Behavioral Report

General

Target

e7cddae953978be6b45011ccbde76cc209eb1bfb3976ba9e214a37df62e3e145.exe
Size

496KB
MD5

2e949fbd641fbb0b7a2faa128ddd3540
SHA1

eac22a028a62c18391a452850d9c42fbb19b7fb8
SHA256

e7cddae953978be6b45011ccbde76cc209eb1bfb3976ba9e214a37df62e3e145
SHA512

93d326fc1f0bdace236773275b0969dc191e98979e6f353567bf8ca5479773bf8c811dd9b292136a6a1f2aa0999988c79567ef41f75dde5243ebd628582c1d78

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Signatures

NetWire RAT payload ⋅ 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1132-136-0x0000000000400000-0x000000000047E000-memory.dmp	netwire
behavioral2/memory/1132-137-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Modifies Installed Components in the registry ⋅ 2 TTPs
persistence

TTPs:

Registry Run Keys / Startup Folder Modify Registry

Adds Run key to start application ⋅ 2 TTPs 2 IoCs

persistence

TTPs:

Registry Run Keys / Startup Folder Modify Registry

Processes:

e7cddae953978be6b45011ccbde76cc209eb1bfb3976ba9e214a37df62e3e145.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	e7cddae953978be6b45011ccbde76cc209eb1bfb3976ba9e214a37df62e3e145.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NetWire = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e7cddae953978be6b45011ccbde76cc209eb1bfb3976ba9e214a37df62e3e145.exe"	e7cddae953978be6b45011ccbde76cc209eb1bfb3976ba9e214a37df62e3e145.exe

Suspicious use of SetThreadContext ⋅ 1 IoCs

Processes:

e7cddae953978be6b45011ccbde76cc209eb1bfb3976ba9e214a37df62e3e145.exe

description	pid	process	target process
PID 1292 set thread context of 1132	1292	e7cddae953978be6b45011ccbde76cc209eb1bfb3976ba9e214a37df62e3e145.exe	e7cddae953978be6b45011ccbde76cc209eb1bfb3976ba9e214a37df62e3e145.exe

Suspicious use of SetWindowsHookEx ⋅ 1 IoCs

Processes:

e7cddae953978be6b45011ccbde76cc209eb1bfb3976ba9e214a37df62e3e145.exe

pid process

1292 e7cddae953978be6b45011ccbde76cc209eb1bfb3976ba9e214a37df62e3e145.exe

pid	process
1292	e7cddae953978be6b45011ccbde76cc209eb1bfb3976ba9e214a37df62e3e145.exe

Suspicious use of WriteProcessMemory ⋅ 3 IoCs

Processes:

e7cddae953978be6b45011ccbde76cc209eb1bfb3976ba9e214a37df62e3e145.exe

description	pid	process	target process
PID 1292 wrote to memory of 1132	1292	e7cddae953978be6b45011ccbde76cc209eb1bfb3976ba9e214a37df62e3e145.exe	e7cddae953978be6b45011ccbde76cc209eb1bfb3976ba9e214a37df62e3e145.exe
PID 1292 wrote to memory of 1132	1292	e7cddae953978be6b45011ccbde76cc209eb1bfb3976ba9e214a37df62e3e145.exe	e7cddae953978be6b45011ccbde76cc209eb1bfb3976ba9e214a37df62e3e145.exe
PID 1292 wrote to memory of 1132	1292	e7cddae953978be6b45011ccbde76cc209eb1bfb3976ba9e214a37df62e3e145.exe	e7cddae953978be6b45011ccbde76cc209eb1bfb3976ba9e214a37df62e3e145.exe

C:\Users\Admin\AppData\Local\Temp\e7cddae953978be6b45011ccbde76cc209eb1bfb3976ba9e214a37df62e3e145.exe

"C:\Users\Admin\AppData\Local\Temp\e7cddae953978be6b45011ccbde76cc209eb1bfb3976ba9e214a37df62e3e145.exe"

Suspicious use of SetThreadContext
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory

PID:1292

C:\Users\Admin\AppData\Local\Temp\e7cddae953978be6b45011ccbde76cc209eb1bfb3976ba9e214a37df62e3e145.exe

C:\Users\Admin\AppData\Local\Temp\e7cddae953978be6b45011ccbde76cc209eb1bfb3976ba9e214a37df62e3e145.exe"

Adds Run key to start application

PID:1132

Network

MITRE ATT&CK Matrix

Collection

Command and Control

Credential Access

Defense Evasion

Modify Registry

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Replay Monitor

00:00 00:00

Downloads

memory/1132-133-0x0000000000000000-mapping.dmp

Download
memory/1132-136-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1132-137-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1132-143-0x00007FFAFF090000-0x00007FFAFF285000-memory.dmp

Filesize
1MB

Download
memory/1132-144-0x00000000773E0000-0x0000000077583000-memory.dmp

Filesize
1MB

Download
memory/1292-132-0x0000000002220000-0x0000000002227000-memory.dmp

Filesize
28KB

Download
memory/1292-134-0x00007FFAFF090000-0x00007FFAFF285000-memory.dmp

Filesize
1MB

Download
memory/1292-135-0x00000000773E0000-0x0000000077583000-memory.dmp

Filesize
1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Downloads