netwire | 99f632633f17babbae3446273033516839f84253e28b18f6afda1bd4e5713c2c

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220721-en
resource tags

arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
submitted
23-07-2022 04:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a01f958303908593960700e185621339.exe
Size

592KB
MD5

a01f958303908593960700e185621339
SHA1

f2d77bd0ac2fc032606c36d908d46613e29ba5d3
SHA256

99f632633f17babbae3446273033516839f84253e28b18f6afda1bd4e5713c2c
SHA512

d294564d72f7d747c5880c045115f493b2143ec2948004b343c6c10d1ef74d5ab1e39bb73d13fd18732299cb1a577012bee030c223993ec7784c0e0d9bfef285

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

logbox147.duckdns.org:3370

Attributes

activex_autorun
true
activex_key
{F43NBRHB-ST27-05SC-62QP-X844OXS2E107}
copy_executable
true
delete_original
false
host_id
MONEY
install_path
%AppData%\Install\skyp.exe
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
iiXJiIYR
offline_keylogger
true
password
forgood
registry_autorun
true
startup_name
skyp
use_mutex
true

Signatures

NetWire RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Install\skyp.exe	netwire
C:\Users\Admin\AppData\Roaming\Install\skyp.exe	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 1 IoCs

Processes:

skyp.exe

pid process

4920 skyp.exe

pid	process
4920	skyp.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

skyp.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F43NBRHB-ST27-05SC-62QP-X844OXS2E107}	skyp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F43NBRHB-ST27-05SC-62QP-X844OXS2E107}\StubPath = "\"C:\\Users\\Admin\\AppData\\Roaming\\Install\\skyp.exe\""	skyp.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a01f958303908593960700e185621339.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation	a01f958303908593960700e185621339.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

skyp.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	skyp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\skyp = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\skyp.exe"	skyp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

a01f958303908593960700e185621339.exe

description	pid	process	target process
PID 4212 wrote to memory of 4920	4212	a01f958303908593960700e185621339.exe	skyp.exe
PID 4212 wrote to memory of 4920	4212	a01f958303908593960700e185621339.exe	skyp.exe
PID 4212 wrote to memory of 4920	4212	a01f958303908593960700e185621339.exe	skyp.exe

C:\Users\Admin\AppData\Local\Temp\a01f958303908593960700e185621339.exe
"C:\Users\Admin\AppData\Local\Temp\a01f958303908593960700e185621339.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4212

C:\Users\Admin\AppData\Roaming\Install\skyp.exe
"C:\Users\Admin\AppData\Roaming\Install\skyp.exe"
2⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
PID:4920

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Install\skyp.exe

Filesize
592KB

MD5
a01f958303908593960700e185621339

SHA1
f2d77bd0ac2fc032606c36d908d46613e29ba5d3

SHA256
99f632633f17babbae3446273033516839f84253e28b18f6afda1bd4e5713c2c

SHA512
d294564d72f7d747c5880c045115f493b2143ec2948004b343c6c10d1ef74d5ab1e39bb73d13fd18732299cb1a577012bee030c223993ec7784c0e0d9bfef285

Download Submit
C:\Users\Admin\AppData\Roaming\Install\skyp.exe

Filesize
592KB

MD5
a01f958303908593960700e185621339

SHA1
f2d77bd0ac2fc032606c36d908d46613e29ba5d3

SHA256
99f632633f17babbae3446273033516839f84253e28b18f6afda1bd4e5713c2c

SHA512
d294564d72f7d747c5880c045115f493b2143ec2948004b343c6c10d1ef74d5ab1e39bb73d13fd18732299cb1a577012bee030c223993ec7784c0e0d9bfef285

Download Submit
memory/4920-130-0x0000000000000000-mapping.dmp

Download