netwire | 52ebeec6271770d72e3f2ed73535cd4a9b4d614e8877bd52a777b5f23d492869

Analysis

max time kernel
132s
max time network
149s
platform
windows7_x64
resource
win7-20220414-en
resource tags

arch:x64arch:x86image:win7-20220414-enlocale:en-usos:windows7-x64system
submitted
17/07/2022, 01:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

52ebeec6271770d72e3f2ed73535cd4a9b4d614e8877bd52a777b5f23d492869.exe
Size

89KB
MD5

60ac7ad7eccc1cdc8e2fcd21cf42e068
SHA1

0d1b45bcbdbd9699bde81e984edbac26e6e39b11
SHA256

52ebeec6271770d72e3f2ed73535cd4a9b4d614e8877bd52a777b5f23d492869
SHA512

4cf4816f4587910e5541da1eb2bfc90d8281e7c11339a9708c692d7124f70b65f1fb714ff3e7e8ecb3e3cb10817a9080f313f31034c6b756f7589afbbc4a85ba

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

178.32.72.136:3361

193.124.117.153:3360

Attributes

activex_autorun
true
activex_key
{UL0J35EK-4812-5A22-5827-J02V07OJ0H4J}
copy_executable
true
delete_original
true
host_id
HostId-%Rand%
install_path
%AppData%\Install\Skype.exe
keylogger_dir
%AppData%\Logs\
lock_executable
true
mutex
TptENIRd
offline_keylogger
true
password
ebefob44
registry_autorun
true
startup_name
Skype
use_mutex
true

Signatures

NetWire RAT payload 3 IoCs

rat

resource	yara_rule
behavioral1/files/0x00090000000134cf-55.dat	netwire
behavioral1/files/0x00090000000134cf-56.dat	netwire
behavioral1/files/0x00090000000134cf-58.dat	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Executes dropped EXE 1 IoCs

pid	Process
1968	Skype.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{UL0J35EK-4812-5A22-5827-J02V07OJ0H4J}	Skype.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{UL0J35EK-4812-5A22-5827-J02V07OJ0H4J}\StubPath = "\"C:\\Users\\Admin\\AppData\\Roaming\\Install\\Skype.exe\""	Skype.exe

Deletes itself 1 IoCs

pid	Process
1968	Skype.exe

Loads dropped DLL 2 IoCs

pid	Process
1056	52ebeec6271770d72e3f2ed73535cd4a9b4d614e8877bd52a777b5f23d492869.exe
1056	52ebeec6271770d72e3f2ed73535cd4a9b4d614e8877bd52a777b5f23d492869.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	Skype.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\Skype = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\Skype.exe"	Skype.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1056 wrote to memory of 1968	1056	52ebeec6271770d72e3f2ed73535cd4a9b4d614e8877bd52a777b5f23d492869.exe	27
PID 1056 wrote to memory of 1968	1056	52ebeec6271770d72e3f2ed73535cd4a9b4d614e8877bd52a777b5f23d492869.exe	27
PID 1056 wrote to memory of 1968	1056	52ebeec6271770d72e3f2ed73535cd4a9b4d614e8877bd52a777b5f23d492869.exe	27
PID 1056 wrote to memory of 1968	1056	52ebeec6271770d72e3f2ed73535cd4a9b4d614e8877bd52a777b5f23d492869.exe	27

C:\Users\Admin\AppData\Local\Temp\52ebeec6271770d72e3f2ed73535cd4a9b4d614e8877bd52a777b5f23d492869.exe
"C:\Users\Admin\AppData\Local\Temp\52ebeec6271770d72e3f2ed73535cd4a9b4d614e8877bd52a777b5f23d492869.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1056
- C:\Users\Admin\AppData\Roaming\Install\Skype.exe
  -m "C:\Users\Admin\AppData\Local\Temp\52ebeec6271770d72e3f2ed73535cd4a9b4d614e8877bd52a777b5f23d492869.exe"
  2⤵
  - Executes dropped EXE
  - Modifies Installed Components in the registry
  - Deletes itself
  - Adds Run key to start application
  PID:1968

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Install\Skype.exe

Filesize
89KB

MD5
60ac7ad7eccc1cdc8e2fcd21cf42e068

SHA1
0d1b45bcbdbd9699bde81e984edbac26e6e39b11

SHA256
52ebeec6271770d72e3f2ed73535cd4a9b4d614e8877bd52a777b5f23d492869

SHA512
4cf4816f4587910e5541da1eb2bfc90d8281e7c11339a9708c692d7124f70b65f1fb714ff3e7e8ecb3e3cb10817a9080f313f31034c6b756f7589afbbc4a85ba

Download Submit
\Users\Admin\AppData\Roaming\Install\Skype.exe

Filesize
89KB

MD5
60ac7ad7eccc1cdc8e2fcd21cf42e068

SHA1
0d1b45bcbdbd9699bde81e984edbac26e6e39b11

SHA256
52ebeec6271770d72e3f2ed73535cd4a9b4d614e8877bd52a777b5f23d492869

SHA512
4cf4816f4587910e5541da1eb2bfc90d8281e7c11339a9708c692d7124f70b65f1fb714ff3e7e8ecb3e3cb10817a9080f313f31034c6b756f7589afbbc4a85ba

Download Submit
\Users\Admin\AppData\Roaming\Install\Skype.exe

Filesize
89KB

MD5
60ac7ad7eccc1cdc8e2fcd21cf42e068

SHA1
0d1b45bcbdbd9699bde81e984edbac26e6e39b11

SHA256
52ebeec6271770d72e3f2ed73535cd4a9b4d614e8877bd52a777b5f23d492869

SHA512
4cf4816f4587910e5541da1eb2bfc90d8281e7c11339a9708c692d7124f70b65f1fb714ff3e7e8ecb3e3cb10817a9080f313f31034c6b756f7589afbbc4a85ba

Download Submit
memory/1056-54-0x00000000764C1000-0x00000000764C3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads