netwire | 101e53d25bfa7afdaa3fc2eabcba839f5afde1ab53cb585a036948ef0c1817b0

General

Target

101e53d25bfa7afdaa3fc2eabcba839f5afde1ab53cb585a036948ef0c1817b0.exe
Size

137KB
MD5

65d209ca2059c2246557a4e01e018ba8
SHA1

b7bf68ef1f74e33b530025cca086fa503c1c9e15
SHA256

101e53d25bfa7afdaa3fc2eabcba839f5afde1ab53cb585a036948ef0c1817b0
SHA512

6bcd1f5cd9c009e5c23614a8d5f470e34d7f825a8322402e935b58018c8aae3ecc8d229f98ecc8b73606c4216e30866ed5362e48442ffd844f378a27dbc09529

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Signatures

NetWire RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3248-138-0x0000000000400000-0x0000000000418000-memory.dmp	netwire
behavioral2/memory/4196-150-0x0000000000400000-0x0000000000418000-memory.dmp	netwire
behavioral2/memory/4196-152-0x0000000000400000-0x0000000000418000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

system.exesystem.exe

pid process

444 system.exe
4196 system.exe

pid	process
444	system.exe
4196	system.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

system.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{SA8500OJ-3T4J-65P5-K3AS-I8L75JD0EUEO}	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{SA8500OJ-3T4J-65P5-K3AS-I8L75JD0EUEO}\StubPath = "\"C:\\Users\\Admin\\AppData\\Roaming\\Install\\system.exe\""	system.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

101e53d25bfa7afdaa3fc2eabcba839f5afde1ab53cb585a036948ef0c1817b0.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	101e53d25bfa7afdaa3fc2eabcba839f5afde1ab53cb585a036948ef0c1817b0.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

system.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\system.exe"	system.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

101e53d25bfa7afdaa3fc2eabcba839f5afde1ab53cb585a036948ef0c1817b0.exesystem.exe

description	pid	process	target process
PID 4976 set thread context of 3248	4976	101e53d25bfa7afdaa3fc2eabcba839f5afde1ab53cb585a036948ef0c1817b0.exe	101e53d25bfa7afdaa3fc2eabcba839f5afde1ab53cb585a036948ef0c1817b0.exe
PID 444 set thread context of 4196	444	system.exe	system.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

101e53d25bfa7afdaa3fc2eabcba839f5afde1ab53cb585a036948ef0c1817b0.exe101e53d25bfa7afdaa3fc2eabcba839f5afde1ab53cb585a036948ef0c1817b0.exesystem.exe

description	pid	process	target process
PID 4976 wrote to memory of 3248	4976	101e53d25bfa7afdaa3fc2eabcba839f5afde1ab53cb585a036948ef0c1817b0.exe	101e53d25bfa7afdaa3fc2eabcba839f5afde1ab53cb585a036948ef0c1817b0.exe
PID 4976 wrote to memory of 3248	4976	101e53d25bfa7afdaa3fc2eabcba839f5afde1ab53cb585a036948ef0c1817b0.exe	101e53d25bfa7afdaa3fc2eabcba839f5afde1ab53cb585a036948ef0c1817b0.exe
PID 4976 wrote to memory of 3248	4976	101e53d25bfa7afdaa3fc2eabcba839f5afde1ab53cb585a036948ef0c1817b0.exe	101e53d25bfa7afdaa3fc2eabcba839f5afde1ab53cb585a036948ef0c1817b0.exe
PID 4976 wrote to memory of 3248	4976	101e53d25bfa7afdaa3fc2eabcba839f5afde1ab53cb585a036948ef0c1817b0.exe	101e53d25bfa7afdaa3fc2eabcba839f5afde1ab53cb585a036948ef0c1817b0.exe
PID 4976 wrote to memory of 3248	4976	101e53d25bfa7afdaa3fc2eabcba839f5afde1ab53cb585a036948ef0c1817b0.exe	101e53d25bfa7afdaa3fc2eabcba839f5afde1ab53cb585a036948ef0c1817b0.exe
PID 4976 wrote to memory of 3248	4976	101e53d25bfa7afdaa3fc2eabcba839f5afde1ab53cb585a036948ef0c1817b0.exe	101e53d25bfa7afdaa3fc2eabcba839f5afde1ab53cb585a036948ef0c1817b0.exe
PID 4976 wrote to memory of 3248	4976	101e53d25bfa7afdaa3fc2eabcba839f5afde1ab53cb585a036948ef0c1817b0.exe	101e53d25bfa7afdaa3fc2eabcba839f5afde1ab53cb585a036948ef0c1817b0.exe
PID 4976 wrote to memory of 3248	4976	101e53d25bfa7afdaa3fc2eabcba839f5afde1ab53cb585a036948ef0c1817b0.exe	101e53d25bfa7afdaa3fc2eabcba839f5afde1ab53cb585a036948ef0c1817b0.exe
PID 4976 wrote to memory of 3248	4976	101e53d25bfa7afdaa3fc2eabcba839f5afde1ab53cb585a036948ef0c1817b0.exe	101e53d25bfa7afdaa3fc2eabcba839f5afde1ab53cb585a036948ef0c1817b0.exe
PID 3248 wrote to memory of 444	3248	101e53d25bfa7afdaa3fc2eabcba839f5afde1ab53cb585a036948ef0c1817b0.exe	system.exe
PID 3248 wrote to memory of 444	3248	101e53d25bfa7afdaa3fc2eabcba839f5afde1ab53cb585a036948ef0c1817b0.exe	system.exe
PID 3248 wrote to memory of 444	3248	101e53d25bfa7afdaa3fc2eabcba839f5afde1ab53cb585a036948ef0c1817b0.exe	system.exe
PID 444 wrote to memory of 4196	444	system.exe	system.exe
PID 444 wrote to memory of 4196	444	system.exe	system.exe
PID 444 wrote to memory of 4196	444	system.exe	system.exe
PID 444 wrote to memory of 4196	444	system.exe	system.exe
PID 444 wrote to memory of 4196	444	system.exe	system.exe
PID 444 wrote to memory of 4196	444	system.exe	system.exe
PID 444 wrote to memory of 4196	444	system.exe	system.exe
PID 444 wrote to memory of 4196	444	system.exe	system.exe
PID 444 wrote to memory of 4196	444	system.exe	system.exe

C:\Users\Admin\AppData\Local\Temp\101e53d25bfa7afdaa3fc2eabcba839f5afde1ab53cb585a036948ef0c1817b0.exe
"C:\Users\Admin\AppData\Local\Temp\101e53d25bfa7afdaa3fc2eabcba839f5afde1ab53cb585a036948ef0c1817b0.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4976

C:\Users\Admin\AppData\Local\Temp\101e53d25bfa7afdaa3fc2eabcba839f5afde1ab53cb585a036948ef0c1817b0.exe
"C:\Users\Admin\AppData\Local\Temp\101e53d25bfa7afdaa3fc2eabcba839f5afde1ab53cb585a036948ef0c1817b0.exe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3248

C:\Users\Admin\AppData\Roaming\Install\system.exe
"C:\Users\Admin\AppData\Roaming\Install\system.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:444

C:\Users\Admin\AppData\Roaming\Install\system.exe
"C:\Users\Admin\AppData\Roaming\Install\system.exe"
4⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
PID:4196

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Install\system.exe
Filesize
137KB

MD5
65d209ca2059c2246557a4e01e018ba8

SHA1
b7bf68ef1f74e33b530025cca086fa503c1c9e15

SHA256
101e53d25bfa7afdaa3fc2eabcba839f5afde1ab53cb585a036948ef0c1817b0

SHA512
6bcd1f5cd9c009e5c23614a8d5f470e34d7f825a8322402e935b58018c8aae3ecc8d229f98ecc8b73606c4216e30866ed5362e48442ffd844f378a27dbc09529

Download Submit
C:\Users\Admin\AppData\Roaming\Install\system.exe
Filesize
137KB

MD5
65d209ca2059c2246557a4e01e018ba8

SHA1
b7bf68ef1f74e33b530025cca086fa503c1c9e15

SHA256
101e53d25bfa7afdaa3fc2eabcba839f5afde1ab53cb585a036948ef0c1817b0

SHA512
6bcd1f5cd9c009e5c23614a8d5f470e34d7f825a8322402e935b58018c8aae3ecc8d229f98ecc8b73606c4216e30866ed5362e48442ffd844f378a27dbc09529

Download Submit
C:\Users\Admin\AppData\Roaming\Install\system.exe
Filesize
137KB

MD5
65d209ca2059c2246557a4e01e018ba8

SHA1
b7bf68ef1f74e33b530025cca086fa503c1c9e15

SHA256
101e53d25bfa7afdaa3fc2eabcba839f5afde1ab53cb585a036948ef0c1817b0

SHA512
6bcd1f5cd9c009e5c23614a8d5f470e34d7f825a8322402e935b58018c8aae3ecc8d229f98ecc8b73606c4216e30866ed5362e48442ffd844f378a27dbc09529

Download Submit
memory/444-142-0x00000000738C0000-0x0000000073E71000-memory.dmp

Filesize
5.7MB

Download
memory/444-139-0x0000000000000000-mapping.dmp

Download
memory/444-149-0x00000000738C0000-0x0000000073E71000-memory.dmp

Filesize
5.7MB

Download
memory/444-143-0x0000000072BF0000-0x00000000736F0000-memory.dmp

Filesize
11.0MB

Download
memory/444-151-0x0000000072BF0000-0x00000000736F0000-memory.dmp

Filesize
11.0MB

Download
memory/3248-138-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3248-134-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3248-132-0x0000000000000000-mapping.dmp

Download
memory/3248-135-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3248-133-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4196-152-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4196-144-0x0000000000000000-mapping.dmp

Download
memory/4196-150-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4196-148-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4976-131-0x0000000073900000-0x0000000074400000-memory.dmp

Filesize
11.0MB

Download
memory/4976-130-0x0000000074B00000-0x00000000750B1000-memory.dmp

Filesize
5.7MB

Download
memory/4976-137-0x0000000073900000-0x0000000074400000-memory.dmp

Filesize
11.0MB

Download
memory/4976-136-0x0000000074B00000-0x00000000750B1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads