netwire | be3dd3aea40216ce3f0a8427cef56e288bbbea5718983905adbc827dd79b3d80

General

Target

SPECIFICATION AND PURCHASE ORDER.exe
Size

812KB
MD5

d07de9673f83a9d2a8726902a324e9b6
SHA1

757006cbc6e8f1c0d51cb24de633ead08585482f
SHA256

be3dd3aea40216ce3f0a8427cef56e288bbbea5718983905adbc827dd79b3d80
SHA512

b56c6062d9817cfe783839a256f713a56be1968974f82ab25062d4bb0cbf2ab8201058bd96c4c66fc26def7b702d4d82b882154412e13dfd78c6c818d6b067da

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

C2

37.0.14.203:3083

Attributes

activex_autorun
false
copy_executable
true
delete_original
false
host_id
HostId-%Rand%
install_path
%AppData%\Install\Host.exe
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Elibee88
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 11 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/520-70-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/520-71-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/520-72-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/520-74-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/520-76-0x000000000040242D-mapping.dmp	netwire
behavioral1/memory/520-75-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/520-79-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/520-83-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/1712-104-0x000000000040242D-mapping.dmp	netwire
behavioral1/memory/1712-108-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/1712-110-0x0000000000400000-0x0000000000433000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

Host.exeHost.exe

pid process

1932 Host.exe
1712 Host.exe
Loads dropped DLL 1 IoCs

Processes:

SPECIFICATION AND PURCHASE ORDER.exe

pid process

520 SPECIFICATION AND PURCHASE ORDER.exe

pid	process
1932	Host.exe
1712	Host.exe

pid	process
520	SPECIFICATION AND PURCHASE ORDER.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

SPECIFICATION AND PURCHASE ORDER.exeHost.exe

description	pid	process	target process
PID 2016 set thread context of 520	2016	SPECIFICATION AND PURCHASE ORDER.exe	SPECIFICATION AND PURCHASE ORDER.exe
PID 1932 set thread context of 1712	1932	Host.exe	Host.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2032 schtasks.exe
1544 schtasks.exe

pid	process
2032	schtasks.exe
1544	schtasks.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

SPECIFICATION AND PURCHASE ORDER.exepowershell.exeHost.exepowershell.exe

pid	process
2016	SPECIFICATION AND PURCHASE ORDER.exe
2016	SPECIFICATION AND PURCHASE ORDER.exe
2016	SPECIFICATION AND PURCHASE ORDER.exe
2016	SPECIFICATION AND PURCHASE ORDER.exe
2016	SPECIFICATION AND PURCHASE ORDER.exe
2016	SPECIFICATION AND PURCHASE ORDER.exe
2016	SPECIFICATION AND PURCHASE ORDER.exe
2016	SPECIFICATION AND PURCHASE ORDER.exe
2016	SPECIFICATION AND PURCHASE ORDER.exe
2016	SPECIFICATION AND PURCHASE ORDER.exe
2016	SPECIFICATION AND PURCHASE ORDER.exe
1320	powershell.exe
1932	Host.exe
580	powershell.exe
1932	Host.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

SPECIFICATION AND PURCHASE ORDER.exepowershell.exeHost.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2016	SPECIFICATION AND PURCHASE ORDER.exe
Token: SeDebugPrivilege	1320	powershell.exe
Token: SeDebugPrivilege	1932	Host.exe
Token: SeDebugPrivilege	580	powershell.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

SPECIFICATION AND PURCHASE ORDER.exeSPECIFICATION AND PURCHASE ORDER.exeHost.exe

description	pid	process	target process
PID 2016 wrote to memory of 1320	2016	SPECIFICATION AND PURCHASE ORDER.exe	powershell.exe
PID 2016 wrote to memory of 1320	2016	SPECIFICATION AND PURCHASE ORDER.exe	powershell.exe
PID 2016 wrote to memory of 1320	2016	SPECIFICATION AND PURCHASE ORDER.exe	powershell.exe
PID 2016 wrote to memory of 1320	2016	SPECIFICATION AND PURCHASE ORDER.exe	powershell.exe
PID 2016 wrote to memory of 2032	2016	SPECIFICATION AND PURCHASE ORDER.exe	schtasks.exe
PID 2016 wrote to memory of 2032	2016	SPECIFICATION AND PURCHASE ORDER.exe	schtasks.exe
PID 2016 wrote to memory of 2032	2016	SPECIFICATION AND PURCHASE ORDER.exe	schtasks.exe
PID 2016 wrote to memory of 2032	2016	SPECIFICATION AND PURCHASE ORDER.exe	schtasks.exe
PID 2016 wrote to memory of 520	2016	SPECIFICATION AND PURCHASE ORDER.exe	SPECIFICATION AND PURCHASE ORDER.exe
PID 2016 wrote to memory of 520	2016	SPECIFICATION AND PURCHASE ORDER.exe	SPECIFICATION AND PURCHASE ORDER.exe
PID 2016 wrote to memory of 520	2016	SPECIFICATION AND PURCHASE ORDER.exe	SPECIFICATION AND PURCHASE ORDER.exe
PID 2016 wrote to memory of 520	2016	SPECIFICATION AND PURCHASE ORDER.exe	SPECIFICATION AND PURCHASE ORDER.exe
PID 2016 wrote to memory of 520	2016	SPECIFICATION AND PURCHASE ORDER.exe	SPECIFICATION AND PURCHASE ORDER.exe
PID 2016 wrote to memory of 520	2016	SPECIFICATION AND PURCHASE ORDER.exe	SPECIFICATION AND PURCHASE ORDER.exe
PID 2016 wrote to memory of 520	2016	SPECIFICATION AND PURCHASE ORDER.exe	SPECIFICATION AND PURCHASE ORDER.exe
PID 2016 wrote to memory of 520	2016	SPECIFICATION AND PURCHASE ORDER.exe	SPECIFICATION AND PURCHASE ORDER.exe
PID 2016 wrote to memory of 520	2016	SPECIFICATION AND PURCHASE ORDER.exe	SPECIFICATION AND PURCHASE ORDER.exe
PID 2016 wrote to memory of 520	2016	SPECIFICATION AND PURCHASE ORDER.exe	SPECIFICATION AND PURCHASE ORDER.exe
PID 2016 wrote to memory of 520	2016	SPECIFICATION AND PURCHASE ORDER.exe	SPECIFICATION AND PURCHASE ORDER.exe
PID 2016 wrote to memory of 520	2016	SPECIFICATION AND PURCHASE ORDER.exe	SPECIFICATION AND PURCHASE ORDER.exe
PID 520 wrote to memory of 1932	520	SPECIFICATION AND PURCHASE ORDER.exe	Host.exe
PID 520 wrote to memory of 1932	520	SPECIFICATION AND PURCHASE ORDER.exe	Host.exe
PID 520 wrote to memory of 1932	520	SPECIFICATION AND PURCHASE ORDER.exe	Host.exe
PID 520 wrote to memory of 1932	520	SPECIFICATION AND PURCHASE ORDER.exe	Host.exe
PID 1932 wrote to memory of 580	1932	Host.exe	powershell.exe
PID 1932 wrote to memory of 580	1932	Host.exe	powershell.exe
PID 1932 wrote to memory of 580	1932	Host.exe	powershell.exe
PID 1932 wrote to memory of 580	1932	Host.exe	powershell.exe
PID 1932 wrote to memory of 1544	1932	Host.exe	schtasks.exe
PID 1932 wrote to memory of 1544	1932	Host.exe	schtasks.exe
PID 1932 wrote to memory of 1544	1932	Host.exe	schtasks.exe
PID 1932 wrote to memory of 1544	1932	Host.exe	schtasks.exe
PID 1932 wrote to memory of 1712	1932	Host.exe	Host.exe
PID 1932 wrote to memory of 1712	1932	Host.exe	Host.exe
PID 1932 wrote to memory of 1712	1932	Host.exe	Host.exe
PID 1932 wrote to memory of 1712	1932	Host.exe	Host.exe
PID 1932 wrote to memory of 1712	1932	Host.exe	Host.exe
PID 1932 wrote to memory of 1712	1932	Host.exe	Host.exe
PID 1932 wrote to memory of 1712	1932	Host.exe	Host.exe
PID 1932 wrote to memory of 1712	1932	Host.exe	Host.exe
PID 1932 wrote to memory of 1712	1932	Host.exe	Host.exe
PID 1932 wrote to memory of 1712	1932	Host.exe	Host.exe
PID 1932 wrote to memory of 1712	1932	Host.exe	Host.exe
PID 1932 wrote to memory of 1712	1932	Host.exe	Host.exe

C:\Users\Admin\AppData\Local\Temp\SPECIFICATION AND PURCHASE ORDER.exe
"C:\Users\Admin\AppData\Local\Temp\SPECIFICATION AND PURCHASE ORDER.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\NdlZTRlnfGWAx.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1320

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NdlZTRlnfGWAx" /XML "C:\Users\Admin\AppData\Local\Temp\tmp652A.tmp"
2⤵
- Creates scheduled task(s)
PID:2032

C:\Users\Admin\AppData\Local\Temp\SPECIFICATION AND PURCHASE ORDER.exe
"C:\Users\Admin\AppData\Local\Temp\SPECIFICATION AND PURCHASE ORDER.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:520

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1932

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\NdlZTRlnfGWAx.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:580

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NdlZTRlnfGWAx" /XML "C:\Users\Admin\AppData\Local\Temp\tmp92FD.tmp"
4⤵
- Creates scheduled task(s)
PID:1544

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
4⤵
- Executes dropped EXE
PID:1712

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp652A.tmp

Filesize
1KB

MD5
9fc5dae4a483adc7c4849c6b6d5f655c

SHA1
5449293f3e3bd8b5bfb5eb777024ee187639a0a6

SHA256
160ca4de76d2394a607a21c305c1f2cc5c5780d7933aac83eaf7148dc48243e9

SHA512
bcb2e8fd26c86a77984f8005246459d937daabf8bc412c3288e57e13b3319f1a7d3f196021294d785d3ad3161015abcb5f5384c54814fbca57bbade5c2f920fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp92FD.tmp

Filesize
1KB

MD5
9fc5dae4a483adc7c4849c6b6d5f655c

SHA1
5449293f3e3bd8b5bfb5eb777024ee187639a0a6

SHA256
160ca4de76d2394a607a21c305c1f2cc5c5780d7933aac83eaf7148dc48243e9

SHA512
bcb2e8fd26c86a77984f8005246459d937daabf8bc412c3288e57e13b3319f1a7d3f196021294d785d3ad3161015abcb5f5384c54814fbca57bbade5c2f920fa

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
812KB

MD5
d07de9673f83a9d2a8726902a324e9b6

SHA1
757006cbc6e8f1c0d51cb24de633ead08585482f

SHA256
be3dd3aea40216ce3f0a8427cef56e288bbbea5718983905adbc827dd79b3d80

SHA512
b56c6062d9817cfe783839a256f713a56be1968974f82ab25062d4bb0cbf2ab8201058bd96c4c66fc26def7b702d4d82b882154412e13dfd78c6c818d6b067da

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
812KB

MD5
d07de9673f83a9d2a8726902a324e9b6

SHA1
757006cbc6e8f1c0d51cb24de633ead08585482f

SHA256
be3dd3aea40216ce3f0a8427cef56e288bbbea5718983905adbc827dd79b3d80

SHA512
b56c6062d9817cfe783839a256f713a56be1968974f82ab25062d4bb0cbf2ab8201058bd96c4c66fc26def7b702d4d82b882154412e13dfd78c6c818d6b067da

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
812KB

MD5
d07de9673f83a9d2a8726902a324e9b6

SHA1
757006cbc6e8f1c0d51cb24de633ead08585482f

SHA256
be3dd3aea40216ce3f0a8427cef56e288bbbea5718983905adbc827dd79b3d80

SHA512
b56c6062d9817cfe783839a256f713a56be1968974f82ab25062d4bb0cbf2ab8201058bd96c4c66fc26def7b702d4d82b882154412e13dfd78c6c818d6b067da

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
bed9b7e0d40d62f0e09e5100403a98ed

SHA1
c86c62b3162b396f9a19a6436a9da283b60b7322

SHA256
d90d0bb191fca6155e904c1c4c5a110bfda5496dc4e6fb4d4eccb8cd92b73f42

SHA512
3255da023e7a95b35a1a011872b97399fa336ee3bef92e820896991db872b5285d7a2372cb05bb30dde609730e783b2140e0325dcfcdebd01feab313de78b22b

Download Submit
\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
812KB

MD5
d07de9673f83a9d2a8726902a324e9b6

SHA1
757006cbc6e8f1c0d51cb24de633ead08585482f

SHA256
be3dd3aea40216ce3f0a8427cef56e288bbbea5718983905adbc827dd79b3d80

SHA512
b56c6062d9817cfe783839a256f713a56be1968974f82ab25062d4bb0cbf2ab8201058bd96c4c66fc26def7b702d4d82b882154412e13dfd78c6c818d6b067da

Download Submit
memory/520-83-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/520-75-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/520-79-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/520-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/520-66-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/520-68-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/520-70-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/520-71-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/520-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/520-74-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/520-76-0x000000000040242D-mapping.dmp

Download
memory/580-88-0x0000000000000000-mapping.dmp

Download
memory/580-109-0x000000006FB30000-0x00000000700DB000-memory.dmp

Filesize
5.7MB

Download
memory/1320-87-0x000000006F040000-0x000000006F5EB000-memory.dmp

Filesize
5.7MB

Download
memory/1320-63-0x000000006F040000-0x000000006F5EB000-memory.dmp

Filesize
5.7MB

Download
memory/1320-59-0x0000000000000000-mapping.dmp

Download
memory/1544-89-0x0000000000000000-mapping.dmp

Download
memory/1712-104-0x000000000040242D-mapping.dmp

Download
memory/1712-108-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1712-110-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1932-85-0x00000000008F0000-0x00000000009C2000-memory.dmp

Filesize
840KB

Download
memory/1932-81-0x0000000000000000-mapping.dmp

Download
memory/2016-58-0x0000000005290000-0x0000000005306000-memory.dmp

Filesize
472KB

Download
memory/2016-54-0x0000000001250000-0x0000000001322000-memory.dmp

Filesize
840KB

Download
memory/2016-57-0x0000000000710000-0x000000000071E000-memory.dmp

Filesize
56KB

Download
memory/2016-56-0x0000000000410000-0x000000000042A000-memory.dmp

Filesize
104KB

Download
memory/2016-64-0x0000000000920000-0x000000000094E000-memory.dmp

Filesize
184KB

Download
memory/2016-55-0x0000000075BF1000-0x0000000075BF3000-memory.dmp

Filesize
8KB

Download
memory/2032-60-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads