netwire | db6722df4057c66c0ecad864f0d34b96e4eeb82f2b4bbc383a808ad4cdebfda8

Analysis

max time kernel
151s
max time network
164s
platform
windows7_x64
resource
win7-20220414-en
submitted
20-05-2022 13:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cnf3669009.exe
Size

625KB
MD5

f13aa37174903d14951c141da29ec4bc
SHA1

f54aa0b0a452ffba34bb154a467dbef3bf347fd9
SHA256

b5f9a952c4009061a21147103fc6d762c60e070fc588cab92846fc1c29679715
SHA512

bc682d8c2fbd050a9100f5716a783580067eb553b5f7ddffe8bf39efc4e389145c104dc46c3765ac4bd3d464c891f53b1ae50dca3c2727065ffadfa932573736

Score

10^/10

netwire botnet persistence stealer upx

Malware Config

Signatures

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 3 IoCs

Processes:

Host.exeHost.exeHost.exe

pid process

112 Host.exe
1144 Host.exe
540 Host.exe

pid	process
112	Host.exe
1144	Host.exe
540	Host.exe

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1668-55-0x0000000000400000-0x0000000000520000-memory.dmp	upx
behavioral1/memory/1668-62-0x0000000000400000-0x0000000000520000-memory.dmp	upx
behavioral1/memory/772-63-0x0000000000400000-0x0000000000520000-memory.dmp	upx
\Users\Admin\AppData\Roaming\Install\Host.exe	upx
\Users\Admin\AppData\Roaming\Install\Host.exe	upx
C:\Users\Admin\AppData\Roaming\Install\Host.exe	upx
behavioral1/memory/112-69-0x0000000000400000-0x0000000000520000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\Install\Host.exe	upx
behavioral1/memory/112-80-0x0000000000400000-0x0000000000520000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\Install\Host.exe	upx
C:\Users\Admin\AppData\Roaming\Install\Host.exe	upx
behavioral1/memory/772-81-0x0000000000400000-0x0000000000520000-memory.dmp	upx
behavioral1/memory/540-82-0x0000000000400000-0x0000000000520000-memory.dmp	upx
behavioral1/memory/1548-85-0x0000000000400000-0x0000000000520000-memory.dmp	upx
behavioral1/memory/1548-92-0x0000000000400000-0x0000000000520000-memory.dmp	upx
behavioral1/memory/1808-94-0x0000000000400000-0x0000000000520000-memory.dmp	upx
behavioral1/memory/540-96-0x0000000000400000-0x0000000000520000-memory.dmp	upx
behavioral1/memory/1808-97-0x0000000000400000-0x0000000000520000-memory.dmp	upx

Loads dropped DLL 2 IoCs

Processes:

cnf3669009.exe

pid process

1036 cnf3669009.exe
1036 cnf3669009.exe

pid	process
1036	cnf3669009.exe
1036	cnf3669009.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

cnf3669009.exeHost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\NetWire = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cnf3669009.exe"	cnf3669009.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	Host.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\NetWire = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe"	Host.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	cnf3669009.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

cnf3669009.exeHost.execnf3669009.exe

description	pid	process	target process
PID 1668 set thread context of 1036	1668	cnf3669009.exe	cnf3669009.exe
PID 112 set thread context of 1144	112	Host.exe	Host.exe
PID 1548 set thread context of 1164	1548	cnf3669009.exe	cnf3669009.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

cnf3669009.execnf3669009.exeHost.exeHost.execnf3669009.execnf3669009.exe

pid	process
1668	cnf3669009.exe
772	cnf3669009.exe
772	cnf3669009.exe
112	Host.exe
540	Host.exe
540	Host.exe
772	cnf3669009.exe
1548	cnf3669009.exe
1808	cnf3669009.exe
1808	cnf3669009.exe
540	Host.exe
1808	cnf3669009.exe
540	Host.exe
1808	cnf3669009.exe
540	Host.exe
1808	cnf3669009.exe
540	Host.exe
1808	cnf3669009.exe
540	Host.exe
1808	cnf3669009.exe
540	Host.exe
1808	cnf3669009.exe
540	Host.exe
1808	cnf3669009.exe
540	Host.exe
1808	cnf3669009.exe
540	Host.exe
1808	cnf3669009.exe
540	Host.exe
1808	cnf3669009.exe
540	Host.exe
1808	cnf3669009.exe
540	Host.exe
1808	cnf3669009.exe
540	Host.exe
1808	cnf3669009.exe
540	Host.exe
1808	cnf3669009.exe
540	Host.exe
1808	cnf3669009.exe
540	Host.exe
1808	cnf3669009.exe
540	Host.exe
1808	cnf3669009.exe
540	Host.exe
1808	cnf3669009.exe
540	Host.exe
1808	cnf3669009.exe
540	Host.exe
1808	cnf3669009.exe
540	Host.exe
1808	cnf3669009.exe
540	Host.exe
1808	cnf3669009.exe
540	Host.exe
1808	cnf3669009.exe
540	Host.exe
1808	cnf3669009.exe
540	Host.exe
1808	cnf3669009.exe
540	Host.exe
1808	cnf3669009.exe
540	Host.exe
1808	cnf3669009.exe

Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

cnf3669009.exeHost.execnf3669009.exe

pid process

1668 cnf3669009.exe
112 Host.exe
1548 cnf3669009.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

AcroRd32.exe

pid process

1556 AcroRd32.exe
1556 AcroRd32.exe
1556 AcroRd32.exe
1556 AcroRd32.exe

pid	process
1556	AcroRd32.exe
1556	AcroRd32.exe
1556	AcroRd32.exe
1556	AcroRd32.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

cnf3669009.execnf3669009.exeHost.execnf3669009.execnf3669009.exe

description	pid	process	target process
PID 1668 wrote to memory of 1352	1668	cnf3669009.exe	AcroRd32.exe
PID 1668 wrote to memory of 1352	1668	cnf3669009.exe	AcroRd32.exe
PID 1668 wrote to memory of 1352	1668	cnf3669009.exe	AcroRd32.exe
PID 1668 wrote to memory of 1352	1668	cnf3669009.exe	AcroRd32.exe
PID 1668 wrote to memory of 1036	1668	cnf3669009.exe	cnf3669009.exe
PID 1668 wrote to memory of 1036	1668	cnf3669009.exe	cnf3669009.exe
PID 1668 wrote to memory of 1036	1668	cnf3669009.exe	cnf3669009.exe
PID 1668 wrote to memory of 1036	1668	cnf3669009.exe	cnf3669009.exe
PID 1668 wrote to memory of 772	1668	cnf3669009.exe	cnf3669009.exe
PID 1668 wrote to memory of 772	1668	cnf3669009.exe	cnf3669009.exe
PID 1668 wrote to memory of 772	1668	cnf3669009.exe	cnf3669009.exe
PID 1668 wrote to memory of 772	1668	cnf3669009.exe	cnf3669009.exe
PID 1036 wrote to memory of 112	1036	cnf3669009.exe	Host.exe
PID 1036 wrote to memory of 112	1036	cnf3669009.exe	Host.exe
PID 1036 wrote to memory of 112	1036	cnf3669009.exe	Host.exe
PID 1036 wrote to memory of 112	1036	cnf3669009.exe	Host.exe
PID 112 wrote to memory of 888	112	Host.exe	AcroRd32.exe
PID 112 wrote to memory of 888	112	Host.exe	AcroRd32.exe
PID 112 wrote to memory of 888	112	Host.exe	AcroRd32.exe
PID 112 wrote to memory of 888	112	Host.exe	AcroRd32.exe
PID 112 wrote to memory of 1144	112	Host.exe	Host.exe
PID 112 wrote to memory of 1144	112	Host.exe	Host.exe
PID 112 wrote to memory of 1144	112	Host.exe	Host.exe
PID 112 wrote to memory of 1144	112	Host.exe	Host.exe
PID 112 wrote to memory of 540	112	Host.exe	Host.exe
PID 112 wrote to memory of 540	112	Host.exe	Host.exe
PID 112 wrote to memory of 540	112	Host.exe	Host.exe
PID 112 wrote to memory of 540	112	Host.exe	Host.exe
PID 772 wrote to memory of 1548	772	cnf3669009.exe	cnf3669009.exe
PID 772 wrote to memory of 1548	772	cnf3669009.exe	cnf3669009.exe
PID 772 wrote to memory of 1548	772	cnf3669009.exe	cnf3669009.exe
PID 772 wrote to memory of 1548	772	cnf3669009.exe	cnf3669009.exe
PID 1548 wrote to memory of 1556	1548	cnf3669009.exe	AcroRd32.exe
PID 1548 wrote to memory of 1556	1548	cnf3669009.exe	AcroRd32.exe
PID 1548 wrote to memory of 1556	1548	cnf3669009.exe	AcroRd32.exe
PID 1548 wrote to memory of 1556	1548	cnf3669009.exe	AcroRd32.exe
PID 1548 wrote to memory of 1164	1548	cnf3669009.exe	cnf3669009.exe
PID 1548 wrote to memory of 1164	1548	cnf3669009.exe	cnf3669009.exe
PID 1548 wrote to memory of 1164	1548	cnf3669009.exe	cnf3669009.exe
PID 1548 wrote to memory of 1164	1548	cnf3669009.exe	cnf3669009.exe
PID 1548 wrote to memory of 1808	1548	cnf3669009.exe	cnf3669009.exe
PID 1548 wrote to memory of 1808	1548	cnf3669009.exe	cnf3669009.exe
PID 1548 wrote to memory of 1808	1548	cnf3669009.exe	cnf3669009.exe
PID 1548 wrote to memory of 1808	1548	cnf3669009.exe	cnf3669009.exe

C:\Users\Admin\AppData\Local\Temp\cnf3669009.exe
"C:\Users\Admin\AppData\Local\Temp\cnf3669009.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1668

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Caixa.pdf"
2⤵
PID:1352

C:\Users\Admin\AppData\Local\Temp\cnf3669009.exe
"C:\Users\Admin\AppData\Local\Temp\cnf3669009.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1036

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:112

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Caixa.pdf"
4⤵
PID:888

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1144

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe" 2 1144 7086548
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:540

C:\Users\Admin\AppData\Local\Temp\cnf3669009.exe
"C:\Users\Admin\AppData\Local\Temp\cnf3669009.exe" 2 1036 7086111
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:772

C:\Users\Admin\AppData\Local\Temp\cnf3669009.exe
"C:\Users\Admin\AppData\Local\Temp\cnf3669009.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1548

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Caixa.pdf"
4⤵
- Suspicious use of SetWindowsHookEx
PID:1556

C:\Users\Admin\AppData\Local\Temp\cnf3669009.exe
"C:\Users\Admin\AppData\Local\Temp\cnf3669009.exe"
4⤵
- Adds Run key to start application
PID:1164

C:\Users\Admin\AppData\Local\Temp\cnf3669009.exe
"C:\Users\Admin\AppData\Local\Temp\cnf3669009.exe" 2 1164 7087297
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1808

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Caixa.pdf
Filesize
207KB

MD5
246222bebe4293c15d735017e635f27a

SHA1
9d57e7dd21ad9da29c274980cf7e0ac2ae05be19

SHA256
09f3e707d2854559554d317aec887c91e752e78a28caf46f24441b8884409d0d

SHA512
9a254cf2158a7f883a1bfdf318af39916cdc97ad39a444155bc7694c6f2078d285dee44ee67ae66db028dc84624f096edd84b629df973490caed974ed44cc611

Download Submit
C:\Users\Admin\AppData\Local\Temp\Caixa.pdf
Filesize
207KB

MD5
246222bebe4293c15d735017e635f27a

SHA1
9d57e7dd21ad9da29c274980cf7e0ac2ae05be19

SHA256
09f3e707d2854559554d317aec887c91e752e78a28caf46f24441b8884409d0d

SHA512
9a254cf2158a7f883a1bfdf318af39916cdc97ad39a444155bc7694c6f2078d285dee44ee67ae66db028dc84624f096edd84b629df973490caed974ed44cc611

Download Submit
C:\Users\Admin\AppData\Local\Temp\Caixa.pdf
Filesize
207KB

MD5
246222bebe4293c15d735017e635f27a

SHA1
9d57e7dd21ad9da29c274980cf7e0ac2ae05be19

SHA256
09f3e707d2854559554d317aec887c91e752e78a28caf46f24441b8884409d0d

SHA512
9a254cf2158a7f883a1bfdf318af39916cdc97ad39a444155bc7694c6f2078d285dee44ee67ae66db028dc84624f096edd84b629df973490caed974ed44cc611

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
625KB

MD5
f13aa37174903d14951c141da29ec4bc

SHA1
f54aa0b0a452ffba34bb154a467dbef3bf347fd9

SHA256
b5f9a952c4009061a21147103fc6d762c60e070fc588cab92846fc1c29679715

SHA512
bc682d8c2fbd050a9100f5716a783580067eb553b5f7ddffe8bf39efc4e389145c104dc46c3765ac4bd3d464c891f53b1ae50dca3c2727065ffadfa932573736

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
625KB

MD5
f13aa37174903d14951c141da29ec4bc

SHA1
f54aa0b0a452ffba34bb154a467dbef3bf347fd9

SHA256
b5f9a952c4009061a21147103fc6d762c60e070fc588cab92846fc1c29679715

SHA512
bc682d8c2fbd050a9100f5716a783580067eb553b5f7ddffe8bf39efc4e389145c104dc46c3765ac4bd3d464c891f53b1ae50dca3c2727065ffadfa932573736

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
625KB

MD5
f13aa37174903d14951c141da29ec4bc

SHA1
f54aa0b0a452ffba34bb154a467dbef3bf347fd9

SHA256
b5f9a952c4009061a21147103fc6d762c60e070fc588cab92846fc1c29679715

SHA512
bc682d8c2fbd050a9100f5716a783580067eb553b5f7ddffe8bf39efc4e389145c104dc46c3765ac4bd3d464c891f53b1ae50dca3c2727065ffadfa932573736

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
625KB

MD5
f13aa37174903d14951c141da29ec4bc

SHA1
f54aa0b0a452ffba34bb154a467dbef3bf347fd9

SHA256
b5f9a952c4009061a21147103fc6d762c60e070fc588cab92846fc1c29679715

SHA512
bc682d8c2fbd050a9100f5716a783580067eb553b5f7ddffe8bf39efc4e389145c104dc46c3765ac4bd3d464c891f53b1ae50dca3c2727065ffadfa932573736

Download Submit
\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
625KB

MD5
f13aa37174903d14951c141da29ec4bc

SHA1
f54aa0b0a452ffba34bb154a467dbef3bf347fd9

SHA256
b5f9a952c4009061a21147103fc6d762c60e070fc588cab92846fc1c29679715

SHA512
bc682d8c2fbd050a9100f5716a783580067eb553b5f7ddffe8bf39efc4e389145c104dc46c3765ac4bd3d464c891f53b1ae50dca3c2727065ffadfa932573736

Download Submit
\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
625KB

MD5
f13aa37174903d14951c141da29ec4bc

SHA1
f54aa0b0a452ffba34bb154a467dbef3bf347fd9

SHA256
b5f9a952c4009061a21147103fc6d762c60e070fc588cab92846fc1c29679715

SHA512
bc682d8c2fbd050a9100f5716a783580067eb553b5f7ddffe8bf39efc4e389145c104dc46c3765ac4bd3d464c891f53b1ae50dca3c2727065ffadfa932573736

Download Submit
memory/112-69-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/112-66-0x0000000000000000-mapping.dmp

Download
memory/112-80-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/540-96-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/540-77-0x0000000000000000-mapping.dmp

Download
memory/540-82-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/772-60-0x0000000000000000-mapping.dmp

Download
memory/772-81-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/772-63-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/888-71-0x0000000000000000-mapping.dmp

Download
memory/1036-57-0x000000000040242D-mapping.dmp

Download
memory/1144-73-0x000000000040242D-mapping.dmp

Download
memory/1164-89-0x000000000040242D-mapping.dmp

Download
memory/1352-56-0x0000000000000000-mapping.dmp

Download
memory/1548-85-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/1548-83-0x0000000000000000-mapping.dmp

Download
memory/1548-92-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/1556-87-0x0000000000000000-mapping.dmp

Download
memory/1668-54-0x0000000075EF1000-0x0000000075EF3000-memory.dmp

Filesize
8KB

Download
memory/1668-55-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/1668-62-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/1808-91-0x0000000000000000-mapping.dmp

Download
memory/1808-94-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/1808-97-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download