netwire | 41e24008114e3824dedccf90a28e47a85602b14f6890dd5d61a947073b7d4577

General

Target

41e24008114e3824dedccf90a28e47a85602b14f6890dd5d61a947073b7d4577.exe
Size

656KB
MD5

714bcb747c559e227f47ea71a05fb52e
SHA1

f8b07712e284cd4c00c555ee07482be321749a0a
SHA256

41e24008114e3824dedccf90a28e47a85602b14f6890dd5d61a947073b7d4577
SHA512

ae5eb450917afc8b2cf71c5db8d59e8b0e557cd1b7b80c19384f74678f61b03bed61ef6d6ccf60f36b89091cee5425dd4d43b16650a51788ac5a2b1852bd7569

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Signatures

NetWire RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4104-139-0x0000000000400000-0x00000000004A4000-memory.dmp	netwire
behavioral2/memory/4104-140-0x0000000000400000-0x000000000042B000-memory.dmp	netwire
behavioral2/memory/4104-146-0x0000000000400000-0x00000000004A4000-memory.dmp	netwire
behavioral2/memory/4392-171-0x0000000000400000-0x00000000004A4000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

Host.exeHost.exe

pid process

3220 Host.exe
4392 Host.exe

pid	process
3220	Host.exe
4392	Host.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

41e24008114e3824dedccf90a28e47a85602b14f6890dd5d61a947073b7d4577.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	41e24008114e3824dedccf90a28e47a85602b14f6890dd5d61a947073b7d4577.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Host.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	Host.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NetWire = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe"	Host.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

41e24008114e3824dedccf90a28e47a85602b14f6890dd5d61a947073b7d4577.exe41e24008114e3824dedccf90a28e47a85602b14f6890dd5d61a947073b7d4577.exeHost.exeHost.exe

pid	process
4240	41e24008114e3824dedccf90a28e47a85602b14f6890dd5d61a947073b7d4577.exe
4104	41e24008114e3824dedccf90a28e47a85602b14f6890dd5d61a947073b7d4577.exe
4104	41e24008114e3824dedccf90a28e47a85602b14f6890dd5d61a947073b7d4577.exe
3220	Host.exe
4392	Host.exe
4392	Host.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

41e24008114e3824dedccf90a28e47a85602b14f6890dd5d61a947073b7d4577.exeHost.exe

description	pid	process	target process
PID 4240 set thread context of 4104	4240	41e24008114e3824dedccf90a28e47a85602b14f6890dd5d61a947073b7d4577.exe	41e24008114e3824dedccf90a28e47a85602b14f6890dd5d61a947073b7d4577.exe
PID 3220 set thread context of 4392	3220	Host.exe	Host.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

41e24008114e3824dedccf90a28e47a85602b14f6890dd5d61a947073b7d4577.exeHost.exe

pid process

4240 41e24008114e3824dedccf90a28e47a85602b14f6890dd5d61a947073b7d4577.exe
3220 Host.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

41e24008114e3824dedccf90a28e47a85602b14f6890dd5d61a947073b7d4577.exe41e24008114e3824dedccf90a28e47a85602b14f6890dd5d61a947073b7d4577.exeHost.exe

description	pid	process	target process
PID 4240 wrote to memory of 4104	4240	41e24008114e3824dedccf90a28e47a85602b14f6890dd5d61a947073b7d4577.exe	41e24008114e3824dedccf90a28e47a85602b14f6890dd5d61a947073b7d4577.exe
PID 4240 wrote to memory of 4104	4240	41e24008114e3824dedccf90a28e47a85602b14f6890dd5d61a947073b7d4577.exe	41e24008114e3824dedccf90a28e47a85602b14f6890dd5d61a947073b7d4577.exe
PID 4240 wrote to memory of 4104	4240	41e24008114e3824dedccf90a28e47a85602b14f6890dd5d61a947073b7d4577.exe	41e24008114e3824dedccf90a28e47a85602b14f6890dd5d61a947073b7d4577.exe
PID 4104 wrote to memory of 3220	4104	41e24008114e3824dedccf90a28e47a85602b14f6890dd5d61a947073b7d4577.exe	Host.exe
PID 4104 wrote to memory of 3220	4104	41e24008114e3824dedccf90a28e47a85602b14f6890dd5d61a947073b7d4577.exe	Host.exe
PID 4104 wrote to memory of 3220	4104	41e24008114e3824dedccf90a28e47a85602b14f6890dd5d61a947073b7d4577.exe	Host.exe
PID 3220 wrote to memory of 4392	3220	Host.exe	Host.exe
PID 3220 wrote to memory of 4392	3220	Host.exe	Host.exe
PID 3220 wrote to memory of 4392	3220	Host.exe	Host.exe

C:\Users\Admin\AppData\Local\Temp\41e24008114e3824dedccf90a28e47a85602b14f6890dd5d61a947073b7d4577.exe
"C:\Users\Admin\AppData\Local\Temp\41e24008114e3824dedccf90a28e47a85602b14f6890dd5d61a947073b7d4577.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4240

C:\Users\Admin\AppData\Local\Temp\41e24008114e3824dedccf90a28e47a85602b14f6890dd5d61a947073b7d4577.exe
"C:\Users\Admin\AppData\Local\Temp\41e24008114e3824dedccf90a28e47a85602b14f6890dd5d61a947073b7d4577.exe"
2⤵
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:4104

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3220

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4392

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
656KB

MD5
714bcb747c559e227f47ea71a05fb52e

SHA1
f8b07712e284cd4c00c555ee07482be321749a0a

SHA256
41e24008114e3824dedccf90a28e47a85602b14f6890dd5d61a947073b7d4577

SHA512
ae5eb450917afc8b2cf71c5db8d59e8b0e557cd1b7b80c19384f74678f61b03bed61ef6d6ccf60f36b89091cee5425dd4d43b16650a51788ac5a2b1852bd7569

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
656KB

MD5
714bcb747c559e227f47ea71a05fb52e

SHA1
f8b07712e284cd4c00c555ee07482be321749a0a

SHA256
41e24008114e3824dedccf90a28e47a85602b14f6890dd5d61a947073b7d4577

SHA512
ae5eb450917afc8b2cf71c5db8d59e8b0e557cd1b7b80c19384f74678f61b03bed61ef6d6ccf60f36b89091cee5425dd4d43b16650a51788ac5a2b1852bd7569

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
656KB

MD5
714bcb747c559e227f47ea71a05fb52e

SHA1
f8b07712e284cd4c00c555ee07482be321749a0a

SHA256
41e24008114e3824dedccf90a28e47a85602b14f6890dd5d61a947073b7d4577

SHA512
ae5eb450917afc8b2cf71c5db8d59e8b0e557cd1b7b80c19384f74678f61b03bed61ef6d6ccf60f36b89091cee5425dd4d43b16650a51788ac5a2b1852bd7569

Download Submit
memory/3220-160-0x00007FFB6DEF0000-0x00007FFB6E0E5000-memory.dmp

Filesize
2.0MB

Download
memory/3220-150-0x0000000000000000-mapping.dmp

Download
memory/3220-161-0x00000000772D0000-0x0000000077473000-memory.dmp

Filesize
1.6MB

Download
memory/3220-159-0x00000000020C0000-0x00000000020CE000-memory.dmp

Filesize
56KB

Download
memory/4104-147-0x0000000000610000-0x000000000061E000-memory.dmp

Filesize
56KB

Download
memory/4104-155-0x00000000772D0000-0x0000000077473000-memory.dmp

Filesize
1.6MB

Download
memory/4104-146-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/4104-138-0x00000000772D0000-0x0000000077473000-memory.dmp

Filesize
1.6MB

Download
memory/4104-148-0x00007FFB6DEF0000-0x00007FFB6E0E5000-memory.dmp

Filesize
2.0MB

Download
memory/4104-149-0x00000000772D0000-0x0000000077473000-memory.dmp

Filesize
1.6MB

Download
memory/4104-139-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/4104-133-0x0000000000000000-mapping.dmp

Download
memory/4104-140-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4104-153-0x00007FFB6DEF0000-0x00007FFB6E0E5000-memory.dmp

Filesize
2.0MB

Download
memory/4104-137-0x00007FFB6DEF0000-0x00007FFB6E0E5000-memory.dmp

Filesize
2.0MB

Download
memory/4240-134-0x0000000000720000-0x000000000072E000-memory.dmp

Filesize
56KB

Download
memory/4240-136-0x00000000772D0000-0x0000000077473000-memory.dmp

Filesize
1.6MB

Download
memory/4240-135-0x00007FFB6DEF0000-0x00007FFB6E0E5000-memory.dmp

Filesize
2.0MB

Download
memory/4240-132-0x0000000000720000-0x000000000072E000-memory.dmp

Filesize
56KB

Download
memory/4392-157-0x0000000000000000-mapping.dmp

Download
memory/4392-163-0x00007FFB6DEF0000-0x00007FFB6E0E5000-memory.dmp

Filesize
2.0MB

Download
memory/4392-166-0x00000000772D0000-0x0000000077473000-memory.dmp

Filesize
1.6MB

Download
memory/4392-171-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/4392-172-0x0000000000600000-0x000000000060E000-memory.dmp

Filesize
56KB

Download
memory/4392-173-0x00007FFB6DEF0000-0x00007FFB6E0E5000-memory.dmp

Filesize
2.0MB

Download
memory/4392-174-0x00000000772D0000-0x0000000077473000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads