netwire | 620e3ddb7798b06de3a93b5df78a5838345f7a4e7ca0b9c9d21623d2010026b4

General

Target

620e3ddb7798b06de3a93b5df78a5838345f7a4e7ca0b9c9d21623d2010026b4.exe
Size

764KB
MD5

c8ad3f500f51ba6f32971496d3fd605e
SHA1

0677951661b11e2fc5f35e9f5e1ed8d964b8ab79
SHA256

620e3ddb7798b06de3a93b5df78a5838345f7a4e7ca0b9c9d21623d2010026b4
SHA512

c9a6bb7ca9162d7bdb61ffe332fc09388eb1f24d4bd203363aa35b308e0416d4328a228ef9a578ad2176385dc37668df0ed039104917dd0e7f9a9329626fe350

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Signatures

NetWire RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/772-90-0x0000000000400000-0x0000000000489000-memory.dmp	netwire
behavioral1/memory/772-91-0x0000000000400000-0x0000000000425000-memory.dmp	netwire
behavioral1/memory/772-97-0x0000000000400000-0x0000000000489000-memory.dmp	netwire
behavioral1/memory/772-98-0x0000000000400000-0x0000000000489000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 3 IoCs

Processes:

PVDFGH~1.EXExcvxcvzzx.exexcvxcvzzx.exe

pid process

1720 PVDFGH~1.EXE
1588 xcvxcvzzx.exe
772 xcvxcvzzx.exe
Loads dropped DLL 2 IoCs

Processes:

PVDFGH~1.EXE

pid process

1720 PVDFGH~1.EXE
1720 PVDFGH~1.EXE

pid	process
1720	PVDFGH~1.EXE
1588	xcvxcvzzx.exe
772	xcvxcvzzx.exe

pid	process
1720	PVDFGH~1.EXE
1720	PVDFGH~1.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WScript.exe620e3ddb7798b06de3a93b5df78a5838345f7a4e7ca0b9c9d21623d2010026b4.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\xgfdsyhbv = "C:\\Users\\Admin\\ bxgfbxcx\\xcvxcvzzx.vbs -BN"	WScript.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	620e3ddb7798b06de3a93b5df78a5838345f7a4e7ca0b9c9d21623d2010026b4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	620e3ddb7798b06de3a93b5df78a5838345f7a4e7ca0b9c9d21623d2010026b4.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

PVDFGH~1.EXExcvxcvzzx.exexcvxcvzzx.exe

pid process

1720 PVDFGH~1.EXE
1588 xcvxcvzzx.exe
772 xcvxcvzzx.exe
772 xcvxcvzzx.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

xcvxcvzzx.exe

description pid process target process

PID 1588 set thread context of 772 1588 xcvxcvzzx.exe xcvxcvzzx.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

PVDFGH~1.EXExcvxcvzzx.exe

pid process

1720 PVDFGH~1.EXE
1588 xcvxcvzzx.exe

pid	process
1720	PVDFGH~1.EXE
1588	xcvxcvzzx.exe
772	xcvxcvzzx.exe
772	xcvxcvzzx.exe

description	pid	process	target process
PID 1588 set thread context of 772	1588	xcvxcvzzx.exe	xcvxcvzzx.exe

pid	process
1720	PVDFGH~1.EXE
1588	xcvxcvzzx.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

620e3ddb7798b06de3a93b5df78a5838345f7a4e7ca0b9c9d21623d2010026b4.exePVDFGH~1.EXExcvxcvzzx.exe

description	pid	process	target process
PID 1348 wrote to memory of 1720	1348	620e3ddb7798b06de3a93b5df78a5838345f7a4e7ca0b9c9d21623d2010026b4.exe	PVDFGH~1.EXE
PID 1348 wrote to memory of 1720	1348	620e3ddb7798b06de3a93b5df78a5838345f7a4e7ca0b9c9d21623d2010026b4.exe	PVDFGH~1.EXE
PID 1348 wrote to memory of 1720	1348	620e3ddb7798b06de3a93b5df78a5838345f7a4e7ca0b9c9d21623d2010026b4.exe	PVDFGH~1.EXE
PID 1348 wrote to memory of 1720	1348	620e3ddb7798b06de3a93b5df78a5838345f7a4e7ca0b9c9d21623d2010026b4.exe	PVDFGH~1.EXE
PID 1720 wrote to memory of 1632	1720	PVDFGH~1.EXE	WScript.exe
PID 1720 wrote to memory of 1632	1720	PVDFGH~1.EXE	WScript.exe
PID 1720 wrote to memory of 1632	1720	PVDFGH~1.EXE	WScript.exe
PID 1720 wrote to memory of 1632	1720	PVDFGH~1.EXE	WScript.exe
PID 1720 wrote to memory of 1588	1720	PVDFGH~1.EXE	xcvxcvzzx.exe
PID 1720 wrote to memory of 1588	1720	PVDFGH~1.EXE	xcvxcvzzx.exe
PID 1720 wrote to memory of 1588	1720	PVDFGH~1.EXE	xcvxcvzzx.exe
PID 1720 wrote to memory of 1588	1720	PVDFGH~1.EXE	xcvxcvzzx.exe
PID 1588 wrote to memory of 772	1588	xcvxcvzzx.exe	xcvxcvzzx.exe
PID 1588 wrote to memory of 772	1588	xcvxcvzzx.exe	xcvxcvzzx.exe
PID 1588 wrote to memory of 772	1588	xcvxcvzzx.exe	xcvxcvzzx.exe
PID 1588 wrote to memory of 772	1588	xcvxcvzzx.exe	xcvxcvzzx.exe

C:\Users\Admin\AppData\Local\Temp\620e3ddb7798b06de3a93b5df78a5838345f7a4e7ca0b9c9d21623d2010026b4.exe
"C:\Users\Admin\AppData\Local\Temp\620e3ddb7798b06de3a93b5df78a5838345f7a4e7ca0b9c9d21623d2010026b4.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1348

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PVDFGH~1.EXE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PVDFGH~1.EXE
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1720

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\ bxgfbxcx\xcvxcvzzx.vbs"
3⤵
- Adds Run key to start application
PID:1632

C:\Users\Admin\ bxgfbxcx\xcvxcvzzx.exe
"C:\Users\Admin\ bxgfbxcx\xcvxcvzzx.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1588

C:\Users\Admin\ bxgfbxcx\xcvxcvzzx.exe
"C:\Users\Admin\ bxgfbxcx\xcvxcvzzx.exe"
4⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:772

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\ bxgfbxcx\xcvxcvzzx.exe

Filesize
174.4MB

MD5
c975427284fb4ef9797fe26d0edd6b13

SHA1
c69e20a7bb5f713e077a5db39abac5d524ca54c1

SHA256
3e6f90e273f3ac57be64a25026af51b6feaafbb6c6b116536dc309231ea391f9

SHA512
e3c2f3f102ef113667abc8997fe49b594a35f965d632fe19806e8234e0afe9d88efbfadfe47a81c6c744008dc28f48a2ece4589942fc33d967be0142eccef627

Download Submit
C:\Users\Admin\ bxgfbxcx\xcvxcvzzx.exe

Filesize
173.5MB

MD5
3cbf6c7a91b94a5cf248cfe2d685dbc3

SHA1
3e2ad0e1d8d51ba420c7afa05db59e755707f88e

SHA256
2e9c94904c34a618eb9e86f9541c9f5481cc7447ca28e5aacb2cb7608af51446

SHA512
41556eef1a158244f065970ff06622fdc902fd6aa044d62f7949b0bea51b9fd123b1e31d06beb8a30af3c95e49c9b50e3d9ad70e6a82519d320a5dae40f563c1

Download Submit
C:\Users\Admin\ bxgfbxcx\xcvxcvzzx.exe

Filesize
172.8MB

MD5
a7b75d953c924c27e057fbc83bd3a8d3

SHA1
2c236b4145f948f60a1e2a8d2c09e2d0ca82362c

SHA256
fe2acb80ed0e14a422a580fa847dccc696c9c50406dde1d2c9222498ab449c71

SHA512
dc4bacc5642a4cd94bff22af7db0f91165fce72cc62672e324c6cc9b1de6f66ffd6fc2635627130c537e1f921c7263e84c7557109040da247ce5fac581ed0173

Download Submit
C:\Users\Admin\ bxgfbxcx\xcvxcvzzx.vbs

Filesize
1020B

MD5
7e55ee0e84b1433f9a2ce0ad5c46f39f

SHA1
e8e41756ac7013c8b056739a0cdc8935a3f86495

SHA256
bb69ddb2d1f7de172d4081b14326b13b801017e8e1b8f273e2425db7ba8f316c

SHA512
13d33c377085ac7638ed7061c65a949bdb35b6856258a26ee0653456938e0f1b79f6a34de3b0dc3706cb2fe30e6a12de8edb8c6c81186c4a7f625ea22a26b2d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PVDFGH~1.EXE

Filesize
203.2MB

MD5
e6ff594bdab0f4a284f0144732c37c02

SHA1
c42edabe72090b00a76b8a88123fcf32b2946586

SHA256
1ca0c8d88526c031af6b5240a0957b46f72d58d0bdd2d73dd525feefc6616703

SHA512
ffa3f4b00b58f0dbb7f91a9296f8ae5b7e4e23548417065c514241388c5524670be1e372da81fb04579fce52a97ab4c758278905142d59d5ab584db83ae84d04

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PVDFGH~1.EXE

Filesize
176.6MB

MD5
c9455b322272bfd114ead9097deaff8d

SHA1
97a6e79585b7c49d22acd2d91da88c228077f4df

SHA256
d87c231f0c9b52ece27a1054a44883735636a83182e33ff387e10ed20941d004

SHA512
4941635a195cd73a5f4422e085c0b71fde7298e435e03e0993c4c4aaef5d04241380181c71ebc930a8ecbea25ec348ec07498f749d803743d17257cdbc47d9e9

Download Submit
\Users\Admin\ bxgfbxcx\xcvxcvzzx.exe

Filesize
176.2MB

MD5
2d0453105a4e84d335ceb9938e549f29

SHA1
d7b3e22b982767de25f068da1cb77490bef5908b

SHA256
43148b17b19a817aa70c1459354bc76e61aa3eb68bc401b68fc1dd1a7a9b17a3

SHA512
bbf8fb1cc099a789310ef88a28f249a2023e8da53f2468f96408ee4eb2e2fbac81f121cc0038380207d2c7e251fe5c0378fd2733007daebc7b595e2ddb89f31b

Download Submit
\Users\Admin\ bxgfbxcx\xcvxcvzzx.exe

Filesize
176.4MB

MD5
fe44c1105547cf820cbeb510e48257f2

SHA1
61b96bf119acf1ff008a66b459fd75879c27af29

SHA256
ceb5edfc650d104472753cf4339f2f2b6f79ca5748c7e57c4a400287c732019c

SHA512
7e58a9b46c38ba4241aa50198bcd704543c67d7f4de2d5a3365d13641a94c9714ec5a88ad7b53f29c0d6a2409d57f7213ad51a565e33347637246a1bb7283a51

Download Submit
memory/772-91-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/772-88-0x0000000000220000-0x000000000022D000-memory.dmp

Filesize
52KB

Download
memory/772-89-0x0000000077910000-0x0000000077A90000-memory.dmp

Filesize
1.5MB

Download
memory/772-86-0x0000000077730000-0x00000000778D9000-memory.dmp

Filesize
1.7MB

Download
memory/772-90-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/772-87-0x0000000077910000-0x0000000077A90000-memory.dmp

Filesize
1.5MB

Download
memory/772-80-0x00000000004765B7-mapping.dmp

Download
memory/772-97-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/772-98-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/1348-54-0x000007FEFBFB1000-0x000007FEFBFB3000-memory.dmp

Filesize
8KB

Download
memory/1588-83-0x0000000077910000-0x0000000077A90000-memory.dmp

Filesize
1.5MB

Download
memory/1588-82-0x00000000003F0000-0x00000000003FD000-memory.dmp

Filesize
52KB

Download
memory/1588-78-0x0000000077730000-0x00000000778D9000-memory.dmp

Filesize
1.7MB

Download
memory/1588-69-0x0000000000000000-mapping.dmp

Download
memory/1632-65-0x0000000000000000-mapping.dmp

Download
memory/1720-74-0x0000000077910000-0x0000000077A90000-memory.dmp

Filesize
1.5MB

Download
memory/1720-71-0x0000000000330000-0x000000000033D000-memory.dmp

Filesize
52KB

Download
memory/1720-64-0x0000000077910000-0x0000000077A90000-memory.dmp

Filesize
1.5MB

Download
memory/1720-63-0x0000000077730000-0x00000000778D9000-memory.dmp

Filesize
1.7MB

Download
memory/1720-60-0x0000000076531000-0x0000000076533000-memory.dmp

Filesize
8KB

Download
memory/1720-59-0x0000000000330000-0x000000000033D000-memory.dmp

Filesize
52KB

Download
memory/1720-55-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads