netwire | 49e1a16ee8c68203aeb1870e7f73a1ad83434ef95afafe654e08dde6e687cc8e

Analysis

max time kernel
142s
max time network
150s
platform
windows7_x64
resource
win7-20220414-en
submitted
12-07-2022 15:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

49e1a16ee8c68203aeb1870e7f73a1ad83434ef95afafe654e08dde6e687cc8e.exe
Size

143KB
MD5

4181762593fe73ba01f1797126a857ee
SHA1

d7e2fd23ebbcd151a56de54ea8b47c47b419b07e
SHA256

49e1a16ee8c68203aeb1870e7f73a1ad83434ef95afafe654e08dde6e687cc8e
SHA512

b66a0fc4fe35c624b09ba17e79c64ac2ca603dae270ea1c70a13e59d865ed3f4e535f27ea40653a9fe12a20ff9e86a270994d597f7cdb4460547b224c820017d

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Signatures

NetWire RAT payload 8 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2024-63-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/2024-65-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/2024-66-0x00000000004021DA-mapping.dmp	netwire
behavioral1/memory/2024-69-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/2024-71-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/776-91-0x00000000004021DA-mapping.dmp	netwire
behavioral1/memory/776-96-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/776-97-0x0000000000400000-0x000000000041E000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

Notepad.exeNotepad.exe

pid process

2032 Notepad.exe
776 Notepad.exe

pid	process
2032	Notepad.exe
776	Notepad.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Notepad.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{IGXB136N-WP56-42I3-3EN8-85A00571YU01}	Notepad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{IGXB136N-WP56-42I3-3EN8-85A00571YU01}\StubPath = "\"C:\\Users\\Admin\\AppData\\Roaming\\Install\\Notepad.exe\""	Notepad.exe

Loads dropped DLL 5 IoCs

Processes:

49e1a16ee8c68203aeb1870e7f73a1ad83434ef95afafe654e08dde6e687cc8e.exe49e1a16ee8c68203aeb1870e7f73a1ad83434ef95afafe654e08dde6e687cc8e.exeNotepad.exe

pid	process
924	49e1a16ee8c68203aeb1870e7f73a1ad83434ef95afafe654e08dde6e687cc8e.exe
924	49e1a16ee8c68203aeb1870e7f73a1ad83434ef95afafe654e08dde6e687cc8e.exe
2024	49e1a16ee8c68203aeb1870e7f73a1ad83434ef95afafe654e08dde6e687cc8e.exe
2032	Notepad.exe
2032	Notepad.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Notepad.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	Notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\Notepad = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\Notepad.exe"	Notepad.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

49e1a16ee8c68203aeb1870e7f73a1ad83434ef95afafe654e08dde6e687cc8e.exeNotepad.exe

description	pid	process	target process
PID 924 set thread context of 2024	924	49e1a16ee8c68203aeb1870e7f73a1ad83434ef95afafe654e08dde6e687cc8e.exe	49e1a16ee8c68203aeb1870e7f73a1ad83434ef95afafe654e08dde6e687cc8e.exe
PID 2032 set thread context of 776	2032	Notepad.exe	Notepad.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 8 IoCs

installer

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\Install\Notepad.exe	nsis_installer_1
\Users\Admin\AppData\Roaming\Install\Notepad.exe	nsis_installer_2
C:\Users\Admin\AppData\Roaming\Install\Notepad.exe	nsis_installer_1
C:\Users\Admin\AppData\Roaming\Install\Notepad.exe	nsis_installer_2
C:\Users\Admin\AppData\Roaming\Install\Notepad.exe	nsis_installer_1
C:\Users\Admin\AppData\Roaming\Install\Notepad.exe	nsis_installer_2
C:\Users\Admin\AppData\Roaming\Install\Notepad.exe	nsis_installer_1
C:\Users\Admin\AppData\Roaming\Install\Notepad.exe	nsis_installer_2

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

49e1a16ee8c68203aeb1870e7f73a1ad83434ef95afafe654e08dde6e687cc8e.exe49e1a16ee8c68203aeb1870e7f73a1ad83434ef95afafe654e08dde6e687cc8e.exeNotepad.exe

description	pid	process	target process
PID 924 wrote to memory of 2024	924	49e1a16ee8c68203aeb1870e7f73a1ad83434ef95afafe654e08dde6e687cc8e.exe	49e1a16ee8c68203aeb1870e7f73a1ad83434ef95afafe654e08dde6e687cc8e.exe
PID 924 wrote to memory of 2024	924	49e1a16ee8c68203aeb1870e7f73a1ad83434ef95afafe654e08dde6e687cc8e.exe	49e1a16ee8c68203aeb1870e7f73a1ad83434ef95afafe654e08dde6e687cc8e.exe
PID 924 wrote to memory of 2024	924	49e1a16ee8c68203aeb1870e7f73a1ad83434ef95afafe654e08dde6e687cc8e.exe	49e1a16ee8c68203aeb1870e7f73a1ad83434ef95afafe654e08dde6e687cc8e.exe
PID 924 wrote to memory of 2024	924	49e1a16ee8c68203aeb1870e7f73a1ad83434ef95afafe654e08dde6e687cc8e.exe	49e1a16ee8c68203aeb1870e7f73a1ad83434ef95afafe654e08dde6e687cc8e.exe
PID 924 wrote to memory of 2024	924	49e1a16ee8c68203aeb1870e7f73a1ad83434ef95afafe654e08dde6e687cc8e.exe	49e1a16ee8c68203aeb1870e7f73a1ad83434ef95afafe654e08dde6e687cc8e.exe
PID 924 wrote to memory of 2024	924	49e1a16ee8c68203aeb1870e7f73a1ad83434ef95afafe654e08dde6e687cc8e.exe	49e1a16ee8c68203aeb1870e7f73a1ad83434ef95afafe654e08dde6e687cc8e.exe
PID 924 wrote to memory of 2024	924	49e1a16ee8c68203aeb1870e7f73a1ad83434ef95afafe654e08dde6e687cc8e.exe	49e1a16ee8c68203aeb1870e7f73a1ad83434ef95afafe654e08dde6e687cc8e.exe
PID 924 wrote to memory of 2024	924	49e1a16ee8c68203aeb1870e7f73a1ad83434ef95afafe654e08dde6e687cc8e.exe	49e1a16ee8c68203aeb1870e7f73a1ad83434ef95afafe654e08dde6e687cc8e.exe
PID 924 wrote to memory of 2024	924	49e1a16ee8c68203aeb1870e7f73a1ad83434ef95afafe654e08dde6e687cc8e.exe	49e1a16ee8c68203aeb1870e7f73a1ad83434ef95afafe654e08dde6e687cc8e.exe
PID 2024 wrote to memory of 2032	2024	49e1a16ee8c68203aeb1870e7f73a1ad83434ef95afafe654e08dde6e687cc8e.exe	Notepad.exe
PID 2024 wrote to memory of 2032	2024	49e1a16ee8c68203aeb1870e7f73a1ad83434ef95afafe654e08dde6e687cc8e.exe	Notepad.exe
PID 2024 wrote to memory of 2032	2024	49e1a16ee8c68203aeb1870e7f73a1ad83434ef95afafe654e08dde6e687cc8e.exe	Notepad.exe
PID 2024 wrote to memory of 2032	2024	49e1a16ee8c68203aeb1870e7f73a1ad83434ef95afafe654e08dde6e687cc8e.exe	Notepad.exe
PID 2032 wrote to memory of 776	2032	Notepad.exe	Notepad.exe
PID 2032 wrote to memory of 776	2032	Notepad.exe	Notepad.exe
PID 2032 wrote to memory of 776	2032	Notepad.exe	Notepad.exe
PID 2032 wrote to memory of 776	2032	Notepad.exe	Notepad.exe
PID 2032 wrote to memory of 776	2032	Notepad.exe	Notepad.exe
PID 2032 wrote to memory of 776	2032	Notepad.exe	Notepad.exe
PID 2032 wrote to memory of 776	2032	Notepad.exe	Notepad.exe
PID 2032 wrote to memory of 776	2032	Notepad.exe	Notepad.exe
PID 2032 wrote to memory of 776	2032	Notepad.exe	Notepad.exe

C:\Users\Admin\AppData\Local\Temp\49e1a16ee8c68203aeb1870e7f73a1ad83434ef95afafe654e08dde6e687cc8e.exe
"C:\Users\Admin\AppData\Local\Temp\49e1a16ee8c68203aeb1870e7f73a1ad83434ef95afafe654e08dde6e687cc8e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:924

C:\Users\Admin\AppData\Local\Temp\49e1a16ee8c68203aeb1870e7f73a1ad83434ef95afafe654e08dde6e687cc8e.exe
C:\Users\Admin\AppData\Local\Temp\49e1a16ee8c68203aeb1870e7f73a1ad83434ef95afafe654e08dde6e687cc8e.exe
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2024

C:\Users\Admin\AppData\Roaming\Install\Notepad.exe
"C:\Users\Admin\AppData\Roaming\Install\Notepad.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2032

C:\Users\Admin\AppData\Roaming\Install\Notepad.exe
C:\Users\Admin\AppData\Roaming\Install\Notepad.exe
4⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
PID:776

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\System.dll

Filesize
11KB

MD5
883eff06ac96966270731e4e22817e11

SHA1
523c87c98236cbc04430e87ec19b977595092ac8

SHA256
44e5dfd551b38e886214bd6b9c8ee913c4c4d1f085a6575d97c3e892b925da82

SHA512
60333253342476911c84bbc1d9bf8a29f811207787fdd6107dce8d2b6e031669303f28133ffc811971ed7792087fe90fb1faabc0af4e91c298ba51e28109a390

Download Submit
C:\Users\Admin\AppData\Local\Temp\TopshellPhylogeny

Filesize
1KB

MD5
570b337f0d023cd422cf43d857208733

SHA1
1bfd6b156ba5d4cfea6d99230722add68c237ec0

SHA256
94c17eb9ad43f6ba026f307745c1d16c2eefee302c09184d8428f3b56f5001f0

SHA512
633a6287c7d6370f2268cd681a484507adcee2ab8079f3549d98906065d6076b54ebaa876732ca3371517d4e10d41ba615724128d3bc7608a7967c57c7552dc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\freezers.dll

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\htmlhelp.button.jump2.url.xml

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Notepad.exe

Filesize
143KB

MD5
4181762593fe73ba01f1797126a857ee

SHA1
d7e2fd23ebbcd151a56de54ea8b47c47b419b07e

SHA256
49e1a16ee8c68203aeb1870e7f73a1ad83434ef95afafe654e08dde6e687cc8e

SHA512
b66a0fc4fe35c624b09ba17e79c64ac2ca603dae270ea1c70a13e59d865ed3f4e535f27ea40653a9fe12a20ff9e86a270994d597f7cdb4460547b224c820017d

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Notepad.exe

Filesize
143KB

MD5
4181762593fe73ba01f1797126a857ee

SHA1
d7e2fd23ebbcd151a56de54ea8b47c47b419b07e

SHA256
49e1a16ee8c68203aeb1870e7f73a1ad83434ef95afafe654e08dde6e687cc8e

SHA512
b66a0fc4fe35c624b09ba17e79c64ac2ca603dae270ea1c70a13e59d865ed3f4e535f27ea40653a9fe12a20ff9e86a270994d597f7cdb4460547b224c820017d

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Notepad.exe

Filesize
143KB

MD5
4181762593fe73ba01f1797126a857ee

SHA1
d7e2fd23ebbcd151a56de54ea8b47c47b419b07e

SHA256
49e1a16ee8c68203aeb1870e7f73a1ad83434ef95afafe654e08dde6e687cc8e

SHA512
b66a0fc4fe35c624b09ba17e79c64ac2ca603dae270ea1c70a13e59d865ed3f4e535f27ea40653a9fe12a20ff9e86a270994d597f7cdb4460547b224c820017d

Download Submit
\Users\Admin\AppData\Local\Temp\System.dll

Filesize
11KB

MD5
883eff06ac96966270731e4e22817e11

SHA1
523c87c98236cbc04430e87ec19b977595092ac8

SHA256
44e5dfd551b38e886214bd6b9c8ee913c4c4d1f085a6575d97c3e892b925da82

SHA512
60333253342476911c84bbc1d9bf8a29f811207787fdd6107dce8d2b6e031669303f28133ffc811971ed7792087fe90fb1faabc0af4e91c298ba51e28109a390

Download Submit
\Users\Admin\AppData\Local\Temp\System.dll

Filesize
11KB

MD5
883eff06ac96966270731e4e22817e11

SHA1
523c87c98236cbc04430e87ec19b977595092ac8

SHA256
44e5dfd551b38e886214bd6b9c8ee913c4c4d1f085a6575d97c3e892b925da82

SHA512
60333253342476911c84bbc1d9bf8a29f811207787fdd6107dce8d2b6e031669303f28133ffc811971ed7792087fe90fb1faabc0af4e91c298ba51e28109a390

Download Submit
\Users\Admin\AppData\Local\Temp\freezers.dll

Filesize
72KB

MD5
c752300c1fc342b351fc6a2f7d0983ff

SHA1
0c2aee8f87d64c6e33b08c7a8a1b9067e6105d97

SHA256
e0cd14e8dbc426db7878669b017b632bc1e276af2c6536a84bb8ccfbf690c3fb

SHA512
a0ea8e43810a7f759dd52dfca6b4a73fa3fb4d136e32917b2d992fdad26016056f9e945755ead3e028d12dbee677ac6c831d76de7b84a2176fd30c0634a909b9

Download Submit
\Users\Admin\AppData\Local\Temp\freezers.dll

Filesize
72KB

MD5
c752300c1fc342b351fc6a2f7d0983ff

SHA1
0c2aee8f87d64c6e33b08c7a8a1b9067e6105d97

SHA256
e0cd14e8dbc426db7878669b017b632bc1e276af2c6536a84bb8ccfbf690c3fb

SHA512
a0ea8e43810a7f759dd52dfca6b4a73fa3fb4d136e32917b2d992fdad26016056f9e945755ead3e028d12dbee677ac6c831d76de7b84a2176fd30c0634a909b9

Download Submit
\Users\Admin\AppData\Roaming\Install\Notepad.exe

Filesize
143KB

MD5
4181762593fe73ba01f1797126a857ee

SHA1
d7e2fd23ebbcd151a56de54ea8b47c47b419b07e

SHA256
49e1a16ee8c68203aeb1870e7f73a1ad83434ef95afafe654e08dde6e687cc8e

SHA512
b66a0fc4fe35c624b09ba17e79c64ac2ca603dae270ea1c70a13e59d865ed3f4e535f27ea40653a9fe12a20ff9e86a270994d597f7cdb4460547b224c820017d

Download Submit
memory/776-97-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/776-96-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/776-91-0x00000000004021DA-mapping.dmp

Download
memory/924-54-0x00000000761F1000-0x00000000761F3000-memory.dmp

Filesize
8KB

Download
memory/2024-61-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2024-59-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2024-63-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2024-71-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2024-69-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2024-66-0x00000000004021DA-mapping.dmp

Download
memory/2024-65-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2024-58-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2032-72-0x0000000000000000-mapping.dmp

Download
memory/2032-82-0x0000000000480000-0x0000000000492000-memory.dmp

Filesize
72KB

Download