netwire | 5db7976a06c896dce4c2749d697b9b265d2d4f40c739b600fdd8ffc02c208c4f

Analysis

max time kernel
149s
max time network
158s
platform
windows7_x64
resource
win7-20220718-en
resource tags

arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
submitted
24-07-2022 21:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5db7976a06c896dce4c2749d697b9b265d2d4f40c739b600fdd8ffc02c208c4f.exe
Size

988KB
MD5

d03ba9e213edd46a343511e079637126
SHA1

5ce61b2a7b537ef63784084a1b0a26fd7d7fbd44
SHA256

5db7976a06c896dce4c2749d697b9b265d2d4f40c739b600fdd8ffc02c208c4f
SHA512

302c6e6bbb72241ac7e759be24b8c737ac41c90cb6af02f734aba98489dce8b571ef17d3b99b4e64ce3df435f585f5e14f4f781e11343ff2aa126d0d99312eaa

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Signatures

NetWire RAT payload 11 IoCs

rat

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\Host.exe	netwire
C:\Users\Admin\AppData\Local\Temp\Host.exe	netwire
\Users\Admin\AppData\Local\Temp\Host.exe	netwire
\Users\Admin\AppData\Roaming\windows\windows.exe	netwire
\Users\Admin\AppData\Roaming\windows\windows.exe	netwire
behavioral1/memory/1476-62-0x0000000000400000-0x00000000004FD000-memory.dmp	netwire
C:\Users\Admin\AppData\Roaming\windows\windows.exe	netwire
C:\Users\Admin\AppData\Local\Temp\Host.exe	netwire
\Users\Admin\AppData\Roaming\Install\Host.exe	netwire
\Users\Admin\AppData\Roaming\Install\Host.exe	netwire
C:\Users\Admin\AppData\Roaming\Install\Host.exe	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 3 IoCs

Processes:

Host.exewindows.exeHost.exe

pid process

1128 Host.exe
108 windows.exe
1504 Host.exe

pid	process
1128	Host.exe
108	windows.exe
1504	Host.exe

Loads dropped DLL 6 IoCs

Processes:

5db7976a06c896dce4c2749d697b9b265d2d4f40c739b600fdd8ffc02c208c4f.exeHost.exe

pid	process
1476	5db7976a06c896dce4c2749d697b9b265d2d4f40c739b600fdd8ffc02c208c4f.exe
1476	5db7976a06c896dce4c2749d697b9b265d2d4f40c739b600fdd8ffc02c208c4f.exe
1476	5db7976a06c896dce4c2749d697b9b265d2d4f40c739b600fdd8ffc02c208c4f.exe
1476	5db7976a06c896dce4c2749d697b9b265d2d4f40c739b600fdd8ffc02c208c4f.exe
1128	Host.exe
1128	Host.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Host.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	Host.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Windows\CurrentVersion\Run\NetWire = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe"	Host.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NTFS ADS 1 IoCs

Processes:

5db7976a06c896dce4c2749d697b9b265d2d4f40c739b600fdd8ffc02c208c4f.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\windows\windows.exe:ZoneIdentifier	5db7976a06c896dce4c2749d697b9b265d2d4f40c739b600fdd8ffc02c208c4f.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

5db7976a06c896dce4c2749d697b9b265d2d4f40c739b600fdd8ffc02c208c4f.exe

pid process

1476 5db7976a06c896dce4c2749d697b9b265d2d4f40c739b600fdd8ffc02c208c4f.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

5db7976a06c896dce4c2749d697b9b265d2d4f40c739b600fdd8ffc02c208c4f.exeHost.exe

description	pid	process	target process
PID 1476 wrote to memory of 1128	1476	5db7976a06c896dce4c2749d697b9b265d2d4f40c739b600fdd8ffc02c208c4f.exe	Host.exe
PID 1476 wrote to memory of 1128	1476	5db7976a06c896dce4c2749d697b9b265d2d4f40c739b600fdd8ffc02c208c4f.exe	Host.exe
PID 1476 wrote to memory of 1128	1476	5db7976a06c896dce4c2749d697b9b265d2d4f40c739b600fdd8ffc02c208c4f.exe	Host.exe
PID 1476 wrote to memory of 1128	1476	5db7976a06c896dce4c2749d697b9b265d2d4f40c739b600fdd8ffc02c208c4f.exe	Host.exe
PID 1476 wrote to memory of 108	1476	5db7976a06c896dce4c2749d697b9b265d2d4f40c739b600fdd8ffc02c208c4f.exe	windows.exe
PID 1476 wrote to memory of 108	1476	5db7976a06c896dce4c2749d697b9b265d2d4f40c739b600fdd8ffc02c208c4f.exe	windows.exe
PID 1476 wrote to memory of 108	1476	5db7976a06c896dce4c2749d697b9b265d2d4f40c739b600fdd8ffc02c208c4f.exe	windows.exe
PID 1476 wrote to memory of 108	1476	5db7976a06c896dce4c2749d697b9b265d2d4f40c739b600fdd8ffc02c208c4f.exe	windows.exe
PID 1128 wrote to memory of 1504	1128	Host.exe	Host.exe
PID 1128 wrote to memory of 1504	1128	Host.exe	Host.exe
PID 1128 wrote to memory of 1504	1128	Host.exe	Host.exe
PID 1128 wrote to memory of 1504	1128	Host.exe	Host.exe

C:\Users\Admin\AppData\Local\Temp\5db7976a06c896dce4c2749d697b9b265d2d4f40c739b600fdd8ffc02c208c4f.exe
"C:\Users\Admin\AppData\Local\Temp\5db7976a06c896dce4c2749d697b9b265d2d4f40c739b600fdd8ffc02c208c4f.exe"
1⤵
- Loads dropped DLL
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1476

C:\Users\Admin\AppData\Local\Temp\Host.exe
"C:\Users\Admin\AppData\Local\Temp\Host.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1128

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1504

C:\Users\Admin\AppData\Roaming\windows\windows.exe
"C:\Users\Admin\AppData\Roaming\windows\windows.exe"
2⤵
- Executes dropped EXE
PID:108

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Host.exe

Filesize
127KB

MD5
a0801a22c0b8384e64e8e86c7315d450

SHA1
ac63c13511c952fdb432c2ef4994dde73f25e1a0

SHA256
f7f39c5eb13af3a41222f44d27bada69a54392421a02cbe0fa69e462889c11f5

SHA512
466732fbeb41f212ae4e7e67d86eb23824b262a1262cc86c015390cacc5f994e28e90037d62186d1ae192ed5cbd7cb090827014b078bafb46deb2a573ba27a37

Download Submit
C:\Users\Admin\AppData\Local\Temp\Host.exe

Filesize
127KB

MD5
a0801a22c0b8384e64e8e86c7315d450

SHA1
ac63c13511c952fdb432c2ef4994dde73f25e1a0

SHA256
f7f39c5eb13af3a41222f44d27bada69a54392421a02cbe0fa69e462889c11f5

SHA512
466732fbeb41f212ae4e7e67d86eb23824b262a1262cc86c015390cacc5f994e28e90037d62186d1ae192ed5cbd7cb090827014b078bafb46deb2a573ba27a37

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
127KB

MD5
a0801a22c0b8384e64e8e86c7315d450

SHA1
ac63c13511c952fdb432c2ef4994dde73f25e1a0

SHA256
f7f39c5eb13af3a41222f44d27bada69a54392421a02cbe0fa69e462889c11f5

SHA512
466732fbeb41f212ae4e7e67d86eb23824b262a1262cc86c015390cacc5f994e28e90037d62186d1ae192ed5cbd7cb090827014b078bafb46deb2a573ba27a37

Download Submit
C:\Users\Admin\AppData\Roaming\windows\windows.exe

Filesize
988KB

MD5
d03ba9e213edd46a343511e079637126

SHA1
5ce61b2a7b537ef63784084a1b0a26fd7d7fbd44

SHA256
5db7976a06c896dce4c2749d697b9b265d2d4f40c739b600fdd8ffc02c208c4f

SHA512
302c6e6bbb72241ac7e759be24b8c737ac41c90cb6af02f734aba98489dce8b571ef17d3b99b4e64ce3df435f585f5e14f4f781e11343ff2aa126d0d99312eaa

Download Submit
\Users\Admin\AppData\Local\Temp\Host.exe

Filesize
127KB

MD5
a0801a22c0b8384e64e8e86c7315d450

SHA1
ac63c13511c952fdb432c2ef4994dde73f25e1a0

SHA256
f7f39c5eb13af3a41222f44d27bada69a54392421a02cbe0fa69e462889c11f5

SHA512
466732fbeb41f212ae4e7e67d86eb23824b262a1262cc86c015390cacc5f994e28e90037d62186d1ae192ed5cbd7cb090827014b078bafb46deb2a573ba27a37

Download Submit
\Users\Admin\AppData\Local\Temp\Host.exe

Filesize
127KB

MD5
a0801a22c0b8384e64e8e86c7315d450

SHA1
ac63c13511c952fdb432c2ef4994dde73f25e1a0

SHA256
f7f39c5eb13af3a41222f44d27bada69a54392421a02cbe0fa69e462889c11f5

SHA512
466732fbeb41f212ae4e7e67d86eb23824b262a1262cc86c015390cacc5f994e28e90037d62186d1ae192ed5cbd7cb090827014b078bafb46deb2a573ba27a37

Download Submit
\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
127KB

MD5
a0801a22c0b8384e64e8e86c7315d450

SHA1
ac63c13511c952fdb432c2ef4994dde73f25e1a0

SHA256
f7f39c5eb13af3a41222f44d27bada69a54392421a02cbe0fa69e462889c11f5

SHA512
466732fbeb41f212ae4e7e67d86eb23824b262a1262cc86c015390cacc5f994e28e90037d62186d1ae192ed5cbd7cb090827014b078bafb46deb2a573ba27a37

Download Submit
\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
127KB

MD5
a0801a22c0b8384e64e8e86c7315d450

SHA1
ac63c13511c952fdb432c2ef4994dde73f25e1a0

SHA256
f7f39c5eb13af3a41222f44d27bada69a54392421a02cbe0fa69e462889c11f5

SHA512
466732fbeb41f212ae4e7e67d86eb23824b262a1262cc86c015390cacc5f994e28e90037d62186d1ae192ed5cbd7cb090827014b078bafb46deb2a573ba27a37

Download Submit
\Users\Admin\AppData\Roaming\windows\windows.exe

Filesize
988KB

MD5
d03ba9e213edd46a343511e079637126

SHA1
5ce61b2a7b537ef63784084a1b0a26fd7d7fbd44

SHA256
5db7976a06c896dce4c2749d697b9b265d2d4f40c739b600fdd8ffc02c208c4f

SHA512
302c6e6bbb72241ac7e759be24b8c737ac41c90cb6af02f734aba98489dce8b571ef17d3b99b4e64ce3df435f585f5e14f4f781e11343ff2aa126d0d99312eaa

Download Submit
\Users\Admin\AppData\Roaming\windows\windows.exe

Filesize
988KB

MD5
d03ba9e213edd46a343511e079637126

SHA1
5ce61b2a7b537ef63784084a1b0a26fd7d7fbd44

SHA256
5db7976a06c896dce4c2749d697b9b265d2d4f40c739b600fdd8ffc02c208c4f

SHA512
302c6e6bbb72241ac7e759be24b8c737ac41c90cb6af02f734aba98489dce8b571ef17d3b99b4e64ce3df435f585f5e14f4f781e11343ff2aa126d0d99312eaa

Download Submit
memory/108-61-0x0000000000000000-mapping.dmp

Download
memory/1128-57-0x0000000000000000-mapping.dmp

Download
memory/1476-62-0x0000000000400000-0x00000000004FD000-memory.dmp

Filesize
1012KB

Download
memory/1476-54-0x0000000075D01000-0x0000000075D03000-memory.dmp

Filesize
8KB

Download
memory/1504-69-0x0000000000000000-mapping.dmp

Download