netwire | 3f8fe3bfb24bf880c9aadbcf2c3c9c800f87026d0cdc5ef133ba039a7dc5d3c1

Analysis

max time kernel
92s
max time network
97s
platform
windows7_x64
resource
win7-20220414-en
submitted
21-05-2022 18:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Proof of payment.exe
Size

980KB
MD5

4bc9ed4383e90e5e4d2c38deae0d58e4
SHA1

b9a519e8b70886ee003132e3cdda2006f5b1be9c
SHA256

e8ac69b242f87152457399a019803c892209200c3951f6a0efc05cde5dd5edf5
SHA512

29722a913cb2f2fd45268ff6c56d98b4419b996a7fb633dda11bb31a05a9b43eb0b5f14df92868c7ee08045de07a3e9ece815d331acdc3c6080482bcfcad73a7

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Signatures

NetWire RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1456-67-0x0000000000350000-0x0000000000A44000-memory.dmp	netwire
behavioral1/memory/1456-68-0x0000000000352BCB-mapping.dmp	netwire
behavioral1/memory/1456-72-0x0000000000350000-0x0000000000A44000-memory.dmp	netwire
behavioral1/memory/1456-73-0x0000000000350000-0x0000000000A44000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

sxfqonaid.pifRegSvcs.exe

pid process

1152 sxfqonaid.pif
1456 RegSvcs.exe
Loads dropped DLL 5 IoCs

Processes:

Proof of payment.exesxfqonaid.pif

pid process

1000 Proof of payment.exe
1000 Proof of payment.exe
1000 Proof of payment.exe
1000 Proof of payment.exe
1152 sxfqonaid.pif

pid	process
1152	sxfqonaid.pif
1456	RegSvcs.exe

pid	process
1000	Proof of payment.exe
1000	Proof of payment.exe
1000	Proof of payment.exe
1000	Proof of payment.exe
1152	sxfqonaid.pif

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

sxfqonaid.pif

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	sxfqonaid.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\85695789\\SXFQON~1.PIF c:\\85695789\\iqlpc.qlm"	sxfqonaid.pif

Suspicious use of SetThreadContext 1 IoCs

Processes:

sxfqonaid.pif

description pid process target process

PID 1152 set thread context of 1456 1152 sxfqonaid.pif RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 1152 set thread context of 1456	1152	sxfqonaid.pif	RegSvcs.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

Proof of payment.exesxfqonaid.pif

description	pid	process	target process
PID 1000 wrote to memory of 1152	1000	Proof of payment.exe	sxfqonaid.pif
PID 1000 wrote to memory of 1152	1000	Proof of payment.exe	sxfqonaid.pif
PID 1000 wrote to memory of 1152	1000	Proof of payment.exe	sxfqonaid.pif
PID 1000 wrote to memory of 1152	1000	Proof of payment.exe	sxfqonaid.pif
PID 1152 wrote to memory of 1456	1152	sxfqonaid.pif	RegSvcs.exe
PID 1152 wrote to memory of 1456	1152	sxfqonaid.pif	RegSvcs.exe
PID 1152 wrote to memory of 1456	1152	sxfqonaid.pif	RegSvcs.exe
PID 1152 wrote to memory of 1456	1152	sxfqonaid.pif	RegSvcs.exe
PID 1152 wrote to memory of 1456	1152	sxfqonaid.pif	RegSvcs.exe
PID 1152 wrote to memory of 1456	1152	sxfqonaid.pif	RegSvcs.exe
PID 1152 wrote to memory of 1456	1152	sxfqonaid.pif	RegSvcs.exe
PID 1152 wrote to memory of 1456	1152	sxfqonaid.pif	RegSvcs.exe
PID 1152 wrote to memory of 1456	1152	sxfqonaid.pif	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\Proof of payment.exe
"C:\Users\Admin\AppData\Local\Temp\Proof of payment.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1000

C:\85695789\sxfqonaid.pif
"C:\85695789\sxfqonaid.pif" iqlpc.qlm
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1152

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
3⤵
- Executes dropped EXE
PID:1456

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\85695789\iqlpc.qlm
Filesize
167.7MB

MD5
dfd73cc48aa9e426c42db96b81593a34

SHA1
ee33bc31493718e482f51c90a1720e284f19cd0c

SHA256
67333b0d13f34e62787765d8cbbdfde15c754865edebf9ed600c0b590cc3e4ac

SHA512
d5bb0e12c17a9a78ca364312861ebe4d5e1f925fbc056407c1f2fd7ac43d8411f0cf0a53f038a1c7b86dc27fccdc41e62853a229633acd80f1d2f98da9b44e43

Download Submit
C:\85695789\qdjdjgobx.bmp
Filesize
312KB

MD5
161601794c6283ab24988659fd79202c

SHA1
9db71f209a524731d8edf694fe53b36304122b01

SHA256
f6d47b1c614ab3c398e86140cab65918018bcc43ebd0a6438c096e3c885b50c2

SHA512
3ec39f6f688eb7658628f1e590d434b859003f800dedbe47d276e4ba628f5cb68f8523871e603198c124371448db030f246cc59ee9935e34900cd4c24f4a9f0e

Download Submit
C:\85695789\sxfqonaid.pif
Filesize
655KB

MD5
a75bc752c50fb74f7597c2bb59b93d43

SHA1
d2dcd3d104b6b04f0828844aeda188798669b41f

SHA256
877365dfcbe9d4896e9ca544c7d19e106ab78339edbc1bd410f2e11bd32cd2ee

SHA512
e856238e3cb519786365faf17d0d590692fa991d9ca81e2fb8ce094cd090583f4ed1823b7ca9c0f702320398054ba682644a02f8d99d4e0f53733564611d3f97

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
Filesize
44KB

MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
\85695789\sxfqonaid.pif
Filesize
655KB

MD5
a75bc752c50fb74f7597c2bb59b93d43

SHA1
d2dcd3d104b6b04f0828844aeda188798669b41f

SHA256
877365dfcbe9d4896e9ca544c7d19e106ab78339edbc1bd410f2e11bd32cd2ee

SHA512
e856238e3cb519786365faf17d0d590692fa991d9ca81e2fb8ce094cd090583f4ed1823b7ca9c0f702320398054ba682644a02f8d99d4e0f53733564611d3f97

Download Submit
\85695789\sxfqonaid.pif
Filesize
655KB

MD5
a75bc752c50fb74f7597c2bb59b93d43

SHA1
d2dcd3d104b6b04f0828844aeda188798669b41f

SHA256
877365dfcbe9d4896e9ca544c7d19e106ab78339edbc1bd410f2e11bd32cd2ee

SHA512
e856238e3cb519786365faf17d0d590692fa991d9ca81e2fb8ce094cd090583f4ed1823b7ca9c0f702320398054ba682644a02f8d99d4e0f53733564611d3f97

Download Submit
\85695789\sxfqonaid.pif
Filesize
655KB

MD5
a75bc752c50fb74f7597c2bb59b93d43

SHA1
d2dcd3d104b6b04f0828844aeda188798669b41f

SHA256
877365dfcbe9d4896e9ca544c7d19e106ab78339edbc1bd410f2e11bd32cd2ee

SHA512
e856238e3cb519786365faf17d0d590692fa991d9ca81e2fb8ce094cd090583f4ed1823b7ca9c0f702320398054ba682644a02f8d99d4e0f53733564611d3f97

Download Submit
\85695789\sxfqonaid.pif
Filesize
655KB

MD5
a75bc752c50fb74f7597c2bb59b93d43

SHA1
d2dcd3d104b6b04f0828844aeda188798669b41f

SHA256
877365dfcbe9d4896e9ca544c7d19e106ab78339edbc1bd410f2e11bd32cd2ee

SHA512
e856238e3cb519786365faf17d0d590692fa991d9ca81e2fb8ce094cd090583f4ed1823b7ca9c0f702320398054ba682644a02f8d99d4e0f53733564611d3f97

Download Submit
\Users\Admin\AppData\Local\Temp\RegSvcs.exe
Filesize
44KB

MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
memory/1000-54-0x0000000075F21000-0x0000000075F23000-memory.dmp

Filesize
8KB

Download
memory/1152-59-0x0000000000000000-mapping.dmp

Download
memory/1456-65-0x0000000000350000-0x0000000000A44000-memory.dmp

Filesize
7.0MB

Download
memory/1456-67-0x0000000000350000-0x0000000000A44000-memory.dmp

Filesize
7.0MB

Download
memory/1456-68-0x0000000000352BCB-mapping.dmp

Download
memory/1456-72-0x0000000000350000-0x0000000000A44000-memory.dmp

Filesize
7.0MB

Download
memory/1456-73-0x0000000000350000-0x0000000000A44000-memory.dmp

Filesize
7.0MB

Download