netwire | 4a8587f61a4969ae73d103ee83d1cdb1a12ebe6734bf32ab00a1de1529e54cf5

General

Target

SCANDA_Statement_of_Account_July_2020.exe
Size

486KB
MD5

32c10b0b4bb8a7e70cf58c573a05f16a
SHA1

a22e8814f215f2564d6c476506d7f76eb78fe80e
SHA256

146856560590ec6f2434f34fe94b4dd5de0d7ed700cdaccc15663db1fbc8c4aa
SHA512

717ea71453999846b87dfe952b9d6cc64617a69909e07de9934668e48f320b7be52ec370917adf520a36de5a0441091e73565c3083e58f251e8b8af5776b7042

Score

10^/10

netwire botnet rat stealer upx

Malware Config

Signatures

NetWire RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1144-65-0x0000000000640000-0x0000000000673000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1668-55-0x0000000000400000-0x00000000004EF000-memory.dmp	upx
behavioral1/memory/1668-61-0x0000000000400000-0x00000000004EF000-memory.dmp	upx
behavioral1/memory/1408-62-0x0000000000400000-0x00000000004EF000-memory.dmp	upx
behavioral1/memory/1408-64-0x0000000000400000-0x00000000004EF000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

Processes:

SCANDA_Statement_of_Account_July_2020.exe

description	pid	process	target process
PID 1668 set thread context of 1144	1668	SCANDA_Statement_of_Account_July_2020.exe	SCANDA_Statement_of_Account_July_2020.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

SCANDA_Statement_of_Account_July_2020.exeSCANDA_Statement_of_Account_July_2020.exeSCANDA_Statement_of_Account_July_2020.exe

pid	process
1668	SCANDA_Statement_of_Account_July_2020.exe
1408	SCANDA_Statement_of_Account_July_2020.exe
1408	SCANDA_Statement_of_Account_July_2020.exe
1144	SCANDA_Statement_of_Account_July_2020.exe
1144	SCANDA_Statement_of_Account_July_2020.exe
1408	SCANDA_Statement_of_Account_July_2020.exe
1408	SCANDA_Statement_of_Account_July_2020.exe
1408	SCANDA_Statement_of_Account_July_2020.exe
1408	SCANDA_Statement_of_Account_July_2020.exe
1408	SCANDA_Statement_of_Account_July_2020.exe
1408	SCANDA_Statement_of_Account_July_2020.exe
1408	SCANDA_Statement_of_Account_July_2020.exe
1408	SCANDA_Statement_of_Account_July_2020.exe
1408	SCANDA_Statement_of_Account_July_2020.exe
1408	SCANDA_Statement_of_Account_July_2020.exe
1408	SCANDA_Statement_of_Account_July_2020.exe
1408	SCANDA_Statement_of_Account_July_2020.exe
1408	SCANDA_Statement_of_Account_July_2020.exe
1408	SCANDA_Statement_of_Account_July_2020.exe
1408	SCANDA_Statement_of_Account_July_2020.exe
1408	SCANDA_Statement_of_Account_July_2020.exe
1408	SCANDA_Statement_of_Account_July_2020.exe
1408	SCANDA_Statement_of_Account_July_2020.exe
1408	SCANDA_Statement_of_Account_July_2020.exe
1408	SCANDA_Statement_of_Account_July_2020.exe
1408	SCANDA_Statement_of_Account_July_2020.exe
1408	SCANDA_Statement_of_Account_July_2020.exe
1408	SCANDA_Statement_of_Account_July_2020.exe
1408	SCANDA_Statement_of_Account_July_2020.exe
1408	SCANDA_Statement_of_Account_July_2020.exe
1408	SCANDA_Statement_of_Account_July_2020.exe
1408	SCANDA_Statement_of_Account_July_2020.exe
1408	SCANDA_Statement_of_Account_July_2020.exe
1408	SCANDA_Statement_of_Account_July_2020.exe
1408	SCANDA_Statement_of_Account_July_2020.exe
1408	SCANDA_Statement_of_Account_July_2020.exe
1408	SCANDA_Statement_of_Account_July_2020.exe
1408	SCANDA_Statement_of_Account_July_2020.exe
1408	SCANDA_Statement_of_Account_July_2020.exe
1408	SCANDA_Statement_of_Account_July_2020.exe
1408	SCANDA_Statement_of_Account_July_2020.exe
1408	SCANDA_Statement_of_Account_July_2020.exe
1408	SCANDA_Statement_of_Account_July_2020.exe
1408	SCANDA_Statement_of_Account_July_2020.exe
1408	SCANDA_Statement_of_Account_July_2020.exe
1408	SCANDA_Statement_of_Account_July_2020.exe
1408	SCANDA_Statement_of_Account_July_2020.exe
1408	SCANDA_Statement_of_Account_July_2020.exe
1408	SCANDA_Statement_of_Account_July_2020.exe
1408	SCANDA_Statement_of_Account_July_2020.exe
1408	SCANDA_Statement_of_Account_July_2020.exe
1408	SCANDA_Statement_of_Account_July_2020.exe
1408	SCANDA_Statement_of_Account_July_2020.exe
1408	SCANDA_Statement_of_Account_July_2020.exe
1408	SCANDA_Statement_of_Account_July_2020.exe
1408	SCANDA_Statement_of_Account_July_2020.exe
1408	SCANDA_Statement_of_Account_July_2020.exe
1408	SCANDA_Statement_of_Account_July_2020.exe
1408	SCANDA_Statement_of_Account_July_2020.exe
1408	SCANDA_Statement_of_Account_July_2020.exe
1408	SCANDA_Statement_of_Account_July_2020.exe
1408	SCANDA_Statement_of_Account_July_2020.exe
1408	SCANDA_Statement_of_Account_July_2020.exe
1408	SCANDA_Statement_of_Account_July_2020.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

SCANDA_Statement_of_Account_July_2020.exe

pid process

1668 SCANDA_Statement_of_Account_July_2020.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

AcroRd32.exe

pid process

1764 AcroRd32.exe
1764 AcroRd32.exe
1764 AcroRd32.exe
1764 AcroRd32.exe

pid	process
1764	AcroRd32.exe
1764	AcroRd32.exe
1764	AcroRd32.exe
1764	AcroRd32.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

SCANDA_Statement_of_Account_July_2020.exe

description	pid	process	target process
PID 1668 wrote to memory of 1764	1668	SCANDA_Statement_of_Account_July_2020.exe	AcroRd32.exe
PID 1668 wrote to memory of 1764	1668	SCANDA_Statement_of_Account_July_2020.exe	AcroRd32.exe
PID 1668 wrote to memory of 1764	1668	SCANDA_Statement_of_Account_July_2020.exe	AcroRd32.exe
PID 1668 wrote to memory of 1764	1668	SCANDA_Statement_of_Account_July_2020.exe	AcroRd32.exe
PID 1668 wrote to memory of 1144	1668	SCANDA_Statement_of_Account_July_2020.exe	SCANDA_Statement_of_Account_July_2020.exe
PID 1668 wrote to memory of 1144	1668	SCANDA_Statement_of_Account_July_2020.exe	SCANDA_Statement_of_Account_July_2020.exe
PID 1668 wrote to memory of 1144	1668	SCANDA_Statement_of_Account_July_2020.exe	SCANDA_Statement_of_Account_July_2020.exe
PID 1668 wrote to memory of 1144	1668	SCANDA_Statement_of_Account_July_2020.exe	SCANDA_Statement_of_Account_July_2020.exe
PID 1668 wrote to memory of 1408	1668	SCANDA_Statement_of_Account_July_2020.exe	SCANDA_Statement_of_Account_July_2020.exe
PID 1668 wrote to memory of 1408	1668	SCANDA_Statement_of_Account_July_2020.exe	SCANDA_Statement_of_Account_July_2020.exe
PID 1668 wrote to memory of 1408	1668	SCANDA_Statement_of_Account_July_2020.exe	SCANDA_Statement_of_Account_July_2020.exe
PID 1668 wrote to memory of 1408	1668	SCANDA_Statement_of_Account_July_2020.exe	SCANDA_Statement_of_Account_July_2020.exe

C:\Users\Admin\AppData\Local\Temp\SCANDA_Statement_of_Account_July_2020.exe
"C:\Users\Admin\AppData\Local\Temp\SCANDA_Statement_of_Account_July_2020.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1668

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Order.pdf"
2⤵
- Suspicious use of SetWindowsHookEx
PID:1764

C:\Users\Admin\AppData\Local\Temp\SCANDA_Statement_of_Account_July_2020.exe
"C:\Users\Admin\AppData\Local\Temp\SCANDA_Statement_of_Account_July_2020.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1144

C:\Users\Admin\AppData\Local\Temp\SCANDA_Statement_of_Account_July_2020.exe
"C:\Users\Admin\AppData\Local\Temp\SCANDA_Statement_of_Account_July_2020.exe" 2 1144 7078030
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1408

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Order.pdf
Filesize
38KB

MD5
64c51e428b3aae202fe3b1f250783e38

SHA1
9c37ca4019a5ed8b6368a2c8a9319cac7541d86d

SHA256
0f92458dfe74bca8a5fb6e5db0d52d0227e9126a846f311a6b3b7ba16d8021d4

SHA512
dab4a6fe5331d757311737dffa73ebca4a91c6fa53b50e50c1d39f839039ab46b8e5fd029259394292c30ec85a88726de31fb2fa99d87e9a7350e9f82f4985dd

Download Submit
memory/1144-58-0x0000000000600087-mapping.dmp

Download
memory/1144-65-0x0000000000640000-0x0000000000673000-memory.dmp

Filesize
204KB

Download
memory/1408-59-0x0000000000000000-mapping.dmp

Download
memory/1408-62-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/1408-64-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/1668-54-0x0000000075BF1000-0x0000000075BF3000-memory.dmp

Filesize
8KB

Download
memory/1668-55-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/1668-61-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/1764-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads