netwire | 472bd26e0dec365a75bb00046b1025c75cbddc7cad4eef7c50213c6382f5d063

Analysis

max time kernel
151s
max time network
157s
platform
windows7_x64
resource
win7-20220414-en
submitted
20-05-2022 13:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Solictud_de_cotizacion (3699663-2020).exe
Size

553KB
MD5

748e4a49b7e306d7eb45aaa7b10faf5d
SHA1

ed4e974775f050e65233116fdbb28921618fceb7
SHA256

e232e9c0d66770fe8e50466f3dd073160a8ddaf565ed0382ce997226c1b364dd
SHA512

378f5c0ed4b94405a1287febc6a12901cbc8b386b41b66d9f2d007d704780424f3427b6e6973480656954f3d31540cacdc5e935118d4d561bba1bf399fc8d839

Score

10^/10

netwire botnet persistence stealer upx

Malware Config

Signatures

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 3 IoCs

Processes:

Host.exeHost.exeHost.exe

pid process

1288 Host.exe
1900 Host.exe
1872 Host.exe

pid	process
1288	Host.exe
1900	Host.exe
1872	Host.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\Install\Host.exe	upx
C:\Users\Admin\AppData\Roaming\Install\Host.exe	upx
\Users\Admin\AppData\Roaming\Install\Host.exe	upx
C:\Users\Admin\AppData\Roaming\Install\Host.exe	upx
C:\Users\Admin\AppData\Roaming\Install\Host.exe	upx
C:\Users\Admin\AppData\Roaming\Install\Host.exe	upx

Loads dropped DLL 2 IoCs

Processes:

Solictud_de_cotizacion (3699663-2020).exe

pid process

1548 Solictud_de_cotizacion (3699663-2020).exe
1548 Solictud_de_cotizacion (3699663-2020).exe

pid	process
1548	Solictud_de_cotizacion (3699663-2020).exe
1548	Solictud_de_cotizacion (3699663-2020).exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Host.exeSolictud_de_cotizacion (3699663-2020).exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	Host.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\NetWire = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe"	Host.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	Solictud_de_cotizacion (3699663-2020).exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\NetWire = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Solictud_de_cotizacion (3699663-2020).exe"	Solictud_de_cotizacion (3699663-2020).exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

Solictud_de_cotizacion (3699663-2020).exeHost.exeSolictud_de_cotizacion (3699663-2020).exe

description	pid	process	target process
PID 1500 set thread context of 1548	1500	Solictud_de_cotizacion (3699663-2020).exe	Solictud_de_cotizacion (3699663-2020).exe
PID 1288 set thread context of 1900	1288	Host.exe	Host.exe
PID 796 set thread context of 1180	796	Solictud_de_cotizacion (3699663-2020).exe	Solictud_de_cotizacion (3699663-2020).exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Solictud_de_cotizacion (3699663-2020).exeSolictud_de_cotizacion (3699663-2020).exeHost.exeHost.exeSolictud_de_cotizacion (3699663-2020).exeSolictud_de_cotizacion (3699663-2020).exe

pid	process
1500	Solictud_de_cotizacion (3699663-2020).exe
2032	Solictud_de_cotizacion (3699663-2020).exe
2032	Solictud_de_cotizacion (3699663-2020).exe
1288	Host.exe
2032	Solictud_de_cotizacion (3699663-2020).exe
1872	Host.exe
1872	Host.exe
796	Solictud_de_cotizacion (3699663-2020).exe
2036	Solictud_de_cotizacion (3699663-2020).exe
2036	Solictud_de_cotizacion (3699663-2020).exe
1872	Host.exe
2036	Solictud_de_cotizacion (3699663-2020).exe
1872	Host.exe
2036	Solictud_de_cotizacion (3699663-2020).exe
1872	Host.exe
2036	Solictud_de_cotizacion (3699663-2020).exe
1872	Host.exe
2036	Solictud_de_cotizacion (3699663-2020).exe
1872	Host.exe
2036	Solictud_de_cotizacion (3699663-2020).exe
1872	Host.exe
2036	Solictud_de_cotizacion (3699663-2020).exe
1872	Host.exe
2036	Solictud_de_cotizacion (3699663-2020).exe
1872	Host.exe
2036	Solictud_de_cotizacion (3699663-2020).exe
1872	Host.exe
2036	Solictud_de_cotizacion (3699663-2020).exe
1872	Host.exe
2036	Solictud_de_cotizacion (3699663-2020).exe
1872	Host.exe
2036	Solictud_de_cotizacion (3699663-2020).exe
1872	Host.exe
2036	Solictud_de_cotizacion (3699663-2020).exe
1872	Host.exe
2036	Solictud_de_cotizacion (3699663-2020).exe
1872	Host.exe
2036	Solictud_de_cotizacion (3699663-2020).exe
1872	Host.exe
2036	Solictud_de_cotizacion (3699663-2020).exe
1872	Host.exe
2036	Solictud_de_cotizacion (3699663-2020).exe
1872	Host.exe
2036	Solictud_de_cotizacion (3699663-2020).exe
1872	Host.exe
2036	Solictud_de_cotizacion (3699663-2020).exe
1872	Host.exe
2036	Solictud_de_cotizacion (3699663-2020).exe
1872	Host.exe
2036	Solictud_de_cotizacion (3699663-2020).exe
1872	Host.exe
2036	Solictud_de_cotizacion (3699663-2020).exe
1872	Host.exe
2036	Solictud_de_cotizacion (3699663-2020).exe
1872	Host.exe
2036	Solictud_de_cotizacion (3699663-2020).exe
1872	Host.exe
2036	Solictud_de_cotizacion (3699663-2020).exe
1872	Host.exe
2036	Solictud_de_cotizacion (3699663-2020).exe
1872	Host.exe
2036	Solictud_de_cotizacion (3699663-2020).exe
1872	Host.exe
2036	Solictud_de_cotizacion (3699663-2020).exe

Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

Solictud_de_cotizacion (3699663-2020).exeHost.exeSolictud_de_cotizacion (3699663-2020).exe

pid process

1500 Solictud_de_cotizacion (3699663-2020).exe
1288 Host.exe
796 Solictud_de_cotizacion (3699663-2020).exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

AcroRd32.exe

pid process

1840 AcroRd32.exe
1840 AcroRd32.exe
1840 AcroRd32.exe
1840 AcroRd32.exe

pid	process
1840	AcroRd32.exe
1840	AcroRd32.exe
1840	AcroRd32.exe
1840	AcroRd32.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

Solictud_de_cotizacion (3699663-2020).exeSolictud_de_cotizacion (3699663-2020).exeHost.exeSolictud_de_cotizacion (3699663-2020).exeSolictud_de_cotizacion (3699663-2020).exe

description	pid	process	target process
PID 1500 wrote to memory of 1840	1500	Solictud_de_cotizacion (3699663-2020).exe	AcroRd32.exe
PID 1500 wrote to memory of 1840	1500	Solictud_de_cotizacion (3699663-2020).exe	AcroRd32.exe
PID 1500 wrote to memory of 1840	1500	Solictud_de_cotizacion (3699663-2020).exe	AcroRd32.exe
PID 1500 wrote to memory of 1840	1500	Solictud_de_cotizacion (3699663-2020).exe	AcroRd32.exe
PID 1500 wrote to memory of 1548	1500	Solictud_de_cotizacion (3699663-2020).exe	Solictud_de_cotizacion (3699663-2020).exe
PID 1500 wrote to memory of 1548	1500	Solictud_de_cotizacion (3699663-2020).exe	Solictud_de_cotizacion (3699663-2020).exe
PID 1500 wrote to memory of 1548	1500	Solictud_de_cotizacion (3699663-2020).exe	Solictud_de_cotizacion (3699663-2020).exe
PID 1500 wrote to memory of 1548	1500	Solictud_de_cotizacion (3699663-2020).exe	Solictud_de_cotizacion (3699663-2020).exe
PID 1500 wrote to memory of 2032	1500	Solictud_de_cotizacion (3699663-2020).exe	Solictud_de_cotizacion (3699663-2020).exe
PID 1500 wrote to memory of 2032	1500	Solictud_de_cotizacion (3699663-2020).exe	Solictud_de_cotizacion (3699663-2020).exe
PID 1500 wrote to memory of 2032	1500	Solictud_de_cotizacion (3699663-2020).exe	Solictud_de_cotizacion (3699663-2020).exe
PID 1500 wrote to memory of 2032	1500	Solictud_de_cotizacion (3699663-2020).exe	Solictud_de_cotizacion (3699663-2020).exe
PID 1548 wrote to memory of 1288	1548	Solictud_de_cotizacion (3699663-2020).exe	Host.exe
PID 1548 wrote to memory of 1288	1548	Solictud_de_cotizacion (3699663-2020).exe	Host.exe
PID 1548 wrote to memory of 1288	1548	Solictud_de_cotizacion (3699663-2020).exe	Host.exe
PID 1548 wrote to memory of 1288	1548	Solictud_de_cotizacion (3699663-2020).exe	Host.exe
PID 1288 wrote to memory of 1844	1288	Host.exe	AcroRd32.exe
PID 1288 wrote to memory of 1844	1288	Host.exe	AcroRd32.exe
PID 1288 wrote to memory of 1844	1288	Host.exe	AcroRd32.exe
PID 1288 wrote to memory of 1844	1288	Host.exe	AcroRd32.exe
PID 1288 wrote to memory of 1900	1288	Host.exe	Host.exe
PID 1288 wrote to memory of 1900	1288	Host.exe	Host.exe
PID 1288 wrote to memory of 1900	1288	Host.exe	Host.exe
PID 1288 wrote to memory of 1900	1288	Host.exe	Host.exe
PID 1288 wrote to memory of 1872	1288	Host.exe	Host.exe
PID 1288 wrote to memory of 1872	1288	Host.exe	Host.exe
PID 1288 wrote to memory of 1872	1288	Host.exe	Host.exe
PID 1288 wrote to memory of 1872	1288	Host.exe	Host.exe
PID 2032 wrote to memory of 796	2032	Solictud_de_cotizacion (3699663-2020).exe	Solictud_de_cotizacion (3699663-2020).exe
PID 2032 wrote to memory of 796	2032	Solictud_de_cotizacion (3699663-2020).exe	Solictud_de_cotizacion (3699663-2020).exe
PID 2032 wrote to memory of 796	2032	Solictud_de_cotizacion (3699663-2020).exe	Solictud_de_cotizacion (3699663-2020).exe
PID 2032 wrote to memory of 796	2032	Solictud_de_cotizacion (3699663-2020).exe	Solictud_de_cotizacion (3699663-2020).exe
PID 796 wrote to memory of 640	796	Solictud_de_cotizacion (3699663-2020).exe	AcroRd32.exe
PID 796 wrote to memory of 640	796	Solictud_de_cotizacion (3699663-2020).exe	AcroRd32.exe
PID 796 wrote to memory of 640	796	Solictud_de_cotizacion (3699663-2020).exe	AcroRd32.exe
PID 796 wrote to memory of 640	796	Solictud_de_cotizacion (3699663-2020).exe	AcroRd32.exe
PID 796 wrote to memory of 1180	796	Solictud_de_cotizacion (3699663-2020).exe	Solictud_de_cotizacion (3699663-2020).exe
PID 796 wrote to memory of 1180	796	Solictud_de_cotizacion (3699663-2020).exe	Solictud_de_cotizacion (3699663-2020).exe
PID 796 wrote to memory of 1180	796	Solictud_de_cotizacion (3699663-2020).exe	Solictud_de_cotizacion (3699663-2020).exe
PID 796 wrote to memory of 1180	796	Solictud_de_cotizacion (3699663-2020).exe	Solictud_de_cotizacion (3699663-2020).exe
PID 796 wrote to memory of 2036	796	Solictud_de_cotizacion (3699663-2020).exe	Solictud_de_cotizacion (3699663-2020).exe
PID 796 wrote to memory of 2036	796	Solictud_de_cotizacion (3699663-2020).exe	Solictud_de_cotizacion (3699663-2020).exe
PID 796 wrote to memory of 2036	796	Solictud_de_cotizacion (3699663-2020).exe	Solictud_de_cotizacion (3699663-2020).exe
PID 796 wrote to memory of 2036	796	Solictud_de_cotizacion (3699663-2020).exe	Solictud_de_cotizacion (3699663-2020).exe

C:\Users\Admin\AppData\Local\Temp\Solictud_de_cotizacion (3699663-2020).exe
"C:\Users\Admin\AppData\Local\Temp\Solictud_de_cotizacion (3699663-2020).exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1500

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Orden.pdf"
2⤵
- Suspicious use of SetWindowsHookEx
PID:1840

C:\Users\Admin\AppData\Local\Temp\Solictud_de_cotizacion (3699663-2020).exe
"C:\Users\Admin\AppData\Local\Temp\Solictud_de_cotizacion (3699663-2020).exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1548

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1288

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Orden.pdf"
4⤵
PID:1844

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1900

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe" 2 1900 7080869
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1872

C:\Users\Admin\AppData\Local\Temp\Solictud_de_cotizacion (3699663-2020).exe
"C:\Users\Admin\AppData\Local\Temp\Solictud_de_cotizacion (3699663-2020).exe" 2 1548 7080011
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2032

C:\Users\Admin\AppData\Local\Temp\Solictud_de_cotizacion (3699663-2020).exe
"C:\Users\Admin\AppData\Local\Temp\Solictud_de_cotizacion (3699663-2020).exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:796

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Orden.pdf"
4⤵
PID:640

C:\Users\Admin\AppData\Local\Temp\Solictud_de_cotizacion (3699663-2020).exe
"C:\Users\Admin\AppData\Local\Temp\Solictud_de_cotizacion (3699663-2020).exe"
4⤵
- Adds Run key to start application
PID:1180

C:\Users\Admin\AppData\Local\Temp\Solictud_de_cotizacion (3699663-2020).exe
"C:\Users\Admin\AppData\Local\Temp\Solictud_de_cotizacion (3699663-2020).exe" 2 1180 7081290
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2036

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Orden.pdf
Filesize
175KB

MD5
d4005f6c245d66fe21b8671d28dfbf12

SHA1
f9405fc9f33a084c689df8dcd6dc59afa98b4282

SHA256
49e52034c5e32c1c4c2f3bbfc4e99ce4ac917e934373a93d5ad2df5c364d63d8

SHA512
6efb3cccd57e30c80f0bf00be0aa646fde75df78b014ed0aa85aaeb35644e7fb96c1c089ba34946627c1df2368c67ff5ce49fd7e44e224dc5980af59814f3f10

Download Submit
C:\Users\Admin\AppData\Local\Temp\Orden.pdf
Filesize
175KB

MD5
d4005f6c245d66fe21b8671d28dfbf12

SHA1
f9405fc9f33a084c689df8dcd6dc59afa98b4282

SHA256
49e52034c5e32c1c4c2f3bbfc4e99ce4ac917e934373a93d5ad2df5c364d63d8

SHA512
6efb3cccd57e30c80f0bf00be0aa646fde75df78b014ed0aa85aaeb35644e7fb96c1c089ba34946627c1df2368c67ff5ce49fd7e44e224dc5980af59814f3f10

Download Submit
C:\Users\Admin\AppData\Local\Temp\Orden.pdf
Filesize
175KB

MD5
d4005f6c245d66fe21b8671d28dfbf12

SHA1
f9405fc9f33a084c689df8dcd6dc59afa98b4282

SHA256
49e52034c5e32c1c4c2f3bbfc4e99ce4ac917e934373a93d5ad2df5c364d63d8

SHA512
6efb3cccd57e30c80f0bf00be0aa646fde75df78b014ed0aa85aaeb35644e7fb96c1c089ba34946627c1df2368c67ff5ce49fd7e44e224dc5980af59814f3f10

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
553KB

MD5
748e4a49b7e306d7eb45aaa7b10faf5d

SHA1
ed4e974775f050e65233116fdbb28921618fceb7

SHA256
e232e9c0d66770fe8e50466f3dd073160a8ddaf565ed0382ce997226c1b364dd

SHA512
378f5c0ed4b94405a1287febc6a12901cbc8b386b41b66d9f2d007d704780424f3427b6e6973480656954f3d31540cacdc5e935118d4d561bba1bf399fc8d839

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
553KB

MD5
748e4a49b7e306d7eb45aaa7b10faf5d

SHA1
ed4e974775f050e65233116fdbb28921618fceb7

SHA256
e232e9c0d66770fe8e50466f3dd073160a8ddaf565ed0382ce997226c1b364dd

SHA512
378f5c0ed4b94405a1287febc6a12901cbc8b386b41b66d9f2d007d704780424f3427b6e6973480656954f3d31540cacdc5e935118d4d561bba1bf399fc8d839

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
553KB

MD5
748e4a49b7e306d7eb45aaa7b10faf5d

SHA1
ed4e974775f050e65233116fdbb28921618fceb7

SHA256
e232e9c0d66770fe8e50466f3dd073160a8ddaf565ed0382ce997226c1b364dd

SHA512
378f5c0ed4b94405a1287febc6a12901cbc8b386b41b66d9f2d007d704780424f3427b6e6973480656954f3d31540cacdc5e935118d4d561bba1bf399fc8d839

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
553KB

MD5
748e4a49b7e306d7eb45aaa7b10faf5d

SHA1
ed4e974775f050e65233116fdbb28921618fceb7

SHA256
e232e9c0d66770fe8e50466f3dd073160a8ddaf565ed0382ce997226c1b364dd

SHA512
378f5c0ed4b94405a1287febc6a12901cbc8b386b41b66d9f2d007d704780424f3427b6e6973480656954f3d31540cacdc5e935118d4d561bba1bf399fc8d839

Download Submit
\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
553KB

MD5
748e4a49b7e306d7eb45aaa7b10faf5d

SHA1
ed4e974775f050e65233116fdbb28921618fceb7

SHA256
e232e9c0d66770fe8e50466f3dd073160a8ddaf565ed0382ce997226c1b364dd

SHA512
378f5c0ed4b94405a1287febc6a12901cbc8b386b41b66d9f2d007d704780424f3427b6e6973480656954f3d31540cacdc5e935118d4d561bba1bf399fc8d839

Download Submit
\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
553KB

MD5
748e4a49b7e306d7eb45aaa7b10faf5d

SHA1
ed4e974775f050e65233116fdbb28921618fceb7

SHA256
e232e9c0d66770fe8e50466f3dd073160a8ddaf565ed0382ce997226c1b364dd

SHA512
378f5c0ed4b94405a1287febc6a12901cbc8b386b41b66d9f2d007d704780424f3427b6e6973480656954f3d31540cacdc5e935118d4d561bba1bf399fc8d839

Download Submit
memory/640-80-0x0000000000000000-mapping.dmp

Download
memory/796-77-0x0000000000000000-mapping.dmp

Download
memory/1180-82-0x000000000040242D-mapping.dmp

Download
memory/1288-64-0x0000000000000000-mapping.dmp

Download
memory/1500-55-0x00000000001D0000-0x00000000001E1000-memory.dmp

Filesize
68KB

Download
memory/1500-54-0x0000000074F91000-0x0000000074F93000-memory.dmp

Filesize
8KB

Download
memory/1548-57-0x000000000040242D-mapping.dmp

Download
memory/1840-56-0x0000000000000000-mapping.dmp

Download
memory/1844-68-0x0000000000000000-mapping.dmp

Download
memory/1872-72-0x0000000000000000-mapping.dmp

Download
memory/1900-71-0x000000000040242D-mapping.dmp

Download
memory/2032-59-0x0000000000000000-mapping.dmp

Download
memory/2036-84-0x0000000000000000-mapping.dmp

Download