netwire | ddbb9e06fc1c9897376b03e1829a37799de7f0efed39a8ad5a547d77727df1dc

General

Target

ddbb9e06fc1c9897376b03e1829a37799de7f0efed39a8ad5a547d77727df1dc.exe
Size

372KB
MD5

48068dff85475dcd8031617e30d4f3bf
SHA1

bb78a750a8c9015ca32896346d53355810edf4bb
SHA256

ddbb9e06fc1c9897376b03e1829a37799de7f0efed39a8ad5a547d77727df1dc
SHA512

6b86edf45d0f681a3c5d061853bbb59b469236d18e0cc8199f506b7e5de5d14c9e2ea4d03a8640c58a4fac16ce92c7f49f4e64850049071edd367b28140f4694

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Signatures

NetWire RAT payload 11 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2044-62-0x0000000000400000-0x000000000042B000-memory.dmp	netwire
behavioral1/memory/2044-63-0x0000000000400000-0x000000000042B000-memory.dmp	netwire
behavioral1/memory/2044-65-0x0000000000400000-0x000000000042B000-memory.dmp	netwire
behavioral1/memory/2044-68-0x00000000004026D0-mapping.dmp	netwire
behavioral1/memory/2044-67-0x0000000000400000-0x000000000042B000-memory.dmp	netwire
behavioral1/memory/2044-71-0x0000000000400000-0x000000000042B000-memory.dmp	netwire
behavioral1/memory/2044-72-0x0000000000400000-0x000000000042B000-memory.dmp	netwire
behavioral1/memory/860-91-0x00000000004026D0-mapping.dmp	netwire
behavioral1/memory/860-95-0x0000000000400000-0x000000000042B000-memory.dmp	netwire
behavioral1/memory/860-96-0x0000000000400000-0x000000000042B000-memory.dmp	netwire
behavioral1/memory/860-97-0x0000000000400000-0x000000000042B000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

Host.exeHost.exe

pid process

1968 Host.exe
860 Host.exe

pid	process
1968	Host.exe
860	Host.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Host.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{06O0H231-0250-MBBJ-C87V-G00VRG48F4N0}	Host.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{06O0H231-0250-MBBJ-C87V-G00VRG48F4N0}\StubPath = "\"C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe\""	Host.exe

Loads dropped DLL 1 IoCs

Processes:

ddbb9e06fc1c9897376b03e1829a37799de7f0efed39a8ad5a547d77727df1dc.exe

pid process

2044 ddbb9e06fc1c9897376b03e1829a37799de7f0efed39a8ad5a547d77727df1dc.exe

pid	process
2044	ddbb9e06fc1c9897376b03e1829a37799de7f0efed39a8ad5a547d77727df1dc.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

ddbb9e06fc1c9897376b03e1829a37799de7f0efed39a8ad5a547d77727df1dc.exeHost.exe

description	pid	process	target process
PID 1180 set thread context of 2044	1180	ddbb9e06fc1c9897376b03e1829a37799de7f0efed39a8ad5a547d77727df1dc.exe	ddbb9e06fc1c9897376b03e1829a37799de7f0efed39a8ad5a547d77727df1dc.exe
PID 1968 set thread context of 860	1968	Host.exe	Host.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

ddbb9e06fc1c9897376b03e1829a37799de7f0efed39a8ad5a547d77727df1dc.exeHost.exe

pid process

1180 ddbb9e06fc1c9897376b03e1829a37799de7f0efed39a8ad5a547d77727df1dc.exe
1968 Host.exe

pid	process
1180	ddbb9e06fc1c9897376b03e1829a37799de7f0efed39a8ad5a547d77727df1dc.exe
1968	Host.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ddbb9e06fc1c9897376b03e1829a37799de7f0efed39a8ad5a547d77727df1dc.exeHost.exe

description	pid	process
Token: SeDebugPrivilege	1180	ddbb9e06fc1c9897376b03e1829a37799de7f0efed39a8ad5a547d77727df1dc.exe
Token: SeDebugPrivilege	1968	Host.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

ddbb9e06fc1c9897376b03e1829a37799de7f0efed39a8ad5a547d77727df1dc.exeddbb9e06fc1c9897376b03e1829a37799de7f0efed39a8ad5a547d77727df1dc.exeHost.exe

description	pid	process	target process
PID 1180 wrote to memory of 2044	1180	ddbb9e06fc1c9897376b03e1829a37799de7f0efed39a8ad5a547d77727df1dc.exe	ddbb9e06fc1c9897376b03e1829a37799de7f0efed39a8ad5a547d77727df1dc.exe
PID 1180 wrote to memory of 2044	1180	ddbb9e06fc1c9897376b03e1829a37799de7f0efed39a8ad5a547d77727df1dc.exe	ddbb9e06fc1c9897376b03e1829a37799de7f0efed39a8ad5a547d77727df1dc.exe
PID 1180 wrote to memory of 2044	1180	ddbb9e06fc1c9897376b03e1829a37799de7f0efed39a8ad5a547d77727df1dc.exe	ddbb9e06fc1c9897376b03e1829a37799de7f0efed39a8ad5a547d77727df1dc.exe
PID 1180 wrote to memory of 2044	1180	ddbb9e06fc1c9897376b03e1829a37799de7f0efed39a8ad5a547d77727df1dc.exe	ddbb9e06fc1c9897376b03e1829a37799de7f0efed39a8ad5a547d77727df1dc.exe
PID 1180 wrote to memory of 2044	1180	ddbb9e06fc1c9897376b03e1829a37799de7f0efed39a8ad5a547d77727df1dc.exe	ddbb9e06fc1c9897376b03e1829a37799de7f0efed39a8ad5a547d77727df1dc.exe
PID 1180 wrote to memory of 2044	1180	ddbb9e06fc1c9897376b03e1829a37799de7f0efed39a8ad5a547d77727df1dc.exe	ddbb9e06fc1c9897376b03e1829a37799de7f0efed39a8ad5a547d77727df1dc.exe
PID 1180 wrote to memory of 2044	1180	ddbb9e06fc1c9897376b03e1829a37799de7f0efed39a8ad5a547d77727df1dc.exe	ddbb9e06fc1c9897376b03e1829a37799de7f0efed39a8ad5a547d77727df1dc.exe
PID 1180 wrote to memory of 2044	1180	ddbb9e06fc1c9897376b03e1829a37799de7f0efed39a8ad5a547d77727df1dc.exe	ddbb9e06fc1c9897376b03e1829a37799de7f0efed39a8ad5a547d77727df1dc.exe
PID 1180 wrote to memory of 2044	1180	ddbb9e06fc1c9897376b03e1829a37799de7f0efed39a8ad5a547d77727df1dc.exe	ddbb9e06fc1c9897376b03e1829a37799de7f0efed39a8ad5a547d77727df1dc.exe
PID 1180 wrote to memory of 2044	1180	ddbb9e06fc1c9897376b03e1829a37799de7f0efed39a8ad5a547d77727df1dc.exe	ddbb9e06fc1c9897376b03e1829a37799de7f0efed39a8ad5a547d77727df1dc.exe
PID 1180 wrote to memory of 2044	1180	ddbb9e06fc1c9897376b03e1829a37799de7f0efed39a8ad5a547d77727df1dc.exe	ddbb9e06fc1c9897376b03e1829a37799de7f0efed39a8ad5a547d77727df1dc.exe
PID 2044 wrote to memory of 1968	2044	ddbb9e06fc1c9897376b03e1829a37799de7f0efed39a8ad5a547d77727df1dc.exe	Host.exe
PID 2044 wrote to memory of 1968	2044	ddbb9e06fc1c9897376b03e1829a37799de7f0efed39a8ad5a547d77727df1dc.exe	Host.exe
PID 2044 wrote to memory of 1968	2044	ddbb9e06fc1c9897376b03e1829a37799de7f0efed39a8ad5a547d77727df1dc.exe	Host.exe
PID 2044 wrote to memory of 1968	2044	ddbb9e06fc1c9897376b03e1829a37799de7f0efed39a8ad5a547d77727df1dc.exe	Host.exe
PID 1968 wrote to memory of 860	1968	Host.exe	Host.exe
PID 1968 wrote to memory of 860	1968	Host.exe	Host.exe
PID 1968 wrote to memory of 860	1968	Host.exe	Host.exe
PID 1968 wrote to memory of 860	1968	Host.exe	Host.exe
PID 1968 wrote to memory of 860	1968	Host.exe	Host.exe
PID 1968 wrote to memory of 860	1968	Host.exe	Host.exe
PID 1968 wrote to memory of 860	1968	Host.exe	Host.exe
PID 1968 wrote to memory of 860	1968	Host.exe	Host.exe
PID 1968 wrote to memory of 860	1968	Host.exe	Host.exe
PID 1968 wrote to memory of 860	1968	Host.exe	Host.exe
PID 1968 wrote to memory of 860	1968	Host.exe	Host.exe

C:\Users\Admin\AppData\Local\Temp\ddbb9e06fc1c9897376b03e1829a37799de7f0efed39a8ad5a547d77727df1dc.exe
"C:\Users\Admin\AppData\Local\Temp\ddbb9e06fc1c9897376b03e1829a37799de7f0efed39a8ad5a547d77727df1dc.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1180

C:\Users\Admin\AppData\Local\Temp\ddbb9e06fc1c9897376b03e1829a37799de7f0efed39a8ad5a547d77727df1dc.exe
"C:/Users/Admin/AppData/Local/Temp/ddbb9e06fc1c9897376b03e1829a37799de7f0efed39a8ad5a547d77727df1dc.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2044

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1968

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:/Users/Admin/AppData/Roaming/Install/Host.exe"
4⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
PID:860

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
255KB

MD5
9af17c8393f0970ee5136bd3ffa27001

SHA1
4b285b72c1a11285a25f31f2597e090da6bbc049

SHA256
71d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019

SHA512
b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
372KB

MD5
48068dff85475dcd8031617e30d4f3bf

SHA1
bb78a750a8c9015ca32896346d53355810edf4bb

SHA256
ddbb9e06fc1c9897376b03e1829a37799de7f0efed39a8ad5a547d77727df1dc

SHA512
6b86edf45d0f681a3c5d061853bbb59b469236d18e0cc8199f506b7e5de5d14c9e2ea4d03a8640c58a4fac16ce92c7f49f4e64850049071edd367b28140f4694

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
372KB

MD5
48068dff85475dcd8031617e30d4f3bf

SHA1
bb78a750a8c9015ca32896346d53355810edf4bb

SHA256
ddbb9e06fc1c9897376b03e1829a37799de7f0efed39a8ad5a547d77727df1dc

SHA512
6b86edf45d0f681a3c5d061853bbb59b469236d18e0cc8199f506b7e5de5d14c9e2ea4d03a8640c58a4fac16ce92c7f49f4e64850049071edd367b28140f4694

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
372KB

MD5
48068dff85475dcd8031617e30d4f3bf

SHA1
bb78a750a8c9015ca32896346d53355810edf4bb

SHA256
ddbb9e06fc1c9897376b03e1829a37799de7f0efed39a8ad5a547d77727df1dc

SHA512
6b86edf45d0f681a3c5d061853bbb59b469236d18e0cc8199f506b7e5de5d14c9e2ea4d03a8640c58a4fac16ce92c7f49f4e64850049071edd367b28140f4694

Download Submit
\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
372KB

MD5
48068dff85475dcd8031617e30d4f3bf

SHA1
bb78a750a8c9015ca32896346d53355810edf4bb

SHA256
ddbb9e06fc1c9897376b03e1829a37799de7f0efed39a8ad5a547d77727df1dc

SHA512
6b86edf45d0f681a3c5d061853bbb59b469236d18e0cc8199f506b7e5de5d14c9e2ea4d03a8640c58a4fac16ce92c7f49f4e64850049071edd367b28140f4694

Download Submit
memory/860-97-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/860-95-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/860-91-0x00000000004026D0-mapping.dmp

Download
memory/860-96-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1180-54-0x0000000000090000-0x00000000000F2000-memory.dmp

Filesize
392KB

Download
memory/1180-56-0x0000000075481000-0x0000000075483000-memory.dmp

Filesize
8KB

Download
memory/1180-55-0x00000000005D0000-0x00000000005FE000-memory.dmp

Filesize
184KB

Download
memory/1968-77-0x0000000000CC0000-0x0000000000D22000-memory.dmp

Filesize
392KB

Download
memory/1968-74-0x0000000000000000-mapping.dmp

Download
memory/2044-62-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2044-72-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2044-71-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2044-67-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2044-68-0x00000000004026D0-mapping.dmp

Download
memory/2044-65-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2044-63-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2044-60-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2044-58-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2044-57-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads