netwire | 94c157980ea71c70134696ab3a285ac9668546370e9503433c5aa11df45ed15b

General

Target

New Trial Order CSI94950949349pdf.exe
Size

584KB
MD5

6c1466f2e02bff6394c42e9f9a79b872
SHA1

b691a323fa4ebea73aa728fa979be437e226eeb1
SHA256

94c157980ea71c70134696ab3a285ac9668546370e9503433c5aa11df45ed15b
SHA512

9252adaa812f85442e8c5f990406446c15cd4d4f16749ee9876dd4408e8f5930e78d9b85552b7cffce2969efea640fc23daac348b2bc53fe33aaa26af2ecb223

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

C2

sani990.duckdns.org:5631

admin96.hopto.org:5631

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
THE SAINT
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
hPSXRboY
offline_keylogger
true
password
teamoluwa1
registry_autorun
false
use_mutex
true

Signatures

NetWire RAT payload 10 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1556-72-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/1556-73-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/1556-74-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/1556-76-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/1556-78-0x000000000040242D-mapping.dmp	netwire
behavioral1/memory/1556-77-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/1556-81-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/1232-82-0x000000006EA20000-0x000000006EFCB000-memory.dmp	netwire
behavioral1/memory/1556-84-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/1556-85-0x0000000000400000-0x0000000000433000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Suspicious use of SetThreadContext 1 IoCs

Processes:

New Trial Order CSI94950949349pdf.exe

description pid process target process

PID 1960 set thread context of 1556 1960 New Trial Order CSI94950949349pdf.exe New Trial Order CSI94950949349pdf.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1388 schtasks.exe

description	pid	process	target process
PID 1960 set thread context of 1556	1960	New Trial Order CSI94950949349pdf.exe	New Trial Order CSI94950949349pdf.exe

pid	process
1388	schtasks.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

New Trial Order CSI94950949349pdf.exepowershell.exepowershell.exe

pid	process
1960	New Trial Order CSI94950949349pdf.exe
1960	New Trial Order CSI94950949349pdf.exe
1960	New Trial Order CSI94950949349pdf.exe
1960	New Trial Order CSI94950949349pdf.exe
1960	New Trial Order CSI94950949349pdf.exe
1960	New Trial Order CSI94950949349pdf.exe
1960	New Trial Order CSI94950949349pdf.exe
1960	New Trial Order CSI94950949349pdf.exe
1960	New Trial Order CSI94950949349pdf.exe
1960	New Trial Order CSI94950949349pdf.exe
1960	New Trial Order CSI94950949349pdf.exe
1960	New Trial Order CSI94950949349pdf.exe
1960	New Trial Order CSI94950949349pdf.exe
1960	New Trial Order CSI94950949349pdf.exe
1960	New Trial Order CSI94950949349pdf.exe
1960	New Trial Order CSI94950949349pdf.exe
1960	New Trial Order CSI94950949349pdf.exe
1960	New Trial Order CSI94950949349pdf.exe
1960	New Trial Order CSI94950949349pdf.exe
1960	New Trial Order CSI94950949349pdf.exe
1960	New Trial Order CSI94950949349pdf.exe
1960	New Trial Order CSI94950949349pdf.exe
1960	New Trial Order CSI94950949349pdf.exe
1960	New Trial Order CSI94950949349pdf.exe
2036	powershell.exe
1232	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

New Trial Order CSI94950949349pdf.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1960	New Trial Order CSI94950949349pdf.exe
Token: SeDebugPrivilege	1232	powershell.exe
Token: SeDebugPrivilege	2036	powershell.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

New Trial Order CSI94950949349pdf.exe

C:\Users\Admin\AppData\Local\Temp\New Trial Order CSI94950949349pdf.exe
"C:\Users\Admin\AppData\Local\Temp\New Trial Order CSI94950949349pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1960

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\New Trial Order CSI94950949349pdf.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1232

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\IsOEDKVF.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2036

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IsOEDKVF" /XML "C:\Users\Admin\AppData\Local\Temp\tmp405B.tmp"
2⤵
- Creates scheduled task(s)
PID:1388

C:\Users\Admin\AppData\Local\Temp\New Trial Order CSI94950949349pdf.exe
"C:\Users\Admin\AppData\Local\Temp\New Trial Order CSI94950949349pdf.exe"
2⤵
PID:856

C:\Users\Admin\AppData\Local\Temp\New Trial Order CSI94950949349pdf.exe
"C:\Users\Admin\AppData\Local\Temp\New Trial Order CSI94950949349pdf.exe"
2⤵
PID:1036

C:\Users\Admin\AppData\Local\Temp\New Trial Order CSI94950949349pdf.exe
"C:\Users\Admin\AppData\Local\Temp\New Trial Order CSI94950949349pdf.exe"
2⤵
PID:1488

C:\Users\Admin\AppData\Local\Temp\New Trial Order CSI94950949349pdf.exe
"C:\Users\Admin\AppData\Local\Temp\New Trial Order CSI94950949349pdf.exe"
2⤵
PID:1556

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp405B.tmp

Filesize
1KB

MD5
6b0b3d2b1df74b1c0ecfd4f29c5751e6

SHA1
c9c55ee1eaae9396e8f0e0d977d6e4564de730dd

SHA256
d4c3480e242e502b37a0dc4938f376522c976e4ce30faa767067debcee8ea4fc

SHA512
e1debd64f2662fcdb7c01f2afcea5e1e54e755387ac69efc8577fe0076b7f489497582a1dc6c80b0005451e92e5a5bcac7af14c0dd3bda87c4cf34e9e5f72b9e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
84449ae9d0357697c634367c7a99fdba

SHA1
528c10b977eb5b962d92254f5ea58ae776977c36

SHA256
7a821e557ae0c82d62e1b5e99273a91296874b8b981419ed348ae31c24d19e2a

SHA512
a1eebf265800f56e504fd21778fb4ec828621e78de7b1e4b44b35c0bd6df363b32f6ff2c653d376a061b0d11c5a54a7de75a6f1aa87008457f56d3bdb9d1c5d2

Download Submit
memory/1232-83-0x000000006EA20000-0x000000006EFCB000-memory.dmp

Filesize
5.7MB

Download
memory/1232-82-0x000000006EA20000-0x000000006EFCB000-memory.dmp

Filesize
5.7MB

Download
memory/1232-59-0x0000000000000000-mapping.dmp

Download
memory/1388-62-0x0000000000000000-mapping.dmp

Download
memory/1556-78-0x000000000040242D-mapping.dmp

Download
memory/1556-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1556-85-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1556-84-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1556-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1556-67-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1556-68-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1556-70-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1556-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1556-77-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1556-74-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1556-76-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1960-54-0x00000000001E0000-0x0000000000278000-memory.dmp

Filesize
608KB

Download
memory/1960-66-0x00000000021F0000-0x000000000221E000-memory.dmp

Filesize
184KB

Download
memory/1960-56-0x0000000000420000-0x000000000043E000-memory.dmp

Filesize
120KB

Download
memory/1960-55-0x0000000075B61000-0x0000000075B63000-memory.dmp

Filesize
8KB

Download
memory/1960-57-0x0000000000450000-0x000000000045A000-memory.dmp

Filesize
40KB

Download
memory/1960-58-0x0000000005B00000-0x0000000005B66000-memory.dmp

Filesize
408KB

Download
memory/2036-61-0x0000000000000000-mapping.dmp

Download

description	pid	process	target process
PID 1960 wrote to memory of 1232	1960	New Trial Order CSI94950949349pdf.exe	powershell.exe
PID 1960 wrote to memory of 1232	1960	New Trial Order CSI94950949349pdf.exe	powershell.exe
PID 1960 wrote to memory of 1232	1960	New Trial Order CSI94950949349pdf.exe	powershell.exe
PID 1960 wrote to memory of 1232	1960	New Trial Order CSI94950949349pdf.exe	powershell.exe
PID 1960 wrote to memory of 2036	1960	New Trial Order CSI94950949349pdf.exe	powershell.exe
PID 1960 wrote to memory of 2036	1960	New Trial Order CSI94950949349pdf.exe	powershell.exe
PID 1960 wrote to memory of 2036	1960	New Trial Order CSI94950949349pdf.exe	powershell.exe
PID 1960 wrote to memory of 2036	1960	New Trial Order CSI94950949349pdf.exe	powershell.exe
PID 1960 wrote to memory of 1388	1960	New Trial Order CSI94950949349pdf.exe	schtasks.exe
PID 1960 wrote to memory of 1388	1960	New Trial Order CSI94950949349pdf.exe	schtasks.exe
PID 1960 wrote to memory of 1388	1960	New Trial Order CSI94950949349pdf.exe	schtasks.exe
PID 1960 wrote to memory of 1388	1960	New Trial Order CSI94950949349pdf.exe	schtasks.exe
PID 1960 wrote to memory of 856	1960	New Trial Order CSI94950949349pdf.exe	New Trial Order CSI94950949349pdf.exe
PID 1960 wrote to memory of 856	1960	New Trial Order CSI94950949349pdf.exe	New Trial Order CSI94950949349pdf.exe
PID 1960 wrote to memory of 856	1960	New Trial Order CSI94950949349pdf.exe	New Trial Order CSI94950949349pdf.exe
PID 1960 wrote to memory of 856	1960	New Trial Order CSI94950949349pdf.exe	New Trial Order CSI94950949349pdf.exe
PID 1960 wrote to memory of 1036	1960	New Trial Order CSI94950949349pdf.exe	New Trial Order CSI94950949349pdf.exe
PID 1960 wrote to memory of 1036	1960	New Trial Order CSI94950949349pdf.exe	New Trial Order CSI94950949349pdf.exe
PID 1960 wrote to memory of 1036	1960	New Trial Order CSI94950949349pdf.exe	New Trial Order CSI94950949349pdf.exe
PID 1960 wrote to memory of 1036	1960	New Trial Order CSI94950949349pdf.exe	New Trial Order CSI94950949349pdf.exe
PID 1960 wrote to memory of 1488	1960	New Trial Order CSI94950949349pdf.exe	New Trial Order CSI94950949349pdf.exe
PID 1960 wrote to memory of 1488	1960	New Trial Order CSI94950949349pdf.exe	New Trial Order CSI94950949349pdf.exe
PID 1960 wrote to memory of 1488	1960	New Trial Order CSI94950949349pdf.exe	New Trial Order CSI94950949349pdf.exe
PID 1960 wrote to memory of 1488	1960	New Trial Order CSI94950949349pdf.exe	New Trial Order CSI94950949349pdf.exe
PID 1960 wrote to memory of 1556	1960	New Trial Order CSI94950949349pdf.exe	New Trial Order CSI94950949349pdf.exe
PID 1960 wrote to memory of 1556	1960	New Trial Order CSI94950949349pdf.exe	New Trial Order CSI94950949349pdf.exe
PID 1960 wrote to memory of 1556	1960	New Trial Order CSI94950949349pdf.exe	New Trial Order CSI94950949349pdf.exe
PID 1960 wrote to memory of 1556	1960	New Trial Order CSI94950949349pdf.exe	New Trial Order CSI94950949349pdf.exe
PID 1960 wrote to memory of 1556	1960	New Trial Order CSI94950949349pdf.exe	New Trial Order CSI94950949349pdf.exe
PID 1960 wrote to memory of 1556	1960	New Trial Order CSI94950949349pdf.exe	New Trial Order CSI94950949349pdf.exe
PID 1960 wrote to memory of 1556	1960	New Trial Order CSI94950949349pdf.exe	New Trial Order CSI94950949349pdf.exe
PID 1960 wrote to memory of 1556	1960	New Trial Order CSI94950949349pdf.exe	New Trial Order CSI94950949349pdf.exe
PID 1960 wrote to memory of 1556	1960	New Trial Order CSI94950949349pdf.exe	New Trial Order CSI94950949349pdf.exe
PID 1960 wrote to memory of 1556	1960	New Trial Order CSI94950949349pdf.exe	New Trial Order CSI94950949349pdf.exe
PID 1960 wrote to memory of 1556	1960	New Trial Order CSI94950949349pdf.exe	New Trial Order CSI94950949349pdf.exe
PID 1960 wrote to memory of 1556	1960	New Trial Order CSI94950949349pdf.exe	New Trial Order CSI94950949349pdf.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads