netwire | 507cdb533ae17e2796a585b6c6cbb8b2e116fae2dc26209799df93333d40a0c1

General

Target

507cdb533ae17e2796a585b6c6cbb8b2e116fae2dc26209799df93333d40a0c1.exe
Size

780KB
MD5

24bc8e6bea3028f45e8862a845a2ee9b
SHA1

6d31f6ca00d355fe8dc779b377a0f1a7ce677970
SHA256

507cdb533ae17e2796a585b6c6cbb8b2e116fae2dc26209799df93333d40a0c1
SHA512

2c09d97b9034f33ed57292b2e5cd546745be725f3529007b04ba70c5057433d4011be4bbd90c483b8cc11a6e0d716cbe72338b36336a796d0b72d01437300e90

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

C2

127.0.0.1:3360

192.3.24.231:3360

Attributes

activex_autorun
true
activex_key
{W41B645X-8AWL-1GUS-6R75-0DDXP4YA48S8}
copy_executable
true
delete_original
false
host_id
wolla
install_path
%AppData%\Windowsmedialites\windowsdfender.exe
keylogger_dir
%AppData%\Mediaupdater\
lock_executable
false
mutex
PLwAEmqL
offline_keylogger
true
password
Zynova@56070
registry_autorun
true
startup_name
windowsdfender
use_mutex
true

Signatures

NetWire RAT payload 8 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1756-58-0x0000000000000000-mapping.dmp	netwire
behavioral1/memory/1756-60-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1756-62-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1756-66-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/964-72-0x0000000000000000-mapping.dmp	netwire
behavioral1/memory/964-76-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/964-77-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/964-78-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

windowsdfender.exewindowsdfender.exe

pid process

1116 windowsdfender.exe
964 windowsdfender.exe

pid	process
1116	windowsdfender.exe
964	windowsdfender.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

windowsdfender.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{W41B645X-8AWL-1GUS-6R75-0DDXP4YA48S8}	windowsdfender.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{W41B645X-8AWL-1GUS-6R75-0DDXP4YA48S8}\StubPath = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windowsmedialites\\windowsdfender.exe\""	windowsdfender.exe

Loads dropped DLL 2 IoCs

Processes:

507cdb533ae17e2796a585b6c6cbb8b2e116fae2dc26209799df93333d40a0c1.exe

pid	process
1756	507cdb533ae17e2796a585b6c6cbb8b2e116fae2dc26209799df93333d40a0c1.exe
1756	507cdb533ae17e2796a585b6c6cbb8b2e116fae2dc26209799df93333d40a0c1.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

windowsdfender.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Windows\CurrentVersion\Run\windowsdfender = "C:\\Users\\Admin\\AppData\\Roaming\\Windowsmedialites\\windowsdfender.exe"	windowsdfender.exe
Key created	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	windowsdfender.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

507cdb533ae17e2796a585b6c6cbb8b2e116fae2dc26209799df93333d40a0c1.exewindowsdfender.exe

pid process

1660 507cdb533ae17e2796a585b6c6cbb8b2e116fae2dc26209799df93333d40a0c1.exe
1116 windowsdfender.exe

pid	process
1660	507cdb533ae17e2796a585b6c6cbb8b2e116fae2dc26209799df93333d40a0c1.exe
1116	windowsdfender.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

507cdb533ae17e2796a585b6c6cbb8b2e116fae2dc26209799df93333d40a0c1.exe507cdb533ae17e2796a585b6c6cbb8b2e116fae2dc26209799df93333d40a0c1.exewindowsdfender.exe

description	pid	process	target process
PID 1660 wrote to memory of 1756	1660	507cdb533ae17e2796a585b6c6cbb8b2e116fae2dc26209799df93333d40a0c1.exe	507cdb533ae17e2796a585b6c6cbb8b2e116fae2dc26209799df93333d40a0c1.exe
PID 1660 wrote to memory of 1756	1660	507cdb533ae17e2796a585b6c6cbb8b2e116fae2dc26209799df93333d40a0c1.exe	507cdb533ae17e2796a585b6c6cbb8b2e116fae2dc26209799df93333d40a0c1.exe
PID 1660 wrote to memory of 1756	1660	507cdb533ae17e2796a585b6c6cbb8b2e116fae2dc26209799df93333d40a0c1.exe	507cdb533ae17e2796a585b6c6cbb8b2e116fae2dc26209799df93333d40a0c1.exe
PID 1660 wrote to memory of 1756	1660	507cdb533ae17e2796a585b6c6cbb8b2e116fae2dc26209799df93333d40a0c1.exe	507cdb533ae17e2796a585b6c6cbb8b2e116fae2dc26209799df93333d40a0c1.exe
PID 1660 wrote to memory of 1756	1660	507cdb533ae17e2796a585b6c6cbb8b2e116fae2dc26209799df93333d40a0c1.exe	507cdb533ae17e2796a585b6c6cbb8b2e116fae2dc26209799df93333d40a0c1.exe
PID 1660 wrote to memory of 1756	1660	507cdb533ae17e2796a585b6c6cbb8b2e116fae2dc26209799df93333d40a0c1.exe	507cdb533ae17e2796a585b6c6cbb8b2e116fae2dc26209799df93333d40a0c1.exe
PID 1660 wrote to memory of 1756	1660	507cdb533ae17e2796a585b6c6cbb8b2e116fae2dc26209799df93333d40a0c1.exe	507cdb533ae17e2796a585b6c6cbb8b2e116fae2dc26209799df93333d40a0c1.exe
PID 1660 wrote to memory of 1756	1660	507cdb533ae17e2796a585b6c6cbb8b2e116fae2dc26209799df93333d40a0c1.exe	507cdb533ae17e2796a585b6c6cbb8b2e116fae2dc26209799df93333d40a0c1.exe
PID 1660 wrote to memory of 1756	1660	507cdb533ae17e2796a585b6c6cbb8b2e116fae2dc26209799df93333d40a0c1.exe	507cdb533ae17e2796a585b6c6cbb8b2e116fae2dc26209799df93333d40a0c1.exe
PID 1660 wrote to memory of 1756	1660	507cdb533ae17e2796a585b6c6cbb8b2e116fae2dc26209799df93333d40a0c1.exe	507cdb533ae17e2796a585b6c6cbb8b2e116fae2dc26209799df93333d40a0c1.exe
PID 1660 wrote to memory of 1756	1660	507cdb533ae17e2796a585b6c6cbb8b2e116fae2dc26209799df93333d40a0c1.exe	507cdb533ae17e2796a585b6c6cbb8b2e116fae2dc26209799df93333d40a0c1.exe
PID 1660 wrote to memory of 1756	1660	507cdb533ae17e2796a585b6c6cbb8b2e116fae2dc26209799df93333d40a0c1.exe	507cdb533ae17e2796a585b6c6cbb8b2e116fae2dc26209799df93333d40a0c1.exe
PID 1660 wrote to memory of 1756	1660	507cdb533ae17e2796a585b6c6cbb8b2e116fae2dc26209799df93333d40a0c1.exe	507cdb533ae17e2796a585b6c6cbb8b2e116fae2dc26209799df93333d40a0c1.exe
PID 1660 wrote to memory of 1756	1660	507cdb533ae17e2796a585b6c6cbb8b2e116fae2dc26209799df93333d40a0c1.exe	507cdb533ae17e2796a585b6c6cbb8b2e116fae2dc26209799df93333d40a0c1.exe
PID 1660 wrote to memory of 1756	1660	507cdb533ae17e2796a585b6c6cbb8b2e116fae2dc26209799df93333d40a0c1.exe	507cdb533ae17e2796a585b6c6cbb8b2e116fae2dc26209799df93333d40a0c1.exe
PID 1660 wrote to memory of 1756	1660	507cdb533ae17e2796a585b6c6cbb8b2e116fae2dc26209799df93333d40a0c1.exe	507cdb533ae17e2796a585b6c6cbb8b2e116fae2dc26209799df93333d40a0c1.exe
PID 1660 wrote to memory of 1756	1660	507cdb533ae17e2796a585b6c6cbb8b2e116fae2dc26209799df93333d40a0c1.exe	507cdb533ae17e2796a585b6c6cbb8b2e116fae2dc26209799df93333d40a0c1.exe
PID 1660 wrote to memory of 1756	1660	507cdb533ae17e2796a585b6c6cbb8b2e116fae2dc26209799df93333d40a0c1.exe	507cdb533ae17e2796a585b6c6cbb8b2e116fae2dc26209799df93333d40a0c1.exe
PID 1756 wrote to memory of 1116	1756	507cdb533ae17e2796a585b6c6cbb8b2e116fae2dc26209799df93333d40a0c1.exe	windowsdfender.exe
PID 1756 wrote to memory of 1116	1756	507cdb533ae17e2796a585b6c6cbb8b2e116fae2dc26209799df93333d40a0c1.exe	windowsdfender.exe
PID 1756 wrote to memory of 1116	1756	507cdb533ae17e2796a585b6c6cbb8b2e116fae2dc26209799df93333d40a0c1.exe	windowsdfender.exe
PID 1756 wrote to memory of 1116	1756	507cdb533ae17e2796a585b6c6cbb8b2e116fae2dc26209799df93333d40a0c1.exe	windowsdfender.exe
PID 1116 wrote to memory of 964	1116	windowsdfender.exe	windowsdfender.exe
PID 1116 wrote to memory of 964	1116	windowsdfender.exe	windowsdfender.exe
PID 1116 wrote to memory of 964	1116	windowsdfender.exe	windowsdfender.exe
PID 1116 wrote to memory of 964	1116	windowsdfender.exe	windowsdfender.exe
PID 1116 wrote to memory of 964	1116	windowsdfender.exe	windowsdfender.exe
PID 1116 wrote to memory of 964	1116	windowsdfender.exe	windowsdfender.exe
PID 1116 wrote to memory of 964	1116	windowsdfender.exe	windowsdfender.exe
PID 1116 wrote to memory of 964	1116	windowsdfender.exe	windowsdfender.exe
PID 1116 wrote to memory of 964	1116	windowsdfender.exe	windowsdfender.exe
PID 1116 wrote to memory of 964	1116	windowsdfender.exe	windowsdfender.exe
PID 1116 wrote to memory of 964	1116	windowsdfender.exe	windowsdfender.exe
PID 1116 wrote to memory of 964	1116	windowsdfender.exe	windowsdfender.exe
PID 1116 wrote to memory of 964	1116	windowsdfender.exe	windowsdfender.exe
PID 1116 wrote to memory of 964	1116	windowsdfender.exe	windowsdfender.exe
PID 1116 wrote to memory of 964	1116	windowsdfender.exe	windowsdfender.exe
PID 1116 wrote to memory of 964	1116	windowsdfender.exe	windowsdfender.exe
PID 1116 wrote to memory of 964	1116	windowsdfender.exe	windowsdfender.exe
PID 1116 wrote to memory of 964	1116	windowsdfender.exe	windowsdfender.exe

C:\Users\Admin\AppData\Local\Temp\507cdb533ae17e2796a585b6c6cbb8b2e116fae2dc26209799df93333d40a0c1.exe
"C:\Users\Admin\AppData\Local\Temp\507cdb533ae17e2796a585b6c6cbb8b2e116fae2dc26209799df93333d40a0c1.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1660

C:\Users\Admin\AppData\Local\Temp\507cdb533ae17e2796a585b6c6cbb8b2e116fae2dc26209799df93333d40a0c1.exe
"C:\Users\Admin\AppData\Local\Temp\507cdb533ae17e2796a585b6c6cbb8b2e116fae2dc26209799df93333d40a0c1.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1756

C:\Users\Admin\AppData\Roaming\Windowsmedialites\windowsdfender.exe
"C:\Users\Admin\AppData\Roaming\Windowsmedialites\windowsdfender.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1116

C:\Users\Admin\AppData\Roaming\Windowsmedialites\windowsdfender.exe
"C:\Users\Admin\AppData\Roaming\Windowsmedialites\windowsdfender.exe"
4⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
PID:964

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Windowsmedialites\windowsdfender.exe

Filesize
780KB

MD5
24bc8e6bea3028f45e8862a845a2ee9b

SHA1
6d31f6ca00d355fe8dc779b377a0f1a7ce677970

SHA256
507cdb533ae17e2796a585b6c6cbb8b2e116fae2dc26209799df93333d40a0c1

SHA512
2c09d97b9034f33ed57292b2e5cd546745be725f3529007b04ba70c5057433d4011be4bbd90c483b8cc11a6e0d716cbe72338b36336a796d0b72d01437300e90

Download Submit
C:\Users\Admin\AppData\Roaming\Windowsmedialites\windowsdfender.exe

Filesize
780KB

MD5
24bc8e6bea3028f45e8862a845a2ee9b

SHA1
6d31f6ca00d355fe8dc779b377a0f1a7ce677970

SHA256
507cdb533ae17e2796a585b6c6cbb8b2e116fae2dc26209799df93333d40a0c1

SHA512
2c09d97b9034f33ed57292b2e5cd546745be725f3529007b04ba70c5057433d4011be4bbd90c483b8cc11a6e0d716cbe72338b36336a796d0b72d01437300e90

Download Submit
C:\Users\Admin\AppData\Roaming\Windowsmedialites\windowsdfender.exe

Filesize
780KB

MD5
24bc8e6bea3028f45e8862a845a2ee9b

SHA1
6d31f6ca00d355fe8dc779b377a0f1a7ce677970

SHA256
507cdb533ae17e2796a585b6c6cbb8b2e116fae2dc26209799df93333d40a0c1

SHA512
2c09d97b9034f33ed57292b2e5cd546745be725f3529007b04ba70c5057433d4011be4bbd90c483b8cc11a6e0d716cbe72338b36336a796d0b72d01437300e90

Download Submit
\Users\Admin\AppData\Roaming\Windowsmedialites\windowsdfender.exe

Filesize
780KB

MD5
24bc8e6bea3028f45e8862a845a2ee9b

SHA1
6d31f6ca00d355fe8dc779b377a0f1a7ce677970

SHA256
507cdb533ae17e2796a585b6c6cbb8b2e116fae2dc26209799df93333d40a0c1

SHA512
2c09d97b9034f33ed57292b2e5cd546745be725f3529007b04ba70c5057433d4011be4bbd90c483b8cc11a6e0d716cbe72338b36336a796d0b72d01437300e90

Download Submit
\Users\Admin\AppData\Roaming\Windowsmedialites\windowsdfender.exe

Filesize
780KB

MD5
24bc8e6bea3028f45e8862a845a2ee9b

SHA1
6d31f6ca00d355fe8dc779b377a0f1a7ce677970

SHA256
507cdb533ae17e2796a585b6c6cbb8b2e116fae2dc26209799df93333d40a0c1

SHA512
2c09d97b9034f33ed57292b2e5cd546745be725f3529007b04ba70c5057433d4011be4bbd90c483b8cc11a6e0d716cbe72338b36336a796d0b72d01437300e90

Download Submit
memory/964-78-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/964-77-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/964-76-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/964-72-0x0000000000000000-mapping.dmp

Download
memory/1116-65-0x0000000000000000-mapping.dmp

Download
memory/1660-56-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/1660-59-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/1660-57-0x0000000074F01000-0x0000000074F03000-memory.dmp

Filesize
8KB

Download
memory/1756-66-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1756-62-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1756-60-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1756-58-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads