netwire | 09c5712ccf983f5013d3cd1157a15050b909b9f5f6318334e9f7da2174385015

General

Target

INV7783763278.exe
Size

690KB
MD5

0a6510aeaf92285a224cb8cb76332aeb
SHA1

106bee5b6dac97c9480fb96e99619704d9e58de1
SHA256

09c5712ccf983f5013d3cd1157a15050b909b9f5f6318334e9f7da2174385015
SHA512

bfe38ceee89109de01f7c7b63b5192bbedd34e5ef35bc4b4b8fb8e86d217761f2a05f12200b6d30503ca2c12eadd916090c54785c35656e5c9170b6eb7d830ee

Score

10^/10

netwire botnet rat stealer

Malware Config

Signatures

NetWire RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/936-142-0x0000000000400000-0x0000000000450000-memory.dmp	netwire
behavioral2/memory/936-143-0x0000000000400000-0x0000000000450000-memory.dmp	netwire
behavioral2/memory/936-144-0x0000000000400000-0x0000000000450000-memory.dmp	netwire
behavioral2/memory/936-147-0x0000000000400000-0x0000000000450000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

INV7783763278.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	INV7783763278.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 1 IoCs

Processes:

INV7783763278.exe

description pid process target process

PID 1496 set thread context of 936 1496 INV7783763278.exe vbc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1500 schtasks.exe

description	pid	process	target process
PID 1496 set thread context of 936	1496	INV7783763278.exe	vbc.exe

pid	process
1500	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

INV7783763278.exepowershell.exe

pid	process
1496	INV7783763278.exe
1496	INV7783763278.exe
1496	INV7783763278.exe
1496	INV7783763278.exe
1496	INV7783763278.exe
1496	INV7783763278.exe
1496	INV7783763278.exe
2300	powershell.exe
1496	INV7783763278.exe
1496	INV7783763278.exe
1496	INV7783763278.exe
1496	INV7783763278.exe
1496	INV7783763278.exe
1496	INV7783763278.exe
1496	INV7783763278.exe
2300	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

INV7783763278.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1496 INV7783763278.exe
Token: SeDebugPrivilege 2300 powershell.exe

description	pid	process
Token: SeDebugPrivilege	1496	INV7783763278.exe
Token: SeDebugPrivilege	2300	powershell.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

INV7783763278.exe

description	pid	process	target process
PID 1496 wrote to memory of 2300	1496	INV7783763278.exe	powershell.exe
PID 1496 wrote to memory of 2300	1496	INV7783763278.exe	powershell.exe
PID 1496 wrote to memory of 2300	1496	INV7783763278.exe	powershell.exe
PID 1496 wrote to memory of 1500	1496	INV7783763278.exe	schtasks.exe
PID 1496 wrote to memory of 1500	1496	INV7783763278.exe	schtasks.exe
PID 1496 wrote to memory of 1500	1496	INV7783763278.exe	schtasks.exe
PID 1496 wrote to memory of 936	1496	INV7783763278.exe	vbc.exe
PID 1496 wrote to memory of 936	1496	INV7783763278.exe	vbc.exe
PID 1496 wrote to memory of 936	1496	INV7783763278.exe	vbc.exe
PID 1496 wrote to memory of 936	1496	INV7783763278.exe	vbc.exe
PID 1496 wrote to memory of 936	1496	INV7783763278.exe	vbc.exe
PID 1496 wrote to memory of 936	1496	INV7783763278.exe	vbc.exe
PID 1496 wrote to memory of 936	1496	INV7783763278.exe	vbc.exe
PID 1496 wrote to memory of 936	1496	INV7783763278.exe	vbc.exe
PID 1496 wrote to memory of 936	1496	INV7783763278.exe	vbc.exe
PID 1496 wrote to memory of 936	1496	INV7783763278.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\INV7783763278.exe
"C:\Users\Admin\AppData\Local\Temp\INV7783763278.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1496

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\vPvuFxdhVD.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2300

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vPvuFxdhVD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7E19.tmp"
2⤵
- Creates scheduled task(s)
PID:1500

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
PID:936

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp7E19.tmp
Filesize
1KB

MD5
cd38eac9ecae2bdf4325241693c984cf

SHA1
c0f1f7a31844b0bd53f25fc7711bdd60b1b6eb17

SHA256
d3546055c865f284dd40c22006eaa629db5606943b49c9bb69a3238e500ed806

SHA512
fb114679bae1ea239bbd97dd07a41e589e27fd53469092799455a95fd9b7ce24947c86a0eef09a73f43d8048a864d1606a3b66009d016e267d2855566d9a5889

Download Submit
memory/936-147-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/936-143-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/936-144-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/936-141-0x0000000000000000-mapping.dmp

Download
memory/936-142-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1496-132-0x0000000005110000-0x00000000051A2000-memory.dmp

Filesize
584KB

Download
memory/1496-133-0x0000000005510000-0x00000000055AC000-memory.dmp

Filesize
624KB

Download
memory/1496-134-0x0000000005610000-0x000000000561A000-memory.dmp

Filesize
40KB

Download
memory/1496-135-0x0000000000F60000-0x0000000000FC6000-memory.dmp

Filesize
408KB

Download
memory/1496-131-0x0000000005620000-0x0000000005BC4000-memory.dmp

Filesize
5.6MB

Download
memory/1496-130-0x0000000000610000-0x00000000006C2000-memory.dmp

Filesize
712KB

Download
memory/1500-137-0x0000000000000000-mapping.dmp

Download
memory/2300-145-0x0000000004ED0000-0x0000000004EF2000-memory.dmp

Filesize
136KB

Download
memory/2300-150-0x00000000734F0000-0x000000007353C000-memory.dmp

Filesize
304KB

Download
memory/2300-138-0x00000000023A0000-0x00000000023D6000-memory.dmp

Filesize
216KB

Download
memory/2300-146-0x00000000056B0000-0x0000000005716000-memory.dmp

Filesize
408KB

Download
memory/2300-136-0x0000000000000000-mapping.dmp

Download
memory/2300-148-0x0000000005D00000-0x0000000005D1E000-memory.dmp

Filesize
120KB

Download
memory/2300-149-0x0000000006250000-0x0000000006282000-memory.dmp

Filesize
200KB

Download
memory/2300-140-0x0000000004F80000-0x00000000055A8000-memory.dmp

Filesize
6.2MB

Download
memory/2300-151-0x0000000006210000-0x000000000622E000-memory.dmp

Filesize
120KB

Download
memory/2300-152-0x00000000076A0000-0x0000000007D1A000-memory.dmp

Filesize
6.5MB

Download
memory/2300-153-0x0000000007040000-0x000000000705A000-memory.dmp

Filesize
104KB

Download
memory/2300-154-0x00000000070A0000-0x00000000070AA000-memory.dmp

Filesize
40KB

Download
memory/2300-155-0x00000000072B0000-0x0000000007346000-memory.dmp

Filesize
600KB

Download
memory/2300-156-0x0000000007260000-0x000000000726E000-memory.dmp

Filesize
56KB

Download
memory/2300-157-0x0000000007370000-0x000000000738A000-memory.dmp

Filesize
104KB

Download
memory/2300-158-0x0000000007350000-0x0000000007358000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads