netwire | 17c5a1d3469610c95de445590f2a3d66a2c7a3ffac39085982620449ce42a008

General

Target

17c5a1d3469610c95de445590f2a3d66a2c7a3ffac39085982620449ce42a008.exe
Size

827KB
MD5

03f29ca4710c10bcd05f1e07bbbb2eac
SHA1

471c5eace5ea0811771c162206c797283722d92a
SHA256

17c5a1d3469610c95de445590f2a3d66a2c7a3ffac39085982620449ce42a008
SHA512

98236e96cfd46c96dc818722d2efbed379c715972efab37414d15000379f10d539195b8a7f2d53a2c3628955c953aa230bdcac2cbd44ed2f444af4a398a90218

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Signatures

NetWire RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3724-140-0x0000000000000000-mapping.dmp	netwire
behavioral2/memory/3724-141-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/3724-143-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/3724-144-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

bbe.exebbe.exe

pid process

4768 bbe.exe
3568 bbe.exe

pid	process
4768	bbe.exe
3568	bbe.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

17c5a1d3469610c95de445590f2a3d66a2c7a3ffac39085982620449ce42a008.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	17c5a1d3469610c95de445590f2a3d66a2c7a3ffac39085982620449ce42a008.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

bbe.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	bbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\21161715\\bbe.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\21161715\\FPG_UW~1"	bbe.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

bbe.exe

description pid process target process

PID 3568 set thread context of 3724 3568 bbe.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

bbe.exe

pid process

4768 bbe.exe
4768 bbe.exe

description	pid	process	target process
PID 3568 set thread context of 3724	3568	bbe.exe	RegSvcs.exe

pid	process
4768	bbe.exe
4768	bbe.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

17c5a1d3469610c95de445590f2a3d66a2c7a3ffac39085982620449ce42a008.exebbe.exebbe.exe

description	pid	process	target process
PID 3300 wrote to memory of 4768	3300	17c5a1d3469610c95de445590f2a3d66a2c7a3ffac39085982620449ce42a008.exe	bbe.exe
PID 3300 wrote to memory of 4768	3300	17c5a1d3469610c95de445590f2a3d66a2c7a3ffac39085982620449ce42a008.exe	bbe.exe
PID 3300 wrote to memory of 4768	3300	17c5a1d3469610c95de445590f2a3d66a2c7a3ffac39085982620449ce42a008.exe	bbe.exe
PID 4768 wrote to memory of 3568	4768	bbe.exe	bbe.exe
PID 4768 wrote to memory of 3568	4768	bbe.exe	bbe.exe
PID 4768 wrote to memory of 3568	4768	bbe.exe	bbe.exe
PID 3568 wrote to memory of 3724	3568	bbe.exe	RegSvcs.exe
PID 3568 wrote to memory of 3724	3568	bbe.exe	RegSvcs.exe
PID 3568 wrote to memory of 3724	3568	bbe.exe	RegSvcs.exe
PID 3568 wrote to memory of 3724	3568	bbe.exe	RegSvcs.exe
PID 3568 wrote to memory of 3724	3568	bbe.exe	RegSvcs.exe
PID 3568 wrote to memory of 3724	3568	bbe.exe	RegSvcs.exe
PID 3568 wrote to memory of 3724	3568	bbe.exe	RegSvcs.exe
PID 3568 wrote to memory of 3724	3568	bbe.exe	RegSvcs.exe
PID 3568 wrote to memory of 3724	3568	bbe.exe	RegSvcs.exe
PID 3568 wrote to memory of 3724	3568	bbe.exe	RegSvcs.exe
PID 3568 wrote to memory of 3724	3568	bbe.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\17c5a1d3469610c95de445590f2a3d66a2c7a3ffac39085982620449ce42a008.exe
"C:\Users\Admin\AppData\Local\Temp\17c5a1d3469610c95de445590f2a3d66a2c7a3ffac39085982620449ce42a008.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3300

C:\Users\Admin\AppData\Local\Temp\21161715\bbe.exe
"C:\Users\Admin\AppData\Local\Temp\21161715\bbe.exe" fpg=uwm
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4768

C:\Users\Admin\AppData\Local\Temp\21161715\bbe.exe
C:\Users\Admin\AppData\Local\Temp\21161715\bbe.exe C:\Users\Admin\AppData\Local\Temp\21161715\XCRNZ
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
4⤵
PID:3724

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\21161715\BorderConstants.xl
Filesize
576B

MD5
c70ea7b6d88db0c5cd97fa2efe22bf8d

SHA1
ea1c0083b8ca51a70b4214994ab1859c103dfa93

SHA256
dc44534ae92970892fd4f51b036e390a2ba65637d11930f68d8b7bfac24d3128

SHA512
60a42e9e126fba6c160b40f596cb2ae803564786dd38ff4b184e71e900d5d15eaef1ad1ccd1807751b2fb1dfbbb0e34a23705aa2c40610091d0a9f1840861e3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\21161715\ComboConstants.mp4
Filesize
520B

MD5
f3d68f63f8aff549b377a90e77cb4721

SHA1
ad49349d0760f937294d23ce1e173eac8f9b6c25

SHA256
93ef582f1a6a8c06a7234eb166f740125117468ebc94c673c424cc602611f2dd

SHA512
f63de220186e08fbc362e41fa3df064ad64dac84d56b7b1d7be1fa0ceee3d4151bf3cc40a751ed9c63067dfe1b2bc7ca4917679adb13e9ee0c3921bd17b309cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\21161715\XCRNZ
Filesize
87KB

MD5
f9b544fabc755202b2f74f178abe108f

SHA1
6c45bd6233a35394e4d4c40324f1352b3cb4c340

SHA256
4b2460cce20810a6e4d3cc2f240aa15f2718fa2ff0e51c6d6f0857dc27f8f864

SHA512
da8b66cea58e990b68e2bf65417ab53b5304d030826ca70bb203c9050c89a3048ed6d1e55b65f5870f32fbe095d1277759f56cbc4790b31ed72afd5d5b01a796

Download Submit
C:\Users\Admin\AppData\Local\Temp\21161715\bbe.exe
Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\21161715\bbe.exe
Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\21161715\bbe.exe
Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\21161715\fpg=uwm
Filesize
280KB

MD5
176a20d994d96686d0a7ec9525a2ba0e

SHA1
48b3e7681d933d735164541691a19b4cfeac65f0

SHA256
b6b8be8649fdb7af5900c6b365730ce9bff9fc48362d6187e78c7e3f1b3c1016

SHA512
86d6ec68abd29537200d95e515d42b838191a846d3af6795c78d6511b9056d344879a1d231b694d94aba7f199e7a34682e0f46e9e19786676b8d827ce2e6f52f

Download Submit
C:\Users\Admin\AppData\Local\Temp\21161715\opu.ppt
Filesize
494KB

MD5
9288da0210ddd40ed821add4b136121a

SHA1
403215f03349bcacf35ad897b0134d44828458ac

SHA256
a313d5ca6b2b6190eb76b15f47c9a84cb0d95c9c9fb83624d82254c17a29ecae

SHA512
4905aef88ffdd2e60c2d517571d0cad2a98fed5a94a145e3dff40b0e4b1593c95bc7e72c9382b97713aa60294660357c3967783990ed84a6d21d8f4a7ac41913

Download Submit
memory/3568-137-0x0000000000000000-mapping.dmp

Download
memory/3724-140-0x0000000000000000-mapping.dmp

Download
memory/3724-141-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3724-143-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3724-144-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4768-130-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads