netwire | 52a931d26a5c731d659d4ff5321b9c3b4a135f4944cd46e6f9821d608a71add3

Analysis

max time kernel
180s
max time network
188s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
resource tags

arch:x64arch:x86image:win10v2004-20220414-enlocale:en-usos:windows10-2004-x64system
submitted
17-07-2022 02:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

52a931d26a5c731d659d4ff5321b9c3b4a135f4944cd46e6f9821d608a71add3.exe
Size

1.2MB
MD5

7f33d4d920c55535fb224546b3cb94bd
SHA1

004126cdbcecef4dc334d6ca352b719e74366248
SHA256

52a931d26a5c731d659d4ff5321b9c3b4a135f4944cd46e6f9821d608a71add3
SHA512

fb48b29d8d0752d66f421b9c0c3ca672c72aa96b7ba5da636462d6993a8a6041d0cdc09b34563d52e9c56453baf3271e2508979059680d2c18e1365c9736fad3

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

profoundation.linkpc.net:3595

Attributes

activex_autorun
true
activex_key
{E1677N83-AN77-01LA-0WK8-46188A3TY05U}
copy_executable
true
delete_original
false
host_id
HOPE - HOPE
install_path
%AppData%\Install\Host.exe
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
YYODCdsO
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
true

Signatures

NetWire RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1900-134-0x0000000000540000-0x0000000000575000-memory.dmp	netwire
behavioral2/memory/1900-136-0x0000000000580000-0x00000000005AC000-memory.dmp	netwire
behavioral2/memory/2044-147-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 1 IoCs

Processes:

Host.exe

pid process

2044 Host.exe

pid	process
2044	Host.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Host.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E1677N83-AN77-01LA-0WK8-46188A3TY05U}	Host.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E1677N83-AN77-01LA-0WK8-46188A3TY05U}\StubPath = "\"C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe\""	Host.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Install\Host.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Install\Host.exe	autoit_exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

52a931d26a5c731d659d4ff5321b9c3b4a135f4944cd46e6f9821d608a71add3.exe

description	pid	process	target process
PID 1900 wrote to memory of 2044	1900	52a931d26a5c731d659d4ff5321b9c3b4a135f4944cd46e6f9821d608a71add3.exe	Host.exe
PID 1900 wrote to memory of 2044	1900	52a931d26a5c731d659d4ff5321b9c3b4a135f4944cd46e6f9821d608a71add3.exe	Host.exe
PID 1900 wrote to memory of 2044	1900	52a931d26a5c731d659d4ff5321b9c3b4a135f4944cd46e6f9821d608a71add3.exe	Host.exe

C:\Users\Admin\AppData\Local\Temp\52a931d26a5c731d659d4ff5321b9c3b4a135f4944cd46e6f9821d608a71add3.exe
"C:\Users\Admin\AppData\Local\Temp\52a931d26a5c731d659d4ff5321b9c3b4a135f4944cd46e6f9821d608a71add3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1900

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
2⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
PID:2044

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\159.767541335896

Filesize
203KB

MD5
c863eb9c5fb6af65e8103c9c22495aad

SHA1
c475ea76748a3f175182a74e70f99c463115474a

SHA256
4f5c20550eb8487da5966006c43705283cf16336658e3a30bb4fb2378d22e16d

SHA512
31cacd6159bfcfbc95817d018b322d17db32df3a722df3f37b0970a53ade14febed9aaf1d1d5db37a53009a8aee4fc004b8d5e4d5c44b37cef8b401c1073482e

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
1.2MB

MD5
7f33d4d920c55535fb224546b3cb94bd

SHA1
004126cdbcecef4dc334d6ca352b719e74366248

SHA256
52a931d26a5c731d659d4ff5321b9c3b4a135f4944cd46e6f9821d608a71add3

SHA512
fb48b29d8d0752d66f421b9c0c3ca672c72aa96b7ba5da636462d6993a8a6041d0cdc09b34563d52e9c56453baf3271e2508979059680d2c18e1365c9736fad3

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
1.2MB

MD5
7f33d4d920c55535fb224546b3cb94bd

SHA1
004126cdbcecef4dc334d6ca352b719e74366248

SHA256
52a931d26a5c731d659d4ff5321b9c3b4a135f4944cd46e6f9821d608a71add3

SHA512
fb48b29d8d0752d66f421b9c0c3ca672c72aa96b7ba5da636462d6993a8a6041d0cdc09b34563d52e9c56453baf3271e2508979059680d2c18e1365c9736fad3

Download Submit
memory/1900-133-0x0000000000540000-0x0000000000575000-memory.dmp

Filesize
212KB

Download
memory/1900-134-0x0000000000540000-0x0000000000575000-memory.dmp

Filesize
212KB

Download
memory/1900-135-0x0000000000541000-0x000000000054C000-memory.dmp

Filesize
44KB

Download
memory/1900-136-0x0000000000580000-0x00000000005AC000-memory.dmp

Filesize
176KB

Download
memory/1900-130-0x0000000000540000-0x0000000000575000-memory.dmp

Filesize
212KB

Download
memory/1900-132-0x0000000000540000-0x0000000000575000-memory.dmp

Filesize
212KB

Download
memory/1900-131-0x0000000000540000-0x0000000000575000-memory.dmp

Filesize
212KB

Download
memory/2044-137-0x0000000000000000-mapping.dmp

Download
memory/2044-146-0x0000000003C51000-0x0000000003C5C000-memory.dmp

Filesize
44KB

Download
memory/2044-147-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download