netwire | d8a894ca9c345df1256919aea2edf37ad3f85abb0438583edbbb80e1d607a011

Resubmissions

11-07-2022 14:58

220711-sck4nsabfm 10

04-07-2022 07:43

220704-jj8zmsfdcj 10

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
11-07-2022 14:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

INV00683.xll
Size

3.4MB
MD5

ff550b5bce8ec18d844cc314b74b5b1f
SHA1

df4915ca11e7ab294c81497180f3a761bde4ceda
SHA256

d8a894ca9c345df1256919aea2edf37ad3f85abb0438583edbbb80e1d607a011
SHA512

25b42bf8eaf69c1de25c8ab90cbbf0566cddb57751a81b10d1b6196ce7ebcf1de7f6b4742eefceab70957ceea3163287ea50c7b0c0774138a023c2a2feaed87b

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Language

xlm4.0

Source

Extracted

Family

netwire

194.5.98.126:3378

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Pass@2023
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3308-167-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral2/memory/3308-170-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral2/memory/3308-173-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral2/memory/3308-185-0x0000000000400000-0x0000000000433000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.execmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4464	4676	cmd.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1176	4676	cmd.exe	EXCEL.EXE

Executes dropped EXE 2 IoCs

Processes:

appVNBAFMYOUN.txt.exeappVNBAFMYOUN.txt.exe

pid process

1072 appVNBAFMYOUN.txt.exe
3308 appVNBAFMYOUN.txt.exe

pid	process
1072	appVNBAFMYOUN.txt.exe
3308	appVNBAFMYOUN.txt.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

appVNBAFMYOUN.txt.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	appVNBAFMYOUN.txt.exe

Loads dropped DLL 2 IoCs

Processes:

EXCEL.EXE

pid process

4676 EXCEL.EXE
4676 EXCEL.EXE
Suspicious use of SetThreadContext 1 IoCs

Processes:

appVNBAFMYOUN.txt.exe

description pid process target process

PID 1072 set thread context of 3308 1072 appVNBAFMYOUN.txt.exe appVNBAFMYOUN.txt.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 1072 set thread context of 3308	1072	appVNBAFMYOUN.txt.exe	appVNBAFMYOUN.txt.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4172 schtasks.exe

pid	process
4172	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

4676 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

2616 powershell.exe
2616 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2616 powershell.exe

pid	process
2616	powershell.exe
2616	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2616	powershell.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXE

pid	process
4676	EXCEL.EXE
4676	EXCEL.EXE
4676	EXCEL.EXE
4676	EXCEL.EXE
4676	EXCEL.EXE
4676	EXCEL.EXE
4676	EXCEL.EXE
4676	EXCEL.EXE
4676	EXCEL.EXE
4676	EXCEL.EXE
4676	EXCEL.EXE
4676	EXCEL.EXE

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

EXCEL.EXEcmd.execmd.exeappVNBAFMYOUN.txt.exe

description	pid	process	target process
PID 4676 wrote to memory of 4464	4676	EXCEL.EXE	cmd.exe
PID 4676 wrote to memory of 4464	4676	EXCEL.EXE	cmd.exe
PID 4464 wrote to memory of 3300	4464	cmd.exe	certutil.exe
PID 4464 wrote to memory of 3300	4464	cmd.exe	certutil.exe
PID 4676 wrote to memory of 1176	4676	EXCEL.EXE	cmd.exe
PID 4676 wrote to memory of 1176	4676	EXCEL.EXE	cmd.exe
PID 1176 wrote to memory of 3120	1176	cmd.exe	certutil.exe
PID 1176 wrote to memory of 3120	1176	cmd.exe	certutil.exe
PID 1176 wrote to memory of 1072	1176	cmd.exe	appVNBAFMYOUN.txt.exe
PID 1176 wrote to memory of 1072	1176	cmd.exe	appVNBAFMYOUN.txt.exe
PID 1176 wrote to memory of 1072	1176	cmd.exe	appVNBAFMYOUN.txt.exe
PID 1072 wrote to memory of 2616	1072	appVNBAFMYOUN.txt.exe	powershell.exe
PID 1072 wrote to memory of 2616	1072	appVNBAFMYOUN.txt.exe	powershell.exe
PID 1072 wrote to memory of 2616	1072	appVNBAFMYOUN.txt.exe	powershell.exe
PID 1072 wrote to memory of 4172	1072	appVNBAFMYOUN.txt.exe	schtasks.exe
PID 1072 wrote to memory of 4172	1072	appVNBAFMYOUN.txt.exe	schtasks.exe
PID 1072 wrote to memory of 4172	1072	appVNBAFMYOUN.txt.exe	schtasks.exe
PID 1072 wrote to memory of 3308	1072	appVNBAFMYOUN.txt.exe	appVNBAFMYOUN.txt.exe
PID 1072 wrote to memory of 3308	1072	appVNBAFMYOUN.txt.exe	appVNBAFMYOUN.txt.exe
PID 1072 wrote to memory of 3308	1072	appVNBAFMYOUN.txt.exe	appVNBAFMYOUN.txt.exe
PID 1072 wrote to memory of 3308	1072	appVNBAFMYOUN.txt.exe	appVNBAFMYOUN.txt.exe
PID 1072 wrote to memory of 3308	1072	appVNBAFMYOUN.txt.exe	appVNBAFMYOUN.txt.exe
PID 1072 wrote to memory of 3308	1072	appVNBAFMYOUN.txt.exe	appVNBAFMYOUN.txt.exe
PID 1072 wrote to memory of 3308	1072	appVNBAFMYOUN.txt.exe	appVNBAFMYOUN.txt.exe
PID 1072 wrote to memory of 3308	1072	appVNBAFMYOUN.txt.exe	appVNBAFMYOUN.txt.exe
PID 1072 wrote to memory of 3308	1072	appVNBAFMYOUN.txt.exe	appVNBAFMYOUN.txt.exe
PID 1072 wrote to memory of 3308	1072	appVNBAFMYOUN.txt.exe	appVNBAFMYOUN.txt.exe
PID 1072 wrote to memory of 3308	1072	appVNBAFMYOUN.txt.exe	appVNBAFMYOUN.txt.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\INV00683.xll"
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4676

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C certutil -decode C:\Users\Admin\Downloads\appVNBAFMYOUN.txt C:\Users\Admin\Downloads\appVNBAFMYOUN.txt.xlsx
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:4464

C:\Windows\system32\certutil.exe
certutil -decode C:\Users\Admin\Downloads\appVNBAFMYOUN.txt C:\Users\Admin\Downloads\appVNBAFMYOUN.txt.xlsx
3⤵
PID:3300

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C certutil -decode C:\Users\Admin\Downloads\appVNBAFMYOUN.txt C:\Users\Admin\Downloads\appVNBAFMYOUN.txt.exe & C:\Users\Admin\Downloads\appVNBAFMYOUN.txt.exe
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1176

C:\Windows\system32\certutil.exe
certutil -decode C:\Users\Admin\Downloads\appVNBAFMYOUN.txt C:\Users\Admin\Downloads\appVNBAFMYOUN.txt.exe
3⤵
PID:3120

C:\Users\Admin\Downloads\appVNBAFMYOUN.txt.exe
C:\Users\Admin\Downloads\appVNBAFMYOUN.txt.exe
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1072

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\sHxWxu.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2616

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sHxWxu" /XML "C:\Users\Admin\AppData\Local\Temp\tmp472B.tmp"
4⤵
- Creates scheduled task(s)
PID:4172

C:\Users\Admin\Downloads\appVNBAFMYOUN.txt.exe
"C:\Users\Admin\Downloads\appVNBAFMYOUN.txt.exe"
4⤵
- Executes dropped EXE
PID:3308

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\INV00683.xll

Filesize
3.4MB

MD5
ff550b5bce8ec18d844cc314b74b5b1f

SHA1
df4915ca11e7ab294c81497180f3a761bde4ceda

SHA256
d8a894ca9c345df1256919aea2edf37ad3f85abb0438583edbbb80e1d607a011

SHA512
25b42bf8eaf69c1de25c8ab90cbbf0566cddb57751a81b10d1b6196ce7ebcf1de7f6b4742eefceab70957ceea3163287ea50c7b0c0774138a023c2a2feaed87b

Download Submit
C:\Users\Admin\AppData\Local\Temp\INV00683.xll

Filesize
3.4MB

MD5
ff550b5bce8ec18d844cc314b74b5b1f

SHA1
df4915ca11e7ab294c81497180f3a761bde4ceda

SHA256
d8a894ca9c345df1256919aea2edf37ad3f85abb0438583edbbb80e1d607a011

SHA512
25b42bf8eaf69c1de25c8ab90cbbf0566cddb57751a81b10d1b6196ce7ebcf1de7f6b4742eefceab70957ceea3163287ea50c7b0c0774138a023c2a2feaed87b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp472B.tmp

Filesize
1KB

MD5
3f9640df2c49831b0039daec9b560254

SHA1
587f6ffed579f0cc05381afb51c052fd4ea92f01

SHA256
93b48037d45e83e8da3e632766eac758acad9acbfc86933b0d498e892da007b9

SHA512
678d650b214f9590c1b913b2c9fd9e3d03b79d33880cf6786a3c98baef2eff06bcf570d8e6ec8e74112de00734bcc7e01db914bde2f4862d8fcb20fba9081df9

Download Submit
C:\Users\Admin\Downloads\appVNBAFMYOUN.txt

Filesize
57KB

MD5
3bf777b958059b015e552c1fb0a153c1

SHA1
dcc21ff8bb10a2cccca322d04db740f6bc5f411d

SHA256
7a59d3b1d56a7776f0534f84497162965c24d3423fbe4d19569ae20debeccbf5

SHA512
91a5f31ada101554e6f4e55cbd661cae31b92775978d7db048319ed21b1300243b092e0df23758642bf35a383a284cc34b52901bd58c5e8bc8c022b54dbb1a78

Download Submit
C:\Users\Admin\Downloads\appVNBAFMYOUN.txt

Filesize
1.6MB

MD5
1223bfd95ce9b01f30801dcf47364088

SHA1
ba219ae0117187ad4a901bde649419bfeea5302d

SHA256
8076dc55bd7381db44125636b33592763cca8e278ff133f239330b062aadb270

SHA512
38f161e3ff19f1eee44ea0c13f3dc11e08f40b9df19fb4547d5f890947c3585d54fca4bc8061efe664d95e5f5e599f6423f9253df2eb458c706de49512e601c5

Download Submit
C:\Users\Admin\Downloads\appVNBAFMYOUN.txt.exe

Filesize
618KB

MD5
048029701f16462b0eed045a8f03d847

SHA1
7107d79efde6f6781b5f8aef4cb8948c9d843c97

SHA256
02f321bc1e2a341811b45f78fac061a72cba9b777331a794d39bde2d21a1fe6e

SHA512
f0ca7317dd2f15806874cad798c376bdc21d1ff441898158739a4659985d827e3e959a8a9f244339a56a21b79b9a01496fa16e4e738fd719f71aeaa5f7b9b79c

Download Submit
C:\Users\Admin\Downloads\appVNBAFMYOUN.txt.exe

Filesize
618KB

MD5
048029701f16462b0eed045a8f03d847

SHA1
7107d79efde6f6781b5f8aef4cb8948c9d843c97

SHA256
02f321bc1e2a341811b45f78fac061a72cba9b777331a794d39bde2d21a1fe6e

SHA512
f0ca7317dd2f15806874cad798c376bdc21d1ff441898158739a4659985d827e3e959a8a9f244339a56a21b79b9a01496fa16e4e738fd719f71aeaa5f7b9b79c

Download Submit
C:\Users\Admin\Downloads\appVNBAFMYOUN.txt.exe

Filesize
618KB

MD5
048029701f16462b0eed045a8f03d847

SHA1
7107d79efde6f6781b5f8aef4cb8948c9d843c97

SHA256
02f321bc1e2a341811b45f78fac061a72cba9b777331a794d39bde2d21a1fe6e

SHA512
f0ca7317dd2f15806874cad798c376bdc21d1ff441898158739a4659985d827e3e959a8a9f244339a56a21b79b9a01496fa16e4e738fd719f71aeaa5f7b9b79c

Download Submit
C:\Users\Admin\Downloads\appVNBAFMYOUN.txt.xlsx

Filesize
43KB

MD5
287e0b1bd13fbdca2aa0baf624e04901

SHA1
20f0976f0882d61f77c78cf27b1124e16946040c

SHA256
c1ea924fc0fa2f07be75b263c5d624740e8f0a59e7fd24d1c90b620b97f02432

SHA512
4cbf9faa72ccbbeca9995c4970a49cb762f44a659e46169a5418bff1e883a63d84713dc1fe016ac139e64347f8f7e48796c92801b3da359fe10702e13850b5cb

Download Submit
memory/1072-160-0x0000000009A60000-0x0000000009AC6000-memory.dmp

Filesize
408KB

Download
memory/1072-150-0x0000000000000000-mapping.dmp

Download
memory/1072-159-0x0000000009850000-0x00000000098EC000-memory.dmp

Filesize
624KB

Download
memory/1072-156-0x00000000058C0000-0x00000000058CA000-memory.dmp

Filesize
40KB

Download
memory/1072-155-0x00000000058D0000-0x0000000005962000-memory.dmp

Filesize
584KB

Download
memory/1072-154-0x0000000005DE0000-0x0000000006384000-memory.dmp

Filesize
5.6MB

Download
memory/1072-153-0x0000000000E80000-0x0000000000F20000-memory.dmp

Filesize
640KB

Download
memory/1176-147-0x0000000000000000-mapping.dmp

Download
memory/2616-166-0x00000000054A0000-0x0000000005AC8000-memory.dmp

Filesize
6.2MB

Download
memory/2616-180-0x00000000076A0000-0x00000000076AA000-memory.dmp

Filesize
40KB

Download
memory/2616-184-0x0000000007940000-0x0000000007948000-memory.dmp

Filesize
32KB

Download
memory/2616-183-0x0000000007960000-0x000000000797A000-memory.dmp

Filesize
104KB

Download
memory/2616-182-0x0000000007850000-0x000000000785E000-memory.dmp

Filesize
56KB

Download
memory/2616-181-0x00000000078A0000-0x0000000007936000-memory.dmp

Filesize
600KB

Download
memory/2616-179-0x0000000007620000-0x000000000763A000-memory.dmp

Filesize
104KB

Download
memory/2616-178-0x0000000007C70000-0x00000000082EA000-memory.dmp

Filesize
6.5MB

Download
memory/2616-177-0x00000000068C0000-0x00000000068DE000-memory.dmp

Filesize
120KB

Download
memory/2616-176-0x00000000713B0000-0x00000000713FC000-memory.dmp

Filesize
304KB

Download
memory/2616-175-0x00000000068E0000-0x0000000006912000-memory.dmp

Filesize
200KB

Download
memory/2616-174-0x0000000006320000-0x000000000633E000-memory.dmp

Filesize
120KB

Download
memory/2616-172-0x0000000005C40000-0x0000000005CA6000-memory.dmp

Filesize
408KB

Download
memory/2616-161-0x0000000000000000-mapping.dmp

Download
memory/2616-171-0x0000000005370000-0x0000000005392000-memory.dmp

Filesize
136KB

Download
memory/2616-163-0x0000000002A20000-0x0000000002A56000-memory.dmp

Filesize
216KB

Download
memory/3120-148-0x0000000000000000-mapping.dmp

Download
memory/3300-144-0x0000000000000000-mapping.dmp

Download
memory/3308-173-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3308-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3308-167-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3308-165-0x0000000000000000-mapping.dmp

Download
memory/3308-170-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4172-162-0x0000000000000000-mapping.dmp

Download
memory/4464-143-0x0000000000000000-mapping.dmp

Download
memory/4676-133-0x00007FFD89370000-0x00007FFD89380000-memory.dmp

Filesize
64KB

Download
memory/4676-130-0x00007FFD89370000-0x00007FFD89380000-memory.dmp

Filesize
64KB

Download
memory/4676-142-0x0000027B164CC000-0x0000027B164CF000-memory.dmp

Filesize
12KB

Download
memory/4676-132-0x00007FFD89370000-0x00007FFD89380000-memory.dmp

Filesize
64KB

Download
memory/4676-134-0x00007FFD89370000-0x00007FFD89380000-memory.dmp

Filesize
64KB

Download
memory/4676-138-0x0000027B159F0000-0x0000027B15D78000-memory.dmp

Filesize
3.5MB

Download
memory/4676-135-0x00007FFD86CE0000-0x00007FFD86CF0000-memory.dmp

Filesize
64KB

Download
memory/4676-131-0x00007FFD89370000-0x00007FFD89380000-memory.dmp

Filesize
64KB

Download
memory/4676-157-0x00007FFDA0920000-0x00007FFDA13E1000-memory.dmp

Filesize
10.8MB

Download
memory/4676-158-0x0000027B164CC000-0x0000027B164CF000-memory.dmp

Filesize
12KB

Download
memory/4676-136-0x00007FFD86CE0000-0x00007FFD86CF0000-memory.dmp

Filesize
64KB

Download
memory/4676-141-0x00007FFDA0920000-0x00007FFDA13E1000-memory.dmp

Filesize
10.8MB

Download
memory/4676-187-0x00007FFD89370000-0x00007FFD89380000-memory.dmp

Filesize
64KB

Download
memory/4676-188-0x00007FFD89370000-0x00007FFD89380000-memory.dmp

Filesize
64KB

Download
memory/4676-189-0x00007FFD89370000-0x00007FFD89380000-memory.dmp

Filesize
64KB

Download
memory/4676-190-0x00007FFD89370000-0x00007FFD89380000-memory.dmp

Filesize
64KB

Download
memory/4676-191-0x00007FFDA0920000-0x00007FFDA13E1000-memory.dmp

Filesize
10.8MB

Download