netwire | b36eaf5a8176a868814cc8e962cdfecf2d525cd1f9147060c949f2b44963cfa1

Analysis

max time kernel
133s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220721-en
resource tags

arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
submitted
24-07-2022 17:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b36eaf5a8176a868814cc8e962cdfecf2d525cd1f9147060c949f2b44963cfa1.exe
Size

856KB
MD5

cf23e46ba9d3c1c3f3fe501e94c6d39e
SHA1

397114ceaa3eeeef4e81845080c1a09c6066f889
SHA256

b36eaf5a8176a868814cc8e962cdfecf2d525cd1f9147060c949f2b44963cfa1
SHA512

07fb9957d04bd359bf4563c6c145f2180a48583163782ff4ff1a4aba9f116fec0796072eab370c3988c5b18de73342929c9947dbd932590e3fcfc78e002a214d

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Signatures

NetWire RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3468-143-0x0000000000400000-0x0000000000454000-memory.dmp	netwire
behavioral2/memory/4400-162-0x0000000000400000-0x0000000000454000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 4 IoCs

Processes:

MSK_OU~1.EXEMSK_OU~1.EXEmsk.exemsk.exe

pid process

1136 MSK_OU~1.EXE
3468 MSK_OU~1.EXE
1176 msk.exe
4400 msk.exe

pid	process
1136	MSK_OU~1.EXE
3468	MSK_OU~1.EXE
1176	msk.exe
4400	msk.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msk.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{52L32356-50WU-8R83-SE18-64X71T8L55I4}	msk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{52L32356-50WU-8R83-SE18-64X71T8L55I4}\StubPath = "\"C:\\Users\\Admin\\AppData\\Roaming\\Install\\msk.exe\""	msk.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MSK_OU~1.EXE

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation	MSK_OU~1.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

b36eaf5a8176a868814cc8e962cdfecf2d525cd1f9147060c949f2b44963cfa1.exemsk.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	b36eaf5a8176a868814cc8e962cdfecf2d525cd1f9147060c949f2b44963cfa1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b36eaf5a8176a868814cc8e962cdfecf2d525cd1f9147060c949f2b44963cfa1.exe
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	msk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msoffice = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\msk.exe"	msk.exe

Drops file in Windows directory 4 IoCs

Processes:

msk.exemsk.exeMSK_OU~1.EXEMSK_OU~1.EXE

description	ioc	process
File opened for modification	C:\Windows\win.ini	msk.exe
File opened for modification	C:\Windows\win.ini	msk.exe
File opened for modification	C:\Windows\win.ini	MSK_OU~1.EXE
File opened for modification	C:\Windows\win.ini	MSK_OU~1.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

MSK_OU~1.EXEMSK_OU~1.EXEmsk.exemsk.exe

pid process

1136 MSK_OU~1.EXE
3468 MSK_OU~1.EXE
1176 msk.exe
4400 msk.exe

pid	process
1136	MSK_OU~1.EXE
3468	MSK_OU~1.EXE
1176	msk.exe
4400	msk.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

b36eaf5a8176a868814cc8e962cdfecf2d525cd1f9147060c949f2b44963cfa1.exeMSK_OU~1.EXEMSK_OU~1.EXEmsk.exe

description	pid	process	target process
PID 868 wrote to memory of 1136	868	b36eaf5a8176a868814cc8e962cdfecf2d525cd1f9147060c949f2b44963cfa1.exe	MSK_OU~1.EXE
PID 868 wrote to memory of 1136	868	b36eaf5a8176a868814cc8e962cdfecf2d525cd1f9147060c949f2b44963cfa1.exe	MSK_OU~1.EXE
PID 868 wrote to memory of 1136	868	b36eaf5a8176a868814cc8e962cdfecf2d525cd1f9147060c949f2b44963cfa1.exe	MSK_OU~1.EXE
PID 1136 wrote to memory of 3468	1136	MSK_OU~1.EXE	MSK_OU~1.EXE
PID 1136 wrote to memory of 3468	1136	MSK_OU~1.EXE	MSK_OU~1.EXE
PID 1136 wrote to memory of 3468	1136	MSK_OU~1.EXE	MSK_OU~1.EXE
PID 3468 wrote to memory of 1176	3468	MSK_OU~1.EXE	msk.exe
PID 3468 wrote to memory of 1176	3468	MSK_OU~1.EXE	msk.exe
PID 3468 wrote to memory of 1176	3468	MSK_OU~1.EXE	msk.exe
PID 1176 wrote to memory of 4400	1176	msk.exe	msk.exe
PID 1176 wrote to memory of 4400	1176	msk.exe	msk.exe
PID 1176 wrote to memory of 4400	1176	msk.exe	msk.exe

C:\Users\Admin\AppData\Local\Temp\b36eaf5a8176a868814cc8e962cdfecf2d525cd1f9147060c949f2b44963cfa1.exe
"C:\Users\Admin\AppData\Local\Temp\b36eaf5a8176a868814cc8e962cdfecf2d525cd1f9147060c949f2b44963cfa1.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:868

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MSK_OU~1.EXE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MSK_OU~1.EXE
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1136

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MSK_OU~1.EXE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MSK_OU~1.EXE
3⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3468

C:\Users\Admin\AppData\Roaming\Install\msk.exe
"C:\Users\Admin\AppData\Roaming\Install\msk.exe" -m "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MSK_OU~1.EXE"
4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1176

C:\Users\Admin\AppData\Roaming\Install\msk.exe
"C:\Users\Admin\AppData\Roaming\Install\msk.exe" -m "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MSK_OU~1.EXE"
5⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:4400

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MSK_OU~1.EXE

Filesize
224.5MB

MD5
e6c89a27486ce228c3164bd87c1617e0

SHA1
69d6f02b08454030a85ee4b56a1e1825d1c1dc40

SHA256
b8840825973c2516a4980db62dfed9051f0970d8937b7fec565df4c063555d4d

SHA512
a42a20204d292ea6659a0edfb18bdcd7aa5e434459b923a0743a05bb62894b46a7ff4203ca6c64f9dbed8a3e3f993a34824f376caa3954b93dce8323fd16434c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MSK_OU~1.EXE

Filesize
223.0MB

MD5
1627851c9f25a20d4906da94a5a8de2c

SHA1
463ae49c89ae247cdff4f555fa3aa18f599fda0c

SHA256
29988576f82bb0a32af051d41ba16e23a2223b4aab2e58e908f68ef96cce415c

SHA512
8760b3824a92d481a74788339f6fd3fb4f72cc4f60f35bcf77c3ba75575b488547b53dea54a4027f3405e138ff2df9c2f1cc36641092b4892e9a7bb9cbe49448

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MSK_OU~1.EXE

Filesize
191.1MB

MD5
8f2b1c078737aa9a103e4c163ea6432c

SHA1
d0b6a6e7da54a6f4234f258f400ba16a204c0ebd

SHA256
6701872be7ddba9862c59641569e250f683d8f1ff6c70a2ffb7a4509276c9f25

SHA512
8ae301bc6b8c634b3c565fb204464ded037540e73c68678dd59d4ba2ef15f35a256f02c938d0215b49165abc1009768f0446ae12e617c0e1e2adc83029e4a719

Download Submit
C:\Users\Admin\AppData\Roaming\Install\msk.exe

Filesize
180.6MB

MD5
79b867970ff359c0f4c94c01d144fbe8

SHA1
7a852b6f1b2ef73e55fce5c0d94e6fe144a3613e

SHA256
5be8ca92724635d7b54a708dd2f836334b225db4cc96e19fa776703452096a74

SHA512
c75f49c3c50e939ee3ef61925ffa0ee36126960baccbc988cb25af9a0e8af599355c6e570e60df67381d73f35315155983717103490f5ee6b7e60c1cedc78b16

Download Submit
C:\Users\Admin\AppData\Roaming\Install\msk.exe

Filesize
182.7MB

MD5
0816db80d702b5a2ce778095ea89fed0

SHA1
ef006f937fdfd929d672ac9f503bac266bdc2052

SHA256
1816fe0fdc949a7691f65dd4085c1425f07d64a4b7d9763017796388f5b71c43

SHA512
785244d4627408945cb58bfda99dc4581c959914dee7584e91820c29de6ebb5c63294ce781cedc9306112903b7205fcb3240d7d9e3c1f0884ca360d8578e7eaa

Download Submit
C:\Users\Admin\AppData\Roaming\Install\msk.exe

Filesize
176.4MB

MD5
d23adc997dcfb20e78c347f033366c48

SHA1
48095308a86fc7bf7ac6918ddde2ff4ed117269f

SHA256
1a3d9ceb6779d0e07629e08cf161520d3db84a25e39e3298e477cce0eb3ff470

SHA512
f68085ea97cd7fe82ebc0337b9c9689be101df6303d8ca320ad8ab2b4b95914c8140b4de1b6c4d0c244111428397a430eed74bee967de372dc32748892466006

Download Submit
C:\Windows\win.ini

Filesize
123B

MD5
6bf517432f65eb7f0d18d574bf14124c

SHA1
5b9f37c1dd1318ebbec3bd2f07c109eb9d22c727

SHA256
6e2b70dfccabf3cc651545676a3a566c9cfae03f15f772886646abce1da35b46

SHA512
7b0cb8c20034585ec8bf4b45eda5eda5993a56e24931a7426dc5a9f081ec1f82545f3e26a48a4df885c8691fc6e8026d0808aebe3cc3358ba85ddca08ac4cb06

Download Submit
C:\Windows\win.ini

Filesize
123B

MD5
6bf517432f65eb7f0d18d574bf14124c

SHA1
5b9f37c1dd1318ebbec3bd2f07c109eb9d22c727

SHA256
6e2b70dfccabf3cc651545676a3a566c9cfae03f15f772886646abce1da35b46

SHA512
7b0cb8c20034585ec8bf4b45eda5eda5993a56e24931a7426dc5a9f081ec1f82545f3e26a48a4df885c8691fc6e8026d0808aebe3cc3358ba85ddca08ac4cb06

Download Submit
C:\Windows\win.ini

Filesize
123B

MD5
6bf517432f65eb7f0d18d574bf14124c

SHA1
5b9f37c1dd1318ebbec3bd2f07c109eb9d22c727

SHA256
6e2b70dfccabf3cc651545676a3a566c9cfae03f15f772886646abce1da35b46

SHA512
7b0cb8c20034585ec8bf4b45eda5eda5993a56e24931a7426dc5a9f081ec1f82545f3e26a48a4df885c8691fc6e8026d0808aebe3cc3358ba85ddca08ac4cb06

Download Submit
memory/1136-130-0x0000000000000000-mapping.dmp

Download
memory/1136-140-0x0000000077B80000-0x0000000077D23000-memory.dmp

Filesize
1.6MB

Download
memory/1136-138-0x00007FFF3F930000-0x00007FFF3FB25000-memory.dmp

Filesize
2.0MB

Download
memory/1136-137-0x00000000029C0000-0x00000000029D0000-memory.dmp

Filesize
64KB

Download
memory/1176-159-0x00007FFF3F930000-0x00007FFF3FB25000-memory.dmp

Filesize
2.0MB

Download
memory/1176-158-0x00000000050A1000-0x00000000050A5000-memory.dmp

Filesize
16KB

Download
memory/1176-160-0x0000000077B80000-0x0000000077D23000-memory.dmp

Filesize
1.6MB

Download
memory/1176-147-0x0000000000000000-mapping.dmp

Download
memory/3468-146-0x0000000077B81000-0x0000000077CA1000-memory.dmp

Filesize
1.1MB

Download
memory/3468-150-0x0000000005101000-0x0000000005105000-memory.dmp

Filesize
16KB

Download
memory/3468-144-0x0000000005101000-0x0000000005105000-memory.dmp

Filesize
16KB

Download
memory/3468-145-0x00007FFF3F930000-0x00007FFF3FB25000-memory.dmp

Filesize
2.0MB

Download
memory/3468-143-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3468-135-0x0000000000000000-mapping.dmp

Download
memory/4400-154-0x0000000000000000-mapping.dmp

Download
memory/4400-162-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4400-163-0x00007FFF3F930000-0x00007FFF3FB25000-memory.dmp

Filesize
2.0MB

Download
memory/4400-164-0x0000000005191000-0x0000000005195000-memory.dmp

Filesize
16KB

Download