netwire | 4d56278b029bdc00e31be2e1c2fbc5466e5922021339f76d9cd85627d2cbbe4d

Analysis

max time kernel
133s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
resource tags

arch:x64arch:x86image:win10v2004-20220414-enlocale:en-usos:windows10-2004-x64system
submitted
20-07-2022 18:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Quote.xll
Size

3.5MB
MD5

a8e4d303989a278e632723fa6862d17c
SHA1

4f2e12a680fb2085ee688eedf12a28dc37276f70
SHA256

4d56278b029bdc00e31be2e1c2fbc5466e5922021339f76d9cd85627d2cbbe4d
SHA512

84d69b24e644409578392bb68a109a863820ddf6915efae1e82e686203c2dd6fd9e390589f6f6e500d17bc2528f2425a8d803db2b5dbe43aadd03c4b8e65679e

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Language

xlm4.0

Source

Extracted

Family

netwire

194.5.98.126:3378

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Pass@2023
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4140-166-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral2/memory/4140-169-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral2/memory/4140-173-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral2/memory/4140-185-0x0000000000400000-0x0000000000433000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.execmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2628	4160	cmd.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	5048	4160	cmd.exe	EXCEL.EXE

Executes dropped EXE 2 IoCs

Processes:

appPDJMLLLRMV.txt.exeappPDJMLLLRMV.txt.exe

pid process

32 appPDJMLLLRMV.txt.exe
4140 appPDJMLLLRMV.txt.exe

pid	process
32	appPDJMLLLRMV.txt.exe
4140	appPDJMLLLRMV.txt.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

appPDJMLLLRMV.txt.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	appPDJMLLLRMV.txt.exe

Loads dropped DLL 2 IoCs

Processes:

EXCEL.EXE

pid process

4160 EXCEL.EXE
4160 EXCEL.EXE
Suspicious use of SetThreadContext 1 IoCs

Processes:

appPDJMLLLRMV.txt.exe

description pid process target process

PID 32 set thread context of 4140 32 appPDJMLLLRMV.txt.exe appPDJMLLLRMV.txt.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 32 set thread context of 4140	32	appPDJMLLLRMV.txt.exe	appPDJMLLLRMV.txt.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4908 schtasks.exe

pid	process
4908	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

4160 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

4668 powershell.exe
4668 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 4668 powershell.exe

pid	process
4668	powershell.exe
4668	powershell.exe

description	pid	process
Token: SeDebugPrivilege	4668	powershell.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXE

pid	process
4160	EXCEL.EXE
4160	EXCEL.EXE
4160	EXCEL.EXE
4160	EXCEL.EXE
4160	EXCEL.EXE
4160	EXCEL.EXE
4160	EXCEL.EXE
4160	EXCEL.EXE
4160	EXCEL.EXE
4160	EXCEL.EXE
4160	EXCEL.EXE
4160	EXCEL.EXE

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

EXCEL.EXEcmd.execmd.exeappPDJMLLLRMV.txt.exe

description	pid	process	target process
PID 4160 wrote to memory of 2628	4160	EXCEL.EXE	cmd.exe
PID 4160 wrote to memory of 2628	4160	EXCEL.EXE	cmd.exe
PID 2628 wrote to memory of 2096	2628	cmd.exe	certutil.exe
PID 2628 wrote to memory of 2096	2628	cmd.exe	certutil.exe
PID 4160 wrote to memory of 5048	4160	EXCEL.EXE	cmd.exe
PID 4160 wrote to memory of 5048	4160	EXCEL.EXE	cmd.exe
PID 5048 wrote to memory of 772	5048	cmd.exe	certutil.exe
PID 5048 wrote to memory of 772	5048	cmd.exe	certutil.exe
PID 5048 wrote to memory of 32	5048	cmd.exe	appPDJMLLLRMV.txt.exe
PID 5048 wrote to memory of 32	5048	cmd.exe	appPDJMLLLRMV.txt.exe
PID 5048 wrote to memory of 32	5048	cmd.exe	appPDJMLLLRMV.txt.exe
PID 32 wrote to memory of 4668	32	appPDJMLLLRMV.txt.exe	powershell.exe
PID 32 wrote to memory of 4668	32	appPDJMLLLRMV.txt.exe	powershell.exe
PID 32 wrote to memory of 4668	32	appPDJMLLLRMV.txt.exe	powershell.exe
PID 32 wrote to memory of 4908	32	appPDJMLLLRMV.txt.exe	schtasks.exe
PID 32 wrote to memory of 4908	32	appPDJMLLLRMV.txt.exe	schtasks.exe
PID 32 wrote to memory of 4908	32	appPDJMLLLRMV.txt.exe	schtasks.exe
PID 32 wrote to memory of 4140	32	appPDJMLLLRMV.txt.exe	appPDJMLLLRMV.txt.exe
PID 32 wrote to memory of 4140	32	appPDJMLLLRMV.txt.exe	appPDJMLLLRMV.txt.exe
PID 32 wrote to memory of 4140	32	appPDJMLLLRMV.txt.exe	appPDJMLLLRMV.txt.exe
PID 32 wrote to memory of 4140	32	appPDJMLLLRMV.txt.exe	appPDJMLLLRMV.txt.exe
PID 32 wrote to memory of 4140	32	appPDJMLLLRMV.txt.exe	appPDJMLLLRMV.txt.exe
PID 32 wrote to memory of 4140	32	appPDJMLLLRMV.txt.exe	appPDJMLLLRMV.txt.exe
PID 32 wrote to memory of 4140	32	appPDJMLLLRMV.txt.exe	appPDJMLLLRMV.txt.exe
PID 32 wrote to memory of 4140	32	appPDJMLLLRMV.txt.exe	appPDJMLLLRMV.txt.exe
PID 32 wrote to memory of 4140	32	appPDJMLLLRMV.txt.exe	appPDJMLLLRMV.txt.exe
PID 32 wrote to memory of 4140	32	appPDJMLLLRMV.txt.exe	appPDJMLLLRMV.txt.exe
PID 32 wrote to memory of 4140	32	appPDJMLLLRMV.txt.exe	appPDJMLLLRMV.txt.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Quote.xll"
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4160

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C certutil -decode C:\Users\Admin\Downloads\appPDJMLLLRMV.txt C:\Users\Admin\Downloads\appPDJMLLLRMV.txt.xlsx
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2628

C:\Windows\system32\certutil.exe
certutil -decode C:\Users\Admin\Downloads\appPDJMLLLRMV.txt C:\Users\Admin\Downloads\appPDJMLLLRMV.txt.xlsx
3⤵
PID:2096

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C certutil -decode C:\Users\Admin\Downloads\appPDJMLLLRMV.txt C:\Users\Admin\Downloads\appPDJMLLLRMV.txt.exe & C:\Users\Admin\Downloads\appPDJMLLLRMV.txt.exe
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:5048

C:\Windows\system32\certutil.exe
certutil -decode C:\Users\Admin\Downloads\appPDJMLLLRMV.txt C:\Users\Admin\Downloads\appPDJMLLLRMV.txt.exe
3⤵
PID:772

C:\Users\Admin\Downloads\appPDJMLLLRMV.txt.exe
C:\Users\Admin\Downloads\appPDJMLLLRMV.txt.exe
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:32

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\UoEANl.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4668

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UoEANl" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA4DB.tmp"
4⤵
- Creates scheduled task(s)
PID:4908

C:\Users\Admin\Downloads\appPDJMLLLRMV.txt.exe
"C:\Users\Admin\Downloads\appPDJMLLLRMV.txt.exe"
4⤵
- Executes dropped EXE
PID:4140

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Quote.xll

Filesize
3.5MB

MD5
a8e4d303989a278e632723fa6862d17c

SHA1
4f2e12a680fb2085ee688eedf12a28dc37276f70

SHA256
4d56278b029bdc00e31be2e1c2fbc5466e5922021339f76d9cd85627d2cbbe4d

SHA512
84d69b24e644409578392bb68a109a863820ddf6915efae1e82e686203c2dd6fd9e390589f6f6e500d17bc2528f2425a8d803db2b5dbe43aadd03c4b8e65679e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Quote.xll

Filesize
3.5MB

MD5
a8e4d303989a278e632723fa6862d17c

SHA1
4f2e12a680fb2085ee688eedf12a28dc37276f70

SHA256
4d56278b029bdc00e31be2e1c2fbc5466e5922021339f76d9cd85627d2cbbe4d

SHA512
84d69b24e644409578392bb68a109a863820ddf6915efae1e82e686203c2dd6fd9e390589f6f6e500d17bc2528f2425a8d803db2b5dbe43aadd03c4b8e65679e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA4DB.tmp

Filesize
1KB

MD5
447fe025c3d349884428096d53493756

SHA1
f59beaa5b3ec367d8d9a1bffb77b5581e0f0fc57

SHA256
89a4f1168c17c015a6b8c231e1d0f640f934529701a63b176cf9218197b8a1f7

SHA512
c4b12b8b9a42c30813a353f334f9c889e5eabbf49a8c209b2480eca118851674743640dfca857a3d998ccb5229d7771214ae25936f0299aca6aa702a16735b14

Download Submit
C:\Users\Admin\Downloads\appPDJMLLLRMV.txt

Filesize
2.1MB

MD5
64fbe214c00b900393115edcd6bd3040

SHA1
65720069ac643f6fec7f3a835ae71090805e7f63

SHA256
ac4ad6762268715dd3a50c0ab0fcd372ab01a83381fc3cd6583f1acbaedf92f7

SHA512
252cc4f42671e5e572c83007cfe0cf03eff14c9dffc349ff31e2779f79b5b9526216ed6e8d0364bcf756a062068917d2209ca9772f10e1a60cb759a42cc8b2f4

Download Submit
C:\Users\Admin\Downloads\appPDJMLLLRMV.txt

Filesize
57KB

MD5
3bf777b958059b015e552c1fb0a153c1

SHA1
dcc21ff8bb10a2cccca322d04db740f6bc5f411d

SHA256
7a59d3b1d56a7776f0534f84497162965c24d3423fbe4d19569ae20debeccbf5

SHA512
91a5f31ada101554e6f4e55cbd661cae31b92775978d7db048319ed21b1300243b092e0df23758642bf35a383a284cc34b52901bd58c5e8bc8c022b54dbb1a78

Download Submit
C:\Users\Admin\Downloads\appPDJMLLLRMV.txt.exe

Filesize
795KB

MD5
f9ae59a92153aaebda65039990bc9789

SHA1
0c612ed8770eced1e084c0fe2ab0af70a6174037

SHA256
6a3821e1b0ee3abf92b50749dc07612ad341fe08414bf77beb1163a8b1f98aed

SHA512
c3419dbfbbc9cc3fd3cfd6baf849dc01b33b68a2cd93e6fc12cb988f0aac321b9391c5a9dcf9e10e358b2b72923f5ef9ad2bad7b1cfbfb5f0dfe717e01b96a84

Download Submit
C:\Users\Admin\Downloads\appPDJMLLLRMV.txt.exe

Filesize
795KB

MD5
f9ae59a92153aaebda65039990bc9789

SHA1
0c612ed8770eced1e084c0fe2ab0af70a6174037

SHA256
6a3821e1b0ee3abf92b50749dc07612ad341fe08414bf77beb1163a8b1f98aed

SHA512
c3419dbfbbc9cc3fd3cfd6baf849dc01b33b68a2cd93e6fc12cb988f0aac321b9391c5a9dcf9e10e358b2b72923f5ef9ad2bad7b1cfbfb5f0dfe717e01b96a84

Download Submit
C:\Users\Admin\Downloads\appPDJMLLLRMV.txt.exe

Filesize
795KB

MD5
f9ae59a92153aaebda65039990bc9789

SHA1
0c612ed8770eced1e084c0fe2ab0af70a6174037

SHA256
6a3821e1b0ee3abf92b50749dc07612ad341fe08414bf77beb1163a8b1f98aed

SHA512
c3419dbfbbc9cc3fd3cfd6baf849dc01b33b68a2cd93e6fc12cb988f0aac321b9391c5a9dcf9e10e358b2b72923f5ef9ad2bad7b1cfbfb5f0dfe717e01b96a84

Download Submit
C:\Users\Admin\Downloads\appPDJMLLLRMV.txt.xlsx

Filesize
43KB

MD5
287e0b1bd13fbdca2aa0baf624e04901

SHA1
20f0976f0882d61f77c78cf27b1124e16946040c

SHA256
c1ea924fc0fa2f07be75b263c5d624740e8f0a59e7fd24d1c90b620b97f02432

SHA512
4cbf9faa72ccbbeca9995c4970a49cb762f44a659e46169a5418bff1e883a63d84713dc1fe016ac139e64347f8f7e48796c92801b3da359fe10702e13850b5cb

Download Submit
memory/32-157-0x0000000007400000-0x000000000749C000-memory.dmp

Filesize
624KB

Download
memory/32-150-0x0000000000000000-mapping.dmp

Download
memory/32-156-0x0000000004ED0000-0x0000000004EDA000-memory.dmp

Filesize
40KB

Download
memory/32-153-0x00000000005C0000-0x000000000068E000-memory.dmp

Filesize
824KB

Download
memory/32-154-0x0000000005440000-0x00000000059E4000-memory.dmp

Filesize
5.6MB

Download
memory/32-155-0x0000000004F30000-0x0000000004FC2000-memory.dmp

Filesize
584KB

Download
memory/772-148-0x0000000000000000-mapping.dmp

Download
memory/2096-144-0x0000000000000000-mapping.dmp

Download
memory/2628-143-0x0000000000000000-mapping.dmp

Download
memory/4140-166-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4140-165-0x0000000000000000-mapping.dmp

Download
memory/4140-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4140-173-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4140-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4160-159-0x00000278AB7DC000-0x00000278AB7DF000-memory.dmp

Filesize
12KB

Download
memory/4160-132-0x00007FFE5E3D0000-0x00007FFE5E3E0000-memory.dmp

Filesize
64KB

Download
memory/4160-142-0x00000278AB7DC000-0x00000278AB7DF000-memory.dmp

Filesize
12KB

Download
memory/4160-141-0x00007FFE7A3A0000-0x00007FFE7AE61000-memory.dmp

Filesize
10.8MB

Download
memory/4160-158-0x00007FFE7A3A0000-0x00007FFE7AE61000-memory.dmp

Filesize
10.8MB

Download
memory/4160-130-0x00007FFE5E3D0000-0x00007FFE5E3E0000-memory.dmp

Filesize
64KB

Download
memory/4160-191-0x00007FFE7A3A0000-0x00007FFE7AE61000-memory.dmp

Filesize
10.8MB

Download
memory/4160-190-0x00007FFE5E3D0000-0x00007FFE5E3E0000-memory.dmp

Filesize
64KB

Download
memory/4160-189-0x00007FFE5E3D0000-0x00007FFE5E3E0000-memory.dmp

Filesize
64KB

Download
memory/4160-138-0x00000278AB0F0000-0x00000278AB483000-memory.dmp

Filesize
3.6MB

Download
memory/4160-188-0x00007FFE5E3D0000-0x00007FFE5E3E0000-memory.dmp

Filesize
64KB

Download
memory/4160-136-0x00007FFE5C370000-0x00007FFE5C380000-memory.dmp

Filesize
64KB

Download
memory/4160-135-0x00007FFE5C370000-0x00007FFE5C380000-memory.dmp

Filesize
64KB

Download
memory/4160-134-0x00007FFE5E3D0000-0x00007FFE5E3E0000-memory.dmp

Filesize
64KB

Download
memory/4160-133-0x00007FFE5E3D0000-0x00007FFE5E3E0000-memory.dmp

Filesize
64KB

Download
memory/4160-187-0x00007FFE5E3D0000-0x00007FFE5E3E0000-memory.dmp

Filesize
64KB

Download
memory/4160-131-0x00007FFE5E3D0000-0x00007FFE5E3E0000-memory.dmp

Filesize
64KB

Download
memory/4668-172-0x0000000005390000-0x00000000053F6000-memory.dmp

Filesize
408KB

Download
memory/4668-181-0x0000000006F80000-0x0000000007016000-memory.dmp

Filesize
600KB

Download
memory/4668-174-0x00000000059F0000-0x0000000005A0E000-memory.dmp

Filesize
120KB

Download
memory/4668-175-0x0000000005F90000-0x0000000005FC2000-memory.dmp

Filesize
200KB

Download
memory/4668-176-0x0000000070FC0000-0x000000007100C000-memory.dmp

Filesize
304KB

Download
memory/4668-177-0x0000000005F70000-0x0000000005F8E000-memory.dmp

Filesize
120KB

Download
memory/4668-178-0x0000000007330000-0x00000000079AA000-memory.dmp

Filesize
6.5MB

Download
memory/4668-179-0x0000000006CF0000-0x0000000006D0A000-memory.dmp

Filesize
104KB

Download
memory/4668-180-0x0000000006D60000-0x0000000006D6A000-memory.dmp

Filesize
40KB

Download
memory/4668-160-0x0000000000000000-mapping.dmp

Download
memory/4668-182-0x0000000006F30000-0x0000000006F3E000-memory.dmp

Filesize
56KB

Download
memory/4668-183-0x0000000007040000-0x000000000705A000-memory.dmp

Filesize
104KB

Download
memory/4668-184-0x0000000007020000-0x0000000007028000-memory.dmp

Filesize
32KB

Download
memory/4668-171-0x0000000005320000-0x0000000005386000-memory.dmp

Filesize
408KB

Download
memory/4668-170-0x0000000004AA0000-0x0000000004AC2000-memory.dmp

Filesize
136KB

Download
memory/4668-164-0x0000000004B40000-0x0000000005168000-memory.dmp

Filesize
6.2MB

Download
memory/4668-162-0x0000000002130000-0x0000000002166000-memory.dmp

Filesize
216KB

Download
memory/4908-161-0x0000000000000000-mapping.dmp

Download
memory/5048-147-0x0000000000000000-mapping.dmp

Download