netwire | 587011c1c797b633a7dc0a2658e00a597066236c57acb0ed48abd732c9408d2f

Analysis

max time kernel
151s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220722-en
resource tags

arch:x64arch:x86image:win10v2004-20220722-enlocale:en-usos:windows10-2004-x64system
submitted
24-07-2022 14:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

587011c1c797b633a7dc0a2658e00a597066236c57acb0ed48abd732c9408d2f.exe
Size

558KB
MD5

f131435dead0e37aee759622ababb51f
SHA1

3fb5bd52e8dc3bbc0a072ceda02255e8f9f4ea70
SHA256

587011c1c797b633a7dc0a2658e00a597066236c57acb0ed48abd732c9408d2f
SHA512

a16240153654064a65c32d17f9b8e6cb75924f37547b93b47a489aaa48a69a8c442947d1f559d1b9efc51a909f96f8e23a93f1bee721e6b2e7180dfcd938552f

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

173.46.85.16:89

Attributes

activex_autorun
true
activex_key
{J418T26D-3X70-W6QE-W00F-G37EOA6W8D23}
copy_executable
false
delete_original
true
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
fbbTJkoP
offline_keylogger
true
password
Password
registry_autorun
true
startup_name
NetWire
use_mutex
true

Signatures

NetWire RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4988-138-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

587011c1c797b633a7dc0a2658e00a597066236c57acb0ed48abd732c9408d2f.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{J418T26D-3X70-W6QE-W00F-G37EOA6W8D23}	587011c1c797b633a7dc0a2658e00a597066236c57acb0ed48abd732c9408d2f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{J418T26D-3X70-W6QE-W00F-G37EOA6W8D23}\StubPath = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\587011c1c797b633a7dc0a2658e00a597066236c57acb0ed48abd732c9408d2f.exe\""	587011c1c797b633a7dc0a2658e00a597066236c57acb0ed48abd732c9408d2f.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

587011c1c797b633a7dc0a2658e00a597066236c57acb0ed48abd732c9408d2f.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	587011c1c797b633a7dc0a2658e00a597066236c57acb0ed48abd732c9408d2f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NetWire = "C:\\Users\\Admin\\AppData\\Local\\Temp\\587011c1c797b633a7dc0a2658e00a597066236c57acb0ed48abd732c9408d2f.exe"	587011c1c797b633a7dc0a2658e00a597066236c57acb0ed48abd732c9408d2f.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

587011c1c797b633a7dc0a2658e00a597066236c57acb0ed48abd732c9408d2f.exe

description	pid	process	target process
PID 4404 set thread context of 4988	4404	587011c1c797b633a7dc0a2658e00a597066236c57acb0ed48abd732c9408d2f.exe	587011c1c797b633a7dc0a2658e00a597066236c57acb0ed48abd732c9408d2f.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

587011c1c797b633a7dc0a2658e00a597066236c57acb0ed48abd732c9408d2f.exe

pid process

4404 587011c1c797b633a7dc0a2658e00a597066236c57acb0ed48abd732c9408d2f.exe

pid	process
4404	587011c1c797b633a7dc0a2658e00a597066236c57acb0ed48abd732c9408d2f.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

587011c1c797b633a7dc0a2658e00a597066236c57acb0ed48abd732c9408d2f.exe

description	pid	process	target process
PID 4404 wrote to memory of 4988	4404	587011c1c797b633a7dc0a2658e00a597066236c57acb0ed48abd732c9408d2f.exe	587011c1c797b633a7dc0a2658e00a597066236c57acb0ed48abd732c9408d2f.exe
PID 4404 wrote to memory of 4988	4404	587011c1c797b633a7dc0a2658e00a597066236c57acb0ed48abd732c9408d2f.exe	587011c1c797b633a7dc0a2658e00a597066236c57acb0ed48abd732c9408d2f.exe
PID 4404 wrote to memory of 4988	4404	587011c1c797b633a7dc0a2658e00a597066236c57acb0ed48abd732c9408d2f.exe	587011c1c797b633a7dc0a2658e00a597066236c57acb0ed48abd732c9408d2f.exe

C:\Users\Admin\AppData\Local\Temp\587011c1c797b633a7dc0a2658e00a597066236c57acb0ed48abd732c9408d2f.exe
"C:\Users\Admin\AppData\Local\Temp\587011c1c797b633a7dc0a2658e00a597066236c57acb0ed48abd732c9408d2f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4404

C:\Users\Admin\AppData\Local\Temp\587011c1c797b633a7dc0a2658e00a597066236c57acb0ed48abd732c9408d2f.exe
C:\Users\Admin\AppData\Local\Temp\587011c1c797b633a7dc0a2658e00a597066236c57acb0ed48abd732c9408d2f.exe"
2⤵
- Modifies Installed Components in the registry
- Adds Run key to start application
PID:4988

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4404-134-0x0000000002260000-0x0000000002268000-memory.dmp

Filesize
32KB

Download
memory/4404-136-0x0000000077690000-0x0000000077833000-memory.dmp

Filesize
1.6MB

Download
memory/4988-135-0x0000000000000000-mapping.dmp

Download
memory/4988-138-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4988-144-0x0000000077690000-0x0000000077833000-memory.dmp

Filesize
1.6MB

Download
memory/4988-145-0x0000000077690000-0x0000000077833000-memory.dmp

Filesize
1.6MB

Download
memory/4988-146-0x0000000077690000-0x0000000077833000-memory.dmp

Filesize
1.6MB

Download