netwire | 3e44e780a76526026a6ddbcea40043e5fd098bf107b0b68f7d9d232eb72ae574

General

Target

3e44e780a76526026a6ddbcea40043e5fd098bf107b0b68f7d9d232eb72ae574.exe
Size

626KB
MD5

d2b8bfc68681f6e58838eff7a2cb33c0
SHA1

1c365788f6d248efea2a1a7f574efd610866deff
SHA256

3e44e780a76526026a6ddbcea40043e5fd098bf107b0b68f7d9d232eb72ae574
SHA512

6eeb7aa28dd1a038d8cf87b50c7bc46496cbb6e0b2181ea01bf9b0c0b3601229f84845a6025a21357b2fede93ac34ead37fd96809b0f914f89cae7ca4f43a6dc

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

C2

185.101.93.198:8681

185.101.93.198:9691

89.46.223.154:8585

89.46.223.154:1194

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3952-147-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

plesk.exeplesk.exe

pid process

4564 plesk.exe
3952 plesk.exe

pid	process
4564	plesk.exe
3952	plesk.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3e44e780a76526026a6ddbcea40043e5fd098bf107b0b68f7d9d232eb72ae574.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	3e44e780a76526026a6ddbcea40043e5fd098bf107b0b68f7d9d232eb72ae574.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows\CurrentVersion\Run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AHDSKD87372930473JNDKSKSNSBG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\plesk\\plesk.vbs -FF"	WScript.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

plesk.exe

description pid process target process

PID 4564 set thread context of 3952 4564 plesk.exe plesk.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 4564 set thread context of 3952	4564	plesk.exe	plesk.exe

Modifies registry class 1 IoCs

Processes:

3e44e780a76526026a6ddbcea40043e5fd098bf107b0b68f7d9d232eb72ae574.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings	3e44e780a76526026a6ddbcea40043e5fd098bf107b0b68f7d9d232eb72ae574.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

3e44e780a76526026a6ddbcea40043e5fd098bf107b0b68f7d9d232eb72ae574.exeplesk.exe

pid process

4468 3e44e780a76526026a6ddbcea40043e5fd098bf107b0b68f7d9d232eb72ae574.exe
4564 plesk.exe

pid	process
4468	3e44e780a76526026a6ddbcea40043e5fd098bf107b0b68f7d9d232eb72ae574.exe
4564	plesk.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

3e44e780a76526026a6ddbcea40043e5fd098bf107b0b68f7d9d232eb72ae574.exeplesk.exe

description	pid	process	target process
PID 4468 wrote to memory of 4712	4468	3e44e780a76526026a6ddbcea40043e5fd098bf107b0b68f7d9d232eb72ae574.exe	WScript.exe
PID 4468 wrote to memory of 4712	4468	3e44e780a76526026a6ddbcea40043e5fd098bf107b0b68f7d9d232eb72ae574.exe	WScript.exe
PID 4468 wrote to memory of 4712	4468	3e44e780a76526026a6ddbcea40043e5fd098bf107b0b68f7d9d232eb72ae574.exe	WScript.exe
PID 4468 wrote to memory of 4564	4468	3e44e780a76526026a6ddbcea40043e5fd098bf107b0b68f7d9d232eb72ae574.exe	plesk.exe
PID 4468 wrote to memory of 4564	4468	3e44e780a76526026a6ddbcea40043e5fd098bf107b0b68f7d9d232eb72ae574.exe	plesk.exe
PID 4468 wrote to memory of 4564	4468	3e44e780a76526026a6ddbcea40043e5fd098bf107b0b68f7d9d232eb72ae574.exe	plesk.exe
PID 4564 wrote to memory of 3952	4564	plesk.exe	plesk.exe
PID 4564 wrote to memory of 3952	4564	plesk.exe	plesk.exe
PID 4564 wrote to memory of 3952	4564	plesk.exe	plesk.exe

C:\Users\Admin\AppData\Local\Temp\3e44e780a76526026a6ddbcea40043e5fd098bf107b0b68f7d9d232eb72ae574.exe
"C:\Users\Admin\AppData\Local\Temp\3e44e780a76526026a6ddbcea40043e5fd098bf107b0b68f7d9d232eb72ae574.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4468

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\plesk\plesk.vbs"
2⤵
- Adds Run key to start application
PID:4712

C:\Users\Admin\AppData\Local\Temp\plesk\plesk.exe
"C:\Users\Admin\AppData\Local\Temp\plesk\plesk.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4564

C:\Users\Admin\AppData\Local\Temp\plesk\plesk.exe
C:\Users\Admin\AppData\Local\Temp\plesk\plesk.exe"
3⤵
- Executes dropped EXE
PID:3952

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\plesk\plesk.exe
Filesize
626KB

MD5
d2b8bfc68681f6e58838eff7a2cb33c0

SHA1
1c365788f6d248efea2a1a7f574efd610866deff

SHA256
3e44e780a76526026a6ddbcea40043e5fd098bf107b0b68f7d9d232eb72ae574

SHA512
6eeb7aa28dd1a038d8cf87b50c7bc46496cbb6e0b2181ea01bf9b0c0b3601229f84845a6025a21357b2fede93ac34ead37fd96809b0f914f89cae7ca4f43a6dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\plesk\plesk.exe
Filesize
626KB

MD5
d2b8bfc68681f6e58838eff7a2cb33c0

SHA1
1c365788f6d248efea2a1a7f574efd610866deff

SHA256
3e44e780a76526026a6ddbcea40043e5fd098bf107b0b68f7d9d232eb72ae574

SHA512
6eeb7aa28dd1a038d8cf87b50c7bc46496cbb6e0b2181ea01bf9b0c0b3601229f84845a6025a21357b2fede93ac34ead37fd96809b0f914f89cae7ca4f43a6dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\plesk\plesk.exe
Filesize
626KB

MD5
d2b8bfc68681f6e58838eff7a2cb33c0

SHA1
1c365788f6d248efea2a1a7f574efd610866deff

SHA256
3e44e780a76526026a6ddbcea40043e5fd098bf107b0b68f7d9d232eb72ae574

SHA512
6eeb7aa28dd1a038d8cf87b50c7bc46496cbb6e0b2181ea01bf9b0c0b3601229f84845a6025a21357b2fede93ac34ead37fd96809b0f914f89cae7ca4f43a6dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\plesk\plesk.vbs
Filesize
1024B

MD5
f964ef1908684af0edaffac5e9be4e20

SHA1
65b65b4a3398ab4cdd0c4ab1db6eb25f6172cb2c

SHA256
bba4125f2fabc793609bec64ec8e26c920a2e4213b4eeab3fac338bb716e9143

SHA512
26cfd088e96766041ace82a7483cc620eb8ccf7765b6b9f7e987c2eb18561ee895c7f6e66d90712e8d50a88c87a35a3266a1db5829bb1ff0b749af9791a5eda1

Download Submit
memory/3952-143-0x0000000000000000-mapping.dmp

Download
memory/3952-147-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3952-153-0x00000000770E0000-0x0000000077283000-memory.dmp

Filesize
1.6MB

Download
memory/4468-138-0x00000000770E0000-0x0000000077283000-memory.dmp

Filesize
1.6MB

Download
memory/4468-132-0x0000000002390000-0x0000000002396000-memory.dmp

Filesize
24KB

Download
memory/4468-133-0x00000000770E0000-0x0000000077283000-memory.dmp

Filesize
1.6MB

Download
memory/4564-135-0x0000000000000000-mapping.dmp

Download
memory/4564-142-0x00000000770E0000-0x0000000077283000-memory.dmp

Filesize
1.6MB

Download
memory/4564-145-0x00000000770E0000-0x0000000077283000-memory.dmp

Filesize
1.6MB

Download
memory/4712-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads