netwire | 59d3f41859d239271e8f15cf8a26ba3e3af04bd28f94584aa74e159861cf0acb

General

Target

59d3f41859d239271e8f15cf8a26ba3e3af04bd28f94584aa74e159861cf0acb.exe
Size

488KB
MD5

48fa86848e56656e699ace8b49c2841a
SHA1

e9d0b4f2a588f7cec6639b54aa1468e7e9b189c6
SHA256

59d3f41859d239271e8f15cf8a26ba3e3af04bd28f94584aa74e159861cf0acb
SHA512

735a7e838140617035c853990275d3cf2bb2c806d089a5b2b97de9f7b002d200b1abe59895b15307c8dd24b2c3ec3b5ec429266056fd4a6e8c88770f6e771002

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

C2

185.208.211.136:3368

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
UIOnYWdp
offline_keylogger
true
password
Gentle123
registry_autorun
false
use_mutex
true

Signatures

NetWire RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/892-75-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 1 IoCs

Processes:

Diskmedier4.exe

pid process

892 Diskmedier4.exe

pid	process
892	Diskmedier4.exe

Drops file in Windows directory 2 IoCs

Processes:

59d3f41859d239271e8f15cf8a26ba3e3af04bd28f94584aa74e159861cf0acb.exeDiskmedier4.exe

description	ioc	process
File opened for modification	C:\Windows\win.ini	59d3f41859d239271e8f15cf8a26ba3e3af04bd28f94584aa74e159861cf0acb.exe
File opened for modification	C:\Windows\win.ini	Diskmedier4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1484 schtasks.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

59d3f41859d239271e8f15cf8a26ba3e3af04bd28f94584aa74e159861cf0acb.exeDiskmedier4.exe

pid process

1092 59d3f41859d239271e8f15cf8a26ba3e3af04bd28f94584aa74e159861cf0acb.exe
892 Diskmedier4.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Diskmedier4.exe

pid process

892 Diskmedier4.exe

pid	process
1484	schtasks.exe

pid	process
1092	59d3f41859d239271e8f15cf8a26ba3e3af04bd28f94584aa74e159861cf0acb.exe
892	Diskmedier4.exe

pid	process
892	Diskmedier4.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

59d3f41859d239271e8f15cf8a26ba3e3af04bd28f94584aa74e159861cf0acb.exetaskeng.exe

description	pid	process	target process
PID 1092 wrote to memory of 1484	1092	59d3f41859d239271e8f15cf8a26ba3e3af04bd28f94584aa74e159861cf0acb.exe	schtasks.exe
PID 1092 wrote to memory of 1484	1092	59d3f41859d239271e8f15cf8a26ba3e3af04bd28f94584aa74e159861cf0acb.exe	schtasks.exe
PID 1092 wrote to memory of 1484	1092	59d3f41859d239271e8f15cf8a26ba3e3af04bd28f94584aa74e159861cf0acb.exe	schtasks.exe
PID 1092 wrote to memory of 1484	1092	59d3f41859d239271e8f15cf8a26ba3e3af04bd28f94584aa74e159861cf0acb.exe	schtasks.exe
PID 1092 wrote to memory of 1056	1092	59d3f41859d239271e8f15cf8a26ba3e3af04bd28f94584aa74e159861cf0acb.exe	schtasks.exe
PID 1092 wrote to memory of 1056	1092	59d3f41859d239271e8f15cf8a26ba3e3af04bd28f94584aa74e159861cf0acb.exe	schtasks.exe
PID 1092 wrote to memory of 1056	1092	59d3f41859d239271e8f15cf8a26ba3e3af04bd28f94584aa74e159861cf0acb.exe	schtasks.exe
PID 1092 wrote to memory of 1056	1092	59d3f41859d239271e8f15cf8a26ba3e3af04bd28f94584aa74e159861cf0acb.exe	schtasks.exe
PID 2016 wrote to memory of 892	2016	taskeng.exe	Diskmedier4.exe
PID 2016 wrote to memory of 892	2016	taskeng.exe	Diskmedier4.exe
PID 2016 wrote to memory of 892	2016	taskeng.exe	Diskmedier4.exe
PID 2016 wrote to memory of 892	2016	taskeng.exe	Diskmedier4.exe

C:\Users\Admin\AppData\Local\Temp\59d3f41859d239271e8f15cf8a26ba3e3af04bd28f94584aa74e159861cf0acb.exe
"C:\Users\Admin\AppData\Local\Temp\59d3f41859d239271e8f15cf8a26ba3e3af04bd28f94584aa74e159861cf0acb.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1092

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN "Nonperversion" /TR "C:\Users\Admin\AppData\Roaming\Diskmedier4.exe"
2⤵
- Creates scheduled task(s)
PID:1484

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /run /tn "Nonperversion"
2⤵
PID:1056

C:\Windows\system32\taskeng.exe
taskeng.exe {08B46156-90CF-48B8-9BBA-2EF393AFCFC4} S-1-5-21-3440072777-2118400376-1759599358-1000:NKWDSIWE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2016

C:\Users\Admin\AppData\Roaming\Diskmedier4.exe
C:\Users\Admin\AppData\Roaming\Diskmedier4.exe
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
PID:892

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Diskmedier4.exe

Filesize
488KB

MD5
47cfea561c3a736691d4b8021e161db9

SHA1
8c9f3033a9e87b4216547341a74355afc7185b52

SHA256
6f07468af24c14e11566b2c2adcd5edec6e343c25ea5dc5448edcd521cd3ad46

SHA512
bec5096c91599505e4fed6ab3c0617249cb11ea43a88fa7b6cf6f85290be4881cc696f7ec6cf5810cf42405ec2b3c826f85fc0acfcb9661d4f88f405bb26ca48

Download Submit
C:\Users\Admin\AppData\Roaming\Diskmedier4.exe

Filesize
488KB

MD5
47cfea561c3a736691d4b8021e161db9

SHA1
8c9f3033a9e87b4216547341a74355afc7185b52

SHA256
6f07468af24c14e11566b2c2adcd5edec6e343c25ea5dc5448edcd521cd3ad46

SHA512
bec5096c91599505e4fed6ab3c0617249cb11ea43a88fa7b6cf6f85290be4881cc696f7ec6cf5810cf42405ec2b3c826f85fc0acfcb9661d4f88f405bb26ca48

Download Submit
C:\Windows\win.ini

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/892-70-0x00000000025C0000-0x00000000026C0000-memory.dmp

Filesize
1024KB

Download
memory/892-71-0x00000000025C0000-0x00000000026C0000-memory.dmp

Filesize
1024KB

Download
memory/892-82-0x0000000077790000-0x0000000077910000-memory.dmp

Filesize
1.5MB

Download
memory/892-81-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/892-75-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/892-64-0x0000000000000000-mapping.dmp

Download
memory/892-73-0x0000000077790000-0x0000000077910000-memory.dmp

Filesize
1.5MB

Download
memory/892-68-0x0000000000547000-0x000000000054A000-memory.dmp

Filesize
12KB

Download
memory/1056-61-0x0000000000000000-mapping.dmp

Download
memory/1092-57-0x0000000002700000-0x0000000002800000-memory.dmp

Filesize
1024KB

Download
memory/1092-56-0x0000000000557000-0x000000000055A000-memory.dmp

Filesize
12KB

Download
memory/1092-60-0x0000000077790000-0x0000000077910000-memory.dmp

Filesize
1.5MB

Download
memory/1092-58-0x0000000075481000-0x0000000075483000-memory.dmp

Filesize
8KB

Download
memory/1092-62-0x0000000077790000-0x0000000077910000-memory.dmp

Filesize
1.5MB

Download
memory/1484-59-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads