netwire | 67ef63e5a825981d5df3913386c1d1e65d57097f03da162b7a5bd4f355cf8c2b

General

Target

67ef63e5a825981d5df3913386c1d1e65d57097f03da162b7a5bd4f355cf8c2b.exe
Size

805KB
MD5

646ed17ed05a8e0925c95e4b43210e2c
SHA1

ca333c718dad8faff0d6e99ba33b7c336d8b82db
SHA256

67ef63e5a825981d5df3913386c1d1e65d57097f03da162b7a5bd4f355cf8c2b
SHA512

6d63c2f96db0ca0cd97d6563cbc85099c090d165153c32794f6b7b86d966b2086af3192b1508d1b5342ced3f325856e36bfb76930cb93f372c7220b7632a30f7

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Signatures

NetWire RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2740-154-0x0000000000400000-0x00000000004B2000-memory.dmp	netwire
behavioral2/memory/2740-155-0x0000000000400000-0x000000000042B000-memory.dmp	netwire
behavioral2/memory/2740-163-0x0000000000400000-0x00000000004B2000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 3 IoCs

Processes:

PAKJHS~1.EXEbcvdfgsd.exebcvdfgsd.exe

pid process

4824 PAKJHS~1.EXE
4600 bcvdfgsd.exe
2740 bcvdfgsd.exe

pid	process
4824	PAKJHS~1.EXE
4600	bcvdfgsd.exe
2740	bcvdfgsd.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

PAKJHS~1.EXE

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation	PAKJHS~1.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WScript.exe67ef63e5a825981d5df3913386c1d1e65d57097f03da162b7a5bd4f355cf8c2b.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Net Host = "C:\\Users\\Admin\\vbnfghcbv\\bcvdfgsd.vbs -BN"	WScript.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	67ef63e5a825981d5df3913386c1d1e65d57097f03da162b7a5bd4f355cf8c2b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	67ef63e5a825981d5df3913386c1d1e65d57097f03da162b7a5bd4f355cf8c2b.exe
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Software\Microsoft\Windows\CurrentVersion\Run	WScript.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

PAKJHS~1.EXEbcvdfgsd.exebcvdfgsd.exe

pid process

4824 PAKJHS~1.EXE
4600 bcvdfgsd.exe
2740 bcvdfgsd.exe
2740 bcvdfgsd.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

bcvdfgsd.exe

description pid process target process

PID 4600 set thread context of 2740 4600 bcvdfgsd.exe bcvdfgsd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

PAKJHS~1.EXE

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings PAKJHS~1.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

PAKJHS~1.EXEbcvdfgsd.exe

pid process

4824 PAKJHS~1.EXE
4600 bcvdfgsd.exe

pid	process
4824	PAKJHS~1.EXE
4600	bcvdfgsd.exe
2740	bcvdfgsd.exe
2740	bcvdfgsd.exe

description	pid	process	target process
PID 4600 set thread context of 2740	4600	bcvdfgsd.exe	bcvdfgsd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings	PAKJHS~1.EXE

pid	process
4824	PAKJHS~1.EXE
4600	bcvdfgsd.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

67ef63e5a825981d5df3913386c1d1e65d57097f03da162b7a5bd4f355cf8c2b.exePAKJHS~1.EXEbcvdfgsd.exe

description	pid	process	target process
PID 3188 wrote to memory of 4824	3188	67ef63e5a825981d5df3913386c1d1e65d57097f03da162b7a5bd4f355cf8c2b.exe	PAKJHS~1.EXE
PID 3188 wrote to memory of 4824	3188	67ef63e5a825981d5df3913386c1d1e65d57097f03da162b7a5bd4f355cf8c2b.exe	PAKJHS~1.EXE
PID 3188 wrote to memory of 4824	3188	67ef63e5a825981d5df3913386c1d1e65d57097f03da162b7a5bd4f355cf8c2b.exe	PAKJHS~1.EXE
PID 4824 wrote to memory of 224	4824	PAKJHS~1.EXE	WScript.exe
PID 4824 wrote to memory of 224	4824	PAKJHS~1.EXE	WScript.exe
PID 4824 wrote to memory of 224	4824	PAKJHS~1.EXE	WScript.exe
PID 4824 wrote to memory of 4600	4824	PAKJHS~1.EXE	bcvdfgsd.exe
PID 4824 wrote to memory of 4600	4824	PAKJHS~1.EXE	bcvdfgsd.exe
PID 4824 wrote to memory of 4600	4824	PAKJHS~1.EXE	bcvdfgsd.exe
PID 4600 wrote to memory of 2740	4600	bcvdfgsd.exe	bcvdfgsd.exe
PID 4600 wrote to memory of 2740	4600	bcvdfgsd.exe	bcvdfgsd.exe
PID 4600 wrote to memory of 2740	4600	bcvdfgsd.exe	bcvdfgsd.exe

C:\Users\Admin\AppData\Local\Temp\67ef63e5a825981d5df3913386c1d1e65d57097f03da162b7a5bd4f355cf8c2b.exe
"C:\Users\Admin\AppData\Local\Temp\67ef63e5a825981d5df3913386c1d1e65d57097f03da162b7a5bd4f355cf8c2b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3188

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PAKJHS~1.EXE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PAKJHS~1.EXE
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4824

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\vbnfghcbv\bcvdfgsd.vbs"
3⤵
- Adds Run key to start application
PID:224

C:\Users\Admin\vbnfghcbv\bcvdfgsd.exe
"C:\Users\Admin\vbnfghcbv\bcvdfgsd.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4600

C:\Users\Admin\vbnfghcbv\bcvdfgsd.exe
"C:\Users\Admin\vbnfghcbv\bcvdfgsd.exe"
4⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2740

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PAKJHS~1.EXE

Filesize
205.7MB

MD5
b22c9d17d34128a32ed382001010ead7

SHA1
36cadb05195a3e3168d976f5797da62304c05ec7

SHA256
1a7bfb43ef8f251440b591984b6b83964b13cc70f19e8b935768fa4247f7aabf

SHA512
24a31841644c0efa7c328bb6390440d07ddaf5027a1ca38f4327bc06750b36a35d4aab1841c7617e4e66095e6a42e6f9872964fd109b072f252ac6b3f2fab210

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PAKJHS~1.EXE

Filesize
205.7MB

MD5
b22c9d17d34128a32ed382001010ead7

SHA1
36cadb05195a3e3168d976f5797da62304c05ec7

SHA256
1a7bfb43ef8f251440b591984b6b83964b13cc70f19e8b935768fa4247f7aabf

SHA512
24a31841644c0efa7c328bb6390440d07ddaf5027a1ca38f4327bc06750b36a35d4aab1841c7617e4e66095e6a42e6f9872964fd109b072f252ac6b3f2fab210

Download Submit
C:\Users\Admin\vbnfghcbv\bcvdfgsd.exe

Filesize
205.7MB

MD5
b22c9d17d34128a32ed382001010ead7

SHA1
36cadb05195a3e3168d976f5797da62304c05ec7

SHA256
1a7bfb43ef8f251440b591984b6b83964b13cc70f19e8b935768fa4247f7aabf

SHA512
24a31841644c0efa7c328bb6390440d07ddaf5027a1ca38f4327bc06750b36a35d4aab1841c7617e4e66095e6a42e6f9872964fd109b072f252ac6b3f2fab210

Download Submit
C:\Users\Admin\vbnfghcbv\bcvdfgsd.exe

Filesize
205.7MB

MD5
b22c9d17d34128a32ed382001010ead7

SHA1
36cadb05195a3e3168d976f5797da62304c05ec7

SHA256
1a7bfb43ef8f251440b591984b6b83964b13cc70f19e8b935768fa4247f7aabf

SHA512
24a31841644c0efa7c328bb6390440d07ddaf5027a1ca38f4327bc06750b36a35d4aab1841c7617e4e66095e6a42e6f9872964fd109b072f252ac6b3f2fab210

Download Submit
C:\Users\Admin\vbnfghcbv\bcvdfgsd.exe

Filesize
205.7MB

MD5
b22c9d17d34128a32ed382001010ead7

SHA1
36cadb05195a3e3168d976f5797da62304c05ec7

SHA256
1a7bfb43ef8f251440b591984b6b83964b13cc70f19e8b935768fa4247f7aabf

SHA512
24a31841644c0efa7c328bb6390440d07ddaf5027a1ca38f4327bc06750b36a35d4aab1841c7617e4e66095e6a42e6f9872964fd109b072f252ac6b3f2fab210

Download Submit
C:\Users\Admin\vbnfghcbv\bcvdfgsd.vbs

Filesize
1020B

MD5
b767073812150f580da5776d76d28c59

SHA1
99314a2ae5a0435153ea8010c5525d939a61a64a

SHA256
21ec41247c1f78aa36ba2db84215de3744621453e5284eabdb79e06c29284523

SHA512
779f80e8a2dd25e5615c711fbc7825535fa90b2d7c31740ea327ee99bc8792f9ff2deff779cfd68df9cfef6c9e4c8575f2eedec1bd6da12a45f272eff0324460

Download Submit
memory/224-138-0x0000000000000000-mapping.dmp

Download
memory/2740-150-0x0000000000000000-mapping.dmp

Download
memory/2740-161-0x00007FF8257F0000-0x00007FF8259E5000-memory.dmp

Filesize
2.0MB

Download
memory/2740-162-0x0000000077540000-0x00000000776E3000-memory.dmp

Filesize
1.6MB

Download
memory/2740-155-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2740-163-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2740-154-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2740-164-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/4600-152-0x0000000002050000-0x000000000205F000-memory.dmp

Filesize
60KB

Download
memory/4600-149-0x0000000077540000-0x00000000776E3000-memory.dmp

Filesize
1.6MB

Download
memory/4600-148-0x00007FF8257F0000-0x00007FF8259E5000-memory.dmp

Filesize
2.0MB

Download
memory/4600-153-0x0000000077540000-0x00000000776E3000-memory.dmp

Filesize
1.6MB

Download
memory/4600-140-0x0000000000000000-mapping.dmp

Download
memory/4824-146-0x00007FF8257F0000-0x00007FF8259E5000-memory.dmp

Filesize
2.0MB

Download
memory/4824-130-0x0000000000000000-mapping.dmp

Download
memory/4824-147-0x0000000077540000-0x00000000776E3000-memory.dmp

Filesize
1.6MB

Download
memory/4824-143-0x0000000002BD0000-0x0000000002BDF000-memory.dmp

Filesize
60KB

Download
memory/4824-137-0x0000000077540000-0x00000000776E3000-memory.dmp

Filesize
1.6MB

Download
memory/4824-136-0x00007FF8257F0000-0x00007FF8259E5000-memory.dmp

Filesize
2.0MB

Download
memory/4824-135-0x0000000002BD0000-0x0000000002BDF000-memory.dmp

Filesize
60KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads