netwire | b4342b4b5f8e08badc18fc540b8da2c526fb1b9b1988f87fd877648f53e952cd

General

Target

b4342b4b5f8e08badc18fc540b8da2c526fb1b9b1988f87fd877648f53e952cd.exe
Size

618KB
MD5

8c55cba01db3ea37db03917b97c49b2f
SHA1

e86a93f9b85527e330a2c03e01d243ce38231c09
SHA256

b4342b4b5f8e08badc18fc540b8da2c526fb1b9b1988f87fd877648f53e952cd
SHA512

801c578d0a5910210c16143aa1f7911a228d8f17c301773316c36b1ea42bbc9ef0c5b70cc363bcdf4df837f701f55fd23602c3fd025d70462912a6d871420efd

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

C2

fdghfghdfghjhgjkgfgjh234569.ru:6974

Attributes

activex_autorun
false
activex_key
copy_executable
false
delete_original
false
host_id
a2nw
install_path
keylogger_dir
lock_executable
false
mutex
NrPiWfVe
offline_keylogger
false
password
rdfs34df32sdf
registry_autorun
false
startup_name
use_mutex
true

Signatures

NetWire RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3676-149-0x0000000000400000-0x0000000000425000-memory.dmp	netwire
behavioral2/memory/3676-151-0x0000000000400000-0x0000000000425000-memory.dmp	netwire
behavioral2/memory/3676-152-0x0000000000400000-0x0000000000425000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 1 IoCs

Processes:

sdvbcxs.exe

pid process

1868 sdvbcxs.exe

pid	process
1868	sdvbcxs.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b4342b4b5f8e08badc18fc540b8da2c526fb1b9b1988f87fd877648f53e952cd.exesdvbcxs.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	b4342b4b5f8e08badc18fc540b8da2c526fb1b9b1988f87fd877648f53e952cd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	sdvbcxs.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

sdvbcxs.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sdvbcxs = "C:\\Users\\Admin\\AppData\\Local\\sdvbcxs.exe -boot"	sdvbcxs.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

sdvbcxs.exe

description pid process target process

PID 1868 set thread context of 3676 1868 sdvbcxs.exe svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 1868 set thread context of 3676	1868	sdvbcxs.exe	svchost.exe

NTFS ADS 5 IoCs

Processes:

cmd.execmd.execmd.execmd.execmd.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\sdvbcxs.exe:Zone.Identifier	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\sdvbcxs.exe:Zone.Identifier	cmd.exe
File created	C:\Users\Admin\AppData\Local\Temp\b4342b4b5f8e08badc18fc540b8da2c526fb1b9b1988f87fd877648f53e952cd.exe:Zone.Identifier	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\b4342b4b5f8e08badc18fc540b8da2c526fb1b9b1988f87fd877648f53e952cd.exe:Zone.Identifier	cmd.exe
File created	C:\Users\Admin\AppData\Local\sdvbcxs.exe\:Zone.Identifier:$DATA	cmd.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

b4342b4b5f8e08badc18fc540b8da2c526fb1b9b1988f87fd877648f53e952cd.exesdvbcxs.exe

description	pid	process
Token: SeDebugPrivilege	2224	b4342b4b5f8e08badc18fc540b8da2c526fb1b9b1988f87fd877648f53e952cd.exe
Token: SeDebugPrivilege	1868	sdvbcxs.exe

Suspicious use of WriteProcessMemory 37 IoCs

Processes:

b4342b4b5f8e08badc18fc540b8da2c526fb1b9b1988f87fd877648f53e952cd.execmd.exesdvbcxs.exe

description	pid	process	target process
PID 2224 wrote to memory of 3176	2224	b4342b4b5f8e08badc18fc540b8da2c526fb1b9b1988f87fd877648f53e952cd.exe	cmd.exe
PID 2224 wrote to memory of 3176	2224	b4342b4b5f8e08badc18fc540b8da2c526fb1b9b1988f87fd877648f53e952cd.exe	cmd.exe
PID 2224 wrote to memory of 3176	2224	b4342b4b5f8e08badc18fc540b8da2c526fb1b9b1988f87fd877648f53e952cd.exe	cmd.exe
PID 2224 wrote to memory of 4176	2224	b4342b4b5f8e08badc18fc540b8da2c526fb1b9b1988f87fd877648f53e952cd.exe	cmd.exe
PID 2224 wrote to memory of 4176	2224	b4342b4b5f8e08badc18fc540b8da2c526fb1b9b1988f87fd877648f53e952cd.exe	cmd.exe
PID 2224 wrote to memory of 4176	2224	b4342b4b5f8e08badc18fc540b8da2c526fb1b9b1988f87fd877648f53e952cd.exe	cmd.exe
PID 2224 wrote to memory of 1288	2224	b4342b4b5f8e08badc18fc540b8da2c526fb1b9b1988f87fd877648f53e952cd.exe	cmd.exe
PID 2224 wrote to memory of 1288	2224	b4342b4b5f8e08badc18fc540b8da2c526fb1b9b1988f87fd877648f53e952cd.exe	cmd.exe
PID 2224 wrote to memory of 1288	2224	b4342b4b5f8e08badc18fc540b8da2c526fb1b9b1988f87fd877648f53e952cd.exe	cmd.exe
PID 2224 wrote to memory of 1020	2224	b4342b4b5f8e08badc18fc540b8da2c526fb1b9b1988f87fd877648f53e952cd.exe	cmd.exe
PID 2224 wrote to memory of 1020	2224	b4342b4b5f8e08badc18fc540b8da2c526fb1b9b1988f87fd877648f53e952cd.exe	cmd.exe
PID 2224 wrote to memory of 1020	2224	b4342b4b5f8e08badc18fc540b8da2c526fb1b9b1988f87fd877648f53e952cd.exe	cmd.exe
PID 1020 wrote to memory of 1868	1020	cmd.exe	sdvbcxs.exe
PID 1020 wrote to memory of 1868	1020	cmd.exe	sdvbcxs.exe
PID 1020 wrote to memory of 1868	1020	cmd.exe	sdvbcxs.exe
PID 1868 wrote to memory of 4820	1868	sdvbcxs.exe	cmd.exe
PID 1868 wrote to memory of 4820	1868	sdvbcxs.exe	cmd.exe
PID 1868 wrote to memory of 4820	1868	sdvbcxs.exe	cmd.exe
PID 1868 wrote to memory of 3000	1868	sdvbcxs.exe	cmd.exe
PID 1868 wrote to memory of 3000	1868	sdvbcxs.exe	cmd.exe
PID 1868 wrote to memory of 3000	1868	sdvbcxs.exe	cmd.exe
PID 1868 wrote to memory of 4984	1868	sdvbcxs.exe	svchost.exe
PID 1868 wrote to memory of 4984	1868	sdvbcxs.exe	svchost.exe
PID 1868 wrote to memory of 4984	1868	sdvbcxs.exe	svchost.exe
PID 1868 wrote to memory of 1036	1868	sdvbcxs.exe	svchost.exe
PID 1868 wrote to memory of 1036	1868	sdvbcxs.exe	svchost.exe
PID 1868 wrote to memory of 1036	1868	sdvbcxs.exe	svchost.exe
PID 1868 wrote to memory of 3676	1868	sdvbcxs.exe	svchost.exe
PID 1868 wrote to memory of 3676	1868	sdvbcxs.exe	svchost.exe
PID 1868 wrote to memory of 3676	1868	sdvbcxs.exe	svchost.exe
PID 1868 wrote to memory of 3676	1868	sdvbcxs.exe	svchost.exe
PID 1868 wrote to memory of 3676	1868	sdvbcxs.exe	svchost.exe
PID 1868 wrote to memory of 3676	1868	sdvbcxs.exe	svchost.exe
PID 1868 wrote to memory of 3676	1868	sdvbcxs.exe	svchost.exe
PID 1868 wrote to memory of 3676	1868	sdvbcxs.exe	svchost.exe
PID 1868 wrote to memory of 3676	1868	sdvbcxs.exe	svchost.exe
PID 1868 wrote to memory of 3676	1868	sdvbcxs.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\b4342b4b5f8e08badc18fc540b8da2c526fb1b9b1988f87fd877648f53e952cd.exe
"C:\Users\Admin\AppData\Local\Temp\b4342b4b5f8e08badc18fc540b8da2c526fb1b9b1988f87fd877648f53e952cd.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2224

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\Temp\b4342b4b5f8e08badc18fc540b8da2c526fb1b9b1988f87fd877648f53e952cd.exe:Zone.Identifier"
2⤵
- NTFS ADS
PID:3176

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\Temp\b4342b4b5f8e08badc18fc540b8da2c526fb1b9b1988f87fd877648f53e952cd.exe:Zone.Identifier"
2⤵
- NTFS ADS
PID:4176

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\b4342b4b5f8e08badc18fc540b8da2c526fb1b9b1988f87fd877648f53e952cd.exe" "C:\Users\Admin\AppData\Local\sdvbcxs.exe"
2⤵
- NTFS ADS
PID:1288

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Local\sdvbcxs.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1020

C:\Users\Admin\AppData\Local\sdvbcxs.exe
"C:\Users\Admin\AppData\Local\sdvbcxs.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1868

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\sdvbcxs.exe:Zone.Identifier"
4⤵
- NTFS ADS
PID:4820

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\sdvbcxs.exe:Zone.Identifier"
4⤵
- NTFS ADS
PID:3000

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\system32\svchost.exe"
4⤵
PID:4984

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\system32\svchost.exe"
4⤵
PID:1036

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\system32\svchost.exe"
4⤵
PID:3676

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\sdvbcxs.exe
Filesize
618KB

MD5
8c55cba01db3ea37db03917b97c49b2f

SHA1
e86a93f9b85527e330a2c03e01d243ce38231c09

SHA256
b4342b4b5f8e08badc18fc540b8da2c526fb1b9b1988f87fd877648f53e952cd

SHA512
801c578d0a5910210c16143aa1f7911a228d8f17c301773316c36b1ea42bbc9ef0c5b70cc363bcdf4df837f701f55fd23602c3fd025d70462912a6d871420efd

Download Submit
C:\Users\Admin\AppData\Local\sdvbcxs.exe
Filesize
618KB

MD5
8c55cba01db3ea37db03917b97c49b2f

SHA1
e86a93f9b85527e330a2c03e01d243ce38231c09

SHA256
b4342b4b5f8e08badc18fc540b8da2c526fb1b9b1988f87fd877648f53e952cd

SHA512
801c578d0a5910210c16143aa1f7911a228d8f17c301773316c36b1ea42bbc9ef0c5b70cc363bcdf4df837f701f55fd23602c3fd025d70462912a6d871420efd

Download Submit
memory/1020-139-0x0000000000000000-mapping.dmp

Download
memory/1036-147-0x0000000000000000-mapping.dmp

Download
memory/1288-138-0x0000000000000000-mapping.dmp

Download
memory/1868-145-0x0000000006A40000-0x0000000006ADC000-memory.dmp

Filesize
624KB

Download
memory/1868-140-0x0000000000000000-mapping.dmp

Download
memory/2224-130-0x0000000000250000-0x00000000002EE000-memory.dmp

Filesize
632KB

Download
memory/2224-137-0x00000000059E0000-0x0000000005A72000-memory.dmp

Filesize
584KB

Download
memory/2224-135-0x0000000005B10000-0x0000000005CD2000-memory.dmp

Filesize
1.8MB

Download
memory/2224-134-0x0000000005EF0000-0x0000000006494000-memory.dmp

Filesize
5.6MB

Download
memory/2224-131-0x0000000004E90000-0x0000000004EB2000-memory.dmp

Filesize
136KB

Download
memory/2224-132-0x0000000004F30000-0x0000000004F96000-memory.dmp

Filesize
408KB

Download
memory/3000-144-0x0000000000000000-mapping.dmp

Download
memory/3176-133-0x0000000000000000-mapping.dmp

Download
memory/3676-148-0x0000000000000000-mapping.dmp

Download
memory/3676-149-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3676-151-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3676-152-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4176-136-0x0000000000000000-mapping.dmp

Download
memory/4820-143-0x0000000000000000-mapping.dmp

Download
memory/4984-146-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads