netwire | 76dda78693e017f2115b698b091a35c98a7c886144da10ec67468ffa9b0fa1f8

General

Target

76dda78693e017f2115b698b091a35c98a7c886144da10ec67468ffa9b0fa1f8.exe
Size

622KB
MD5

a0abf6f3d37b89d95d28f8b8dab955e6
SHA1

e70d71f9fd000fde5cbf030d75c4c8eae96cadbf
SHA256

76dda78693e017f2115b698b091a35c98a7c886144da10ec67468ffa9b0fa1f8
SHA512

bc781c56db8ad51904b2f2129c1070668611dc8de315c82298616021cb2d860d73d842b06b6f9a3e1d4633ff195acc24d05591bc24cfa5db9893226a5bb70c50

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

C2

top.eaglee1.xyz:4376

Attributes

activex_autorun
true
activex_key
{S1A7F3VV-OW16-1770-3W1J-83E0NN856S32}
copy_executable
true
delete_original
true
host_id
USA
install_path
%AppData%\Install\Mswords.exe
keylogger_dir
%AppData%\Logs\
lock_executable
true
mutex
WRsslUuw
offline_keylogger
true
password
<(/82?TM{V
registry_autorun
true
startup_name
Mswords
use_mutex
true

Signatures

NetWire RAT payload 8 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/952-59-0x0000000000402BCB-mapping.dmp	netwire
behavioral1/memory/952-58-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/952-62-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/952-67-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1088-73-0x0000000000402BCB-mapping.dmp	netwire
behavioral1/memory/1088-77-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1088-78-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1088-79-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

Mswords.exeMswords.exe

pid process

1540 Mswords.exe
1088 Mswords.exe

pid	process
1540	Mswords.exe
1088	Mswords.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Mswords.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{S1A7F3VV-OW16-1770-3W1J-83E0NN856S32}\StubPath = "\"C:\\Users\\Admin\\AppData\\Roaming\\Install\\Mswords.exe\""	Mswords.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{S1A7F3VV-OW16-1770-3W1J-83E0NN856S32}	Mswords.exe

Deletes itself 1 IoCs

Processes:

Mswords.exe

pid process

1088 Mswords.exe

pid	process
1088	Mswords.exe

Loads dropped DLL 2 IoCs

Processes:

76dda78693e017f2115b698b091a35c98a7c886144da10ec67468ffa9b0fa1f8.exe

pid	process
952	76dda78693e017f2115b698b091a35c98a7c886144da10ec67468ffa9b0fa1f8.exe
952	76dda78693e017f2115b698b091a35c98a7c886144da10ec67468ffa9b0fa1f8.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Mswords.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	Mswords.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mswords = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\Mswords.exe"	Mswords.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

76dda78693e017f2115b698b091a35c98a7c886144da10ec67468ffa9b0fa1f8.exeMswords.exe

description	pid	process	target process
PID 684 set thread context of 952	684	76dda78693e017f2115b698b091a35c98a7c886144da10ec67468ffa9b0fa1f8.exe	76dda78693e017f2115b698b091a35c98a7c886144da10ec67468ffa9b0fa1f8.exe
PID 1540 set thread context of 1088	1540	Mswords.exe	Mswords.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

76dda78693e017f2115b698b091a35c98a7c886144da10ec67468ffa9b0fa1f8.exeMswords.exe

pid process

684 76dda78693e017f2115b698b091a35c98a7c886144da10ec67468ffa9b0fa1f8.exe
1540 Mswords.exe

pid	process
684	76dda78693e017f2115b698b091a35c98a7c886144da10ec67468ffa9b0fa1f8.exe
1540	Mswords.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

76dda78693e017f2115b698b091a35c98a7c886144da10ec67468ffa9b0fa1f8.exe76dda78693e017f2115b698b091a35c98a7c886144da10ec67468ffa9b0fa1f8.exeMswords.exe

description	pid	process	target process
PID 684 wrote to memory of 952	684	76dda78693e017f2115b698b091a35c98a7c886144da10ec67468ffa9b0fa1f8.exe	76dda78693e017f2115b698b091a35c98a7c886144da10ec67468ffa9b0fa1f8.exe
PID 684 wrote to memory of 952	684	76dda78693e017f2115b698b091a35c98a7c886144da10ec67468ffa9b0fa1f8.exe	76dda78693e017f2115b698b091a35c98a7c886144da10ec67468ffa9b0fa1f8.exe
PID 684 wrote to memory of 952	684	76dda78693e017f2115b698b091a35c98a7c886144da10ec67468ffa9b0fa1f8.exe	76dda78693e017f2115b698b091a35c98a7c886144da10ec67468ffa9b0fa1f8.exe
PID 684 wrote to memory of 952	684	76dda78693e017f2115b698b091a35c98a7c886144da10ec67468ffa9b0fa1f8.exe	76dda78693e017f2115b698b091a35c98a7c886144da10ec67468ffa9b0fa1f8.exe
PID 684 wrote to memory of 952	684	76dda78693e017f2115b698b091a35c98a7c886144da10ec67468ffa9b0fa1f8.exe	76dda78693e017f2115b698b091a35c98a7c886144da10ec67468ffa9b0fa1f8.exe
PID 684 wrote to memory of 952	684	76dda78693e017f2115b698b091a35c98a7c886144da10ec67468ffa9b0fa1f8.exe	76dda78693e017f2115b698b091a35c98a7c886144da10ec67468ffa9b0fa1f8.exe
PID 684 wrote to memory of 952	684	76dda78693e017f2115b698b091a35c98a7c886144da10ec67468ffa9b0fa1f8.exe	76dda78693e017f2115b698b091a35c98a7c886144da10ec67468ffa9b0fa1f8.exe
PID 684 wrote to memory of 952	684	76dda78693e017f2115b698b091a35c98a7c886144da10ec67468ffa9b0fa1f8.exe	76dda78693e017f2115b698b091a35c98a7c886144da10ec67468ffa9b0fa1f8.exe
PID 684 wrote to memory of 952	684	76dda78693e017f2115b698b091a35c98a7c886144da10ec67468ffa9b0fa1f8.exe	76dda78693e017f2115b698b091a35c98a7c886144da10ec67468ffa9b0fa1f8.exe
PID 684 wrote to memory of 952	684	76dda78693e017f2115b698b091a35c98a7c886144da10ec67468ffa9b0fa1f8.exe	76dda78693e017f2115b698b091a35c98a7c886144da10ec67468ffa9b0fa1f8.exe
PID 684 wrote to memory of 952	684	76dda78693e017f2115b698b091a35c98a7c886144da10ec67468ffa9b0fa1f8.exe	76dda78693e017f2115b698b091a35c98a7c886144da10ec67468ffa9b0fa1f8.exe
PID 684 wrote to memory of 952	684	76dda78693e017f2115b698b091a35c98a7c886144da10ec67468ffa9b0fa1f8.exe	76dda78693e017f2115b698b091a35c98a7c886144da10ec67468ffa9b0fa1f8.exe
PID 684 wrote to memory of 952	684	76dda78693e017f2115b698b091a35c98a7c886144da10ec67468ffa9b0fa1f8.exe	76dda78693e017f2115b698b091a35c98a7c886144da10ec67468ffa9b0fa1f8.exe
PID 952 wrote to memory of 1540	952	76dda78693e017f2115b698b091a35c98a7c886144da10ec67468ffa9b0fa1f8.exe	Mswords.exe
PID 952 wrote to memory of 1540	952	76dda78693e017f2115b698b091a35c98a7c886144da10ec67468ffa9b0fa1f8.exe	Mswords.exe
PID 952 wrote to memory of 1540	952	76dda78693e017f2115b698b091a35c98a7c886144da10ec67468ffa9b0fa1f8.exe	Mswords.exe
PID 952 wrote to memory of 1540	952	76dda78693e017f2115b698b091a35c98a7c886144da10ec67468ffa9b0fa1f8.exe	Mswords.exe
PID 1540 wrote to memory of 1088	1540	Mswords.exe	Mswords.exe
PID 1540 wrote to memory of 1088	1540	Mswords.exe	Mswords.exe
PID 1540 wrote to memory of 1088	1540	Mswords.exe	Mswords.exe
PID 1540 wrote to memory of 1088	1540	Mswords.exe	Mswords.exe
PID 1540 wrote to memory of 1088	1540	Mswords.exe	Mswords.exe
PID 1540 wrote to memory of 1088	1540	Mswords.exe	Mswords.exe
PID 1540 wrote to memory of 1088	1540	Mswords.exe	Mswords.exe
PID 1540 wrote to memory of 1088	1540	Mswords.exe	Mswords.exe
PID 1540 wrote to memory of 1088	1540	Mswords.exe	Mswords.exe
PID 1540 wrote to memory of 1088	1540	Mswords.exe	Mswords.exe
PID 1540 wrote to memory of 1088	1540	Mswords.exe	Mswords.exe
PID 1540 wrote to memory of 1088	1540	Mswords.exe	Mswords.exe
PID 1540 wrote to memory of 1088	1540	Mswords.exe	Mswords.exe

C:\Users\Admin\AppData\Local\Temp\76dda78693e017f2115b698b091a35c98a7c886144da10ec67468ffa9b0fa1f8.exe
"C:\Users\Admin\AppData\Local\Temp\76dda78693e017f2115b698b091a35c98a7c886144da10ec67468ffa9b0fa1f8.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:684

C:\Users\Admin\AppData\Local\Temp\76dda78693e017f2115b698b091a35c98a7c886144da10ec67468ffa9b0fa1f8.exe
"C:\Users\Admin\AppData\Local\Temp\76dda78693e017f2115b698b091a35c98a7c886144da10ec67468ffa9b0fa1f8.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:952

C:\Users\Admin\AppData\Roaming\Install\Mswords.exe
-m "C:\Users\Admin\AppData\Local\Temp\76dda78693e017f2115b698b091a35c98a7c886144da10ec67468ffa9b0fa1f8.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1540

C:\Users\Admin\AppData\Roaming\Install\Mswords.exe
-m "C:\Users\Admin\AppData\Local\Temp\76dda78693e017f2115b698b091a35c98a7c886144da10ec67468ffa9b0fa1f8.exe"
4⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Deletes itself
- Adds Run key to start application
PID:1088

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Install\Mswords.exe

Filesize
622KB

MD5
a0abf6f3d37b89d95d28f8b8dab955e6

SHA1
e70d71f9fd000fde5cbf030d75c4c8eae96cadbf

SHA256
76dda78693e017f2115b698b091a35c98a7c886144da10ec67468ffa9b0fa1f8

SHA512
bc781c56db8ad51904b2f2129c1070668611dc8de315c82298616021cb2d860d73d842b06b6f9a3e1d4633ff195acc24d05591bc24cfa5db9893226a5bb70c50

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Mswords.exe

Filesize
622KB

MD5
a0abf6f3d37b89d95d28f8b8dab955e6

SHA1
e70d71f9fd000fde5cbf030d75c4c8eae96cadbf

SHA256
76dda78693e017f2115b698b091a35c98a7c886144da10ec67468ffa9b0fa1f8

SHA512
bc781c56db8ad51904b2f2129c1070668611dc8de315c82298616021cb2d860d73d842b06b6f9a3e1d4633ff195acc24d05591bc24cfa5db9893226a5bb70c50

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Mswords.exe

Filesize
622KB

MD5
a0abf6f3d37b89d95d28f8b8dab955e6

SHA1
e70d71f9fd000fde5cbf030d75c4c8eae96cadbf

SHA256
76dda78693e017f2115b698b091a35c98a7c886144da10ec67468ffa9b0fa1f8

SHA512
bc781c56db8ad51904b2f2129c1070668611dc8de315c82298616021cb2d860d73d842b06b6f9a3e1d4633ff195acc24d05591bc24cfa5db9893226a5bb70c50

Download Submit
\Users\Admin\AppData\Roaming\Install\Mswords.exe

Filesize
622KB

MD5
a0abf6f3d37b89d95d28f8b8dab955e6

SHA1
e70d71f9fd000fde5cbf030d75c4c8eae96cadbf

SHA256
76dda78693e017f2115b698b091a35c98a7c886144da10ec67468ffa9b0fa1f8

SHA512
bc781c56db8ad51904b2f2129c1070668611dc8de315c82298616021cb2d860d73d842b06b6f9a3e1d4633ff195acc24d05591bc24cfa5db9893226a5bb70c50

Download Submit
\Users\Admin\AppData\Roaming\Install\Mswords.exe

Filesize
622KB

MD5
a0abf6f3d37b89d95d28f8b8dab955e6

SHA1
e70d71f9fd000fde5cbf030d75c4c8eae96cadbf

SHA256
76dda78693e017f2115b698b091a35c98a7c886144da10ec67468ffa9b0fa1f8

SHA512
bc781c56db8ad51904b2f2129c1070668611dc8de315c82298616021cb2d860d73d842b06b6f9a3e1d4633ff195acc24d05591bc24cfa5db9893226a5bb70c50

Download Submit
memory/684-57-0x00000000753B1000-0x00000000753B3000-memory.dmp

Filesize
8KB

Download
memory/684-56-0x00000000001D0000-0x00000000001D6000-memory.dmp

Filesize
24KB

Download
memory/952-62-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/952-67-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/952-58-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/952-59-0x0000000000402BCB-mapping.dmp

Download
memory/1088-73-0x0000000000402BCB-mapping.dmp

Download
memory/1088-77-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1088-78-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1088-79-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1540-65-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads