netwire | 4328753e0685f48e5ee0e212e5bafbce11c43fb2aaa37a0b4d9fa6303d89e29d

General

Target

4328753e0685f48e5ee0e212e5bafbce11c43fb2aaa37a0b4d9fa6303d89e29d.exe
Size

1.1MB
MD5

4388de7dad58c945135233312a05daa8
SHA1

2a6f646402485d6e54e95bcffdbd632d8b433298
SHA256

4328753e0685f48e5ee0e212e5bafbce11c43fb2aaa37a0b4d9fa6303d89e29d
SHA512

e23e4c7f45640ce08fca109ed9c45c83510d4b0f31a25001eade3da9a73ddc33e39eaa192160b5337c496a161be32231544e7604da35a8280fd316938f15061a

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

C2

xman2.duckdns.org:4433

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
lock_executable
false
offline_keylogger
false
password
Password
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 7 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/592-66-0x0000000000400000-0x0000000000450000-memory.dmp	netwire
behavioral1/memory/592-68-0x0000000000400000-0x0000000000450000-memory.dmp	netwire
behavioral1/memory/592-69-0x0000000000400000-0x0000000000450000-memory.dmp	netwire
behavioral1/memory/592-71-0x0000000000400000-0x0000000000450000-memory.dmp	netwire
behavioral1/memory/592-72-0x000000000041AE7B-mapping.dmp	netwire
behavioral1/memory/592-75-0x0000000000400000-0x0000000000450000-memory.dmp	netwire
behavioral1/memory/592-78-0x0000000000400000-0x0000000000450000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 1 IoCs

Processes:

4328753e0685f48e5ee0e212e5bafbce11c43fb2aaa37a0b4d9fa6303d89e29d.exe

description pid process target process

PID 1912 set thread context of 592 1912 4328753e0685f48e5ee0e212e5bafbce11c43fb2aaa37a0b4d9fa6303d89e29d.exe vbc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1600 schtasks.exe

description	pid	process	target process
PID 1912 set thread context of 592	1912	4328753e0685f48e5ee0e212e5bafbce11c43fb2aaa37a0b4d9fa6303d89e29d.exe	vbc.exe

pid	process
1600	schtasks.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

4328753e0685f48e5ee0e212e5bafbce11c43fb2aaa37a0b4d9fa6303d89e29d.exepowershell.exe

pid	process
1912	4328753e0685f48e5ee0e212e5bafbce11c43fb2aaa37a0b4d9fa6303d89e29d.exe
1912	4328753e0685f48e5ee0e212e5bafbce11c43fb2aaa37a0b4d9fa6303d89e29d.exe
1912	4328753e0685f48e5ee0e212e5bafbce11c43fb2aaa37a0b4d9fa6303d89e29d.exe
1912	4328753e0685f48e5ee0e212e5bafbce11c43fb2aaa37a0b4d9fa6303d89e29d.exe
1912	4328753e0685f48e5ee0e212e5bafbce11c43fb2aaa37a0b4d9fa6303d89e29d.exe
1912	4328753e0685f48e5ee0e212e5bafbce11c43fb2aaa37a0b4d9fa6303d89e29d.exe
1564	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

4328753e0685f48e5ee0e212e5bafbce11c43fb2aaa37a0b4d9fa6303d89e29d.exepowershell.exeAUDIODG.EXE

description	pid	process
Token: SeDebugPrivilege	1912	4328753e0685f48e5ee0e212e5bafbce11c43fb2aaa37a0b4d9fa6303d89e29d.exe
Token: SeDebugPrivilege	1564	powershell.exe
Token: 33	1032	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1032	AUDIODG.EXE
Token: 33	1032	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1032	AUDIODG.EXE

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

4328753e0685f48e5ee0e212e5bafbce11c43fb2aaa37a0b4d9fa6303d89e29d.exe

description	pid	process	target process
PID 1912 wrote to memory of 1564	1912	4328753e0685f48e5ee0e212e5bafbce11c43fb2aaa37a0b4d9fa6303d89e29d.exe	powershell.exe
PID 1912 wrote to memory of 1564	1912	4328753e0685f48e5ee0e212e5bafbce11c43fb2aaa37a0b4d9fa6303d89e29d.exe	powershell.exe
PID 1912 wrote to memory of 1564	1912	4328753e0685f48e5ee0e212e5bafbce11c43fb2aaa37a0b4d9fa6303d89e29d.exe	powershell.exe
PID 1912 wrote to memory of 1564	1912	4328753e0685f48e5ee0e212e5bafbce11c43fb2aaa37a0b4d9fa6303d89e29d.exe	powershell.exe
PID 1912 wrote to memory of 1600	1912	4328753e0685f48e5ee0e212e5bafbce11c43fb2aaa37a0b4d9fa6303d89e29d.exe	schtasks.exe
PID 1912 wrote to memory of 1600	1912	4328753e0685f48e5ee0e212e5bafbce11c43fb2aaa37a0b4d9fa6303d89e29d.exe	schtasks.exe
PID 1912 wrote to memory of 1600	1912	4328753e0685f48e5ee0e212e5bafbce11c43fb2aaa37a0b4d9fa6303d89e29d.exe	schtasks.exe
PID 1912 wrote to memory of 1600	1912	4328753e0685f48e5ee0e212e5bafbce11c43fb2aaa37a0b4d9fa6303d89e29d.exe	schtasks.exe
PID 1912 wrote to memory of 592	1912	4328753e0685f48e5ee0e212e5bafbce11c43fb2aaa37a0b4d9fa6303d89e29d.exe	vbc.exe
PID 1912 wrote to memory of 592	1912	4328753e0685f48e5ee0e212e5bafbce11c43fb2aaa37a0b4d9fa6303d89e29d.exe	vbc.exe
PID 1912 wrote to memory of 592	1912	4328753e0685f48e5ee0e212e5bafbce11c43fb2aaa37a0b4d9fa6303d89e29d.exe	vbc.exe
PID 1912 wrote to memory of 592	1912	4328753e0685f48e5ee0e212e5bafbce11c43fb2aaa37a0b4d9fa6303d89e29d.exe	vbc.exe
PID 1912 wrote to memory of 592	1912	4328753e0685f48e5ee0e212e5bafbce11c43fb2aaa37a0b4d9fa6303d89e29d.exe	vbc.exe
PID 1912 wrote to memory of 592	1912	4328753e0685f48e5ee0e212e5bafbce11c43fb2aaa37a0b4d9fa6303d89e29d.exe	vbc.exe
PID 1912 wrote to memory of 592	1912	4328753e0685f48e5ee0e212e5bafbce11c43fb2aaa37a0b4d9fa6303d89e29d.exe	vbc.exe
PID 1912 wrote to memory of 592	1912	4328753e0685f48e5ee0e212e5bafbce11c43fb2aaa37a0b4d9fa6303d89e29d.exe	vbc.exe
PID 1912 wrote to memory of 592	1912	4328753e0685f48e5ee0e212e5bafbce11c43fb2aaa37a0b4d9fa6303d89e29d.exe	vbc.exe
PID 1912 wrote to memory of 592	1912	4328753e0685f48e5ee0e212e5bafbce11c43fb2aaa37a0b4d9fa6303d89e29d.exe	vbc.exe
PID 1912 wrote to memory of 592	1912	4328753e0685f48e5ee0e212e5bafbce11c43fb2aaa37a0b4d9fa6303d89e29d.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\4328753e0685f48e5ee0e212e5bafbce11c43fb2aaa37a0b4d9fa6303d89e29d.exe
"C:\Users\Admin\AppData\Local\Temp\4328753e0685f48e5ee0e212e5bafbce11c43fb2aaa37a0b4d9fa6303d89e29d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1912

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\zgnciRUYxN.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1564

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zgnciRUYxN" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBFC7.tmp"
2⤵
- Creates scheduled task(s)
PID:1600

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
2⤵
PID:592

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1044

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0xc4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1032

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Scripting

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpBFC7.tmp

Filesize
1KB

MD5
c89c937282ae7f016423a7a4dd14b709

SHA1
e4a7f72687756e88c72cbf98a39e853641f99a69

SHA256
4bef54010d09f2e0d7fc322bae2780f72e77e9174ddee223e98351e74c86d944

SHA512
b92a8626d408101cae349f6097da6daf0b7041a2c86ae0624c0b4f9f0209ad6829e583ece12f8d1468ac4fbe107d770aa69809061dbd57e455f4399ada584a48

Download Submit
memory/592-68-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/592-75-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/592-66-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/592-78-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/592-72-0x000000000041AE7B-mapping.dmp

Download
memory/592-61-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/592-62-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/592-64-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/592-69-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/592-71-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1044-80-0x000007FEFBC71000-0x000007FEFBC73000-memory.dmp

Filesize
8KB

Download
memory/1564-57-0x0000000000000000-mapping.dmp

Download
memory/1564-77-0x0000000074630000-0x0000000074BDB000-memory.dmp

Filesize
5.7MB

Download
memory/1564-79-0x0000000074630000-0x0000000074BDB000-memory.dmp

Filesize
5.7MB

Download
memory/1600-58-0x0000000000000000-mapping.dmp

Download
memory/1912-55-0x0000000074630000-0x0000000074BDB000-memory.dmp

Filesize
5.7MB

Download
memory/1912-56-0x0000000074630000-0x0000000074BDB000-memory.dmp

Filesize
5.7MB

Download
memory/1912-76-0x0000000074630000-0x0000000074BDB000-memory.dmp

Filesize
5.7MB

Download
memory/1912-54-0x0000000076071000-0x0000000076073000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads