netwire | be3dd3aea40216ce3f0a8427cef56e288bbbea5718983905adbc827dd79b3d80

General

Target

SPECIFICATION AND PURCHASE ORDER.exe
Size

812KB
MD5

d07de9673f83a9d2a8726902a324e9b6
SHA1

757006cbc6e8f1c0d51cb24de633ead08585482f
SHA256

be3dd3aea40216ce3f0a8427cef56e288bbbea5718983905adbc827dd79b3d80
SHA512

b56c6062d9817cfe783839a256f713a56be1968974f82ab25062d4bb0cbf2ab8201058bd96c4c66fc26def7b702d4d82b882154412e13dfd78c6c818d6b067da

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

C2

37.0.14.203:3083

Attributes

activex_autorun
false
copy_executable
true
delete_original
false
host_id
HostId-%Rand%
install_path
%AppData%\Install\Host.exe
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Elibee88
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2700-143-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral2/memory/2700-146-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral2/memory/2700-150-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral2/memory/4828-170-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral2/memory/4828-172-0x0000000000400000-0x0000000000433000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

Host.exeHost.exe

pid process

2368 Host.exe
4828 Host.exe

pid	process
2368	Host.exe
4828	Host.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SPECIFICATION AND PURCHASE ORDER.exeSPECIFICATION AND PURCHASE ORDER.exeHost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	SPECIFICATION AND PURCHASE ORDER.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	SPECIFICATION AND PURCHASE ORDER.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	Host.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

SPECIFICATION AND PURCHASE ORDER.exeHost.exe

description	pid	process	target process
PID 2284 set thread context of 2700	2284	SPECIFICATION AND PURCHASE ORDER.exe	SPECIFICATION AND PURCHASE ORDER.exe
PID 2368 set thread context of 4828	2368	Host.exe	Host.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1144 schtasks.exe
1860 schtasks.exe

pid	process
1144	schtasks.exe
1860	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

SPECIFICATION AND PURCHASE ORDER.exepowershell.exeHost.exepowershell.exe

pid	process
2284	SPECIFICATION AND PURCHASE ORDER.exe
2284	SPECIFICATION AND PURCHASE ORDER.exe
2284	SPECIFICATION AND PURCHASE ORDER.exe
3156	powershell.exe
2284	SPECIFICATION AND PURCHASE ORDER.exe
3156	powershell.exe
2368	Host.exe
3988	powershell.exe
2368	Host.exe
3988	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

SPECIFICATION AND PURCHASE ORDER.exepowershell.exeHost.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2284	SPECIFICATION AND PURCHASE ORDER.exe
Token: SeDebugPrivilege	3156	powershell.exe
Token: SeDebugPrivilege	2368	Host.exe
Token: SeDebugPrivilege	3988	powershell.exe

Suspicious use of WriteProcessMemory 37 IoCs

Processes:

SPECIFICATION AND PURCHASE ORDER.exeSPECIFICATION AND PURCHASE ORDER.exeHost.exe

description	pid	process	target process
PID 2284 wrote to memory of 3156	2284	SPECIFICATION AND PURCHASE ORDER.exe	powershell.exe
PID 2284 wrote to memory of 3156	2284	SPECIFICATION AND PURCHASE ORDER.exe	powershell.exe
PID 2284 wrote to memory of 3156	2284	SPECIFICATION AND PURCHASE ORDER.exe	powershell.exe
PID 2284 wrote to memory of 1860	2284	SPECIFICATION AND PURCHASE ORDER.exe	schtasks.exe
PID 2284 wrote to memory of 1860	2284	SPECIFICATION AND PURCHASE ORDER.exe	schtasks.exe
PID 2284 wrote to memory of 1860	2284	SPECIFICATION AND PURCHASE ORDER.exe	schtasks.exe
PID 2284 wrote to memory of 2700	2284	SPECIFICATION AND PURCHASE ORDER.exe	SPECIFICATION AND PURCHASE ORDER.exe
PID 2284 wrote to memory of 2700	2284	SPECIFICATION AND PURCHASE ORDER.exe	SPECIFICATION AND PURCHASE ORDER.exe
PID 2284 wrote to memory of 2700	2284	SPECIFICATION AND PURCHASE ORDER.exe	SPECIFICATION AND PURCHASE ORDER.exe
PID 2284 wrote to memory of 2700	2284	SPECIFICATION AND PURCHASE ORDER.exe	SPECIFICATION AND PURCHASE ORDER.exe
PID 2284 wrote to memory of 2700	2284	SPECIFICATION AND PURCHASE ORDER.exe	SPECIFICATION AND PURCHASE ORDER.exe
PID 2284 wrote to memory of 2700	2284	SPECIFICATION AND PURCHASE ORDER.exe	SPECIFICATION AND PURCHASE ORDER.exe
PID 2284 wrote to memory of 2700	2284	SPECIFICATION AND PURCHASE ORDER.exe	SPECIFICATION AND PURCHASE ORDER.exe
PID 2284 wrote to memory of 2700	2284	SPECIFICATION AND PURCHASE ORDER.exe	SPECIFICATION AND PURCHASE ORDER.exe
PID 2284 wrote to memory of 2700	2284	SPECIFICATION AND PURCHASE ORDER.exe	SPECIFICATION AND PURCHASE ORDER.exe
PID 2284 wrote to memory of 2700	2284	SPECIFICATION AND PURCHASE ORDER.exe	SPECIFICATION AND PURCHASE ORDER.exe
PID 2284 wrote to memory of 2700	2284	SPECIFICATION AND PURCHASE ORDER.exe	SPECIFICATION AND PURCHASE ORDER.exe
PID 2700 wrote to memory of 2368	2700	SPECIFICATION AND PURCHASE ORDER.exe	Host.exe
PID 2700 wrote to memory of 2368	2700	SPECIFICATION AND PURCHASE ORDER.exe	Host.exe
PID 2700 wrote to memory of 2368	2700	SPECIFICATION AND PURCHASE ORDER.exe	Host.exe
PID 2368 wrote to memory of 3988	2368	Host.exe	powershell.exe
PID 2368 wrote to memory of 3988	2368	Host.exe	powershell.exe
PID 2368 wrote to memory of 3988	2368	Host.exe	powershell.exe
PID 2368 wrote to memory of 1144	2368	Host.exe	schtasks.exe
PID 2368 wrote to memory of 1144	2368	Host.exe	schtasks.exe
PID 2368 wrote to memory of 1144	2368	Host.exe	schtasks.exe
PID 2368 wrote to memory of 4828	2368	Host.exe	Host.exe
PID 2368 wrote to memory of 4828	2368	Host.exe	Host.exe
PID 2368 wrote to memory of 4828	2368	Host.exe	Host.exe
PID 2368 wrote to memory of 4828	2368	Host.exe	Host.exe
PID 2368 wrote to memory of 4828	2368	Host.exe	Host.exe
PID 2368 wrote to memory of 4828	2368	Host.exe	Host.exe
PID 2368 wrote to memory of 4828	2368	Host.exe	Host.exe
PID 2368 wrote to memory of 4828	2368	Host.exe	Host.exe
PID 2368 wrote to memory of 4828	2368	Host.exe	Host.exe
PID 2368 wrote to memory of 4828	2368	Host.exe	Host.exe
PID 2368 wrote to memory of 4828	2368	Host.exe	Host.exe

C:\Users\Admin\AppData\Local\Temp\SPECIFICATION AND PURCHASE ORDER.exe
"C:\Users\Admin\AppData\Local\Temp\SPECIFICATION AND PURCHASE ORDER.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2284

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\NdlZTRlnfGWAx.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3156

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NdlZTRlnfGWAx" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCCD5.tmp"
2⤵
- Creates scheduled task(s)
PID:1860

C:\Users\Admin\AppData\Local\Temp\SPECIFICATION AND PURCHASE ORDER.exe
"C:\Users\Admin\AppData\Local\Temp\SPECIFICATION AND PURCHASE ORDER.exe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2700

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2368

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\NdlZTRlnfGWAx.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3988

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NdlZTRlnfGWAx" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9BDD.tmp"
4⤵
- Creates scheduled task(s)
PID:1144

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
4⤵
- Executes dropped EXE
PID:4828

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
2e78d4469d81d67193bda790789bc661

SHA1
173ba6253abaddc0bb245a9cbdf4dc732b03ed41

SHA256
54c15d752e6ccec18ca3a7b01e61674134087e0a228580c7077e2cc7d7c4a5fe

SHA512
8f66efcb2c908db1167c1d5bcf5ca0dfdacf9b34f56e2aa488fda35ae1e80092dcf03fd0673f99c1c228aa8e48fbe75b819c9cf97cd28be57b945072c93920a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
5ed4999f4e1d37e3d9f9afb24040b144

SHA1
7653613df163ecf37186e8389d040326da73e8cb

SHA256
80031f7757b89c92a1a0ba282ff8673a2db77fd19bc4137d233175ccc18fd464

SHA512
82382698e0aea0d587e7b0fc6441dbc9a090188bb03e601c3dc970fb48ec62780f530be7e30d56f1b3d5c8b44134771b3d5be18c21f24ab5d267b891ac5d1741

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9BDD.tmp

Filesize
1KB

MD5
0c93ff3d7744bc8d7ba8f932e7be17d1

SHA1
972be0db6ff5bf752470c9975f1feb6d2f971b2b

SHA256
c0a54c6c3c5d2289f884777da734e9e6aa0139e4cf386bd9fee109c74dd26bf5

SHA512
73faca336b464a4f4bfbb402e59cc692288edb01d705433228e84dc1669c33812fb0644fbe4ca1440f3953996a83a886b8cb0fdd63162c7f9f880b3a4cdd8476

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCCD5.tmp

Filesize
1KB

MD5
0c93ff3d7744bc8d7ba8f932e7be17d1

SHA1
972be0db6ff5bf752470c9975f1feb6d2f971b2b

SHA256
c0a54c6c3c5d2289f884777da734e9e6aa0139e4cf386bd9fee109c74dd26bf5

SHA512
73faca336b464a4f4bfbb402e59cc692288edb01d705433228e84dc1669c33812fb0644fbe4ca1440f3953996a83a886b8cb0fdd63162c7f9f880b3a4cdd8476

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
812KB

MD5
d07de9673f83a9d2a8726902a324e9b6

SHA1
757006cbc6e8f1c0d51cb24de633ead08585482f

SHA256
be3dd3aea40216ce3f0a8427cef56e288bbbea5718983905adbc827dd79b3d80

SHA512
b56c6062d9817cfe783839a256f713a56be1968974f82ab25062d4bb0cbf2ab8201058bd96c4c66fc26def7b702d4d82b882154412e13dfd78c6c818d6b067da

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
812KB

MD5
d07de9673f83a9d2a8726902a324e9b6

SHA1
757006cbc6e8f1c0d51cb24de633ead08585482f

SHA256
be3dd3aea40216ce3f0a8427cef56e288bbbea5718983905adbc827dd79b3d80

SHA512
b56c6062d9817cfe783839a256f713a56be1968974f82ab25062d4bb0cbf2ab8201058bd96c4c66fc26def7b702d4d82b882154412e13dfd78c6c818d6b067da

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
812KB

MD5
d07de9673f83a9d2a8726902a324e9b6

SHA1
757006cbc6e8f1c0d51cb24de633ead08585482f

SHA256
be3dd3aea40216ce3f0a8427cef56e288bbbea5718983905adbc827dd79b3d80

SHA512
b56c6062d9817cfe783839a256f713a56be1968974f82ab25062d4bb0cbf2ab8201058bd96c4c66fc26def7b702d4d82b882154412e13dfd78c6c818d6b067da

Download Submit
memory/1144-163-0x0000000000000000-mapping.dmp

Download
memory/1860-137-0x0000000000000000-mapping.dmp

Download
memory/2284-135-0x000000000BA20000-0x000000000BA86000-memory.dmp

Filesize
408KB

Download
memory/2284-134-0x000000000B710000-0x000000000B7AC000-memory.dmp

Filesize
624KB

Download
memory/2284-133-0x00000000052D0000-0x00000000052DA000-memory.dmp

Filesize
40KB

Download
memory/2284-132-0x00000000052F0000-0x0000000005382000-memory.dmp

Filesize
584KB

Download
memory/2284-131-0x00000000058A0000-0x0000000005E44000-memory.dmp

Filesize
5.6MB

Download
memory/2284-130-0x0000000000850000-0x0000000000922000-memory.dmp

Filesize
840KB

Download
memory/2368-147-0x0000000000000000-mapping.dmp

Download
memory/2700-142-0x0000000000000000-mapping.dmp

Download
memory/2700-143-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2700-146-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2700-150-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3156-151-0x0000000006400000-0x000000000641E000-memory.dmp

Filesize
120KB

Download
memory/3156-152-0x0000000006930000-0x0000000006962000-memory.dmp

Filesize
200KB

Download
memory/3156-154-0x0000000006910000-0x000000000692E000-memory.dmp

Filesize
120KB

Download
memory/3156-155-0x0000000007D80000-0x00000000083FA000-memory.dmp

Filesize
6.5MB

Download
memory/3156-156-0x0000000007720000-0x000000000773A000-memory.dmp

Filesize
104KB

Download
memory/3156-157-0x0000000007780000-0x000000000778A000-memory.dmp

Filesize
40KB

Download
memory/3156-158-0x0000000007990000-0x0000000007A26000-memory.dmp

Filesize
600KB

Download
memory/3156-159-0x0000000007940000-0x000000000794E000-memory.dmp

Filesize
56KB

Download
memory/3156-160-0x0000000007A50000-0x0000000007A6A000-memory.dmp

Filesize
104KB

Download
memory/3156-161-0x0000000007A30000-0x0000000007A38000-memory.dmp

Filesize
32KB

Download
memory/3156-136-0x0000000000000000-mapping.dmp

Download
memory/3156-153-0x0000000075340000-0x000000007538C000-memory.dmp

Filesize
304KB

Download
memory/3156-145-0x0000000005640000-0x00000000056A6000-memory.dmp

Filesize
408KB

Download
memory/3156-141-0x00000000053C0000-0x00000000053E2000-memory.dmp

Filesize
136KB

Download
memory/3156-138-0x0000000002A80000-0x0000000002AB6000-memory.dmp

Filesize
216KB

Download
memory/3156-140-0x0000000005700000-0x0000000005D28000-memory.dmp

Filesize
6.2MB

Download
memory/3988-162-0x0000000000000000-mapping.dmp

Download
memory/3988-174-0x00000000721E0000-0x000000007222C000-memory.dmp

Filesize
304KB

Download
memory/4828-170-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4828-166-0x0000000000000000-mapping.dmp

Download
memory/4828-172-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads