd5f68100a83d3b30aefee4990f34aef

General

Target

0w1XziesiBaxbYs.exe
Size

520KB
MD5

f0cac1110e145d3b260ad6be1566dc10
SHA1

f0cf3f3d9ff962752dbf993ac5b75f1d574e0450
SHA256

506445199001be9096b17efc9f3e2a8025d0b167b1ce581831366b4d00e875dc
SHA512

b93c8925b7bb992debd30a374ad3c0e7a2eecfc5ff7a6972b02753e9e04f0a7886034f40fd20979734c49c1cdb3ff05d41486c4ffbcbfe07141ace3250ae80a2

Score

10^/10

netwire botnet evasion persistence rat stealer

Malware Config

Extracted

Family

netwire

C2

sepp.myq-see.com:2001

Attributes

activex_autorun
true
activex_key
{50L4QLIK-5N0E-1U7P-5W65-RDN0R6N72FF0}
copy_executable
true
delete_original
false
host_id
HostId-%Rand%
install_path
%AppData%\Install\Host.exe
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
XdWObmml
offline_keylogger
true
password
Password
registry_autorun
false
startup_name
use_mutex
true

Signatures

NetWire RAT payload 11 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1748-67-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/1748-68-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/1748-66-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/1748-70-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/1748-71-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/1748-72-0x000000000040242D-mapping.dmp	netwire
behavioral1/memory/1748-75-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/1748-79-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/1072-96-0x000000000040242D-mapping.dmp	netwire
behavioral1/memory/1072-100-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/1072-101-0x0000000000400000-0x0000000000433000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Executes dropped EXE 2 IoCs

Processes:

Host.exeHost.exe

pid process

1720 Host.exe
1072 Host.exe
Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

pid	process
1720	Host.exe
1072	Host.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0w1XziesiBaxbYs.exeHost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	0w1XziesiBaxbYs.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	0w1XziesiBaxbYs.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Host.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Host.exe

Loads dropped DLL 1 IoCs

Processes:

0w1XziesiBaxbYs.exe

pid process

1748 0w1XziesiBaxbYs.exe

pid	process
1748	0w1XziesiBaxbYs.exe

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

0w1XziesiBaxbYs.exeHost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	0w1XziesiBaxbYs.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	0w1XziesiBaxbYs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	Host.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	Host.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

0w1XziesiBaxbYs.exeHost.exe

description	pid	process	target process
PID 1836 set thread context of 1748	1836	0w1XziesiBaxbYs.exe	0w1XziesiBaxbYs.exe
PID 1720 set thread context of 1072	1720	Host.exe	Host.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1776 schtasks.exe
952 schtasks.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

0w1XziesiBaxbYs.exeHost.exe

pid process

1836 0w1XziesiBaxbYs.exe
1836 0w1XziesiBaxbYs.exe
1836 0w1XziesiBaxbYs.exe
1720 Host.exe
1720 Host.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

0w1XziesiBaxbYs.exeHost.exe

description pid process

Token: SeDebugPrivilege 1836 0w1XziesiBaxbYs.exe
Token: SeDebugPrivilege 1720 Host.exe

pid	process
1776	schtasks.exe
952	schtasks.exe

pid	process
1836	0w1XziesiBaxbYs.exe
1836	0w1XziesiBaxbYs.exe
1836	0w1XziesiBaxbYs.exe
1720	Host.exe
1720	Host.exe

description	pid	process
Token: SeDebugPrivilege	1836	0w1XziesiBaxbYs.exe
Token: SeDebugPrivilege	1720	Host.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

0w1XziesiBaxbYs.exe0w1XziesiBaxbYs.exeHost.exe

description	pid	process	target process
PID 1836 wrote to memory of 1776	1836	0w1XziesiBaxbYs.exe	schtasks.exe
PID 1836 wrote to memory of 1776	1836	0w1XziesiBaxbYs.exe	schtasks.exe
PID 1836 wrote to memory of 1776	1836	0w1XziesiBaxbYs.exe	schtasks.exe
PID 1836 wrote to memory of 1776	1836	0w1XziesiBaxbYs.exe	schtasks.exe
PID 1836 wrote to memory of 1748	1836	0w1XziesiBaxbYs.exe	0w1XziesiBaxbYs.exe
PID 1836 wrote to memory of 1748	1836	0w1XziesiBaxbYs.exe	0w1XziesiBaxbYs.exe
PID 1836 wrote to memory of 1748	1836	0w1XziesiBaxbYs.exe	0w1XziesiBaxbYs.exe
PID 1836 wrote to memory of 1748	1836	0w1XziesiBaxbYs.exe	0w1XziesiBaxbYs.exe
PID 1836 wrote to memory of 1748	1836	0w1XziesiBaxbYs.exe	0w1XziesiBaxbYs.exe
PID 1836 wrote to memory of 1748	1836	0w1XziesiBaxbYs.exe	0w1XziesiBaxbYs.exe
PID 1836 wrote to memory of 1748	1836	0w1XziesiBaxbYs.exe	0w1XziesiBaxbYs.exe
PID 1836 wrote to memory of 1748	1836	0w1XziesiBaxbYs.exe	0w1XziesiBaxbYs.exe
PID 1836 wrote to memory of 1748	1836	0w1XziesiBaxbYs.exe	0w1XziesiBaxbYs.exe
PID 1836 wrote to memory of 1748	1836	0w1XziesiBaxbYs.exe	0w1XziesiBaxbYs.exe
PID 1836 wrote to memory of 1748	1836	0w1XziesiBaxbYs.exe	0w1XziesiBaxbYs.exe
PID 1836 wrote to memory of 1748	1836	0w1XziesiBaxbYs.exe	0w1XziesiBaxbYs.exe
PID 1748 wrote to memory of 1720	1748	0w1XziesiBaxbYs.exe	Host.exe
PID 1748 wrote to memory of 1720	1748	0w1XziesiBaxbYs.exe	Host.exe
PID 1748 wrote to memory of 1720	1748	0w1XziesiBaxbYs.exe	Host.exe
PID 1748 wrote to memory of 1720	1748	0w1XziesiBaxbYs.exe	Host.exe
PID 1720 wrote to memory of 952	1720	Host.exe	schtasks.exe
PID 1720 wrote to memory of 952	1720	Host.exe	schtasks.exe
PID 1720 wrote to memory of 952	1720	Host.exe	schtasks.exe
PID 1720 wrote to memory of 952	1720	Host.exe	schtasks.exe
PID 1720 wrote to memory of 1072	1720	Host.exe	Host.exe
PID 1720 wrote to memory of 1072	1720	Host.exe	Host.exe
PID 1720 wrote to memory of 1072	1720	Host.exe	Host.exe
PID 1720 wrote to memory of 1072	1720	Host.exe	Host.exe
PID 1720 wrote to memory of 1072	1720	Host.exe	Host.exe
PID 1720 wrote to memory of 1072	1720	Host.exe	Host.exe
PID 1720 wrote to memory of 1072	1720	Host.exe	Host.exe
PID 1720 wrote to memory of 1072	1720	Host.exe	Host.exe
PID 1720 wrote to memory of 1072	1720	Host.exe	Host.exe
PID 1720 wrote to memory of 1072	1720	Host.exe	Host.exe
PID 1720 wrote to memory of 1072	1720	Host.exe	Host.exe
PID 1720 wrote to memory of 1072	1720	Host.exe	Host.exe

C:\Users\Admin\AppData\Local\Temp\0w1XziesiBaxbYs.exe
"C:\Users\Admin\AppData\Local\Temp\0w1XziesiBaxbYs.exe"
1⤵
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1836

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IKzePvXcZPlcKe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC7F2.tmp"
2⤵
- Creates scheduled task(s)
PID:1776

C:\Users\Admin\AppData\Local\Temp\0w1XziesiBaxbYs.exe
"{path}"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1748

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1720

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IKzePvXcZPlcKe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5590.tmp"
4⤵
- Creates scheduled task(s)
PID:952

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"{path}"
4⤵
- Executes dropped EXE
PID:1072

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

4

T1012

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp5590.tmp
Filesize
1KB

MD5
9591b88c972bde3b944a76086daa332f

SHA1
b51193523166482343f8929f45466c1950cbb4db

SHA256
efbcd98173aff5ae302acb80f3c3e3b0874bc3c5720949ad32701ffdb2215c4d

SHA512
f8ce873b1cadbf0133fa31e5b0198ef063031a561c18152d9867ae4f825474be0cf11ec3262705b8561df174f90231e5694232ed6d8412f892b54deccf0b1f72

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC7F2.tmp
Filesize
1KB

MD5
9591b88c972bde3b944a76086daa332f

SHA1
b51193523166482343f8929f45466c1950cbb4db

SHA256
efbcd98173aff5ae302acb80f3c3e3b0874bc3c5720949ad32701ffdb2215c4d

SHA512
f8ce873b1cadbf0133fa31e5b0198ef063031a561c18152d9867ae4f825474be0cf11ec3262705b8561df174f90231e5694232ed6d8412f892b54deccf0b1f72

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
520KB

MD5
f0cac1110e145d3b260ad6be1566dc10

SHA1
f0cf3f3d9ff962752dbf993ac5b75f1d574e0450

SHA256
506445199001be9096b17efc9f3e2a8025d0b167b1ce581831366b4d00e875dc

SHA512
b93c8925b7bb992debd30a374ad3c0e7a2eecfc5ff7a6972b02753e9e04f0a7886034f40fd20979734c49c1cdb3ff05d41486c4ffbcbfe07141ace3250ae80a2

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
520KB

MD5
f0cac1110e145d3b260ad6be1566dc10

SHA1
f0cf3f3d9ff962752dbf993ac5b75f1d574e0450

SHA256
506445199001be9096b17efc9f3e2a8025d0b167b1ce581831366b4d00e875dc

SHA512
b93c8925b7bb992debd30a374ad3c0e7a2eecfc5ff7a6972b02753e9e04f0a7886034f40fd20979734c49c1cdb3ff05d41486c4ffbcbfe07141ace3250ae80a2

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
520KB

MD5
f0cac1110e145d3b260ad6be1566dc10

SHA1
f0cf3f3d9ff962752dbf993ac5b75f1d574e0450

SHA256
506445199001be9096b17efc9f3e2a8025d0b167b1ce581831366b4d00e875dc

SHA512
b93c8925b7bb992debd30a374ad3c0e7a2eecfc5ff7a6972b02753e9e04f0a7886034f40fd20979734c49c1cdb3ff05d41486c4ffbcbfe07141ace3250ae80a2

Download Submit
\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
520KB

MD5
f0cac1110e145d3b260ad6be1566dc10

SHA1
f0cf3f3d9ff962752dbf993ac5b75f1d574e0450

SHA256
506445199001be9096b17efc9f3e2a8025d0b167b1ce581831366b4d00e875dc

SHA512
b93c8925b7bb992debd30a374ad3c0e7a2eecfc5ff7a6972b02753e9e04f0a7886034f40fd20979734c49c1cdb3ff05d41486c4ffbcbfe07141ace3250ae80a2

Download Submit
memory/952-83-0x0000000000000000-mapping.dmp

Download
memory/1072-101-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1072-100-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1072-96-0x000000000040242D-mapping.dmp

Download
memory/1720-81-0x00000000012B0000-0x0000000001338000-memory.dmp

Filesize
544KB

Download
memory/1720-77-0x0000000000000000-mapping.dmp

Download
memory/1748-62-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1748-67-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1748-71-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1748-72-0x000000000040242D-mapping.dmp

Download
memory/1748-75-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1748-70-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1748-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1748-66-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1748-68-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1748-61-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1748-79-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1776-59-0x0000000000000000-mapping.dmp

Download
memory/1836-54-0x0000000000BD0000-0x0000000000C58000-memory.dmp

Filesize
544KB

Download
memory/1836-58-0x0000000000600000-0x000000000065E000-memory.dmp

Filesize
376KB

Download
memory/1836-57-0x0000000004FF0000-0x000000000506E000-memory.dmp

Filesize
504KB

Download
memory/1836-56-0x00000000002D0000-0x00000000002DA000-memory.dmp

Filesize
40KB

Download
memory/1836-55-0x0000000075741000-0x0000000075743000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads