netwire | 4abbdb512ff25db431e9bca0ad5d65a823087139f2a33078d7bcb1282880d979

Analysis

max time kernel
149s
max time network
47s
platform
windows7_x64
resource
win7-20220414-en
submitted
12-07-2022 12:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ORDER AND SPECIFICATION.exe
Size

837KB
MD5

794c05af4df48c2a3342479fdc4315f8
SHA1

8e4ede8625df7a8df66a25f1db9dab4322c1132e
SHA256

4abbdb512ff25db431e9bca0ad5d65a823087139f2a33078d7bcb1282880d979
SHA512

75bffee8ab66b2bc55dedbbb9d8f9dde9749736dc31f75bb80aa1709613e3a9463c4c2a233a2157f158f1aed3ec7ec740f497b8b8bc69850517214084753f5e0

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

37.0.14.203:3083

Attributes

activex_autorun
false
copy_executable
true
delete_original
false
host_id
HostId-%Rand%
install_path
%AppData%\Install\Host.exe
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Elibee88
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 8 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1760-70-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/1760-71-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/1760-72-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/1760-74-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/1760-75-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/1760-76-0x000000000040242D-mapping.dmp	netwire
behavioral1/memory/1760-79-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/1760-82-0x0000000000400000-0x0000000000433000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 1 IoCs

Processes:

Host.exe

pid process

1648 Host.exe
Loads dropped DLL 6 IoCs

Processes:

ORDER AND SPECIFICATION.exeWerFault.exe

pid process

1760 ORDER AND SPECIFICATION.exe
380 WerFault.exe
380 WerFault.exe
380 WerFault.exe
380 WerFault.exe
380 WerFault.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

ORDER AND SPECIFICATION.exe

description pid process target process

PID 2020 set thread context of 1760 2020 ORDER AND SPECIFICATION.exe ORDER AND SPECIFICATION.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1108 2020 WerFault.exe ORDER AND SPECIFICATION.exe
380 1648 WerFault.exe Host.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1164 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

ORDER AND SPECIFICATION.exepowershell.exe

pid process

2020 ORDER AND SPECIFICATION.exe
2020 ORDER AND SPECIFICATION.exe
1496 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ORDER AND SPECIFICATION.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2020 ORDER AND SPECIFICATION.exe
Token: SeDebugPrivilege 1496 powershell.exe

pid	process
1648	Host.exe

pid	process
1760	ORDER AND SPECIFICATION.exe
380	WerFault.exe
380	WerFault.exe
380	WerFault.exe
380	WerFault.exe
380	WerFault.exe

description	pid	process	target process
PID 2020 set thread context of 1760	2020	ORDER AND SPECIFICATION.exe	ORDER AND SPECIFICATION.exe

pid	pid_target	process	target process
1108	2020	WerFault.exe	ORDER AND SPECIFICATION.exe
380	1648	WerFault.exe	Host.exe

pid	process
1164	schtasks.exe

pid	process
2020	ORDER AND SPECIFICATION.exe
2020	ORDER AND SPECIFICATION.exe
1496	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2020	ORDER AND SPECIFICATION.exe
Token: SeDebugPrivilege	1496	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

ORDER AND SPECIFICATION.exeORDER AND SPECIFICATION.exeHost.exe

description	pid	process	target process
PID 2020 wrote to memory of 1496	2020	ORDER AND SPECIFICATION.exe	powershell.exe
PID 2020 wrote to memory of 1496	2020	ORDER AND SPECIFICATION.exe	powershell.exe
PID 2020 wrote to memory of 1496	2020	ORDER AND SPECIFICATION.exe	powershell.exe
PID 2020 wrote to memory of 1496	2020	ORDER AND SPECIFICATION.exe	powershell.exe
PID 2020 wrote to memory of 1164	2020	ORDER AND SPECIFICATION.exe	schtasks.exe
PID 2020 wrote to memory of 1164	2020	ORDER AND SPECIFICATION.exe	schtasks.exe
PID 2020 wrote to memory of 1164	2020	ORDER AND SPECIFICATION.exe	schtasks.exe
PID 2020 wrote to memory of 1164	2020	ORDER AND SPECIFICATION.exe	schtasks.exe
PID 2020 wrote to memory of 1760	2020	ORDER AND SPECIFICATION.exe	ORDER AND SPECIFICATION.exe
PID 2020 wrote to memory of 1760	2020	ORDER AND SPECIFICATION.exe	ORDER AND SPECIFICATION.exe
PID 2020 wrote to memory of 1760	2020	ORDER AND SPECIFICATION.exe	ORDER AND SPECIFICATION.exe
PID 2020 wrote to memory of 1760	2020	ORDER AND SPECIFICATION.exe	ORDER AND SPECIFICATION.exe
PID 2020 wrote to memory of 1760	2020	ORDER AND SPECIFICATION.exe	ORDER AND SPECIFICATION.exe
PID 2020 wrote to memory of 1760	2020	ORDER AND SPECIFICATION.exe	ORDER AND SPECIFICATION.exe
PID 2020 wrote to memory of 1760	2020	ORDER AND SPECIFICATION.exe	ORDER AND SPECIFICATION.exe
PID 2020 wrote to memory of 1760	2020	ORDER AND SPECIFICATION.exe	ORDER AND SPECIFICATION.exe
PID 2020 wrote to memory of 1760	2020	ORDER AND SPECIFICATION.exe	ORDER AND SPECIFICATION.exe
PID 2020 wrote to memory of 1760	2020	ORDER AND SPECIFICATION.exe	ORDER AND SPECIFICATION.exe
PID 2020 wrote to memory of 1760	2020	ORDER AND SPECIFICATION.exe	ORDER AND SPECIFICATION.exe
PID 2020 wrote to memory of 1760	2020	ORDER AND SPECIFICATION.exe	ORDER AND SPECIFICATION.exe
PID 1760 wrote to memory of 1648	1760	ORDER AND SPECIFICATION.exe	Host.exe
PID 1760 wrote to memory of 1648	1760	ORDER AND SPECIFICATION.exe	Host.exe
PID 1760 wrote to memory of 1648	1760	ORDER AND SPECIFICATION.exe	Host.exe
PID 1760 wrote to memory of 1648	1760	ORDER AND SPECIFICATION.exe	Host.exe
PID 2020 wrote to memory of 1108	2020	ORDER AND SPECIFICATION.exe	WerFault.exe
PID 2020 wrote to memory of 1108	2020	ORDER AND SPECIFICATION.exe	WerFault.exe
PID 2020 wrote to memory of 1108	2020	ORDER AND SPECIFICATION.exe	WerFault.exe
PID 2020 wrote to memory of 1108	2020	ORDER AND SPECIFICATION.exe	WerFault.exe
PID 1648 wrote to memory of 380	1648	Host.exe	WerFault.exe
PID 1648 wrote to memory of 380	1648	Host.exe	WerFault.exe
PID 1648 wrote to memory of 380	1648	Host.exe	WerFault.exe
PID 1648 wrote to memory of 380	1648	Host.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\ORDER AND SPECIFICATION.exe
"C:\Users\Admin\AppData\Local\Temp\ORDER AND SPECIFICATION.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DOKnTYKItugWOC.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1496

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DOKnTYKItugWOC" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7E35.tmp"
2⤵
- Creates scheduled task(s)
PID:1164

C:\Users\Admin\AppData\Local\Temp\ORDER AND SPECIFICATION.exe
"C:\Users\Admin\AppData\Local\Temp\ORDER AND SPECIFICATION.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1760

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 896
4⤵
- Loads dropped DLL
- Program crash
PID:380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 1100
2⤵
- Program crash
PID:1108

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp7E35.tmp

Filesize
1KB

MD5
5b266aa538dbf478c113d6ba8d8a6ea5

SHA1
68ba368804e0beb63d16b0633fa3cef329eb2bd2

SHA256
53c6d73c041c3994a755153690b6f002aafae47bb69226f96cff45dc0341ad00

SHA512
b5d802febfb13469d9c352f4d6d5f35d40047a07e6cf2d4fde2d26ddd3711e035f265af26154b06119f86be1fd7f84cef8983fe460a1aa27d4704a1f4b698522

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
837KB

MD5
794c05af4df48c2a3342479fdc4315f8

SHA1
8e4ede8625df7a8df66a25f1db9dab4322c1132e

SHA256
4abbdb512ff25db431e9bca0ad5d65a823087139f2a33078d7bcb1282880d979

SHA512
75bffee8ab66b2bc55dedbbb9d8f9dde9749736dc31f75bb80aa1709613e3a9463c4c2a233a2157f158f1aed3ec7ec740f497b8b8bc69850517214084753f5e0

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
837KB

MD5
794c05af4df48c2a3342479fdc4315f8

SHA1
8e4ede8625df7a8df66a25f1db9dab4322c1132e

SHA256
4abbdb512ff25db431e9bca0ad5d65a823087139f2a33078d7bcb1282880d979

SHA512
75bffee8ab66b2bc55dedbbb9d8f9dde9749736dc31f75bb80aa1709613e3a9463c4c2a233a2157f158f1aed3ec7ec740f497b8b8bc69850517214084753f5e0

Download Submit
\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
837KB

MD5
794c05af4df48c2a3342479fdc4315f8

SHA1
8e4ede8625df7a8df66a25f1db9dab4322c1132e

SHA256
4abbdb512ff25db431e9bca0ad5d65a823087139f2a33078d7bcb1282880d979

SHA512
75bffee8ab66b2bc55dedbbb9d8f9dde9749736dc31f75bb80aa1709613e3a9463c4c2a233a2157f158f1aed3ec7ec740f497b8b8bc69850517214084753f5e0

Download Submit
\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
837KB

MD5
794c05af4df48c2a3342479fdc4315f8

SHA1
8e4ede8625df7a8df66a25f1db9dab4322c1132e

SHA256
4abbdb512ff25db431e9bca0ad5d65a823087139f2a33078d7bcb1282880d979

SHA512
75bffee8ab66b2bc55dedbbb9d8f9dde9749736dc31f75bb80aa1709613e3a9463c4c2a233a2157f158f1aed3ec7ec740f497b8b8bc69850517214084753f5e0

Download Submit
\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
837KB

MD5
794c05af4df48c2a3342479fdc4315f8

SHA1
8e4ede8625df7a8df66a25f1db9dab4322c1132e

SHA256
4abbdb512ff25db431e9bca0ad5d65a823087139f2a33078d7bcb1282880d979

SHA512
75bffee8ab66b2bc55dedbbb9d8f9dde9749736dc31f75bb80aa1709613e3a9463c4c2a233a2157f158f1aed3ec7ec740f497b8b8bc69850517214084753f5e0

Download Submit
\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
837KB

MD5
794c05af4df48c2a3342479fdc4315f8

SHA1
8e4ede8625df7a8df66a25f1db9dab4322c1132e

SHA256
4abbdb512ff25db431e9bca0ad5d65a823087139f2a33078d7bcb1282880d979

SHA512
75bffee8ab66b2bc55dedbbb9d8f9dde9749736dc31f75bb80aa1709613e3a9463c4c2a233a2157f158f1aed3ec7ec740f497b8b8bc69850517214084753f5e0

Download Submit
\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
837KB

MD5
794c05af4df48c2a3342479fdc4315f8

SHA1
8e4ede8625df7a8df66a25f1db9dab4322c1132e

SHA256
4abbdb512ff25db431e9bca0ad5d65a823087139f2a33078d7bcb1282880d979

SHA512
75bffee8ab66b2bc55dedbbb9d8f9dde9749736dc31f75bb80aa1709613e3a9463c4c2a233a2157f158f1aed3ec7ec740f497b8b8bc69850517214084753f5e0

Download Submit
\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
837KB

MD5
794c05af4df48c2a3342479fdc4315f8

SHA1
8e4ede8625df7a8df66a25f1db9dab4322c1132e

SHA256
4abbdb512ff25db431e9bca0ad5d65a823087139f2a33078d7bcb1282880d979

SHA512
75bffee8ab66b2bc55dedbbb9d8f9dde9749736dc31f75bb80aa1709613e3a9463c4c2a233a2157f158f1aed3ec7ec740f497b8b8bc69850517214084753f5e0

Download Submit
memory/380-91-0x0000000000000000-mapping.dmp

Download
memory/1108-88-0x0000000000000000-mapping.dmp

Download
memory/1164-61-0x0000000000000000-mapping.dmp

Download
memory/1496-60-0x0000000000000000-mapping.dmp

Download
memory/1496-89-0x000000006EE30000-0x000000006F3DB000-memory.dmp

Filesize
5.7MB

Download
memory/1496-87-0x000000006EE30000-0x000000006F3DB000-memory.dmp

Filesize
5.7MB

Download
memory/1648-85-0x0000000000B20000-0x0000000000BF6000-memory.dmp

Filesize
856KB

Download
memory/1648-97-0x0000000004D85000-0x0000000004D96000-memory.dmp

Filesize
68KB

Download
memory/1648-81-0x0000000000000000-mapping.dmp

Download
memory/1760-76-0x000000000040242D-mapping.dmp

Download
memory/1760-68-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1760-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1760-75-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1760-82-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1760-74-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1760-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1760-71-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1760-70-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1760-79-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1760-66-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2020-90-0x0000000004D15000-0x0000000004D26000-memory.dmp

Filesize
68KB

Download
memory/2020-54-0x0000000000880000-0x0000000000956000-memory.dmp

Filesize
856KB

Download
memory/2020-64-0x0000000004820000-0x000000000484E000-memory.dmp

Filesize
184KB

Download
memory/2020-59-0x0000000004D15000-0x0000000004D26000-memory.dmp

Filesize
68KB

Download
memory/2020-58-0x0000000005EE0000-0x0000000005F56000-memory.dmp

Filesize
472KB

Download
memory/2020-57-0x00000000006C0000-0x00000000006CE000-memory.dmp

Filesize
56KB

Download
memory/2020-56-0x0000000000590000-0x00000000005AA000-memory.dmp

Filesize
104KB

Download
memory/2020-55-0x0000000076261000-0x0000000076263000-memory.dmp

Filesize
8KB

Download