netwire | a49fda4699079ae9f0f5a851570154a8ca0b7c08280b41928844ca3261de8133

General

Target

a49fda4699079ae9f0f5a851570154a8ca0b7c08280b41928844ca3261de8133.exe
Size

801KB
MD5

7d6c9c0b234b1291cd37cbde1e6a9218
SHA1

0effecffd257c7dd149a50da851a6cc0f459bb52
SHA256

a49fda4699079ae9f0f5a851570154a8ca0b7c08280b41928844ca3261de8133
SHA512

14b1ed17c9a8e13c7e53bf62cf9053780251a045c343e76bac9e02ccbc30c3f4c5717d127a7cb1b20e998f695892c556335f33a8a310585b1a490c9dfc9ec3a4

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Signatures

NetWire RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3164-154-0x0000000000400000-0x0000000000425000-memory.dmp	netwire
behavioral2/memory/3164-153-0x0000000000400000-0x000000000048E000-memory.dmp	netwire
behavioral2/memory/3164-162-0x0000000000400000-0x000000000048E000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 3 IoCs

Processes:

PP_OUT~1.EXEDFGHJSDF.exeDFGHJSDF.exe

pid process

1940 PP_OUT~1.EXE
460 DFGHJSDF.exe
3164 DFGHJSDF.exe

pid	process
1940	PP_OUT~1.EXE
460	DFGHJSDF.exe
3164	DFGHJSDF.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

PP_OUT~1.EXE

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation	PP_OUT~1.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

a49fda4699079ae9f0f5a851570154a8ca0b7c08280b41928844ca3261de8133.exeWScript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	a49fda4699079ae9f0f5a851570154a8ca0b7c08280b41928844ca3261de8133.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a49fda4699079ae9f0f5a851570154a8ca0b7c08280b41928844ca3261de8133.exe
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Software\Microsoft\Windows\CurrentVersion\Run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DFGHJSDF = "C:\\Users\\Admin\\DFGHJSDF\\DFGHJSDF.vbs -rb"	WScript.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

PP_OUT~1.EXEDFGHJSDF.exeDFGHJSDF.exe

pid process

1940 PP_OUT~1.EXE
460 DFGHJSDF.exe
3164 DFGHJSDF.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

DFGHJSDF.exe

description pid process target process

PID 460 set thread context of 3164 460 DFGHJSDF.exe DFGHJSDF.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

PP_OUT~1.EXE

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings PP_OUT~1.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

PP_OUT~1.EXEDFGHJSDF.exe

pid process

1940 PP_OUT~1.EXE
460 DFGHJSDF.exe

pid	process
1940	PP_OUT~1.EXE
460	DFGHJSDF.exe
3164	DFGHJSDF.exe

description	pid	process	target process
PID 460 set thread context of 3164	460	DFGHJSDF.exe	DFGHJSDF.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings	PP_OUT~1.EXE

pid	process
1940	PP_OUT~1.EXE
460	DFGHJSDF.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

a49fda4699079ae9f0f5a851570154a8ca0b7c08280b41928844ca3261de8133.exePP_OUT~1.EXEDFGHJSDF.exe

description	pid	process	target process
PID 1624 wrote to memory of 1940	1624	a49fda4699079ae9f0f5a851570154a8ca0b7c08280b41928844ca3261de8133.exe	PP_OUT~1.EXE
PID 1624 wrote to memory of 1940	1624	a49fda4699079ae9f0f5a851570154a8ca0b7c08280b41928844ca3261de8133.exe	PP_OUT~1.EXE
PID 1624 wrote to memory of 1940	1624	a49fda4699079ae9f0f5a851570154a8ca0b7c08280b41928844ca3261de8133.exe	PP_OUT~1.EXE
PID 1940 wrote to memory of 1500	1940	PP_OUT~1.EXE	WScript.exe
PID 1940 wrote to memory of 1500	1940	PP_OUT~1.EXE	WScript.exe
PID 1940 wrote to memory of 1500	1940	PP_OUT~1.EXE	WScript.exe
PID 1940 wrote to memory of 460	1940	PP_OUT~1.EXE	DFGHJSDF.exe
PID 1940 wrote to memory of 460	1940	PP_OUT~1.EXE	DFGHJSDF.exe
PID 1940 wrote to memory of 460	1940	PP_OUT~1.EXE	DFGHJSDF.exe
PID 460 wrote to memory of 3164	460	DFGHJSDF.exe	DFGHJSDF.exe
PID 460 wrote to memory of 3164	460	DFGHJSDF.exe	DFGHJSDF.exe
PID 460 wrote to memory of 3164	460	DFGHJSDF.exe	DFGHJSDF.exe

C:\Users\Admin\AppData\Local\Temp\a49fda4699079ae9f0f5a851570154a8ca0b7c08280b41928844ca3261de8133.exe
"C:\Users\Admin\AppData\Local\Temp\a49fda4699079ae9f0f5a851570154a8ca0b7c08280b41928844ca3261de8133.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1624

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PP_OUT~1.EXE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PP_OUT~1.EXE
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1940

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\DFGHJSDF\DFGHJSDF.vbs"
3⤵
- Adds Run key to start application
PID:1500

C:\Users\Admin\DFGHJSDF\DFGHJSDF.exe
"C:\Users\Admin\DFGHJSDF\DFGHJSDF.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:460

C:\Users\Admin\DFGHJSDF\DFGHJSDF.exe
"C:\Users\Admin\DFGHJSDF\DFGHJSDF.exe"
4⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3164

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PP_OUT~1.EXE

Filesize
59.2MB

MD5
d8f5443bb09a501cad5d4381af916ea5

SHA1
9bbf6c86cab6376e4cb293c554259e1a33d4e76e

SHA256
7d06d5add4d2bf84a1777fb111549dcd3250f2511e3b64e6df48f6246d34520a

SHA512
affabe756ff733e1c2c25fa9354a63acedd8f8b69bf2bce3cd1820a5d8ee0b5d39a94a0557588a8cd3e6353e77c323676bb3186b05ec72903d67a9c4c2c214b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PP_OUT~1.EXE

Filesize
58.1MB

MD5
fc73a0424d4d719af05f63f92bbfbdbb

SHA1
cf92ea7b21fcc62f69f0e9d68e6c6bd726304929

SHA256
4dd6474404ac9542d8c4c15840615873ef17278155c9b09fd4d55a6dcabc4ec6

SHA512
b279485ade1456253d463345430a8c405ae158ac7de8f392932647ecd94eb8d6795f9959c0510d81168500bd48022b039a1df1371c4f914bbe95e691af53c427

Download Submit
C:\Users\Admin\DFGHJSDF\DFGHJSDF.exe

Filesize
36.6MB

MD5
4c659c120b656abc83bcc61f010d2db7

SHA1
bce350b2c6e3ae7011351d8bb2105000a66f71ee

SHA256
2a25a603dea8f302c18b9dcaec67be2b70ec412acddf00d991cffc2f505a04dc

SHA512
ad9d9d7256ecf5349ce8a7242aff7723b32a3ff7fbe662786a3e6a92c830ce29068c1ce7117c86fc512a4b8fc740f5a428fedd7487772b13e1083517eac8328b

Download Submit
C:\Users\Admin\DFGHJSDF\DFGHJSDF.exe

Filesize
37.4MB

MD5
6f86a2ba82a11a858c64d0ac081ab1c5

SHA1
5a30e5a34bbb175b4618793289c8f3e86169c132

SHA256
78edb043c9d467569e4ea979cba3f1831e2b7bf95379747a9152969ff0030160

SHA512
17dbd67595e3185ce00d3cc9c3882f024e6e4af95f836322b28e569fbbfb5a3f90ac465162c2a2766c06a8b7017823a80605841b805a6d2027cefdf26781e54a

Download Submit
C:\Users\Admin\DFGHJSDF\DFGHJSDF.exe

Filesize
30.6MB

MD5
00d01bfcf5c97f2c36920b04455835bd

SHA1
1529a30c0e6e7751becfff2b43181fcc79864019

SHA256
394de9d1a689034fe2e19c4397a2e95cad2c35b4cbb610946865b16ec51ab392

SHA512
633e367ba6fb6770d1c6651cfc6955498a0542c964e32a0cd824ae7d754a423388bbddaf8a535fd83a4ccca637677a445cf94608909001df742d5adbc0ede926

Download Submit
C:\Users\Admin\DFGHJSDF\DFGHJSDF.vbs

Filesize
1020B

MD5
21fd07b365ac0f2c5f9a61143e12833e

SHA1
462a61c95508a5ffd054902e9db7b3333b9b2287

SHA256
bb4af526a619264ef383951044c64d6902ccf6402e688edb6402d531090a5349

SHA512
5a871bbbae3a3c727fe570741c8150fe250e537fe4dc0a90d9f07a73f428f44a61c114fe070931967f1dfe47c50b25b9d69f783bf30d5d444d42785082774bbe

Download Submit
memory/460-152-0x0000000077C60000-0x0000000077E03000-memory.dmp

Filesize
1.6MB

Download
memory/460-150-0x0000000001FF0000-0x0000000002008000-memory.dmp

Filesize
96KB

Download
memory/460-151-0x00007FF862850000-0x00007FF862A45000-memory.dmp

Filesize
2.0MB

Download
memory/460-140-0x0000000000000000-mapping.dmp

Download
memory/1500-138-0x0000000000000000-mapping.dmp

Download
memory/1940-130-0x0000000000000000-mapping.dmp

Download
memory/1940-146-0x0000000077C60000-0x0000000077E03000-memory.dmp

Filesize
1.6MB

Download
memory/1940-145-0x00007FF862850000-0x00007FF862A45000-memory.dmp

Filesize
2.0MB

Download
memory/1940-143-0x0000000002850000-0x0000000002868000-memory.dmp

Filesize
96KB

Download
memory/1940-137-0x0000000077C60000-0x0000000077E03000-memory.dmp

Filesize
1.6MB

Download
memory/1940-136-0x00007FF862850000-0x00007FF862A45000-memory.dmp

Filesize
2.0MB

Download
memory/1940-135-0x0000000002850000-0x0000000002868000-memory.dmp

Filesize
96KB

Download
memory/3164-148-0x0000000000000000-mapping.dmp

Download
memory/3164-154-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3164-153-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/3164-160-0x00007FF862850000-0x00007FF862A45000-memory.dmp

Filesize
2.0MB

Download
memory/3164-162-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/3164-161-0x0000000077C60000-0x0000000077E03000-memory.dmp

Filesize
1.6MB

Download
memory/3164-163-0x00000000005A0000-0x00000000005B8000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads