netwire | 52ebeec6271770d72e3f2ed73535cd4a9b4d614e8877bd52a777b5f23d492869

Analysis

max time kernel
183s
max time network
192s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
resource tags

arch:x64arch:x86image:win10v2004-20220414-enlocale:en-usos:windows10-2004-x64system
submitted
17-07-2022 01:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

52ebeec6271770d72e3f2ed73535cd4a9b4d614e8877bd52a777b5f23d492869.exe
Size

89KB
MD5

60ac7ad7eccc1cdc8e2fcd21cf42e068
SHA1

0d1b45bcbdbd9699bde81e984edbac26e6e39b11
SHA256

52ebeec6271770d72e3f2ed73535cd4a9b4d614e8877bd52a777b5f23d492869
SHA512

4cf4816f4587910e5541da1eb2bfc90d8281e7c11339a9708c692d7124f70b65f1fb714ff3e7e8ecb3e3cb10817a9080f313f31034c6b756f7589afbbc4a85ba

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

178.32.72.136:3361

193.124.117.153:3360

Attributes

activex_autorun
true
activex_key
{UL0J35EK-4812-5A22-5827-J02V07OJ0H4J}
copy_executable
true
delete_original
true
host_id
HostId-%Rand%
install_path
%AppData%\Install\Skype.exe
keylogger_dir
%AppData%\Logs\
lock_executable
true
mutex
TptENIRd
offline_keylogger
true
password
ebefob44
registry_autorun
true
startup_name
Skype
use_mutex
true

Signatures

NetWire RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Install\Skype.exe	netwire
C:\Users\Admin\AppData\Roaming\Install\Skype.exe	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 1 IoCs

Processes:

Skype.exe

pid process

1684 Skype.exe

pid	process
1684	Skype.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Skype.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{UL0J35EK-4812-5A22-5827-J02V07OJ0H4J}	Skype.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{UL0J35EK-4812-5A22-5827-J02V07OJ0H4J}\StubPath = "\"C:\\Users\\Admin\\AppData\\Roaming\\Install\\Skype.exe\""	Skype.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Skype.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	Skype.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Skype = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\Skype.exe"	Skype.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

52ebeec6271770d72e3f2ed73535cd4a9b4d614e8877bd52a777b5f23d492869.exe

description	pid	process	target process
PID 4772 wrote to memory of 1684	4772	52ebeec6271770d72e3f2ed73535cd4a9b4d614e8877bd52a777b5f23d492869.exe	Skype.exe
PID 4772 wrote to memory of 1684	4772	52ebeec6271770d72e3f2ed73535cd4a9b4d614e8877bd52a777b5f23d492869.exe	Skype.exe
PID 4772 wrote to memory of 1684	4772	52ebeec6271770d72e3f2ed73535cd4a9b4d614e8877bd52a777b5f23d492869.exe	Skype.exe

C:\Users\Admin\AppData\Local\Temp\52ebeec6271770d72e3f2ed73535cd4a9b4d614e8877bd52a777b5f23d492869.exe
"C:\Users\Admin\AppData\Local\Temp\52ebeec6271770d72e3f2ed73535cd4a9b4d614e8877bd52a777b5f23d492869.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4772

C:\Users\Admin\AppData\Roaming\Install\Skype.exe
-m "C:\Users\Admin\AppData\Local\Temp\52ebeec6271770d72e3f2ed73535cd4a9b4d614e8877bd52a777b5f23d492869.exe"
2⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
PID:1684

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Install\Skype.exe

Filesize
89KB

MD5
60ac7ad7eccc1cdc8e2fcd21cf42e068

SHA1
0d1b45bcbdbd9699bde81e984edbac26e6e39b11

SHA256
52ebeec6271770d72e3f2ed73535cd4a9b4d614e8877bd52a777b5f23d492869

SHA512
4cf4816f4587910e5541da1eb2bfc90d8281e7c11339a9708c692d7124f70b65f1fb714ff3e7e8ecb3e3cb10817a9080f313f31034c6b756f7589afbbc4a85ba

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Skype.exe

Filesize
89KB

MD5
60ac7ad7eccc1cdc8e2fcd21cf42e068

SHA1
0d1b45bcbdbd9699bde81e984edbac26e6e39b11

SHA256
52ebeec6271770d72e3f2ed73535cd4a9b4d614e8877bd52a777b5f23d492869

SHA512
4cf4816f4587910e5541da1eb2bfc90d8281e7c11339a9708c692d7124f70b65f1fb714ff3e7e8ecb3e3cb10817a9080f313f31034c6b756f7589afbbc4a85ba

Download Submit
memory/1684-130-0x0000000000000000-mapping.dmp

Download