netwire | 3952a3de4723e972b996401510de66b006d2c19dcebb488b013a7c116277351b

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
25-06-2022 11:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3952a3de4723e972b996401510de66b006d2c19dcebb488b013a7c116277351b.exe
Size

620KB
MD5

6ca289e14496ed3f078ddcea8ecea4a4
SHA1

7929b23f4c6fe4de022483138e5316ddeb3bf98b
SHA256

3952a3de4723e972b996401510de66b006d2c19dcebb488b013a7c116277351b
SHA512

658bd95581cde3e558970dfdf43cbf63067bdb561b7b4756b374c293064e4c41c5e44a12f722eacc4154b094d8d67f4eb52740d2d00de1a05972239993bdb211

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

xmpphosts.ru:3366

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
lock_executable
false
mutex
ohviVvrC
offline_keylogger
false
password
456123xyz
registry_autorun
false
use_mutex
true

Signatures

NetWire RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4804-140-0x0000000000000000-mapping.dmp	netwire
behavioral2/memory/4804-142-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/4804-145-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/4804-146-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

WinRAR.exeWinRAR.exe

pid process

4148 WinRAR.exe
4804 WinRAR.exe

pid	process
4148	WinRAR.exe
4804	WinRAR.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3952a3de4723e972b996401510de66b006d2c19dcebb488b013a7c116277351b.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	3952a3de4723e972b996401510de66b006d2c19dcebb488b013a7c116277351b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	WScript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\WinRAR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WinRAR\\WinRAR.vbs"	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

3952a3de4723e972b996401510de66b006d2c19dcebb488b013a7c116277351b.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	3952a3de4723e972b996401510de66b006d2c19dcebb488b013a7c116277351b.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

3952a3de4723e972b996401510de66b006d2c19dcebb488b013a7c116277351b.exeWinRAR.exe

pid process

396 3952a3de4723e972b996401510de66b006d2c19dcebb488b013a7c116277351b.exe
4148 WinRAR.exe

pid	process
396	3952a3de4723e972b996401510de66b006d2c19dcebb488b013a7c116277351b.exe
4148	WinRAR.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

3952a3de4723e972b996401510de66b006d2c19dcebb488b013a7c116277351b.exeWScript.exeWinRAR.exe

description	pid	process	target process
PID 396 wrote to memory of 4772	396	3952a3de4723e972b996401510de66b006d2c19dcebb488b013a7c116277351b.exe	WScript.exe
PID 396 wrote to memory of 4772	396	3952a3de4723e972b996401510de66b006d2c19dcebb488b013a7c116277351b.exe	WScript.exe
PID 396 wrote to memory of 4772	396	3952a3de4723e972b996401510de66b006d2c19dcebb488b013a7c116277351b.exe	WScript.exe
PID 4772 wrote to memory of 4148	4772	WScript.exe	WinRAR.exe
PID 4772 wrote to memory of 4148	4772	WScript.exe	WinRAR.exe
PID 4772 wrote to memory of 4148	4772	WScript.exe	WinRAR.exe
PID 4148 wrote to memory of 4804	4148	WinRAR.exe	WinRAR.exe
PID 4148 wrote to memory of 4804	4148	WinRAR.exe	WinRAR.exe
PID 4148 wrote to memory of 4804	4148	WinRAR.exe	WinRAR.exe
PID 4148 wrote to memory of 4804	4148	WinRAR.exe	WinRAR.exe
PID 4148 wrote to memory of 4804	4148	WinRAR.exe	WinRAR.exe
PID 4148 wrote to memory of 4804	4148	WinRAR.exe	WinRAR.exe
PID 4148 wrote to memory of 4804	4148	WinRAR.exe	WinRAR.exe
PID 4148 wrote to memory of 4804	4148	WinRAR.exe	WinRAR.exe
PID 4148 wrote to memory of 4804	4148	WinRAR.exe	WinRAR.exe
PID 4148 wrote to memory of 4804	4148	WinRAR.exe	WinRAR.exe
PID 4148 wrote to memory of 4804	4148	WinRAR.exe	WinRAR.exe
PID 4148 wrote to memory of 4804	4148	WinRAR.exe	WinRAR.exe
PID 4148 wrote to memory of 4804	4148	WinRAR.exe	WinRAR.exe
PID 4148 wrote to memory of 4804	4148	WinRAR.exe	WinRAR.exe
PID 4148 wrote to memory of 4804	4148	WinRAR.exe	WinRAR.exe
PID 4148 wrote to memory of 4804	4148	WinRAR.exe	WinRAR.exe
PID 4148 wrote to memory of 4804	4148	WinRAR.exe	WinRAR.exe

C:\Users\Admin\AppData\Local\Temp\3952a3de4723e972b996401510de66b006d2c19dcebb488b013a7c116277351b.exe
"C:\Users\Admin\AppData\Local\Temp\3952a3de4723e972b996401510de66b006d2c19dcebb488b013a7c116277351b.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:396

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\WinRAR\WinRAR.vbs"
2⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4772

C:\Users\Admin\AppData\Local\Temp\WinRAR\WinRAR.exe
"C:\Users\Admin\AppData\Local\Temp\WinRAR\WinRAR.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4148

C:\Users\Admin\AppData\Local\Temp\WinRAR\WinRAR.exe
"C:\Users\Admin\AppData\Local\Temp\WinRAR\WinRAR.exe"
4⤵
- Executes dropped EXE
PID:4804

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\WinRAR\WinRAR.exe
Filesize
620KB

MD5
deb606acc84fc2818254dc07d1f6c2ac

SHA1
7638dfd79ba4fbd94a40f83f56f74ee2b6ae0e1a

SHA256
9d2c040053b8ecf9744b3f0bb9b06554985d3b6fe2ef354a8794b4c0885fed6c

SHA512
0cba279bbb65ac56a837fb4e179d19ffb78cc16068557bb194b9030cf95abdf514a782d7745313c4933557c9213c9949cf81ba0c40b09b6d885e1b97020943ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinRAR\WinRAR.exe
Filesize
620KB

MD5
deb606acc84fc2818254dc07d1f6c2ac

SHA1
7638dfd79ba4fbd94a40f83f56f74ee2b6ae0e1a

SHA256
9d2c040053b8ecf9744b3f0bb9b06554985d3b6fe2ef354a8794b4c0885fed6c

SHA512
0cba279bbb65ac56a837fb4e179d19ffb78cc16068557bb194b9030cf95abdf514a782d7745313c4933557c9213c9949cf81ba0c40b09b6d885e1b97020943ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinRAR\WinRAR.exe
Filesize
620KB

MD5
deb606acc84fc2818254dc07d1f6c2ac

SHA1
7638dfd79ba4fbd94a40f83f56f74ee2b6ae0e1a

SHA256
9d2c040053b8ecf9744b3f0bb9b06554985d3b6fe2ef354a8794b4c0885fed6c

SHA512
0cba279bbb65ac56a837fb4e179d19ffb78cc16068557bb194b9030cf95abdf514a782d7745313c4933557c9213c9949cf81ba0c40b09b6d885e1b97020943ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinRAR\WinRAR.vbs
Filesize
1024B

MD5
23f6a019b4c5a5d8d30284e029670ca1

SHA1
3750537e50d127d45e33cda44b726d002a93975b

SHA256
eb355d1019c118e38d8f319249c4e118a24d2e19d720587f49b1ee8d864d2d26

SHA512
fafb39e4426f97f3ac5817a76f10cfad8487d93618f737c4b359f1511d376076bc8d834e3df61c9c113243cfe60e1687d87559847a306e19e4406e1f5921eec0

Download Submit
memory/396-132-0x0000000002270000-0x0000000002276000-memory.dmp

Filesize
24KB

Download
memory/4148-136-0x0000000000000000-mapping.dmp

Download
memory/4148-148-0x0000000002160000-0x0000000002166000-memory.dmp

Filesize
24KB

Download
memory/4772-133-0x0000000000000000-mapping.dmp

Download
memory/4804-171-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4804-202-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4804-144-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4804-145-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4804-146-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4804-147-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4804-149-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4804-150-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4804-151-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4804-152-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4804-175-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4804-154-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4804-155-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4804-156-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4804-157-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4804-158-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4804-159-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4804-160-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4804-161-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4804-162-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4804-163-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4804-164-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4804-165-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4804-166-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4804-167-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4804-168-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4804-169-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4804-170-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4804-140-0x0000000000000000-mapping.dmp

Download
memory/4804-172-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4804-204-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4804-142-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4804-153-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4804-176-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4804-177-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4804-178-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4804-179-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4804-180-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4804-181-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4804-182-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4804-183-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4804-184-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4804-185-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4804-186-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4804-187-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4804-188-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4804-189-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4804-190-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4804-191-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4804-192-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4804-193-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4804-194-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4804-195-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4804-196-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4804-197-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4804-198-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4804-199-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4804-200-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4804-201-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4804-174-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4804-203-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4804-173-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4804-205-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4804-206-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download