netwire | 3e66b276204a34135abfd32954a8d81cd068b5661c6f5ac12141dde45fd773ba

General

Target

3e66b276204a34135abfd32954a8d81cd068b5661c6f5ac12141dde45fd773ba.exe
Size

508KB
MD5

70774c09cd557ec674d9ef20cafae2e8
SHA1

92db9ee475f9c2cb8bb4f0db21bdc903372600c3
SHA256

3e66b276204a34135abfd32954a8d81cd068b5661c6f5ac12141dde45fd773ba
SHA512

281a6a04e8097c4106d576fd6888da3919132ce9c0a080f0a4666f95b0ca6d37f27f39d214a2b5187a2d6ccaac8455545f2f800397bd53312d3d8b47afbc7020

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

C2

mlhdns.phatbois.me:4772

mlhdns.pandabearsunited.xyz:4772

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
C:\Users\Admin\AppData\Roaming\Logs\
lock_executable
false
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1212-76-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 1 IoCs

Processes:

llwinsc.exe

pid process

1756 llwinsc.exe

pid	process
1756	llwinsc.exe

Drops startup file 2 IoCs

Processes:

3e66b276204a34135abfd32954a8d81cd068b5661c6f5ac12141dde45fd773ba.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\llwinsc.exe	3e66b276204a34135abfd32954a8d81cd068b5661c6f5ac12141dde45fd773ba.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\llwinsc.exe	3e66b276204a34135abfd32954a8d81cd068b5661c6f5ac12141dde45fd773ba.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

llwinsc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\Default Settings = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\llwinsc.exe -boot"	llwinsc.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

llwinsc.exe

description pid process target process

PID 1756 set thread context of 1212 1756 llwinsc.exe AppLaunch.exe

description	pid	process	target process
PID 1756 set thread context of 1212	1756	llwinsc.exe	AppLaunch.exe

Drops file in Windows directory 4 IoCs

Processes:

3e66b276204a34135abfd32954a8d81cd068b5661c6f5ac12141dde45fd773ba.exellwinsc.exe

description	ioc	process
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new	3e66b276204a34135abfd32954a8d81cd068b5661c6f5ac12141dde45fd773ba.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new	3e66b276204a34135abfd32954a8d81cd068b5661c6f5ac12141dde45fd773ba.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new	llwinsc.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new	llwinsc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

3e66b276204a34135abfd32954a8d81cd068b5661c6f5ac12141dde45fd773ba.exellwinsc.exe

description	pid	process
Token: SeDebugPrivilege	2044	3e66b276204a34135abfd32954a8d81cd068b5661c6f5ac12141dde45fd773ba.exe
Token: SeDebugPrivilege	1756	llwinsc.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

3e66b276204a34135abfd32954a8d81cd068b5661c6f5ac12141dde45fd773ba.exeexplorer.exellwinsc.exe

description	pid	process	target process
PID 2044 wrote to memory of 1620	2044	3e66b276204a34135abfd32954a8d81cd068b5661c6f5ac12141dde45fd773ba.exe	explorer.exe
PID 2044 wrote to memory of 1620	2044	3e66b276204a34135abfd32954a8d81cd068b5661c6f5ac12141dde45fd773ba.exe	explorer.exe
PID 2044 wrote to memory of 1620	2044	3e66b276204a34135abfd32954a8d81cd068b5661c6f5ac12141dde45fd773ba.exe	explorer.exe
PID 2044 wrote to memory of 1620	2044	3e66b276204a34135abfd32954a8d81cd068b5661c6f5ac12141dde45fd773ba.exe	explorer.exe
PID 1716 wrote to memory of 1756	1716	explorer.exe	llwinsc.exe
PID 1716 wrote to memory of 1756	1716	explorer.exe	llwinsc.exe
PID 1716 wrote to memory of 1756	1716	explorer.exe	llwinsc.exe
PID 1716 wrote to memory of 1756	1716	explorer.exe	llwinsc.exe
PID 1756 wrote to memory of 1212	1756	llwinsc.exe	AppLaunch.exe
PID 1756 wrote to memory of 1212	1756	llwinsc.exe	AppLaunch.exe
PID 1756 wrote to memory of 1212	1756	llwinsc.exe	AppLaunch.exe
PID 1756 wrote to memory of 1212	1756	llwinsc.exe	AppLaunch.exe
PID 1756 wrote to memory of 1212	1756	llwinsc.exe	AppLaunch.exe
PID 1756 wrote to memory of 1212	1756	llwinsc.exe	AppLaunch.exe
PID 1756 wrote to memory of 1212	1756	llwinsc.exe	AppLaunch.exe
PID 1756 wrote to memory of 1212	1756	llwinsc.exe	AppLaunch.exe
PID 1756 wrote to memory of 1212	1756	llwinsc.exe	AppLaunch.exe
PID 1756 wrote to memory of 1212	1756	llwinsc.exe	AppLaunch.exe
PID 1756 wrote to memory of 1212	1756	llwinsc.exe	AppLaunch.exe
PID 1756 wrote to memory of 1212	1756	llwinsc.exe	AppLaunch.exe
PID 1756 wrote to memory of 1212	1756	llwinsc.exe	AppLaunch.exe
PID 1756 wrote to memory of 1212	1756	llwinsc.exe	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\3e66b276204a34135abfd32954a8d81cd068b5661c6f5ac12141dde45fd773ba.exe
"C:\Users\Admin\AppData\Local\Temp\3e66b276204a34135abfd32954a8d81cd068b5661c6f5ac12141dde45fd773ba.exe"
1⤵
- Drops startup file
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2044

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\System32\explorer.exe" /c select, C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\llwinsc.exe
2⤵
PID:1620

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:1716

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\llwinsc.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\llwinsc.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1756

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
3⤵
PID:1212

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\llwinsc.exe
Filesize
508KB

MD5
70774c09cd557ec674d9ef20cafae2e8

SHA1
92db9ee475f9c2cb8bb4f0db21bdc903372600c3

SHA256
3e66b276204a34135abfd32954a8d81cd068b5661c6f5ac12141dde45fd773ba

SHA512
281a6a04e8097c4106d576fd6888da3919132ce9c0a080f0a4666f95b0ca6d37f27f39d214a2b5187a2d6ccaac8455545f2f800397bd53312d3d8b47afbc7020

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\llwinsc.exe
Filesize
508KB

MD5
70774c09cd557ec674d9ef20cafae2e8

SHA1
92db9ee475f9c2cb8bb4f0db21bdc903372600c3

SHA256
3e66b276204a34135abfd32954a8d81cd068b5661c6f5ac12141dde45fd773ba

SHA512
281a6a04e8097c4106d576fd6888da3919132ce9c0a080f0a4666f95b0ca6d37f27f39d214a2b5187a2d6ccaac8455545f2f800397bd53312d3d8b47afbc7020

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch
Filesize
514B

MD5
ab0132018bdef8f7233f491f0aecc699

SHA1
be5b112968435687e3b453695ea2e231fe6652a7

SHA256
d5eff5f78997673e794c532fdc5fbc483bcf7e0e7265e5af34117943b9247f61

SHA512
2090b648cf7456d1eb3388ec703b4d468d5ca0a5507098ccb02c6b4e08c2e5fe4b52cc76061f2021376028bdd179ba3e232309ad4ea5dbcc26cd5a774cd06e0b

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch
Filesize
514B

MD5
ab0132018bdef8f7233f491f0aecc699

SHA1
be5b112968435687e3b453695ea2e231fe6652a7

SHA256
d5eff5f78997673e794c532fdc5fbc483bcf7e0e7265e5af34117943b9247f61

SHA512
2090b648cf7456d1eb3388ec703b4d468d5ca0a5507098ccb02c6b4e08c2e5fe4b52cc76061f2021376028bdd179ba3e232309ad4ea5dbcc26cd5a774cd06e0b

Download Submit
memory/1212-76-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1212-72-0x0000000000429000-0x000000000042A200-memory.dmp

Filesize
4KB

Download
memory/1212-70-0x0000000000429000-0x000000000042A200-memory.dmp

Filesize
4KB

Download
memory/1212-69-0x0000000000401000-0x000000000041D200-memory.dmp

Filesize
112KB

Download
memory/1620-59-0x0000000071891000-0x0000000071893000-memory.dmp

Filesize
8KB

Download
memory/1620-57-0x0000000000000000-mapping.dmp

Download
memory/1716-60-0x000007FEFBB11000-0x000007FEFBB13000-memory.dmp

Filesize
8KB

Download
memory/1756-62-0x0000000000000000-mapping.dmp

Download
memory/1756-66-0x00000000744D0000-0x0000000074A7B000-memory.dmp

Filesize
5.7MB

Download
memory/1756-68-0x00000000744D0000-0x0000000074A7B000-memory.dmp

Filesize
5.7MB

Download
memory/1756-75-0x00000000744D0000-0x0000000074A7B000-memory.dmp

Filesize
5.7MB

Download
memory/2044-67-0x00000000744D0000-0x0000000074A7B000-memory.dmp

Filesize
5.7MB

Download
memory/2044-54-0x0000000075441000-0x0000000075443000-memory.dmp

Filesize
8KB

Download
memory/2044-56-0x00000000744D0000-0x0000000074A7B000-memory.dmp

Filesize
5.7MB

Download
memory/2044-55-0x00000000744D0000-0x0000000074A7B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads