netwire | e1a77fa5285413469295dae451a81e68613360acbd05c127701e6e289279acfd

General

Target

Receipt.exe
Size

1.1MB
MD5

92220ac479344c60ae11a3d8c74a2b36
SHA1

c8170dcc4766b603e6cad4d854f9ec3b7c4dcce2
SHA256

e1a77fa5285413469295dae451a81e68613360acbd05c127701e6e289279acfd
SHA512

cc1b11100fcb419a94b33215cad1949778e9e694977c09d77e384269ef9a012aba7d107cd00acd84c0a5114773b1a3c8e11e262e779e78624fcda318eb29c43f

Score

10^/10

netwire botnet evasion rat stealer

Malware Config

Extracted

Family

netwire

C2

185.140.53.61:3363

185.140.53.61:3365

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
move4ward
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1764-141-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral2/memory/1764-143-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral2/memory/1764-144-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral2/memory/1764-145-0x0000000000400000-0x0000000000433000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

Receipt.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions Receipt.exe
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

Receipt.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools Receipt.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions	Receipt.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	Receipt.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Receipt.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Receipt.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Receipt.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Receipt.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\Control Panel\International\Geo\Nation	Receipt.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Receipt.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	Receipt.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	Receipt.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Receipt.exe

description pid process target process

PID 3436 set thread context of 1764 3436 Receipt.exe Receipt.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

952 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Receipt.exe

pid process

3436 Receipt.exe
3436 Receipt.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Receipt.exe

description pid process

Token: SeDebugPrivilege 3436 Receipt.exe

description	pid	process	target process
PID 3436 set thread context of 1764	3436	Receipt.exe	Receipt.exe

pid	process
952	schtasks.exe

pid	process
3436	Receipt.exe
3436	Receipt.exe

description	pid	process
Token: SeDebugPrivilege	3436	Receipt.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

Receipt.exe

description	pid	process	target process
PID 3436 wrote to memory of 952	3436	Receipt.exe	schtasks.exe
PID 3436 wrote to memory of 952	3436	Receipt.exe	schtasks.exe
PID 3436 wrote to memory of 952	3436	Receipt.exe	schtasks.exe
PID 3436 wrote to memory of 1732	3436	Receipt.exe	Receipt.exe
PID 3436 wrote to memory of 1732	3436	Receipt.exe	Receipt.exe
PID 3436 wrote to memory of 1732	3436	Receipt.exe	Receipt.exe
PID 3436 wrote to memory of 1764	3436	Receipt.exe	Receipt.exe
PID 3436 wrote to memory of 1764	3436	Receipt.exe	Receipt.exe
PID 3436 wrote to memory of 1764	3436	Receipt.exe	Receipt.exe
PID 3436 wrote to memory of 1764	3436	Receipt.exe	Receipt.exe
PID 3436 wrote to memory of 1764	3436	Receipt.exe	Receipt.exe
PID 3436 wrote to memory of 1764	3436	Receipt.exe	Receipt.exe
PID 3436 wrote to memory of 1764	3436	Receipt.exe	Receipt.exe
PID 3436 wrote to memory of 1764	3436	Receipt.exe	Receipt.exe
PID 3436 wrote to memory of 1764	3436	Receipt.exe	Receipt.exe
PID 3436 wrote to memory of 1764	3436	Receipt.exe	Receipt.exe
PID 3436 wrote to memory of 1764	3436	Receipt.exe	Receipt.exe

C:\Users\Admin\AppData\Local\Temp\Receipt.exe
"C:\Users\Admin\AppData\Local\Temp\Receipt.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3436

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cPbvjkpUOOc" /XML "C:\Users\Admin\AppData\Local\Temp\tmp632E.tmp"
2⤵
- Creates scheduled task(s)
PID:952

C:\Users\Admin\AppData\Local\Temp\Receipt.exe
"{path}"
2⤵
PID:1732

C:\Users\Admin\AppData\Local\Temp\Receipt.exe
"{path}"
2⤵
PID:1764

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

4

T1082

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp632E.tmp

Filesize
1KB

MD5
748f2d38c6219eb5bc5e1fb1d544a5ef

SHA1
9bf0e27074a7be4aa4366c00c3bf81644751b86d

SHA256
235c5a0214282e0a5571db1b035129e59bf2c763ddb4bfa05f26aca73ab677ec

SHA512
efc15340027f7441e1ac037f58799298467464366871b3e0c396c31e3279211a66f9e1bff8821d707a4c835a2d5b6943ed47776ccb5b7a8feed50cef98b45c00

Download Submit
memory/952-137-0x0000000000000000-mapping.dmp

Download
memory/1732-139-0x0000000000000000-mapping.dmp

Download
memory/1764-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1764-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1764-143-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1764-141-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1764-140-0x0000000000000000-mapping.dmp

Download
memory/3436-133-0x00000000058C0000-0x0000000005952000-memory.dmp

Filesize
584KB

Download
memory/3436-136-0x0000000008300000-0x0000000008366000-memory.dmp

Filesize
408KB

Download
memory/3436-135-0x0000000005A50000-0x0000000005AA6000-memory.dmp

Filesize
344KB

Download
memory/3436-134-0x00000000057C0000-0x00000000057CA000-memory.dmp

Filesize
40KB

Download
memory/3436-130-0x0000000000C60000-0x0000000000D88000-memory.dmp

Filesize
1.2MB

Download
memory/3436-132-0x0000000005DD0000-0x0000000006374000-memory.dmp

Filesize
5.6MB

Download
memory/3436-131-0x00000000056E0000-0x000000000577C000-memory.dmp

Filesize
624KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads