netwire | 56dce82fbb50a596c617d96dbc093df4dc0e706743dcb5014bff4e05b067f9c1

General

Target

56dce82fbb50a596c617d96dbc093df4dc0e706743dcb5014bff4e05b067f9c1.exe
Size

2.3MB
MD5

769b53a20169c402f96c41264e63d993
SHA1

234efdc38581283b433b9ae93acad8ca0adbb38b
SHA256

56dce82fbb50a596c617d96dbc093df4dc0e706743dcb5014bff4e05b067f9c1
SHA512

130668eb4eb2f74088176a0dfaad0b7a23a2b7fec5d333a7c919b2e062778c8e95f84dc7c4b7bd3ad9dee2e2e2af4392617f8bdb0068b43e9bc8444745c4d9ca

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

C2

bedahogs.100chickens.me:6065

Attributes

activex_autorun
true
activex_key
{5M67M2F2-36J1-VF8Q-82EI-SXNC4S0578Q0}
copy_executable
true
delete_original
false
host_id
HostId-%Rand%
install_path
%AppData%\Install\MSC.exe
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
dNigsAJo
offline_keylogger
true
password
Password
registry_autorun
true
startup_name
Settings
use_mutex
true

Signatures

NetWire RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1260-68-0x0000000000400000-0x000000000064E000-memory.dmp	netwire
behavioral1/memory/1260-69-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1664-96-0x0000000000400000-0x000000000064E000-memory.dmp	netwire
behavioral1/memory/1664-97-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

MSC.exeMSC.exe

pid process

1704 MSC.exe
1664 MSC.exe

pid	process
1704	MSC.exe
1664	MSC.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

MSC.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5M67M2F2-36J1-VF8Q-82EI-SXNC4S0578Q0}	MSC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5M67M2F2-36J1-VF8Q-82EI-SXNC4S0578Q0}\StubPath = "\"C:\\Users\\Admin\\AppData\\Roaming\\Install\\MSC.exe\""	MSC.exe

Loads dropped DLL 2 IoCs

Processes:

56dce82fbb50a596c617d96dbc093df4dc0e706743dcb5014bff4e05b067f9c1.exe

pid	process
1260	56dce82fbb50a596c617d96dbc093df4dc0e706743dcb5014bff4e05b067f9c1.exe
1260	56dce82fbb50a596c617d96dbc093df4dc0e706743dcb5014bff4e05b067f9c1.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

MSC.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	MSC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Windows\CurrentVersion\Run\Settings = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\MSC.exe"	MSC.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

56dce82fbb50a596c617d96dbc093df4dc0e706743dcb5014bff4e05b067f9c1.exe56dce82fbb50a596c617d96dbc093df4dc0e706743dcb5014bff4e05b067f9c1.exeMSC.exeMSC.exe

pid	process
1816	56dce82fbb50a596c617d96dbc093df4dc0e706743dcb5014bff4e05b067f9c1.exe
1260	56dce82fbb50a596c617d96dbc093df4dc0e706743dcb5014bff4e05b067f9c1.exe
1260	56dce82fbb50a596c617d96dbc093df4dc0e706743dcb5014bff4e05b067f9c1.exe
1704	MSC.exe
1664	MSC.exe
1664	MSC.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

56dce82fbb50a596c617d96dbc093df4dc0e706743dcb5014bff4e05b067f9c1.exeMSC.exe

description	pid	process	target process
PID 1816 set thread context of 1260	1816	56dce82fbb50a596c617d96dbc093df4dc0e706743dcb5014bff4e05b067f9c1.exe	56dce82fbb50a596c617d96dbc093df4dc0e706743dcb5014bff4e05b067f9c1.exe
PID 1704 set thread context of 1664	1704	MSC.exe	MSC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

DllHost.exe

pid process

936 DllHost.exe
936 DllHost.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

56dce82fbb50a596c617d96dbc093df4dc0e706743dcb5014bff4e05b067f9c1.exeMSC.exe

pid process

1816 56dce82fbb50a596c617d96dbc093df4dc0e706743dcb5014bff4e05b067f9c1.exe
1704 MSC.exe

pid	process
936	DllHost.exe
936	DllHost.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

56dce82fbb50a596c617d96dbc093df4dc0e706743dcb5014bff4e05b067f9c1.exe56dce82fbb50a596c617d96dbc093df4dc0e706743dcb5014bff4e05b067f9c1.exeMSC.exe

description	pid	process	target process
PID 1816 wrote to memory of 1260	1816	56dce82fbb50a596c617d96dbc093df4dc0e706743dcb5014bff4e05b067f9c1.exe	56dce82fbb50a596c617d96dbc093df4dc0e706743dcb5014bff4e05b067f9c1.exe
PID 1816 wrote to memory of 1260	1816	56dce82fbb50a596c617d96dbc093df4dc0e706743dcb5014bff4e05b067f9c1.exe	56dce82fbb50a596c617d96dbc093df4dc0e706743dcb5014bff4e05b067f9c1.exe
PID 1816 wrote to memory of 1260	1816	56dce82fbb50a596c617d96dbc093df4dc0e706743dcb5014bff4e05b067f9c1.exe	56dce82fbb50a596c617d96dbc093df4dc0e706743dcb5014bff4e05b067f9c1.exe
PID 1816 wrote to memory of 1260	1816	56dce82fbb50a596c617d96dbc093df4dc0e706743dcb5014bff4e05b067f9c1.exe	56dce82fbb50a596c617d96dbc093df4dc0e706743dcb5014bff4e05b067f9c1.exe
PID 1260 wrote to memory of 1704	1260	56dce82fbb50a596c617d96dbc093df4dc0e706743dcb5014bff4e05b067f9c1.exe	MSC.exe
PID 1260 wrote to memory of 1704	1260	56dce82fbb50a596c617d96dbc093df4dc0e706743dcb5014bff4e05b067f9c1.exe	MSC.exe
PID 1260 wrote to memory of 1704	1260	56dce82fbb50a596c617d96dbc093df4dc0e706743dcb5014bff4e05b067f9c1.exe	MSC.exe
PID 1260 wrote to memory of 1704	1260	56dce82fbb50a596c617d96dbc093df4dc0e706743dcb5014bff4e05b067f9c1.exe	MSC.exe
PID 1704 wrote to memory of 1664	1704	MSC.exe	MSC.exe
PID 1704 wrote to memory of 1664	1704	MSC.exe	MSC.exe
PID 1704 wrote to memory of 1664	1704	MSC.exe	MSC.exe
PID 1704 wrote to memory of 1664	1704	MSC.exe	MSC.exe

C:\Users\Admin\AppData\Local\Temp\56dce82fbb50a596c617d96dbc093df4dc0e706743dcb5014bff4e05b067f9c1.exe
"C:\Users\Admin\AppData\Local\Temp\56dce82fbb50a596c617d96dbc093df4dc0e706743dcb5014bff4e05b067f9c1.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1816

C:\Users\Admin\AppData\Local\Temp\56dce82fbb50a596c617d96dbc093df4dc0e706743dcb5014bff4e05b067f9c1.exe
"C:\Users\Admin\AppData\Local\Temp\56dce82fbb50a596c617d96dbc093df4dc0e706743dcb5014bff4e05b067f9c1.exe"
2⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:1260

C:\Users\Admin\AppData\Roaming\Install\MSC.exe
"C:\Users\Admin\AppData\Roaming\Install\MSC.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1704

C:\Users\Admin\AppData\Roaming\Install\MSC.exe
"C:\Users\Admin\AppData\Roaming\Install\MSC.exe"
4⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1664

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:936

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Lisiting.JPG

Filesize
70KB

MD5
86b1bae6d38d665d83d3e6800fba3d48

SHA1
5494253c2e28b0468367248f08a1b629bf066e70

SHA256
f92fda5430f52de54e2894de6bbf4907ff21ce046abeb62edfcdbc09007133d1

SHA512
cbd137cceb4f1bbc11dffab16d35206fb5187dc0f7b41ef3712f071c31a75b7052fd38488b4285ce979fa9de12a3c65ed8af23f2d9d995c785384939422d8de1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lisiting.JPG

Filesize
70KB

MD5
86b1bae6d38d665d83d3e6800fba3d48

SHA1
5494253c2e28b0468367248f08a1b629bf066e70

SHA256
f92fda5430f52de54e2894de6bbf4907ff21ce046abeb62edfcdbc09007133d1

SHA512
cbd137cceb4f1bbc11dffab16d35206fb5187dc0f7b41ef3712f071c31a75b7052fd38488b4285ce979fa9de12a3c65ed8af23f2d9d995c785384939422d8de1

Download Submit
C:\Users\Admin\AppData\Roaming\Install\MSC.exe

Filesize
2.3MB

MD5
769b53a20169c402f96c41264e63d993

SHA1
234efdc38581283b433b9ae93acad8ca0adbb38b

SHA256
56dce82fbb50a596c617d96dbc093df4dc0e706743dcb5014bff4e05b067f9c1

SHA512
130668eb4eb2f74088176a0dfaad0b7a23a2b7fec5d333a7c919b2e062778c8e95f84dc7c4b7bd3ad9dee2e2e2af4392617f8bdb0068b43e9bc8444745c4d9ca

Download Submit
C:\Users\Admin\AppData\Roaming\Install\MSC.exe

Filesize
2.3MB

MD5
769b53a20169c402f96c41264e63d993

SHA1
234efdc38581283b433b9ae93acad8ca0adbb38b

SHA256
56dce82fbb50a596c617d96dbc093df4dc0e706743dcb5014bff4e05b067f9c1

SHA512
130668eb4eb2f74088176a0dfaad0b7a23a2b7fec5d333a7c919b2e062778c8e95f84dc7c4b7bd3ad9dee2e2e2af4392617f8bdb0068b43e9bc8444745c4d9ca

Download Submit
C:\Users\Admin\AppData\Roaming\Install\MSC.exe

Filesize
2.3MB

MD5
769b53a20169c402f96c41264e63d993

SHA1
234efdc38581283b433b9ae93acad8ca0adbb38b

SHA256
56dce82fbb50a596c617d96dbc093df4dc0e706743dcb5014bff4e05b067f9c1

SHA512
130668eb4eb2f74088176a0dfaad0b7a23a2b7fec5d333a7c919b2e062778c8e95f84dc7c4b7bd3ad9dee2e2e2af4392617f8bdb0068b43e9bc8444745c4d9ca

Download Submit
\Users\Admin\AppData\Roaming\Install\MSC.exe

Filesize
2.3MB

MD5
769b53a20169c402f96c41264e63d993

SHA1
234efdc38581283b433b9ae93acad8ca0adbb38b

SHA256
56dce82fbb50a596c617d96dbc093df4dc0e706743dcb5014bff4e05b067f9c1

SHA512
130668eb4eb2f74088176a0dfaad0b7a23a2b7fec5d333a7c919b2e062778c8e95f84dc7c4b7bd3ad9dee2e2e2af4392617f8bdb0068b43e9bc8444745c4d9ca

Download Submit
\Users\Admin\AppData\Roaming\Install\MSC.exe

Filesize
2.3MB

MD5
769b53a20169c402f96c41264e63d993

SHA1
234efdc38581283b433b9ae93acad8ca0adbb38b

SHA256
56dce82fbb50a596c617d96dbc093df4dc0e706743dcb5014bff4e05b067f9c1

SHA512
130668eb4eb2f74088176a0dfaad0b7a23a2b7fec5d333a7c919b2e062778c8e95f84dc7c4b7bd3ad9dee2e2e2af4392617f8bdb0068b43e9bc8444745c4d9ca

Download Submit
memory/1260-82-0x0000000077730000-0x00000000778B0000-memory.dmp

Filesize
1.5MB

Download
memory/1260-80-0x0000000077550000-0x00000000776F9000-memory.dmp

Filesize
1.7MB

Download
memory/1260-69-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1260-79-0x0000000000220000-0x000000000022E000-memory.dmp

Filesize
56KB

Download
memory/1260-62-0x000000000048677B-mapping.dmp

Download
memory/1260-68-0x0000000000400000-0x000000000064E000-memory.dmp

Filesize
2.3MB

Download
memory/1664-96-0x0000000000400000-0x000000000064E000-memory.dmp

Filesize
2.3MB

Download
memory/1664-95-0x0000000077550000-0x00000000776F9000-memory.dmp

Filesize
1.7MB

Download
memory/1664-97-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1664-89-0x000000000048677B-mapping.dmp

Download
memory/1704-77-0x0000000000000000-mapping.dmp

Download
memory/1704-92-0x0000000077730000-0x00000000778B0000-memory.dmp

Filesize
1.5MB

Download
memory/1704-91-0x00000000003B0000-0x00000000003BE000-memory.dmp

Filesize
56KB

Download
memory/1704-88-0x0000000077550000-0x00000000776F9000-memory.dmp

Filesize
1.7MB

Download
memory/1816-56-0x0000000000240000-0x000000000024E000-memory.dmp

Filesize
56KB

Download
memory/1816-60-0x0000000077730000-0x00000000778B0000-memory.dmp

Filesize
1.5MB

Download
memory/1816-57-0x0000000076091000-0x0000000076093000-memory.dmp

Filesize
8KB

Download
memory/1816-59-0x0000000077550000-0x00000000776F9000-memory.dmp

Filesize
1.7MB

Download
memory/1816-65-0x0000000077730000-0x00000000778B0000-memory.dmp

Filesize
1.5MB

Download
memory/1816-64-0x0000000000240000-0x000000000024E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads