netwire | 70441312a820a461c723a69b991befae918d74843c348aabd7a25899e0c31568

Analysis

max time kernel
109s
max time network
125s
platform
windows7_x64
resource
win7-20220414-en
submitted
01-07-2022 03:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

70441312a820a461c723a69b991befae918d74843c348aabd7a25899e0c31568.exe
Size

156KB
MD5

3086fd608ff06991a94b3f7ed891f4ef
SHA1

69112497cd3a29c87a5d5a657aa51f63ef34ce2c
SHA256

70441312a820a461c723a69b991befae918d74843c348aabd7a25899e0c31568
SHA512

b810802141018bf4c970e6b747097f103ba6b7a7f4eaaa305d7d6c5f56e556fa18e8e3edbccfeb140f5250971dd7942b31a18c6ce06d7ead906d4fa2a4179521

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

79.172.242.85:1406

Attributes

activex_autorun
false
copy_executable
true
delete_original
false
host_id
HostId-%Rand%
install_path
%AppData%\Install\Host.exe
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
gqllpDVm
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
true

Signatures

NetWire RAT payload 14 IoCs

rat

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\tmp.exe	netwire
\Users\Admin\AppData\Local\Temp\tmp.exe	netwire
C:\Users\Admin\AppData\Local\Temp\tmp.exe	netwire
C:\Users\Admin\AppData\Local\Temp\tmp.exe	netwire
\Users\Admin\AppData\Roaming\Install\Host.exe	netwire
C:\Users\Admin\AppData\Roaming\Install\Host.exe	netwire
\Users\Admin\AppData\Roaming\Install\Host.exe	netwire
behavioral1/memory/1396-74-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1396-75-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1396-77-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1396-78-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1396-79-0x0000000000402BCB-mapping.dmp	netwire
behavioral1/memory/1396-82-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
C:\Users\Admin\AppData\Roaming\Install\Host.exe	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

tmp.exeHost.exe

pid process

1632 tmp.exe
1472 Host.exe

pid	process
1632	tmp.exe
1472	Host.exe

Drops startup file 2 IoCs

Processes:

cmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\filename.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\filename.exe	cmd.exe

Loads dropped DLL 4 IoCs

Processes:

70441312a820a461c723a69b991befae918d74843c348aabd7a25899e0c31568.exetmp.exe

pid	process
1000	70441312a820a461c723a69b991befae918d74843c348aabd7a25899e0c31568.exe
1000	70441312a820a461c723a69b991befae918d74843c348aabd7a25899e0c31568.exe
1632	tmp.exe
1632	tmp.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

70441312a820a461c723a69b991befae918d74843c348aabd7a25899e0c31568.exe

description	pid	process	target process
PID 1000 set thread context of 1396	1000	70441312a820a461c723a69b991befae918d74843c348aabd7a25899e0c31568.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

70441312a820a461c723a69b991befae918d74843c348aabd7a25899e0c31568.exetmp.exe

description	pid	process	target process
PID 1000 wrote to memory of 896	1000	70441312a820a461c723a69b991befae918d74843c348aabd7a25899e0c31568.exe	cmd.exe
PID 1000 wrote to memory of 896	1000	70441312a820a461c723a69b991befae918d74843c348aabd7a25899e0c31568.exe	cmd.exe
PID 1000 wrote to memory of 896	1000	70441312a820a461c723a69b991befae918d74843c348aabd7a25899e0c31568.exe	cmd.exe
PID 1000 wrote to memory of 896	1000	70441312a820a461c723a69b991befae918d74843c348aabd7a25899e0c31568.exe	cmd.exe
PID 1000 wrote to memory of 1632	1000	70441312a820a461c723a69b991befae918d74843c348aabd7a25899e0c31568.exe	tmp.exe
PID 1000 wrote to memory of 1632	1000	70441312a820a461c723a69b991befae918d74843c348aabd7a25899e0c31568.exe	tmp.exe
PID 1000 wrote to memory of 1632	1000	70441312a820a461c723a69b991befae918d74843c348aabd7a25899e0c31568.exe	tmp.exe
PID 1000 wrote to memory of 1632	1000	70441312a820a461c723a69b991befae918d74843c348aabd7a25899e0c31568.exe	tmp.exe
PID 1000 wrote to memory of 1396	1000	70441312a820a461c723a69b991befae918d74843c348aabd7a25899e0c31568.exe	RegAsm.exe
PID 1000 wrote to memory of 1396	1000	70441312a820a461c723a69b991befae918d74843c348aabd7a25899e0c31568.exe	RegAsm.exe
PID 1000 wrote to memory of 1396	1000	70441312a820a461c723a69b991befae918d74843c348aabd7a25899e0c31568.exe	RegAsm.exe
PID 1000 wrote to memory of 1396	1000	70441312a820a461c723a69b991befae918d74843c348aabd7a25899e0c31568.exe	RegAsm.exe
PID 1000 wrote to memory of 1396	1000	70441312a820a461c723a69b991befae918d74843c348aabd7a25899e0c31568.exe	RegAsm.exe
PID 1000 wrote to memory of 1396	1000	70441312a820a461c723a69b991befae918d74843c348aabd7a25899e0c31568.exe	RegAsm.exe
PID 1000 wrote to memory of 1396	1000	70441312a820a461c723a69b991befae918d74843c348aabd7a25899e0c31568.exe	RegAsm.exe
PID 1632 wrote to memory of 1472	1632	tmp.exe	Host.exe
PID 1632 wrote to memory of 1472	1632	tmp.exe	Host.exe
PID 1632 wrote to memory of 1472	1632	tmp.exe	Host.exe
PID 1632 wrote to memory of 1472	1632	tmp.exe	Host.exe
PID 1000 wrote to memory of 1396	1000	70441312a820a461c723a69b991befae918d74843c348aabd7a25899e0c31568.exe	RegAsm.exe
PID 1000 wrote to memory of 1396	1000	70441312a820a461c723a69b991befae918d74843c348aabd7a25899e0c31568.exe	RegAsm.exe
PID 1000 wrote to memory of 1396	1000	70441312a820a461c723a69b991befae918d74843c348aabd7a25899e0c31568.exe	RegAsm.exe
PID 1000 wrote to memory of 1396	1000	70441312a820a461c723a69b991befae918d74843c348aabd7a25899e0c31568.exe	RegAsm.exe
PID 1000 wrote to memory of 1396	1000	70441312a820a461c723a69b991befae918d74843c348aabd7a25899e0c31568.exe	RegAsm.exe
PID 1000 wrote to memory of 1396	1000	70441312a820a461c723a69b991befae918d74843c348aabd7a25899e0c31568.exe	RegAsm.exe
PID 1000 wrote to memory of 1396	1000	70441312a820a461c723a69b991befae918d74843c348aabd7a25899e0c31568.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\70441312a820a461c723a69b991befae918d74843c348aabd7a25899e0c31568.exe
"C:\Users\Admin\AppData\Local\Temp\70441312a820a461c723a69b991befae918d74843c348aabd7a25899e0c31568.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1000

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\agdfdffhit.bat
2⤵
- Drops startup file
PID:896

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1632

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
3⤵
- Executes dropped EXE
PID:1472

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
2⤵
PID:1396

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\agdfdffhit.bat
Filesize
201B

MD5
3f4ffefff831f9b885a54b3638659236

SHA1
ec860ca0707fd091e75c7ada9f25593ffd33041d

SHA256
9a2feef00e6fbcd4cc7da0ebc2e5c635aafbff45c9d2e799b09e17276144cda8

SHA512
b20312cab57b9dd79b4b8a39cbdd2b74aadbdd7c42a7d4cbb8ceda943ffc4993515594a13be0797a0ceb7f51d6cda92c7324279c8bbee9fbe07f05196929726f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.exe
Filesize
132KB

MD5
f64f409c49101aed109813b4c155c333

SHA1
2794f7fac2c99b4ff14b36753eebc276ef89fa50

SHA256
fced6eb5ab80abf00c0bc80101ec5ba3b81941fe8022be0952ed6be0079db1c9

SHA512
dfd9047d26f34da89ddfef19adb2ef52bd8a58d6199df178fe401298f5d19807bc8e69bf943dfdc8fde20198d06c654507de91362a47a3e45c26855468018572

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.exe
Filesize
132KB

MD5
f64f409c49101aed109813b4c155c333

SHA1
2794f7fac2c99b4ff14b36753eebc276ef89fa50

SHA256
fced6eb5ab80abf00c0bc80101ec5ba3b81941fe8022be0952ed6be0079db1c9

SHA512
dfd9047d26f34da89ddfef19adb2ef52bd8a58d6199df178fe401298f5d19807bc8e69bf943dfdc8fde20198d06c654507de91362a47a3e45c26855468018572

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
132KB

MD5
f64f409c49101aed109813b4c155c333

SHA1
2794f7fac2c99b4ff14b36753eebc276ef89fa50

SHA256
fced6eb5ab80abf00c0bc80101ec5ba3b81941fe8022be0952ed6be0079db1c9

SHA512
dfd9047d26f34da89ddfef19adb2ef52bd8a58d6199df178fe401298f5d19807bc8e69bf943dfdc8fde20198d06c654507de91362a47a3e45c26855468018572

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
132KB

MD5
f64f409c49101aed109813b4c155c333

SHA1
2794f7fac2c99b4ff14b36753eebc276ef89fa50

SHA256
fced6eb5ab80abf00c0bc80101ec5ba3b81941fe8022be0952ed6be0079db1c9

SHA512
dfd9047d26f34da89ddfef19adb2ef52bd8a58d6199df178fe401298f5d19807bc8e69bf943dfdc8fde20198d06c654507de91362a47a3e45c26855468018572

Download Submit
\Users\Admin\AppData\Local\Temp\tmp.exe
Filesize
132KB

MD5
f64f409c49101aed109813b4c155c333

SHA1
2794f7fac2c99b4ff14b36753eebc276ef89fa50

SHA256
fced6eb5ab80abf00c0bc80101ec5ba3b81941fe8022be0952ed6be0079db1c9

SHA512
dfd9047d26f34da89ddfef19adb2ef52bd8a58d6199df178fe401298f5d19807bc8e69bf943dfdc8fde20198d06c654507de91362a47a3e45c26855468018572

Download Submit
\Users\Admin\AppData\Local\Temp\tmp.exe
Filesize
132KB

MD5
f64f409c49101aed109813b4c155c333

SHA1
2794f7fac2c99b4ff14b36753eebc276ef89fa50

SHA256
fced6eb5ab80abf00c0bc80101ec5ba3b81941fe8022be0952ed6be0079db1c9

SHA512
dfd9047d26f34da89ddfef19adb2ef52bd8a58d6199df178fe401298f5d19807bc8e69bf943dfdc8fde20198d06c654507de91362a47a3e45c26855468018572

Download Submit
\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
132KB

MD5
f64f409c49101aed109813b4c155c333

SHA1
2794f7fac2c99b4ff14b36753eebc276ef89fa50

SHA256
fced6eb5ab80abf00c0bc80101ec5ba3b81941fe8022be0952ed6be0079db1c9

SHA512
dfd9047d26f34da89ddfef19adb2ef52bd8a58d6199df178fe401298f5d19807bc8e69bf943dfdc8fde20198d06c654507de91362a47a3e45c26855468018572

Download Submit
\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
132KB

MD5
f64f409c49101aed109813b4c155c333

SHA1
2794f7fac2c99b4ff14b36753eebc276ef89fa50

SHA256
fced6eb5ab80abf00c0bc80101ec5ba3b81941fe8022be0952ed6be0079db1c9

SHA512
dfd9047d26f34da89ddfef19adb2ef52bd8a58d6199df178fe401298f5d19807bc8e69bf943dfdc8fde20198d06c654507de91362a47a3e45c26855468018572

Download Submit
memory/896-56-0x0000000000000000-mapping.dmp

Download
memory/1000-55-0x0000000074D60000-0x000000007530B000-memory.dmp

Filesize
5.7MB

Download
memory/1000-83-0x0000000074D60000-0x000000007530B000-memory.dmp

Filesize
5.7MB

Download
memory/1000-54-0x0000000075F21000-0x0000000075F23000-memory.dmp

Filesize
8KB

Download
memory/1396-72-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1396-65-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1396-70-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1396-74-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1396-75-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1396-77-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1396-78-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1396-79-0x0000000000402BCB-mapping.dmp

Download
memory/1396-82-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1396-86-0x0000000000401000-0x000000000041E000-memory.dmp

Filesize
116KB

Download
memory/1472-67-0x0000000000000000-mapping.dmp

Download
memory/1632-60-0x0000000000000000-mapping.dmp

Download