netwire | 9fa55761cbb245c1f1ffae0470cac581ad2c6483e2ff35e55d1c92a66f938b44

General

Target

Quotation 21946 3MuR7U.exe
Size

351KB
MD5

b5f8fb837bc7904e1689291c8d64b1ad
SHA1

4fc08863ec08a7372e7fa0449501e5fd99c3ab93
SHA256

2e54ae1fe78471492cc217d238fcd7f0158ae8f22a35e9576a91b3a6614c2d08
SHA512

9e1dcf8e46940f41ab07fe69fe6b8c3397b6429a3c0d1163f69b16a36ce4a1e3462a4a6c11c4dbba2ab9d2f23c5ef77f3fd939db4b2e62fdc7970b406fda856f

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

C2

evapimp.myq-see.com:2424

Attributes

activex_autorun
false
activex_key
copy_executable
false
delete_original
false
host_id
NEW
install_path
keylogger_dir
lock_executable
true
mutex
VtbDeAKY
offline_keylogger
false
password
evapimp
registry_autorun
false
startup_name
use_mutex
true

Signatures

NetWire RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1624-136-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral2/memory/1624-138-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral2/memory/1624-139-0x0000000000400000-0x0000000000433000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Quotation 21946 3MuR7U.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	Quotation 21946 3MuR7U.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Quotation 21946 3MuR7U.exe

description pid process target process

PID 3204 set thread context of 1624 3204 Quotation 21946 3MuR7U.exe Quotation 21946 3MuR7U.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3956 schtasks.exe

description	pid	process	target process
PID 3204 set thread context of 1624	3204	Quotation 21946 3MuR7U.exe	Quotation 21946 3MuR7U.exe

pid	process
3956	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

Quotation 21946 3MuR7U.exe

pid	process
3204	Quotation 21946 3MuR7U.exe
3204	Quotation 21946 3MuR7U.exe
3204	Quotation 21946 3MuR7U.exe
3204	Quotation 21946 3MuR7U.exe
3204	Quotation 21946 3MuR7U.exe
3204	Quotation 21946 3MuR7U.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Quotation 21946 3MuR7U.exe

description pid process

Token: SeDebugPrivilege 3204 Quotation 21946 3MuR7U.exe

description	pid	process
Token: SeDebugPrivilege	3204	Quotation 21946 3MuR7U.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

Quotation 21946 3MuR7U.exe

description	pid	process	target process
PID 3204 wrote to memory of 3956	3204	Quotation 21946 3MuR7U.exe	schtasks.exe
PID 3204 wrote to memory of 3956	3204	Quotation 21946 3MuR7U.exe	schtasks.exe
PID 3204 wrote to memory of 3956	3204	Quotation 21946 3MuR7U.exe	schtasks.exe
PID 3204 wrote to memory of 1624	3204	Quotation 21946 3MuR7U.exe	Quotation 21946 3MuR7U.exe
PID 3204 wrote to memory of 1624	3204	Quotation 21946 3MuR7U.exe	Quotation 21946 3MuR7U.exe
PID 3204 wrote to memory of 1624	3204	Quotation 21946 3MuR7U.exe	Quotation 21946 3MuR7U.exe
PID 3204 wrote to memory of 1624	3204	Quotation 21946 3MuR7U.exe	Quotation 21946 3MuR7U.exe
PID 3204 wrote to memory of 1624	3204	Quotation 21946 3MuR7U.exe	Quotation 21946 3MuR7U.exe
PID 3204 wrote to memory of 1624	3204	Quotation 21946 3MuR7U.exe	Quotation 21946 3MuR7U.exe
PID 3204 wrote to memory of 1624	3204	Quotation 21946 3MuR7U.exe	Quotation 21946 3MuR7U.exe
PID 3204 wrote to memory of 1624	3204	Quotation 21946 3MuR7U.exe	Quotation 21946 3MuR7U.exe
PID 3204 wrote to memory of 1624	3204	Quotation 21946 3MuR7U.exe	Quotation 21946 3MuR7U.exe
PID 3204 wrote to memory of 1624	3204	Quotation 21946 3MuR7U.exe	Quotation 21946 3MuR7U.exe
PID 3204 wrote to memory of 1624	3204	Quotation 21946 3MuR7U.exe	Quotation 21946 3MuR7U.exe

C:\Users\Admin\AppData\Local\Temp\Quotation 21946 3MuR7U.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation 21946 3MuR7U.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3204

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qIJlpBtJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8B96.tmp"
2⤵
- Creates scheduled task(s)
PID:3956

C:\Users\Admin\AppData\Local\Temp\Quotation 21946 3MuR7U.exe
"{path}"
2⤵
PID:1624

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp8B96.tmp
Filesize
1KB

MD5
2374e3de984db3fa7712d1176f45a8dd

SHA1
cc8ab0f186b4d1f27b4ce43b851d4d9cd8b83047

SHA256
f2d3cca38c5f48705e47abe051c3ae3d7fda0b737ec839cfbea9af98ea56462f

SHA512
c1c7d6634031552f55cfedbd68238117d7e72569573d84fa6b16a309c640c95d4688bb829ad2a1b3e8c7be269c865a7c95dde2446109765b50c3e07fcc0c4cc4

Download Submit
memory/1624-135-0x0000000000000000-mapping.dmp

Download
memory/1624-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1624-138-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1624-139-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3204-130-0x00000000001D0000-0x000000000022E000-memory.dmp

Filesize
376KB

Download
memory/3204-131-0x0000000005020000-0x00000000050BC000-memory.dmp

Filesize
624KB

Download
memory/3204-132-0x00000000050C0000-0x0000000005152000-memory.dmp

Filesize
584KB

Download
memory/3956-133-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads