netwire | 9530267408a020ad51d1152af9d09129f78ac294080ba334cc6843a9a44d07e6

Analysis

max time kernel
130s
max time network
163s
platform
windows7_x64
resource
win7-20220414-en
submitted
20-05-2022 14:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Proof of Payment.exe
Size

1.1MB
MD5

f818cb764aab5e0d02545172edf9d6a3
SHA1

019ed52ad6f7026e83ce7ed2c63d3ca62f3d9276
SHA256

5f2b6faf1de19342f874c50bad45b66727e24218cd8d2610f7d3fbb5d47cccab
SHA512

f4d635f57e2ed13b2f3a3ed057ed9da08bcda819c8925049d0b0fb60f3c9c461646c353d39f85766e6309b324a27f091aef3591fcdc49a1765648635a0acf1ab

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

154.16.93.182:3361

154.16.93.182:3368

Attributes

activex_autorun
false
activex_key
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
install_path
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
offline_keylogger
true
password
south123456
registry_autorun
false
startup_name
use_mutex
false

Signatures

NetWire RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1340-67-0x0000000000250000-0x0000000000812000-memory.dmp	netwire
behavioral1/memory/1340-68-0x000000000025242D-mapping.dmp	netwire
behavioral1/memory/1340-72-0x0000000000250000-0x0000000000812000-memory.dmp	netwire
behavioral1/memory/1340-73-0x0000000000250000-0x0000000000812000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

lblhvtsgb.pifRegSvcs.exe

pid process

2008 lblhvtsgb.pif
1340 RegSvcs.exe
Loads dropped DLL 5 IoCs

Processes:

Proof of Payment.exelblhvtsgb.pif

pid process

1884 Proof of Payment.exe
1884 Proof of Payment.exe
1884 Proof of Payment.exe
1884 Proof of Payment.exe
2008 lblhvtsgb.pif

pid	process
2008	lblhvtsgb.pif
1340	RegSvcs.exe

pid	process
1884	Proof of Payment.exe
1884	Proof of Payment.exe
1884	Proof of Payment.exe
1884	Proof of Payment.exe
2008	lblhvtsgb.pif

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

lblhvtsgb.pif

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	lblhvtsgb.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\89835103\\LBLHVT~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\89835103\\dfvgx.mvn"	lblhvtsgb.pif

Suspicious use of SetThreadContext 1 IoCs

Processes:

lblhvtsgb.pif

description pid process target process

PID 2008 set thread context of 1340 2008 lblhvtsgb.pif RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 2008 set thread context of 1340	2008	lblhvtsgb.pif	RegSvcs.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

Proof of Payment.exelblhvtsgb.pif

description	pid	process	target process
PID 1884 wrote to memory of 2008	1884	Proof of Payment.exe	lblhvtsgb.pif
PID 1884 wrote to memory of 2008	1884	Proof of Payment.exe	lblhvtsgb.pif
PID 1884 wrote to memory of 2008	1884	Proof of Payment.exe	lblhvtsgb.pif
PID 1884 wrote to memory of 2008	1884	Proof of Payment.exe	lblhvtsgb.pif
PID 2008 wrote to memory of 1340	2008	lblhvtsgb.pif	RegSvcs.exe
PID 2008 wrote to memory of 1340	2008	lblhvtsgb.pif	RegSvcs.exe
PID 2008 wrote to memory of 1340	2008	lblhvtsgb.pif	RegSvcs.exe
PID 2008 wrote to memory of 1340	2008	lblhvtsgb.pif	RegSvcs.exe
PID 2008 wrote to memory of 1340	2008	lblhvtsgb.pif	RegSvcs.exe
PID 2008 wrote to memory of 1340	2008	lblhvtsgb.pif	RegSvcs.exe
PID 2008 wrote to memory of 1340	2008	lblhvtsgb.pif	RegSvcs.exe
PID 2008 wrote to memory of 1340	2008	lblhvtsgb.pif	RegSvcs.exe
PID 2008 wrote to memory of 1340	2008	lblhvtsgb.pif	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\Proof of Payment.exe
"C:\Users\Admin\AppData\Local\Temp\Proof of Payment.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1884

C:\Users\Admin\AppData\Local\Temp\89835103\lblhvtsgb.pif
"C:\Users\Admin\AppData\Local\Temp\89835103\lblhvtsgb.pif" dfvgx.mvn
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2008

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
3⤵
- Executes dropped EXE
PID:1340

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\89835103\dfvgx.mvn
Filesize
200.5MB

MD5
f71424726a0bbed041b9a75800af0741

SHA1
466d0636296ca0aaf6164ed2e0d92354ec79e18d

SHA256
7b34608b3c4c2fbc141e6deebb87df9c92d26533713e4ce00aae9f7a756f1fc9

SHA512
7b6b96c2a0f7ec0374cbf7fed42af7851c84a198f92e9b513ca9c8d7e3cd8cfc0f0409ed91981a6c2761d490067b5af23b0815a1282ee09a0ff95cdffeea4a5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\89835103\lblhvtsgb.pif
Filesize
655KB

MD5
a75bc752c50fb74f7597c2bb59b93d43

SHA1
d2dcd3d104b6b04f0828844aeda188798669b41f

SHA256
877365dfcbe9d4896e9ca544c7d19e106ab78339edbc1bd410f2e11bd32cd2ee

SHA512
e856238e3cb519786365faf17d0d590692fa991d9ca81e2fb8ce094cd090583f4ed1823b7ca9c0f702320398054ba682644a02f8d99d4e0f53733564611d3f97

Download Submit
C:\Users\Admin\AppData\Local\Temp\89835103\sjsxnhqkmb.bmp
Filesize
375KB

MD5
500f2c5f0d04596b91e6a3ea5f1d5cfd

SHA1
07f36f97f40d4ffd1c4f18f47af950a95ffd1ad7

SHA256
f86645f528a3073e5f490d627dc35130f815ec0cf72fd1a3ddadd2830dbbd6e1

SHA512
3e18f06f47c2ae0e65f5af88c7c51c1b46ba57c5fd374da9dc2f99069a11a80c9b6bb44f084e02b239c542cf12fb656109eece97243dc4f0ff1bfc36043404cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
Filesize
44KB

MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
\Users\Admin\AppData\Local\Temp\89835103\lblhvtsgb.pif
Filesize
655KB

MD5
a75bc752c50fb74f7597c2bb59b93d43

SHA1
d2dcd3d104b6b04f0828844aeda188798669b41f

SHA256
877365dfcbe9d4896e9ca544c7d19e106ab78339edbc1bd410f2e11bd32cd2ee

SHA512
e856238e3cb519786365faf17d0d590692fa991d9ca81e2fb8ce094cd090583f4ed1823b7ca9c0f702320398054ba682644a02f8d99d4e0f53733564611d3f97

Download Submit
\Users\Admin\AppData\Local\Temp\89835103\lblhvtsgb.pif
Filesize
655KB

MD5
a75bc752c50fb74f7597c2bb59b93d43

SHA1
d2dcd3d104b6b04f0828844aeda188798669b41f

SHA256
877365dfcbe9d4896e9ca544c7d19e106ab78339edbc1bd410f2e11bd32cd2ee

SHA512
e856238e3cb519786365faf17d0d590692fa991d9ca81e2fb8ce094cd090583f4ed1823b7ca9c0f702320398054ba682644a02f8d99d4e0f53733564611d3f97

Download Submit
\Users\Admin\AppData\Local\Temp\89835103\lblhvtsgb.pif
Filesize
655KB

MD5
a75bc752c50fb74f7597c2bb59b93d43

SHA1
d2dcd3d104b6b04f0828844aeda188798669b41f

SHA256
877365dfcbe9d4896e9ca544c7d19e106ab78339edbc1bd410f2e11bd32cd2ee

SHA512
e856238e3cb519786365faf17d0d590692fa991d9ca81e2fb8ce094cd090583f4ed1823b7ca9c0f702320398054ba682644a02f8d99d4e0f53733564611d3f97

Download Submit
\Users\Admin\AppData\Local\Temp\89835103\lblhvtsgb.pif
Filesize
655KB

MD5
a75bc752c50fb74f7597c2bb59b93d43

SHA1
d2dcd3d104b6b04f0828844aeda188798669b41f

SHA256
877365dfcbe9d4896e9ca544c7d19e106ab78339edbc1bd410f2e11bd32cd2ee

SHA512
e856238e3cb519786365faf17d0d590692fa991d9ca81e2fb8ce094cd090583f4ed1823b7ca9c0f702320398054ba682644a02f8d99d4e0f53733564611d3f97

Download Submit
\Users\Admin\AppData\Local\Temp\RegSvcs.exe
Filesize
44KB

MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
memory/1340-65-0x0000000000250000-0x0000000000812000-memory.dmp

Filesize
5.8MB

Download
memory/1340-67-0x0000000000250000-0x0000000000812000-memory.dmp

Filesize
5.8MB

Download
memory/1340-68-0x000000000025242D-mapping.dmp

Download
memory/1340-72-0x0000000000250000-0x0000000000812000-memory.dmp

Filesize
5.8MB

Download
memory/1340-73-0x0000000000250000-0x0000000000812000-memory.dmp

Filesize
5.8MB

Download
memory/1884-54-0x0000000075D21000-0x0000000075D23000-memory.dmp

Filesize
8KB

Download
memory/2008-59-0x0000000000000000-mapping.dmp

Download