netwire | efbdd19d4daedfae66e2e249acc960dda45cd56bacce785f48dbe62aee4e5186

Analysis

max time kernel
150s
max time network
132s
platform
windows7_x64
resource
win7-20220414-en
submitted
20-05-2022 13:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PAYMENT NOTIFICATION.exe
Size

1.0MB
MD5

48f2dd0cfdd0ff30ca7af9f48422d9a5
SHA1

04f0c3b03b5992689197e13e0375be9978fef8df
SHA256

9eb4147d9fa5bdb1ad291e70ba7ff90fd005c2aa21ceaf4af8effbebc5cf4621
SHA512

2eedbf47eaee9410aeb8203904b7fde4b8561e2d93a17b16d48e78ab2db5d26ce26b4694badf107998e724cf3abee4d131416b8e0feaca13b330959d67329161

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Signatures

NetWire RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/692-67-0x0000000000440000-0x0000000000910000-memory.dmp	netwire
behavioral1/memory/692-68-0x0000000000442BCB-mapping.dmp	netwire
behavioral1/memory/692-72-0x0000000000440000-0x0000000000910000-memory.dmp	netwire
behavioral1/memory/692-73-0x0000000000440000-0x0000000000910000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

vtnov.pifRegSvcs.exe

pid process

952 vtnov.pif
692 RegSvcs.exe
Loads dropped DLL 5 IoCs

Processes:

PAYMENT NOTIFICATION.exevtnov.pif

pid process

1784 PAYMENT NOTIFICATION.exe
1784 PAYMENT NOTIFICATION.exe
1784 PAYMENT NOTIFICATION.exe
1784 PAYMENT NOTIFICATION.exe
952 vtnov.pif

pid	process
1784	PAYMENT NOTIFICATION.exe
1784	PAYMENT NOTIFICATION.exe
1784	PAYMENT NOTIFICATION.exe
1784	PAYMENT NOTIFICATION.exe
952	vtnov.pif

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

vtnov.pif

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	vtnov.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "0\\29857255\\vtnov.pif 0\\29857255\\caoqldigv.pwr"	vtnov.pif

Suspicious use of SetThreadContext 1 IoCs

Processes:

vtnov.pif

description pid process target process

PID 952 set thread context of 692 952 vtnov.pif RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 952 set thread context of 692	952	vtnov.pif	RegSvcs.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

vtnov.pif

pid	process
952	vtnov.pif
952	vtnov.pif
952	vtnov.pif
952	vtnov.pif
952	vtnov.pif
952	vtnov.pif
952	vtnov.pif
952	vtnov.pif
952	vtnov.pif
952	vtnov.pif
952	vtnov.pif
952	vtnov.pif
952	vtnov.pif
952	vtnov.pif
952	vtnov.pif
952	vtnov.pif
952	vtnov.pif
952	vtnov.pif
952	vtnov.pif
952	vtnov.pif
952	vtnov.pif
952	vtnov.pif
952	vtnov.pif
952	vtnov.pif
952	vtnov.pif
952	vtnov.pif
952	vtnov.pif
952	vtnov.pif
952	vtnov.pif
952	vtnov.pif
952	vtnov.pif
952	vtnov.pif
952	vtnov.pif
952	vtnov.pif
952	vtnov.pif
952	vtnov.pif
952	vtnov.pif
952	vtnov.pif
952	vtnov.pif
952	vtnov.pif
952	vtnov.pif
952	vtnov.pif
952	vtnov.pif
952	vtnov.pif
952	vtnov.pif
952	vtnov.pif
952	vtnov.pif
952	vtnov.pif
952	vtnov.pif
952	vtnov.pif
952	vtnov.pif
952	vtnov.pif
952	vtnov.pif
952	vtnov.pif
952	vtnov.pif
952	vtnov.pif
952	vtnov.pif
952	vtnov.pif
952	vtnov.pif
952	vtnov.pif
952	vtnov.pif
952	vtnov.pif
952	vtnov.pif
952	vtnov.pif

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

PAYMENT NOTIFICATION.exevtnov.pif

description	pid	process	target process
PID 1784 wrote to memory of 952	1784	PAYMENT NOTIFICATION.exe	vtnov.pif
PID 1784 wrote to memory of 952	1784	PAYMENT NOTIFICATION.exe	vtnov.pif
PID 1784 wrote to memory of 952	1784	PAYMENT NOTIFICATION.exe	vtnov.pif
PID 1784 wrote to memory of 952	1784	PAYMENT NOTIFICATION.exe	vtnov.pif
PID 952 wrote to memory of 692	952	vtnov.pif	RegSvcs.exe
PID 952 wrote to memory of 692	952	vtnov.pif	RegSvcs.exe
PID 952 wrote to memory of 692	952	vtnov.pif	RegSvcs.exe
PID 952 wrote to memory of 692	952	vtnov.pif	RegSvcs.exe
PID 952 wrote to memory of 692	952	vtnov.pif	RegSvcs.exe
PID 952 wrote to memory of 692	952	vtnov.pif	RegSvcs.exe
PID 952 wrote to memory of 692	952	vtnov.pif	RegSvcs.exe
PID 952 wrote to memory of 692	952	vtnov.pif	RegSvcs.exe
PID 952 wrote to memory of 692	952	vtnov.pif	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\PAYMENT NOTIFICATION.exe
"C:\Users\Admin\AppData\Local\Temp\PAYMENT NOTIFICATION.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1784

C:\Users\Admin\AppData\Local\Temp\29857255\vtnov.pif
"C:\Users\Admin\AppData\Local\Temp\29857255\vtnov.pif" caoqldigv.pwr
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:952

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
3⤵
- Executes dropped EXE
PID:692

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\29857255\caoqldigv.pwr
Filesize
162.6MB

MD5
3921659bda35ddb7ed34b85b4f2d7778

SHA1
0285628f2f7ae58530c8e16bc40097db8732fad3

SHA256
226c96da73e00e3e78b6f72bb310838f0a5e93c1358fbc040cbb0ec8ed44e5bb

SHA512
08c1fa9b2c313a7b5af782955d0b575c0ae34cc52cfbf0bdd79a03220fc638b6d73a6d211b7740513c75f1a35a93466989cef587639b98064b007dfa6e9208f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\29857255\dupconxv.dll
Filesize
313KB

MD5
d5b60c89dedee51bc4a11e197952ac98

SHA1
c731d957473819d20e3be94aa4b3cb187ca9659d

SHA256
ba2a80e18e10029b9f9d1ac6190bc6e7b71470cf35069bdd4293b85572931335

SHA512
d6560667473a0cc7761e4b07dc55c36b9f3b39e61ac068c4554aa11b32fb1f3dedc26c1cca04b5a7fbb2f4bc681a0e85c0abecd9565a6baa14a901b64591ffbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\29857255\vtnov.pif
Filesize
910KB

MD5
503fbeaa015418e1a57880f8a0306d43

SHA1
bd05b27424688e8d8aad7f99ea0d6aa1efbbe8a0

SHA256
ad6a04f8a27507d42f7aa6a668d4892352142be6701ea83b2e0d49d222b586f9

SHA512
17367cdcf5db8d9ca23d8b20a02bcc9e4880a2d62cf1be13eed2b7ccb8848acd50c194f2b864e655dde9ff1e9e9e14412b04d40ce4749bd2e68fdaba9bd29900

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
Filesize
44KB

MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
\Users\Admin\AppData\Local\Temp\29857255\vtnov.pif
Filesize
910KB

MD5
503fbeaa015418e1a57880f8a0306d43

SHA1
bd05b27424688e8d8aad7f99ea0d6aa1efbbe8a0

SHA256
ad6a04f8a27507d42f7aa6a668d4892352142be6701ea83b2e0d49d222b586f9

SHA512
17367cdcf5db8d9ca23d8b20a02bcc9e4880a2d62cf1be13eed2b7ccb8848acd50c194f2b864e655dde9ff1e9e9e14412b04d40ce4749bd2e68fdaba9bd29900

Download Submit
\Users\Admin\AppData\Local\Temp\29857255\vtnov.pif
Filesize
910KB

MD5
503fbeaa015418e1a57880f8a0306d43

SHA1
bd05b27424688e8d8aad7f99ea0d6aa1efbbe8a0

SHA256
ad6a04f8a27507d42f7aa6a668d4892352142be6701ea83b2e0d49d222b586f9

SHA512
17367cdcf5db8d9ca23d8b20a02bcc9e4880a2d62cf1be13eed2b7ccb8848acd50c194f2b864e655dde9ff1e9e9e14412b04d40ce4749bd2e68fdaba9bd29900

Download Submit
\Users\Admin\AppData\Local\Temp\29857255\vtnov.pif
Filesize
910KB

MD5
503fbeaa015418e1a57880f8a0306d43

SHA1
bd05b27424688e8d8aad7f99ea0d6aa1efbbe8a0

SHA256
ad6a04f8a27507d42f7aa6a668d4892352142be6701ea83b2e0d49d222b586f9

SHA512
17367cdcf5db8d9ca23d8b20a02bcc9e4880a2d62cf1be13eed2b7ccb8848acd50c194f2b864e655dde9ff1e9e9e14412b04d40ce4749bd2e68fdaba9bd29900

Download Submit
\Users\Admin\AppData\Local\Temp\29857255\vtnov.pif
Filesize
910KB

MD5
503fbeaa015418e1a57880f8a0306d43

SHA1
bd05b27424688e8d8aad7f99ea0d6aa1efbbe8a0

SHA256
ad6a04f8a27507d42f7aa6a668d4892352142be6701ea83b2e0d49d222b586f9

SHA512
17367cdcf5db8d9ca23d8b20a02bcc9e4880a2d62cf1be13eed2b7ccb8848acd50c194f2b864e655dde9ff1e9e9e14412b04d40ce4749bd2e68fdaba9bd29900

Download Submit
\Users\Admin\AppData\Local\Temp\RegSvcs.exe
Filesize
44KB

MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
memory/692-65-0x0000000000440000-0x0000000000910000-memory.dmp

Filesize
4.8MB

Download
memory/692-67-0x0000000000440000-0x0000000000910000-memory.dmp

Filesize
4.8MB

Download
memory/692-68-0x0000000000442BCB-mapping.dmp

Download
memory/692-72-0x0000000000440000-0x0000000000910000-memory.dmp

Filesize
4.8MB

Download
memory/692-73-0x0000000000440000-0x0000000000910000-memory.dmp

Filesize
4.8MB

Download
memory/952-59-0x0000000000000000-mapping.dmp

Download
memory/1784-54-0x0000000074C81000-0x0000000074C83000-memory.dmp

Filesize
8KB

Download