netwire | 86c71d494cab5c45481d958dc3c2a5c98739ca6b26d76fad33eeda5821b54b3d

General

Target

86c71d494cab5c45481d958dc3c2a5c98739ca6b26d76fad33eeda5821b54b3d.exe
Size

3.2MB
MD5

b8a9c7e281ca8201f517148ddd307437
SHA1

d4d48ecfa192607d86812a66d3190185cde3693f
SHA256

86c71d494cab5c45481d958dc3c2a5c98739ca6b26d76fad33eeda5821b54b3d
SHA512

1a33b353bd8437b025aee9d73f6ac05bfe8fb96105908c317396de827013ee52b7e9796f8ad745b11d512062196f948aa0bc584742da68645c69839fb93fcefe

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Signatures

NetWire RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4880-131-0x00000000024A0000-0x00000000024BB000-memory.dmp	netwire
behavioral2/memory/4880-132-0x00000000024C0000-0x00000000024E5000-memory.dmp	netwire
behavioral2/memory/3596-138-0x0000000000BE0000-0x0000000000C05000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 1 IoCs

Processes:

PSE.exe

pid process

3596 PSE.exe

pid	process
3596	PSE.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

86c71d494cab5c45481d958dc3c2a5c98739ca6b26d76fad33eeda5821b54b3d.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	86c71d494cab5c45481d958dc3c2a5c98739ca6b26d76fad33eeda5821b54b3d.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

PSE.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	PSE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Shark32 = "C:\\Users\\Admin\\AppData\\Roaming\\Photoshops\\PSE.exe"	PSE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

86c71d494cab5c45481d958dc3c2a5c98739ca6b26d76fad33eeda5821b54b3d.exe

description	pid	process	target process
PID 4880 wrote to memory of 3596	4880	86c71d494cab5c45481d958dc3c2a5c98739ca6b26d76fad33eeda5821b54b3d.exe	PSE.exe
PID 4880 wrote to memory of 3596	4880	86c71d494cab5c45481d958dc3c2a5c98739ca6b26d76fad33eeda5821b54b3d.exe	PSE.exe
PID 4880 wrote to memory of 3596	4880	86c71d494cab5c45481d958dc3c2a5c98739ca6b26d76fad33eeda5821b54b3d.exe	PSE.exe

C:\Users\Admin\AppData\Local\Temp\86c71d494cab5c45481d958dc3c2a5c98739ca6b26d76fad33eeda5821b54b3d.exe
"C:\Users\Admin\AppData\Local\Temp\86c71d494cab5c45481d958dc3c2a5c98739ca6b26d76fad33eeda5821b54b3d.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4880

C:\Users\Admin\AppData\Roaming\Photoshops\PSE.exe
"C:\Users\Admin\AppData\Roaming\Photoshops\PSE.exe" -m "C:\Users\Admin\AppData\Local\Temp\86c71d494cab5c45481d958dc3c2a5c98739ca6b26d76fad33eeda5821b54b3d.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3596

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Photoshops\PSE.exe

Filesize
3.2MB

MD5
b8a9c7e281ca8201f517148ddd307437

SHA1
d4d48ecfa192607d86812a66d3190185cde3693f

SHA256
86c71d494cab5c45481d958dc3c2a5c98739ca6b26d76fad33eeda5821b54b3d

SHA512
1a33b353bd8437b025aee9d73f6ac05bfe8fb96105908c317396de827013ee52b7e9796f8ad745b11d512062196f948aa0bc584742da68645c69839fb93fcefe

Download Submit
C:\Users\Admin\AppData\Roaming\Photoshops\PSE.exe

Filesize
3.2MB

MD5
b8a9c7e281ca8201f517148ddd307437

SHA1
d4d48ecfa192607d86812a66d3190185cde3693f

SHA256
86c71d494cab5c45481d958dc3c2a5c98739ca6b26d76fad33eeda5821b54b3d

SHA512
1a33b353bd8437b025aee9d73f6ac05bfe8fb96105908c317396de827013ee52b7e9796f8ad745b11d512062196f948aa0bc584742da68645c69839fb93fcefe

Download Submit
memory/3596-133-0x0000000000000000-mapping.dmp

Download
memory/3596-136-0x0000000000400000-0x000000000073F000-memory.dmp

Filesize
3.2MB

Download
memory/3596-138-0x0000000000BE0000-0x0000000000C05000-memory.dmp

Filesize
148KB

Download
memory/3596-139-0x0000000000400000-0x000000000073F000-memory.dmp

Filesize
3.2MB

Download
memory/4880-130-0x0000000000400000-0x000000000073F000-memory.dmp

Filesize
3.2MB

Download
memory/4880-131-0x00000000024A0000-0x00000000024BB000-memory.dmp

Filesize
108KB

Download
memory/4880-132-0x00000000024C0000-0x00000000024E5000-memory.dmp

Filesize
148KB

Download
memory/4880-137-0x0000000000400000-0x000000000073F000-memory.dmp

Filesize
3.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads