netwire | 21dcf18b3949a5a3adfa4be19dd4c177f9ad087bf8e19895c146a076b337a73f

Analysis

max time kernel
143s
max time network
135s
platform
windows7_x64
resource
win7-20220718-en
resource tags

arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
submitted
25-07-2022 02:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

21dcf18b3949a5a3adfa4be19dd4c177f9ad087bf8e19895c146a076b337a73f.exe
Size

738KB
MD5

4a95e7a9d4b8c642838e304b1f567bce
SHA1

0179ac1ce47a0d5038aa14748a85ad26373fa142
SHA256

21dcf18b3949a5a3adfa4be19dd4c177f9ad087bf8e19895c146a076b337a73f
SHA512

9b4121849d81407973300c80e4c725d03071b9b93feca7fd7bcb7aef0cd35d80dc7cf747d544a76db764745b31ac889b896987bbe3849a57e1860fa0a7e91729

Score

10^/10

netwire botnet rat stealer

Malware Config

Signatures

NetWire RAT payload 7 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/916-61-0x0000000000070000-0x000000000008F000-memory.dmp	netwire
behavioral1/memory/916-64-0x00000000004021DA-mapping.dmp	netwire
behavioral1/memory/916-65-0x0000000000070000-0x000000000008F000-memory.dmp	netwire
behavioral1/memory/1720-85-0x00000000004021DA-mapping.dmp	netwire
behavioral1/memory/1720-90-0x0000000000400000-0x000000000041F000-memory.dmp	netwire
behavioral1/memory/1720-93-0x0000000000400000-0x000000000041F000-memory.dmp	netwire
behavioral1/memory/1720-97-0x0000000000400000-0x000000000041F000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

system.exesystem.exe

pid process

280 system.exe
1720 system.exe
Deletes itself 1 IoCs

Processes:

system.exe

pid process

280 system.exe

pid	process
280	system.exe
1720	system.exe

pid	process
280	system.exe

Loads dropped DLL 3 IoCs

Processes:

21dcf18b3949a5a3adfa4be19dd4c177f9ad087bf8e19895c146a076b337a73f.exesystem.exe

pid	process
552	21dcf18b3949a5a3adfa4be19dd4c177f9ad087bf8e19895c146a076b337a73f.exe
552	21dcf18b3949a5a3adfa4be19dd4c177f9ad087bf8e19895c146a076b337a73f.exe
280	system.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

21dcf18b3949a5a3adfa4be19dd4c177f9ad087bf8e19895c146a076b337a73f.exesystem.exe

description	pid	process	target process
PID 552 set thread context of 916	552	21dcf18b3949a5a3adfa4be19dd4c177f9ad087bf8e19895c146a076b337a73f.exe	21dcf18b3949a5a3adfa4be19dd4c177f9ad087bf8e19895c146a076b337a73f.exe
PID 280 set thread context of 1720	280	system.exe	system.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1232 timeout.exe

pid	process
1232	timeout.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

21dcf18b3949a5a3adfa4be19dd4c177f9ad087bf8e19895c146a076b337a73f.exesystem.exe

pid	process
552	21dcf18b3949a5a3adfa4be19dd4c177f9ad087bf8e19895c146a076b337a73f.exe
552	21dcf18b3949a5a3adfa4be19dd4c177f9ad087bf8e19895c146a076b337a73f.exe
280	system.exe
280	system.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

21dcf18b3949a5a3adfa4be19dd4c177f9ad087bf8e19895c146a076b337a73f.exesystem.exe

description	pid	process
Token: SeDebugPrivilege	552	21dcf18b3949a5a3adfa4be19dd4c177f9ad087bf8e19895c146a076b337a73f.exe
Token: 33	552	21dcf18b3949a5a3adfa4be19dd4c177f9ad087bf8e19895c146a076b337a73f.exe
Token: SeIncBasePriorityPrivilege	552	21dcf18b3949a5a3adfa4be19dd4c177f9ad087bf8e19895c146a076b337a73f.exe
Token: SeDebugPrivilege	280	system.exe
Token: 33	280	system.exe
Token: SeIncBasePriorityPrivilege	280	system.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

21dcf18b3949a5a3adfa4be19dd4c177f9ad087bf8e19895c146a076b337a73f.exesystem.execmd.exe

description	pid	process	target process
PID 552 wrote to memory of 916	552	21dcf18b3949a5a3adfa4be19dd4c177f9ad087bf8e19895c146a076b337a73f.exe	21dcf18b3949a5a3adfa4be19dd4c177f9ad087bf8e19895c146a076b337a73f.exe
PID 552 wrote to memory of 916	552	21dcf18b3949a5a3adfa4be19dd4c177f9ad087bf8e19895c146a076b337a73f.exe	21dcf18b3949a5a3adfa4be19dd4c177f9ad087bf8e19895c146a076b337a73f.exe
PID 552 wrote to memory of 916	552	21dcf18b3949a5a3adfa4be19dd4c177f9ad087bf8e19895c146a076b337a73f.exe	21dcf18b3949a5a3adfa4be19dd4c177f9ad087bf8e19895c146a076b337a73f.exe
PID 552 wrote to memory of 916	552	21dcf18b3949a5a3adfa4be19dd4c177f9ad087bf8e19895c146a076b337a73f.exe	21dcf18b3949a5a3adfa4be19dd4c177f9ad087bf8e19895c146a076b337a73f.exe
PID 552 wrote to memory of 916	552	21dcf18b3949a5a3adfa4be19dd4c177f9ad087bf8e19895c146a076b337a73f.exe	21dcf18b3949a5a3adfa4be19dd4c177f9ad087bf8e19895c146a076b337a73f.exe
PID 552 wrote to memory of 916	552	21dcf18b3949a5a3adfa4be19dd4c177f9ad087bf8e19895c146a076b337a73f.exe	21dcf18b3949a5a3adfa4be19dd4c177f9ad087bf8e19895c146a076b337a73f.exe
PID 552 wrote to memory of 916	552	21dcf18b3949a5a3adfa4be19dd4c177f9ad087bf8e19895c146a076b337a73f.exe	21dcf18b3949a5a3adfa4be19dd4c177f9ad087bf8e19895c146a076b337a73f.exe
PID 552 wrote to memory of 916	552	21dcf18b3949a5a3adfa4be19dd4c177f9ad087bf8e19895c146a076b337a73f.exe	21dcf18b3949a5a3adfa4be19dd4c177f9ad087bf8e19895c146a076b337a73f.exe
PID 552 wrote to memory of 916	552	21dcf18b3949a5a3adfa4be19dd4c177f9ad087bf8e19895c146a076b337a73f.exe	21dcf18b3949a5a3adfa4be19dd4c177f9ad087bf8e19895c146a076b337a73f.exe
PID 552 wrote to memory of 280	552	21dcf18b3949a5a3adfa4be19dd4c177f9ad087bf8e19895c146a076b337a73f.exe	system.exe
PID 552 wrote to memory of 280	552	21dcf18b3949a5a3adfa4be19dd4c177f9ad087bf8e19895c146a076b337a73f.exe	system.exe
PID 552 wrote to memory of 280	552	21dcf18b3949a5a3adfa4be19dd4c177f9ad087bf8e19895c146a076b337a73f.exe	system.exe
PID 552 wrote to memory of 280	552	21dcf18b3949a5a3adfa4be19dd4c177f9ad087bf8e19895c146a076b337a73f.exe	system.exe
PID 280 wrote to memory of 1720	280	system.exe	system.exe
PID 280 wrote to memory of 1720	280	system.exe	system.exe
PID 280 wrote to memory of 1720	280	system.exe	system.exe
PID 280 wrote to memory of 1720	280	system.exe	system.exe
PID 280 wrote to memory of 1720	280	system.exe	system.exe
PID 280 wrote to memory of 1720	280	system.exe	system.exe
PID 280 wrote to memory of 1720	280	system.exe	system.exe
PID 280 wrote to memory of 1720	280	system.exe	system.exe
PID 280 wrote to memory of 1720	280	system.exe	system.exe
PID 280 wrote to memory of 1884	280	system.exe	cmd.exe
PID 280 wrote to memory of 1884	280	system.exe	cmd.exe
PID 280 wrote to memory of 1884	280	system.exe	cmd.exe
PID 280 wrote to memory of 1884	280	system.exe	cmd.exe
PID 1884 wrote to memory of 1232	1884	cmd.exe	timeout.exe
PID 1884 wrote to memory of 1232	1884	cmd.exe	timeout.exe
PID 1884 wrote to memory of 1232	1884	cmd.exe	timeout.exe
PID 1884 wrote to memory of 1232	1884	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\21dcf18b3949a5a3adfa4be19dd4c177f9ad087bf8e19895c146a076b337a73f.exe
"C:\Users\Admin\AppData\Local\Temp\21dcf18b3949a5a3adfa4be19dd4c177f9ad087bf8e19895c146a076b337a73f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:552

C:\Users\Admin\AppData\Local\Temp\21dcf18b3949a5a3adfa4be19dd4c177f9ad087bf8e19895c146a076b337a73f.exe
"C:\Users\Admin\AppData\Local\Temp\21dcf18b3949a5a3adfa4be19dd4c177f9ad087bf8e19895c146a076b337a73f.exe"
2⤵
PID:916

C:\Users\Admin\AppData\Local\Temp\Apples\system.exe
C:\Users\Admin\AppData\Local\Temp\Apples\system.exe
2⤵
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:280

C:\Users\Admin\AppData\Local\Temp\Apples\system.exe
"C:\Users\Admin\AppData\Local\Temp\Apples\system.exe"
3⤵
- Executes dropped EXE
PID:1720

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Apples\system.exe.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:1884

C:\Windows\SysWOW64\timeout.exe
timeout /t 300
4⤵
- Delays execution with timeout.exe
PID:1232

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Apples\melt.bat

Filesize
206B

MD5
21a46ebd2f4e277b896d9c432f1a14dd

SHA1
0f516085bf41fbedb07206757d2296e900aa8cf1

SHA256
cc6ccd29a0db8713d385063854a57221fb6bd93ac0b276da9cf0058adf3d8d7f

SHA512
1c286a32d9241d65d79f03285fe0bfde8be49454a4083b1304a7d33a51c4c24177162ad0c37e87ea573831d215d09debda08ffb21690be68f3afc871bf983d28

Download Submit
C:\Users\Admin\AppData\Local\Temp\Apples\system.exe

Filesize
738KB

MD5
4a95e7a9d4b8c642838e304b1f567bce

SHA1
0179ac1ce47a0d5038aa14748a85ad26373fa142

SHA256
21dcf18b3949a5a3adfa4be19dd4c177f9ad087bf8e19895c146a076b337a73f

SHA512
9b4121849d81407973300c80e4c725d03071b9b93feca7fd7bcb7aef0cd35d80dc7cf747d544a76db764745b31ac889b896987bbe3849a57e1860fa0a7e91729

Download Submit
C:\Users\Admin\AppData\Local\Temp\Apples\system.exe

Filesize
738KB

MD5
4a95e7a9d4b8c642838e304b1f567bce

SHA1
0179ac1ce47a0d5038aa14748a85ad26373fa142

SHA256
21dcf18b3949a5a3adfa4be19dd4c177f9ad087bf8e19895c146a076b337a73f

SHA512
9b4121849d81407973300c80e4c725d03071b9b93feca7fd7bcb7aef0cd35d80dc7cf747d544a76db764745b31ac889b896987bbe3849a57e1860fa0a7e91729

Download Submit
C:\Users\Admin\AppData\Local\Temp\Apples\system.exe

Filesize
738KB

MD5
4a95e7a9d4b8c642838e304b1f567bce

SHA1
0179ac1ce47a0d5038aa14748a85ad26373fa142

SHA256
21dcf18b3949a5a3adfa4be19dd4c177f9ad087bf8e19895c146a076b337a73f

SHA512
9b4121849d81407973300c80e4c725d03071b9b93feca7fd7bcb7aef0cd35d80dc7cf747d544a76db764745b31ac889b896987bbe3849a57e1860fa0a7e91729

Download Submit
C:\Users\Admin\AppData\Local\Temp\Apples\system.exe.bat

Filesize
211B

MD5
403469127eb9502223321b4a9c433cea

SHA1
6ad849d68f5cc12adf1fbe9f1bb673fef2274846

SHA256
01b3e1fd452f49bf6195f8f530aa9ef87c1177632a1443634e8d1920c056009b

SHA512
4d9de06b2980f9dec97b9e889502619fc8776ce6fba6bd438f2a2e1cd883cbddb8a7659195a7db8ae79d8af14a156075199e19fe7c663cc03d2bf0ccc6e48007

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
52KB

MD5
278edbd499374bf73621f8c1f969d894

SHA1
a81170af14747781c5f5f51bb1215893136f0bc0

SHA256
c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391

SHA512
93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9

Download Submit
\Users\Admin\AppData\Local\Temp\Apples\system.exe

Filesize
738KB

MD5
4a95e7a9d4b8c642838e304b1f567bce

SHA1
0179ac1ce47a0d5038aa14748a85ad26373fa142

SHA256
21dcf18b3949a5a3adfa4be19dd4c177f9ad087bf8e19895c146a076b337a73f

SHA512
9b4121849d81407973300c80e4c725d03071b9b93feca7fd7bcb7aef0cd35d80dc7cf747d544a76db764745b31ac889b896987bbe3849a57e1860fa0a7e91729

Download Submit
\Users\Admin\AppData\Local\Temp\Apples\system.exe

Filesize
738KB

MD5
4a95e7a9d4b8c642838e304b1f567bce

SHA1
0179ac1ce47a0d5038aa14748a85ad26373fa142

SHA256
21dcf18b3949a5a3adfa4be19dd4c177f9ad087bf8e19895c146a076b337a73f

SHA512
9b4121849d81407973300c80e4c725d03071b9b93feca7fd7bcb7aef0cd35d80dc7cf747d544a76db764745b31ac889b896987bbe3849a57e1860fa0a7e91729

Download Submit
\Users\Admin\AppData\Local\Temp\Apples\system.exe

Filesize
738KB

MD5
4a95e7a9d4b8c642838e304b1f567bce

SHA1
0179ac1ce47a0d5038aa14748a85ad26373fa142

SHA256
21dcf18b3949a5a3adfa4be19dd4c177f9ad087bf8e19895c146a076b337a73f

SHA512
9b4121849d81407973300c80e4c725d03071b9b93feca7fd7bcb7aef0cd35d80dc7cf747d544a76db764745b31ac889b896987bbe3849a57e1860fa0a7e91729

Download Submit
memory/280-94-0x0000000074D50000-0x00000000752FB000-memory.dmp

Filesize
5.7MB

Download
memory/280-69-0x0000000000000000-mapping.dmp

Download
memory/280-96-0x0000000074D50000-0x00000000752FB000-memory.dmp

Filesize
5.7MB

Download
memory/280-73-0x0000000074D50000-0x00000000752FB000-memory.dmp

Filesize
5.7MB

Download
memory/552-66-0x0000000074D50000-0x00000000752FB000-memory.dmp

Filesize
5.7MB

Download
memory/552-54-0x0000000075CB1000-0x0000000075CB3000-memory.dmp

Filesize
8KB

Download
memory/552-74-0x0000000074D50000-0x00000000752FB000-memory.dmp

Filesize
5.7MB

Download
memory/552-55-0x0000000074D50000-0x00000000752FB000-memory.dmp

Filesize
5.7MB

Download
memory/916-65-0x0000000000070000-0x000000000008F000-memory.dmp

Filesize
124KB

Download
memory/916-64-0x00000000004021DA-mapping.dmp

Download
memory/916-61-0x0000000000070000-0x000000000008F000-memory.dmp

Filesize
124KB

Download
memory/916-59-0x0000000000070000-0x000000000008F000-memory.dmp

Filesize
124KB

Download
memory/916-57-0x0000000000070000-0x000000000008F000-memory.dmp

Filesize
124KB

Download
memory/916-56-0x0000000000070000-0x000000000008F000-memory.dmp

Filesize
124KB

Download
memory/1232-92-0x0000000000000000-mapping.dmp

Download
memory/1720-85-0x00000000004021DA-mapping.dmp

Download
memory/1720-90-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1720-93-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1720-97-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1884-88-0x0000000000000000-mapping.dmp

Download