netwire | afb777c3c1bbd190af137c193d61137833365f73c9e8915e15fa0bc260aecdb5

General

Target

INQUIRY.exe
Size

259KB
MD5

f652086d83ccc25c14bbcebb9229cbd4
SHA1

cadd3972915bd7ffee7442c8b60ff6acc156705e
SHA256

9a6951c6f3c33c217edd9a4e32f5422c4e125b909d0c88e190b76eb695f05b72
SHA512

1fb741fe778c749d465cea204739519bf2a4bad4121d472f3ada7bbd8c7d3f09fb43eb7a3e81c0de88105bc89d1ba32254ef41bc96d13b12920e796a6cee8d0c

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

C2

194.5.97.109:3360

Attributes

activex_autorun
false
activex_key
copy_executable
true
delete_original
true
host_id
MAZI
install_path
%AppData%\Install\Host.exe
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
offline_keylogger
true
password
Password
registry_autorun
false
startup_name
use_mutex
false

Signatures

NetWire RAT payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3036-136-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral2/memory/3036-138-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral2/memory/3036-141-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral2/memory/1612-152-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral2/memory/1612-153-0x0000000000400000-0x0000000000433000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 3 IoCs

Processes:

Host.exeHost.exeHost.exe

pid process

4188 Host.exe
2052 Host.exe
1612 Host.exe

pid	process
4188	Host.exe
2052	Host.exe
1612	Host.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

INQUIRY.exeINQUIRY.exeHost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	INQUIRY.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	INQUIRY.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	Host.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

INQUIRY.exeHost.exe

description	pid	process	target process
PID 2612 set thread context of 3036	2612	INQUIRY.exe	INQUIRY.exe
PID 4188 set thread context of 1612	4188	Host.exe	Host.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4716 schtasks.exe
648 schtasks.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

INQUIRY.exeHost.exe

pid process

2612 INQUIRY.exe
2612 INQUIRY.exe
2612 INQUIRY.exe
2612 INQUIRY.exe
4188 Host.exe
4188 Host.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

INQUIRY.exeHost.exe

description pid process

Token: SeDebugPrivilege 2612 INQUIRY.exe
Token: SeDebugPrivilege 4188 Host.exe

pid	process
4716	schtasks.exe
648	schtasks.exe

pid	process
2612	INQUIRY.exe
2612	INQUIRY.exe
2612	INQUIRY.exe
2612	INQUIRY.exe
4188	Host.exe
4188	Host.exe

description	pid	process
Token: SeDebugPrivilege	2612	INQUIRY.exe
Token: SeDebugPrivilege	4188	Host.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

INQUIRY.exeINQUIRY.exeHost.exe

description	pid	process	target process
PID 2612 wrote to memory of 4716	2612	INQUIRY.exe	schtasks.exe
PID 2612 wrote to memory of 4716	2612	INQUIRY.exe	schtasks.exe
PID 2612 wrote to memory of 4716	2612	INQUIRY.exe	schtasks.exe
PID 2612 wrote to memory of 2460	2612	INQUIRY.exe	INQUIRY.exe
PID 2612 wrote to memory of 2460	2612	INQUIRY.exe	INQUIRY.exe
PID 2612 wrote to memory of 2460	2612	INQUIRY.exe	INQUIRY.exe
PID 2612 wrote to memory of 2628	2612	INQUIRY.exe	INQUIRY.exe
PID 2612 wrote to memory of 2628	2612	INQUIRY.exe	INQUIRY.exe
PID 2612 wrote to memory of 2628	2612	INQUIRY.exe	INQUIRY.exe
PID 2612 wrote to memory of 3036	2612	INQUIRY.exe	INQUIRY.exe
PID 2612 wrote to memory of 3036	2612	INQUIRY.exe	INQUIRY.exe
PID 2612 wrote to memory of 3036	2612	INQUIRY.exe	INQUIRY.exe
PID 2612 wrote to memory of 3036	2612	INQUIRY.exe	INQUIRY.exe
PID 2612 wrote to memory of 3036	2612	INQUIRY.exe	INQUIRY.exe
PID 2612 wrote to memory of 3036	2612	INQUIRY.exe	INQUIRY.exe
PID 2612 wrote to memory of 3036	2612	INQUIRY.exe	INQUIRY.exe
PID 2612 wrote to memory of 3036	2612	INQUIRY.exe	INQUIRY.exe
PID 2612 wrote to memory of 3036	2612	INQUIRY.exe	INQUIRY.exe
PID 2612 wrote to memory of 3036	2612	INQUIRY.exe	INQUIRY.exe
PID 2612 wrote to memory of 3036	2612	INQUIRY.exe	INQUIRY.exe
PID 3036 wrote to memory of 4188	3036	INQUIRY.exe	Host.exe
PID 3036 wrote to memory of 4188	3036	INQUIRY.exe	Host.exe
PID 3036 wrote to memory of 4188	3036	INQUIRY.exe	Host.exe
PID 4188 wrote to memory of 648	4188	Host.exe	schtasks.exe
PID 4188 wrote to memory of 648	4188	Host.exe	schtasks.exe
PID 4188 wrote to memory of 648	4188	Host.exe	schtasks.exe
PID 4188 wrote to memory of 2052	4188	Host.exe	Host.exe
PID 4188 wrote to memory of 2052	4188	Host.exe	Host.exe
PID 4188 wrote to memory of 2052	4188	Host.exe	Host.exe
PID 4188 wrote to memory of 1612	4188	Host.exe	Host.exe
PID 4188 wrote to memory of 1612	4188	Host.exe	Host.exe
PID 4188 wrote to memory of 1612	4188	Host.exe	Host.exe
PID 4188 wrote to memory of 1612	4188	Host.exe	Host.exe
PID 4188 wrote to memory of 1612	4188	Host.exe	Host.exe
PID 4188 wrote to memory of 1612	4188	Host.exe	Host.exe
PID 4188 wrote to memory of 1612	4188	Host.exe	Host.exe
PID 4188 wrote to memory of 1612	4188	Host.exe	Host.exe
PID 4188 wrote to memory of 1612	4188	Host.exe	Host.exe
PID 4188 wrote to memory of 1612	4188	Host.exe	Host.exe
PID 4188 wrote to memory of 1612	4188	Host.exe	Host.exe

C:\Users\Admin\AppData\Local\Temp\INQUIRY.exe
"C:\Users\Admin\AppData\Local\Temp\INQUIRY.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2612

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VSkCPulZoc" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3FF7.tmp"
2⤵
- Creates scheduled task(s)
PID:4716

C:\Users\Admin\AppData\Local\Temp\INQUIRY.exe
"C:\Users\Admin\AppData\Local\Temp\INQUIRY.exe"
2⤵
PID:2460

C:\Users\Admin\AppData\Local\Temp\INQUIRY.exe
"C:\Users\Admin\AppData\Local\Temp\INQUIRY.exe"
2⤵
PID:2628

C:\Users\Admin\AppData\Local\Temp\INQUIRY.exe
"C:\Users\Admin\AppData\Local\Temp\INQUIRY.exe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3036

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe" -m "C:\Users\Admin\AppData\Local\Temp\INQUIRY.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4188

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VSkCPulZoc" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5360.tmp"
4⤵
- Creates scheduled task(s)
PID:648

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
4⤵
- Executes dropped EXE
PID:2052

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
4⤵
- Executes dropped EXE
PID:1612

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp3FF7.tmp
Filesize
1KB

MD5
7404c98425f58fd7bcd60bf50bb212a7

SHA1
2a5fcc2d861321bf57b5166007514e6a964fe9f6

SHA256
fc327e9ae35292a4eea5a45cea50e8db961b82c90c9fefa62472137f44710dfd

SHA512
6d69d01a9ed7838b160d7cac1eebe1fba1025eeb6780d7c7cbd8ad69e667bfe80c240aa17b317c461811c99339db428a2de0df7cfbe2dd4aa9301aab9e02dc64

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5360.tmp
Filesize
1KB

MD5
7404c98425f58fd7bcd60bf50bb212a7

SHA1
2a5fcc2d861321bf57b5166007514e6a964fe9f6

SHA256
fc327e9ae35292a4eea5a45cea50e8db961b82c90c9fefa62472137f44710dfd

SHA512
6d69d01a9ed7838b160d7cac1eebe1fba1025eeb6780d7c7cbd8ad69e667bfe80c240aa17b317c461811c99339db428a2de0df7cfbe2dd4aa9301aab9e02dc64

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
259KB

MD5
f652086d83ccc25c14bbcebb9229cbd4

SHA1
cadd3972915bd7ffee7442c8b60ff6acc156705e

SHA256
9a6951c6f3c33c217edd9a4e32f5422c4e125b909d0c88e190b76eb695f05b72

SHA512
1fb741fe778c749d465cea204739519bf2a4bad4121d472f3ada7bbd8c7d3f09fb43eb7a3e81c0de88105bc89d1ba32254ef41bc96d13b12920e796a6cee8d0c

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
259KB

MD5
f652086d83ccc25c14bbcebb9229cbd4

SHA1
cadd3972915bd7ffee7442c8b60ff6acc156705e

SHA256
9a6951c6f3c33c217edd9a4e32f5422c4e125b909d0c88e190b76eb695f05b72

SHA512
1fb741fe778c749d465cea204739519bf2a4bad4121d472f3ada7bbd8c7d3f09fb43eb7a3e81c0de88105bc89d1ba32254ef41bc96d13b12920e796a6cee8d0c

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
259KB

MD5
f652086d83ccc25c14bbcebb9229cbd4

SHA1
cadd3972915bd7ffee7442c8b60ff6acc156705e

SHA256
9a6951c6f3c33c217edd9a4e32f5422c4e125b909d0c88e190b76eb695f05b72

SHA512
1fb741fe778c749d465cea204739519bf2a4bad4121d472f3ada7bbd8c7d3f09fb43eb7a3e81c0de88105bc89d1ba32254ef41bc96d13b12920e796a6cee8d0c

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
259KB

MD5
f652086d83ccc25c14bbcebb9229cbd4

SHA1
cadd3972915bd7ffee7442c8b60ff6acc156705e

SHA256
9a6951c6f3c33c217edd9a4e32f5422c4e125b909d0c88e190b76eb695f05b72

SHA512
1fb741fe778c749d465cea204739519bf2a4bad4121d472f3ada7bbd8c7d3f09fb43eb7a3e81c0de88105bc89d1ba32254ef41bc96d13b12920e796a6cee8d0c

Download Submit
memory/648-144-0x0000000000000000-mapping.dmp

Download
memory/1612-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1612-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1612-148-0x0000000000000000-mapping.dmp

Download
memory/2052-146-0x0000000000000000-mapping.dmp

Download
memory/2460-133-0x0000000000000000-mapping.dmp

Download
memory/2612-130-0x00000000750E0000-0x0000000075691000-memory.dmp

Filesize
5.7MB

Download
memory/2628-134-0x0000000000000000-mapping.dmp

Download
memory/3036-141-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3036-138-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3036-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3036-135-0x0000000000000000-mapping.dmp

Download
memory/4188-143-0x0000000073E30000-0x00000000743E1000-memory.dmp

Filesize
5.7MB

Download
memory/4188-139-0x0000000000000000-mapping.dmp

Download
memory/4716-131-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads