netwire | 4704de87ef010ac7a8d04e2e650e53527d4b924c4e3900f98edbc16dbd0f75c2

General

Target

4704de87ef010ac7a8d04e2e650e53527d4b924c4e3900f98edbc16dbd0f75c2.exe
Size

619KB
MD5

664ecb6af2af6469eb9b244db34449ff
SHA1

f950ee4efd8919142d1ac3af81e18cba1db9add6
SHA256

4704de87ef010ac7a8d04e2e650e53527d4b924c4e3900f98edbc16dbd0f75c2
SHA512

ed4a8dc0913bb9b3983c76ae87b7670016dd0e54f00f12ca4e77e90aaf7c5704877132a46a912521f1243e0a6f3cf83e541032874e1a449de6a5a331bec784a9

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Signatures

NetWire RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1760-87-0x0000000000400000-0x0000000000425000-memory.dmp	netwire
behavioral1/memory/1760-86-0x0000000000400000-0x000000000047A000-memory.dmp	netwire
behavioral1/memory/1760-93-0x0000000000400000-0x000000000047A000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 3 IoCs

Processes:

PP_OUT~1.EXEasdgdf.exeasdgdf.exe

pid process

1500 PP_OUT~1.EXE
1624 asdgdf.exe
1760 asdgdf.exe
Loads dropped DLL 2 IoCs

Processes:

PP_OUT~1.EXE

pid process

1500 PP_OUT~1.EXE
1500 PP_OUT~1.EXE

pid	process
1500	PP_OUT~1.EXE
1624	asdgdf.exe
1760	asdgdf.exe

pid	process
1500	PP_OUT~1.EXE
1500	PP_OUT~1.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

4704de87ef010ac7a8d04e2e650e53527d4b924c4e3900f98edbc16dbd0f75c2.exeWScript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	4704de87ef010ac7a8d04e2e650e53527d4b924c4e3900f98edbc16dbd0f75c2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4704de87ef010ac7a8d04e2e650e53527d4b924c4e3900f98edbc16dbd0f75c2.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\asdgdf = "C:\\Users\\Admin\\asdgdf\\asdgdf.vbs -D"	WScript.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

asdgdf.exe

description pid process target process

PID 1624 set thread context of 1760 1624 asdgdf.exe asdgdf.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

PP_OUT~1.EXEasdgdf.exe

pid process

1500 PP_OUT~1.EXE
1624 asdgdf.exe

description	pid	process	target process
PID 1624 set thread context of 1760	1624	asdgdf.exe	asdgdf.exe

pid	process
1500	PP_OUT~1.EXE
1624	asdgdf.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

4704de87ef010ac7a8d04e2e650e53527d4b924c4e3900f98edbc16dbd0f75c2.exePP_OUT~1.EXEasdgdf.exe

description	pid	process	target process
PID 1892 wrote to memory of 1500	1892	4704de87ef010ac7a8d04e2e650e53527d4b924c4e3900f98edbc16dbd0f75c2.exe	PP_OUT~1.EXE
PID 1892 wrote to memory of 1500	1892	4704de87ef010ac7a8d04e2e650e53527d4b924c4e3900f98edbc16dbd0f75c2.exe	PP_OUT~1.EXE
PID 1892 wrote to memory of 1500	1892	4704de87ef010ac7a8d04e2e650e53527d4b924c4e3900f98edbc16dbd0f75c2.exe	PP_OUT~1.EXE
PID 1892 wrote to memory of 1500	1892	4704de87ef010ac7a8d04e2e650e53527d4b924c4e3900f98edbc16dbd0f75c2.exe	PP_OUT~1.EXE
PID 1500 wrote to memory of 1216	1500	PP_OUT~1.EXE	WScript.exe
PID 1500 wrote to memory of 1216	1500	PP_OUT~1.EXE	WScript.exe
PID 1500 wrote to memory of 1216	1500	PP_OUT~1.EXE	WScript.exe
PID 1500 wrote to memory of 1216	1500	PP_OUT~1.EXE	WScript.exe
PID 1500 wrote to memory of 1624	1500	PP_OUT~1.EXE	asdgdf.exe
PID 1500 wrote to memory of 1624	1500	PP_OUT~1.EXE	asdgdf.exe
PID 1500 wrote to memory of 1624	1500	PP_OUT~1.EXE	asdgdf.exe
PID 1500 wrote to memory of 1624	1500	PP_OUT~1.EXE	asdgdf.exe
PID 1624 wrote to memory of 1760	1624	asdgdf.exe	asdgdf.exe
PID 1624 wrote to memory of 1760	1624	asdgdf.exe	asdgdf.exe
PID 1624 wrote to memory of 1760	1624	asdgdf.exe	asdgdf.exe
PID 1624 wrote to memory of 1760	1624	asdgdf.exe	asdgdf.exe

C:\Users\Admin\AppData\Local\Temp\4704de87ef010ac7a8d04e2e650e53527d4b924c4e3900f98edbc16dbd0f75c2.exe
"C:\Users\Admin\AppData\Local\Temp\4704de87ef010ac7a8d04e2e650e53527d4b924c4e3900f98edbc16dbd0f75c2.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1892

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PP_OUT~1.EXE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PP_OUT~1.EXE
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1500

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\asdgdf\asdgdf.vbs"
3⤵
- Adds Run key to start application
PID:1216

C:\Users\Admin\asdgdf\asdgdf.exe
"C:\Users\Admin\asdgdf\asdgdf.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1624

C:\Users\Admin\asdgdf\asdgdf.exe
"C:\Users\Admin\asdgdf\asdgdf.exe"
4⤵
- Executes dropped EXE
PID:1760

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PP_OUT~1.EXE

Filesize
203.5MB

MD5
a7e89f6bb73a1e94778627bf054567a9

SHA1
24c3be54e988b926dc9ad67ba69477ee539ab419

SHA256
871dac7cfdbd3e80563092f202a3db98da8b2256576ffc66734f8cd2702a16d9

SHA512
0a45c0b7d217adea318a7074e919ee22556ed60ac5415dc5475663fe32e329d68035f4df726c517499d73cd657cdb58ef79ee2c26c15fda10aef9e7a8c10ce7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PP_OUT~1.EXE

Filesize
203.5MB

MD5
a7e89f6bb73a1e94778627bf054567a9

SHA1
24c3be54e988b926dc9ad67ba69477ee539ab419

SHA256
871dac7cfdbd3e80563092f202a3db98da8b2256576ffc66734f8cd2702a16d9

SHA512
0a45c0b7d217adea318a7074e919ee22556ed60ac5415dc5475663fe32e329d68035f4df726c517499d73cd657cdb58ef79ee2c26c15fda10aef9e7a8c10ce7d

Download Submit
C:\Users\Admin\asdgdf\asdgdf.exe

Filesize
203.5MB

MD5
a7e89f6bb73a1e94778627bf054567a9

SHA1
24c3be54e988b926dc9ad67ba69477ee539ab419

SHA256
871dac7cfdbd3e80563092f202a3db98da8b2256576ffc66734f8cd2702a16d9

SHA512
0a45c0b7d217adea318a7074e919ee22556ed60ac5415dc5475663fe32e329d68035f4df726c517499d73cd657cdb58ef79ee2c26c15fda10aef9e7a8c10ce7d

Download Submit
C:\Users\Admin\asdgdf\asdgdf.exe

Filesize
203.5MB

MD5
a7e89f6bb73a1e94778627bf054567a9

SHA1
24c3be54e988b926dc9ad67ba69477ee539ab419

SHA256
871dac7cfdbd3e80563092f202a3db98da8b2256576ffc66734f8cd2702a16d9

SHA512
0a45c0b7d217adea318a7074e919ee22556ed60ac5415dc5475663fe32e329d68035f4df726c517499d73cd657cdb58ef79ee2c26c15fda10aef9e7a8c10ce7d

Download Submit
C:\Users\Admin\asdgdf\asdgdf.exe

Filesize
203.5MB

MD5
a7e89f6bb73a1e94778627bf054567a9

SHA1
24c3be54e988b926dc9ad67ba69477ee539ab419

SHA256
871dac7cfdbd3e80563092f202a3db98da8b2256576ffc66734f8cd2702a16d9

SHA512
0a45c0b7d217adea318a7074e919ee22556ed60ac5415dc5475663fe32e329d68035f4df726c517499d73cd657cdb58ef79ee2c26c15fda10aef9e7a8c10ce7d

Download Submit
C:\Users\Admin\asdgdf\asdgdf.vbs

Filesize
1024B

MD5
47fcaab96ee870143027072cee1d63df

SHA1
2cca1e686e902dbd1ee8c7750bcdc7c730d73cc9

SHA256
c114a88f11bdb645f5742e620f86c2dfca048ccff10a0ad892d0935f1bd1cc8b

SHA512
1e4b67e755d285fdf0eb7f37c97d1b15923c3f7e5f253dc23c7eb97136aadad42abcf8d201119b02971388b3f7881037fb7b41bee0eca68fd706b66842d923da

Download Submit
\Users\Admin\asdgdf\asdgdf.exe

Filesize
203.5MB

MD5
a7e89f6bb73a1e94778627bf054567a9

SHA1
24c3be54e988b926dc9ad67ba69477ee539ab419

SHA256
871dac7cfdbd3e80563092f202a3db98da8b2256576ffc66734f8cd2702a16d9

SHA512
0a45c0b7d217adea318a7074e919ee22556ed60ac5415dc5475663fe32e329d68035f4df726c517499d73cd657cdb58ef79ee2c26c15fda10aef9e7a8c10ce7d

Download Submit
\Users\Admin\asdgdf\asdgdf.exe

Filesize
203.5MB

MD5
a7e89f6bb73a1e94778627bf054567a9

SHA1
24c3be54e988b926dc9ad67ba69477ee539ab419

SHA256
871dac7cfdbd3e80563092f202a3db98da8b2256576ffc66734f8cd2702a16d9

SHA512
0a45c0b7d217adea318a7074e919ee22556ed60ac5415dc5475663fe32e329d68035f4df726c517499d73cd657cdb58ef79ee2c26c15fda10aef9e7a8c10ce7d

Download Submit
memory/1216-64-0x0000000000000000-mapping.dmp

Download
memory/1500-63-0x0000000077890000-0x0000000077A10000-memory.dmp

Filesize
1.5MB

Download
memory/1500-59-0x0000000000240000-0x0000000000248000-memory.dmp

Filesize
32KB

Download
memory/1500-55-0x0000000000000000-mapping.dmp

Download
memory/1500-62-0x00000000776B0000-0x0000000077859000-memory.dmp

Filesize
1.7MB

Download
memory/1500-69-0x0000000000240000-0x0000000000248000-memory.dmp

Filesize
32KB

Download
memory/1500-60-0x00000000756A1000-0x00000000756A3000-memory.dmp

Filesize
8KB

Download
memory/1500-73-0x0000000077890000-0x0000000077A10000-memory.dmp

Filesize
1.5MB

Download
memory/1624-81-0x0000000077890000-0x0000000077A10000-memory.dmp

Filesize
1.5MB

Download
memory/1624-80-0x0000000000280000-0x0000000000288000-memory.dmp

Filesize
32KB

Download
memory/1624-68-0x0000000000000000-mapping.dmp

Download
memory/1624-79-0x00000000776B0000-0x0000000077859000-memory.dmp

Filesize
1.7MB

Download
memory/1624-82-0x0000000077890000-0x0000000077A10000-memory.dmp

Filesize
1.5MB

Download
memory/1760-86-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1760-84-0x00000000776B0000-0x0000000077859000-memory.dmp

Filesize
1.7MB

Download
memory/1760-85-0x0000000077890000-0x0000000077A10000-memory.dmp

Filesize
1.5MB

Download
memory/1760-87-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1760-77-0x000000000046EDFB-mapping.dmp

Download
memory/1760-93-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1760-94-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/1760-95-0x0000000077890000-0x0000000077A10000-memory.dmp

Filesize
1.5MB

Download
memory/1892-54-0x000007FEFBF31000-0x000007FEFBF33000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads