netwire | 620e3ddb7798b06de3a93b5df78a5838345f7a4e7ca0b9c9d21623d2010026b4

General

Target

620e3ddb7798b06de3a93b5df78a5838345f7a4e7ca0b9c9d21623d2010026b4.exe
Size

764KB
MD5

c8ad3f500f51ba6f32971496d3fd605e
SHA1

0677951661b11e2fc5f35e9f5e1ed8d964b8ab79
SHA256

620e3ddb7798b06de3a93b5df78a5838345f7a4e7ca0b9c9d21623d2010026b4
SHA512

c9a6bb7ca9162d7bdb61ffe332fc09388eb1f24d4bd203363aa35b308e0416d4328a228ef9a578ad2176385dc37668df0ed039104917dd0e7f9a9329626fe350

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Signatures

NetWire RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1768-154-0x0000000000400000-0x0000000000425000-memory.dmp	netwire
behavioral2/memory/1768-153-0x0000000000400000-0x0000000000489000-memory.dmp	netwire
behavioral2/memory/1768-162-0x0000000000400000-0x0000000000489000-memory.dmp	netwire
behavioral2/memory/1768-165-0x0000000000400000-0x0000000000489000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 3 IoCs

Processes:

PVDFGH~1.EXExcvxcvzzx.exexcvxcvzzx.exe

pid process

4720 PVDFGH~1.EXE
1636 xcvxcvzzx.exe
1768 xcvxcvzzx.exe

pid	process
4720	PVDFGH~1.EXE
1636	xcvxcvzzx.exe
1768	xcvxcvzzx.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

PVDFGH~1.EXE

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	PVDFGH~1.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

620e3ddb7798b06de3a93b5df78a5838345f7a4e7ca0b9c9d21623d2010026b4.exeWScript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	620e3ddb7798b06de3a93b5df78a5838345f7a4e7ca0b9c9d21623d2010026b4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	620e3ddb7798b06de3a93b5df78a5838345f7a4e7ca0b9c9d21623d2010026b4.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows\CurrentVersion\Run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xgfdsyhbv = "C:\\Users\\Admin\\ bxgfbxcx\\xcvxcvzzx.vbs -BN"	WScript.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

PVDFGH~1.EXExcvxcvzzx.exexcvxcvzzx.exe

pid process

4720 PVDFGH~1.EXE
1636 xcvxcvzzx.exe
1768 xcvxcvzzx.exe
1768 xcvxcvzzx.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

xcvxcvzzx.exe

description pid process target process

PID 1636 set thread context of 1768 1636 xcvxcvzzx.exe xcvxcvzzx.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

PVDFGH~1.EXE

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings PVDFGH~1.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

PVDFGH~1.EXExcvxcvzzx.exe

pid process

4720 PVDFGH~1.EXE
1636 xcvxcvzzx.exe

pid	process
4720	PVDFGH~1.EXE
1636	xcvxcvzzx.exe
1768	xcvxcvzzx.exe
1768	xcvxcvzzx.exe

description	pid	process	target process
PID 1636 set thread context of 1768	1636	xcvxcvzzx.exe	xcvxcvzzx.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	PVDFGH~1.EXE

pid	process
4720	PVDFGH~1.EXE
1636	xcvxcvzzx.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

620e3ddb7798b06de3a93b5df78a5838345f7a4e7ca0b9c9d21623d2010026b4.exePVDFGH~1.EXExcvxcvzzx.exe

description	pid	process	target process
PID 4684 wrote to memory of 4720	4684	620e3ddb7798b06de3a93b5df78a5838345f7a4e7ca0b9c9d21623d2010026b4.exe	PVDFGH~1.EXE
PID 4684 wrote to memory of 4720	4684	620e3ddb7798b06de3a93b5df78a5838345f7a4e7ca0b9c9d21623d2010026b4.exe	PVDFGH~1.EXE
PID 4684 wrote to memory of 4720	4684	620e3ddb7798b06de3a93b5df78a5838345f7a4e7ca0b9c9d21623d2010026b4.exe	PVDFGH~1.EXE
PID 4720 wrote to memory of 4000	4720	PVDFGH~1.EXE	WScript.exe
PID 4720 wrote to memory of 4000	4720	PVDFGH~1.EXE	WScript.exe
PID 4720 wrote to memory of 4000	4720	PVDFGH~1.EXE	WScript.exe
PID 4720 wrote to memory of 1636	4720	PVDFGH~1.EXE	xcvxcvzzx.exe
PID 4720 wrote to memory of 1636	4720	PVDFGH~1.EXE	xcvxcvzzx.exe
PID 4720 wrote to memory of 1636	4720	PVDFGH~1.EXE	xcvxcvzzx.exe
PID 1636 wrote to memory of 1768	1636	xcvxcvzzx.exe	xcvxcvzzx.exe
PID 1636 wrote to memory of 1768	1636	xcvxcvzzx.exe	xcvxcvzzx.exe
PID 1636 wrote to memory of 1768	1636	xcvxcvzzx.exe	xcvxcvzzx.exe

C:\Users\Admin\AppData\Local\Temp\620e3ddb7798b06de3a93b5df78a5838345f7a4e7ca0b9c9d21623d2010026b4.exe
"C:\Users\Admin\AppData\Local\Temp\620e3ddb7798b06de3a93b5df78a5838345f7a4e7ca0b9c9d21623d2010026b4.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4684

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PVDFGH~1.EXE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PVDFGH~1.EXE
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4720

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\ bxgfbxcx\xcvxcvzzx.vbs"
3⤵
- Adds Run key to start application
PID:4000

C:\Users\Admin\ bxgfbxcx\xcvxcvzzx.exe
"C:\Users\Admin\ bxgfbxcx\xcvxcvzzx.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1636

C:\Users\Admin\ bxgfbxcx\xcvxcvzzx.exe
"C:\Users\Admin\ bxgfbxcx\xcvxcvzzx.exe"
4⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1768

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\ bxgfbxcx\xcvxcvzzx.exe
Filesize
177.1MB

MD5
9cf85cd3e84b57cce03195c7096d70a3

SHA1
77a8b4a828111dbb1602c39ed6ab70d8ae63dd14

SHA256
7fea2674f1c0d1b939015a5b86276a4b49b33f08dd72b361fdbae426bcbec42f

SHA512
008cef1d67bdcc34c4b6f874cf39b9e2bb957695ee72be26b9ca23380dc1ec025a449ce5df68510126f33db2c111408543bee6406dfdd3fd1eb466473a266ab8

Download Submit
C:\Users\Admin\ bxgfbxcx\xcvxcvzzx.exe
Filesize
180.2MB

MD5
1d1d3ed43549d50c4833413f66614dbd

SHA1
db13252e7e5f4720d5297496cc54a79e95450d19

SHA256
7c763a3d488280945ce6cf03b926cbc0fffc67c425da55bb316802a16167eff9

SHA512
c56cb798d3b388541243ae7bb0ae2190d4b19f52e463d01c0b21e030e65bab69d805c83a737769fd413c648f0083102b91ed23cb4d950fa946dbb2a88efbc512

Download Submit
C:\Users\Admin\ bxgfbxcx\xcvxcvzzx.exe
Filesize
173.9MB

MD5
3b56913547778154030a14c8a722541f

SHA1
370ca733943ca0a728abe78e26bf272aea4d1b77

SHA256
534cc39caeb712047a198e870b81bc39502da2669cb5110846fa87fe2d32f44c

SHA512
8365048e9b0fd65a6f1c8b8b392c9e48a614e1e93aeb0d3407cb32b5295064244a9b1051daad251f7e49bc869708f7ba55d6149dca9096c7fc583f985a62230e

Download Submit
C:\Users\Admin\ bxgfbxcx\xcvxcvzzx.vbs
Filesize
1020B

MD5
7e55ee0e84b1433f9a2ce0ad5c46f39f

SHA1
e8e41756ac7013c8b056739a0cdc8935a3f86495

SHA256
bb69ddb2d1f7de172d4081b14326b13b801017e8e1b8f273e2425db7ba8f316c

SHA512
13d33c377085ac7638ed7061c65a949bdb35b6856258a26ee0653456938e0f1b79f6a34de3b0dc3706cb2fe30e6a12de8edb8c6c81186c4a7f625ea22a26b2d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PVDFGH~1.EXE
Filesize
203.5MB

MD5
d77543c919adaaa77349de1ee0b15382

SHA1
a64c486a340b01f6afffd1c09b4e932e768780a1

SHA256
feaac437ebfbe82c33f37d008ec6ba1b6c4ae6e4b30c2b56c11ecad7d112e8d7

SHA512
6f610ed52611aed88a481ad411003c108c8cccdee6def06006228e85273d95feeab4eb06ff977e826f71cb1dc2e6504e11b5428d513258a74934a5d15978a4c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PVDFGH~1.EXE
Filesize
203.5MB

MD5
d77543c919adaaa77349de1ee0b15382

SHA1
a64c486a340b01f6afffd1c09b4e932e768780a1

SHA256
feaac437ebfbe82c33f37d008ec6ba1b6c4ae6e4b30c2b56c11ecad7d112e8d7

SHA512
6f610ed52611aed88a481ad411003c108c8cccdee6def06006228e85273d95feeab4eb06ff977e826f71cb1dc2e6504e11b5428d513258a74934a5d15978a4c1

Download Submit
memory/1636-140-0x0000000000000000-mapping.dmp

Download
memory/1636-150-0x0000000002780000-0x000000000278D000-memory.dmp

Filesize
52KB

Download
memory/1636-152-0x00000000772D0000-0x0000000077473000-memory.dmp

Filesize
1.6MB

Download
memory/1636-151-0x00007FFB6DEF0000-0x00007FFB6E0E5000-memory.dmp

Filesize
2.0MB

Download
memory/1768-161-0x00000000772D0000-0x0000000077473000-memory.dmp

Filesize
1.6MB

Download
memory/1768-162-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/1768-153-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/1768-154-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1768-160-0x00007FFB6DEF0000-0x00007FFB6E0E5000-memory.dmp

Filesize
2.0MB

Download
memory/1768-148-0x0000000000000000-mapping.dmp

Download
memory/1768-163-0x00000000005B0000-0x00000000005BD000-memory.dmp

Filesize
52KB

Download
memory/1768-165-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/1768-164-0x00000000772D0000-0x0000000077473000-memory.dmp

Filesize
1.6MB

Download
memory/4000-138-0x0000000000000000-mapping.dmp

Download
memory/4720-147-0x00000000772D0000-0x0000000077473000-memory.dmp

Filesize
1.6MB

Download
memory/4720-145-0x00007FFB6DEF0000-0x00007FFB6E0E5000-memory.dmp

Filesize
2.0MB

Download
memory/4720-143-0x00000000021A0000-0x00000000021AD000-memory.dmp

Filesize
52KB

Download
memory/4720-130-0x0000000000000000-mapping.dmp

Download
memory/4720-137-0x00000000772D0000-0x0000000077473000-memory.dmp

Filesize
1.6MB

Download
memory/4720-136-0x00007FFB6DEF0000-0x00007FFB6E0E5000-memory.dmp

Filesize
2.0MB

Download
memory/4720-135-0x00000000021A0000-0x00000000021AD000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads