netwire | cc4fc81c6827c57ebc0ddf6a197e2e6277839e3b0f7c2d94a88dd5c91d586e72

Analysis

max time kernel
145s
max time network
153s
platform
windows7_x64
resource
win7-20220718-en
resource tags

arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
submitted
25-07-2022 03:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cc4fc81c6827c57ebc0ddf6a197e2e6277839e3b0f7c2d94a88dd5c91d586e72.exe
Size

521KB
MD5

c784ee0059d15987a9a306e322e0d062
SHA1

cf78fdd65e08005131e4ef42912fc8e07d685fa0
SHA256

cc4fc81c6827c57ebc0ddf6a197e2e6277839e3b0f7c2d94a88dd5c91d586e72
SHA512

6a85028af5becb599a130c3947a2f17d24672b35a676d7397efd9072df7cfe33fe4a3ccb8544e6f671524add7697100546bec351c357017f69f2ee74019b1463

Score

10^/10

netwire botnet collection persistence rat spyware stealer

Malware Config

Extracted

Family

netwire

185.171.25.3:1406

Attributes

activex_autorun
true
activex_key
{IXXTPY86-B7O0-U8M5-0OD1-4Y2C8828J3G0}
copy_executable
true
delete_original
false
host_id
bubu
install_path
%AppData%\Install\Host.exe
lock_executable
false
mutex
tvNRDcbc
offline_keylogger
false
password
Password
registry_autorun
true
startup_name
NetWire
use_mutex
true

Signatures

NetWire RAT payload 7 IoCs

rat

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\SettingHost.exe	netwire
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\SettingHost.exe	netwire
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\SettingHost.exe	netwire
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\SettingHost.exe	netwire
\Users\Admin\AppData\Roaming\Install\Host.exe	netwire
C:\Users\Admin\AppData\Roaming\Install\Host.exe	netwire
\Users\Admin\AppData\Roaming\Install\Host.exe	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 4 IoCs

Processes:

server.sfx.exeserver.exeSettingHost.exeHost.exe

pid process

920 server.sfx.exe
2016 server.exe
548 SettingHost.exe
1768 Host.exe

pid	process
920	server.sfx.exe
2016	server.exe
548	SettingHost.exe
1768	Host.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Host.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{IXXTPY86-B7O0-U8M5-0OD1-4Y2C8828J3G0}	Host.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{IXXTPY86-B7O0-U8M5-0OD1-4Y2C8828J3G0}\StubPath = "\"C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe\""	Host.exe

Loads dropped DLL 10 IoCs

Processes:

cmd.exeserver.sfx.exeserver.exeSettingHost.exe

pid	process
1280	cmd.exe
920	server.sfx.exe
920	server.sfx.exe
920	server.sfx.exe
920	server.sfx.exe
920	server.sfx.exe
2016	server.exe
2016	server.exe
548	SettingHost.exe
548	SettingHost.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

server.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	server.exe
Key opened	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	server.exe
Key opened	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	server.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Host.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	Host.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Windows\CurrentVersion\Run\NetWire = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe"	Host.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 checkip.dyndns.org
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

server.exe

pid process

2016 server.exe
2016 server.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

server.exe

description pid process

Token: SeDebugPrivilege 2016 server.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

server.exe

pid process

2016 server.exe

flow	ioc
4	checkip.dyndns.org

pid	process
2016	server.exe
2016	server.exe

description	pid	process
Token: SeDebugPrivilege	2016	server.exe

pid	process
2016	server.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

cc4fc81c6827c57ebc0ddf6a197e2e6277839e3b0f7c2d94a88dd5c91d586e72.execmd.exeserver.sfx.exeserver.exeSettingHost.exe

description	pid	process	target process
PID 1148 wrote to memory of 1280	1148	cc4fc81c6827c57ebc0ddf6a197e2e6277839e3b0f7c2d94a88dd5c91d586e72.exe	cmd.exe
PID 1148 wrote to memory of 1280	1148	cc4fc81c6827c57ebc0ddf6a197e2e6277839e3b0f7c2d94a88dd5c91d586e72.exe	cmd.exe
PID 1148 wrote to memory of 1280	1148	cc4fc81c6827c57ebc0ddf6a197e2e6277839e3b0f7c2d94a88dd5c91d586e72.exe	cmd.exe
PID 1148 wrote to memory of 1280	1148	cc4fc81c6827c57ebc0ddf6a197e2e6277839e3b0f7c2d94a88dd5c91d586e72.exe	cmd.exe
PID 1280 wrote to memory of 920	1280	cmd.exe	server.sfx.exe
PID 1280 wrote to memory of 920	1280	cmd.exe	server.sfx.exe
PID 1280 wrote to memory of 920	1280	cmd.exe	server.sfx.exe
PID 1280 wrote to memory of 920	1280	cmd.exe	server.sfx.exe
PID 920 wrote to memory of 2016	920	server.sfx.exe	server.exe
PID 920 wrote to memory of 2016	920	server.sfx.exe	server.exe
PID 920 wrote to memory of 2016	920	server.sfx.exe	server.exe
PID 920 wrote to memory of 2016	920	server.sfx.exe	server.exe
PID 2016 wrote to memory of 548	2016	server.exe	SettingHost.exe
PID 2016 wrote to memory of 548	2016	server.exe	SettingHost.exe
PID 2016 wrote to memory of 548	2016	server.exe	SettingHost.exe
PID 2016 wrote to memory of 548	2016	server.exe	SettingHost.exe
PID 548 wrote to memory of 1768	548	SettingHost.exe	Host.exe
PID 548 wrote to memory of 1768	548	SettingHost.exe	Host.exe
PID 548 wrote to memory of 1768	548	SettingHost.exe	Host.exe
PID 548 wrote to memory of 1768	548	SettingHost.exe	Host.exe

outlook_office_path 1 IoCs

Processes:

server.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	server.exe

outlook_win_path 1 IoCs

Processes:

server.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	server.exe

C:\Users\Admin\AppData\Local\Temp\cc4fc81c6827c57ebc0ddf6a197e2e6277839e3b0f7c2d94a88dd5c91d586e72.exe
"C:\Users\Admin\AppData\Local\Temp\cc4fc81c6827c57ebc0ddf6a197e2e6277839e3b0f7c2d94a88dd5c91d586e72.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1148

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\fud.bat" "
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1280

C:\Users\Admin\AppData\Local\Temp\RarSFX0\server.sfx.exe
server.sfx.exe -pzghemkatge -dC:\Users\Admin\AppData\Local\Temp
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:920

C:\Users\Admin\AppData\Local\Temp\RarSFX1\server.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\server.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:2016

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\SettingHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\SettingHost.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:548

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
6⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
PID:1768

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fud.bat

Filesize
40B

MD5
4afa6ae5a7b42cff69ba53484c95ed0f

SHA1
d375d066ae2381ec1aa7b22ac9d2f8e6c2e87ad0

SHA256
b0f956553e01f3a57b67a2396ed0deff49ce76dd8ea591768f44599a20646b35

SHA512
c74f724d3495feb4ab894f4a4c40a045e2773c87cbd62065c3c3b2811367b2e5786b317937f5c27b4da6ec8dcfe0230042340d398e481442ebbc94b4d89d1da1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\server.sfx.exe

Filesize
394KB

MD5
f1f42a41681126733ac97b8713464cb4

SHA1
a4506c5445023e7874e587864bb38ec39c953f1b

SHA256
7365b9d3fd21780499118249c0de5358ac9157df9e928302a9ebecf7a5cd33bc

SHA512
9147efd6e563a0b7e9b311c47cccaabbd4b09d84d11dc46437e0513ec8ea761fe670088757412072493fa77dbc06810d504348b1def1b53e68edeae57fd6a081

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\server.sfx.exe

Filesize
394KB

MD5
f1f42a41681126733ac97b8713464cb4

SHA1
a4506c5445023e7874e587864bb38ec39c953f1b

SHA256
7365b9d3fd21780499118249c0de5358ac9157df9e928302a9ebecf7a5cd33bc

SHA512
9147efd6e563a0b7e9b311c47cccaabbd4b09d84d11dc46437e0513ec8ea761fe670088757412072493fa77dbc06810d504348b1def1b53e68edeae57fd6a081

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\server.exe

Filesize
378KB

MD5
3d6fbc940e83a38bdb52038a0fbdc288

SHA1
3f8f70c79c61034931420197a8de68699c583aa8

SHA256
01585ff657279eb96b6964f666a9f9e1140058bb331affcee152c69e7290dbf6

SHA512
70bf16d15d035342299c5da149389ca189813cbb303fd97934827ff18aa5cc79c4d6b84ce034f4938ff85c63e00c6ceae83abf12f0ffbd2b56714556ab38dd98

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\server.exe

Filesize
378KB

MD5
3d6fbc940e83a38bdb52038a0fbdc288

SHA1
3f8f70c79c61034931420197a8de68699c583aa8

SHA256
01585ff657279eb96b6964f666a9f9e1140058bb331affcee152c69e7290dbf6

SHA512
70bf16d15d035342299c5da149389ca189813cbb303fd97934827ff18aa5cc79c4d6b84ce034f4938ff85c63e00c6ceae83abf12f0ffbd2b56714556ab38dd98

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
131KB

MD5
9228d1005ce4d3a0cbb648bfeaa22a23

SHA1
5f21c987a3087096374be1bd767348dd06b5c419

SHA256
ad3e326dc8d9ff012d8d18c6da56aa2531105187e2c8d4dfef393bcaf2c72a7d

SHA512
56e1720c66a2a48ae976237da00dd6bdf346e24e8b1fda7939d3ce5247928d23429f5e9bf15031f347b1554f4a23dd5146d5866948deb843eaef525da9057475

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\SettingHost.exe

Filesize
131KB

MD5
9228d1005ce4d3a0cbb648bfeaa22a23

SHA1
5f21c987a3087096374be1bd767348dd06b5c419

SHA256
ad3e326dc8d9ff012d8d18c6da56aa2531105187e2c8d4dfef393bcaf2c72a7d

SHA512
56e1720c66a2a48ae976237da00dd6bdf346e24e8b1fda7939d3ce5247928d23429f5e9bf15031f347b1554f4a23dd5146d5866948deb843eaef525da9057475

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\SettingHost.exe

Filesize
131KB

MD5
9228d1005ce4d3a0cbb648bfeaa22a23

SHA1
5f21c987a3087096374be1bd767348dd06b5c419

SHA256
ad3e326dc8d9ff012d8d18c6da56aa2531105187e2c8d4dfef393bcaf2c72a7d

SHA512
56e1720c66a2a48ae976237da00dd6bdf346e24e8b1fda7939d3ce5247928d23429f5e9bf15031f347b1554f4a23dd5146d5866948deb843eaef525da9057475

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\server.sfx.exe

Filesize
394KB

MD5
f1f42a41681126733ac97b8713464cb4

SHA1
a4506c5445023e7874e587864bb38ec39c953f1b

SHA256
7365b9d3fd21780499118249c0de5358ac9157df9e928302a9ebecf7a5cd33bc

SHA512
9147efd6e563a0b7e9b311c47cccaabbd4b09d84d11dc46437e0513ec8ea761fe670088757412072493fa77dbc06810d504348b1def1b53e68edeae57fd6a081

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\server.exe

Filesize
378KB

MD5
3d6fbc940e83a38bdb52038a0fbdc288

SHA1
3f8f70c79c61034931420197a8de68699c583aa8

SHA256
01585ff657279eb96b6964f666a9f9e1140058bb331affcee152c69e7290dbf6

SHA512
70bf16d15d035342299c5da149389ca189813cbb303fd97934827ff18aa5cc79c4d6b84ce034f4938ff85c63e00c6ceae83abf12f0ffbd2b56714556ab38dd98

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\server.exe

Filesize
378KB

MD5
3d6fbc940e83a38bdb52038a0fbdc288

SHA1
3f8f70c79c61034931420197a8de68699c583aa8

SHA256
01585ff657279eb96b6964f666a9f9e1140058bb331affcee152c69e7290dbf6

SHA512
70bf16d15d035342299c5da149389ca189813cbb303fd97934827ff18aa5cc79c4d6b84ce034f4938ff85c63e00c6ceae83abf12f0ffbd2b56714556ab38dd98

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\server.exe

Filesize
378KB

MD5
3d6fbc940e83a38bdb52038a0fbdc288

SHA1
3f8f70c79c61034931420197a8de68699c583aa8

SHA256
01585ff657279eb96b6964f666a9f9e1140058bb331affcee152c69e7290dbf6

SHA512
70bf16d15d035342299c5da149389ca189813cbb303fd97934827ff18aa5cc79c4d6b84ce034f4938ff85c63e00c6ceae83abf12f0ffbd2b56714556ab38dd98

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\server.exe

Filesize
378KB

MD5
3d6fbc940e83a38bdb52038a0fbdc288

SHA1
3f8f70c79c61034931420197a8de68699c583aa8

SHA256
01585ff657279eb96b6964f666a9f9e1140058bb331affcee152c69e7290dbf6

SHA512
70bf16d15d035342299c5da149389ca189813cbb303fd97934827ff18aa5cc79c4d6b84ce034f4938ff85c63e00c6ceae83abf12f0ffbd2b56714556ab38dd98

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\server.exe

Filesize
378KB

MD5
3d6fbc940e83a38bdb52038a0fbdc288

SHA1
3f8f70c79c61034931420197a8de68699c583aa8

SHA256
01585ff657279eb96b6964f666a9f9e1140058bb331affcee152c69e7290dbf6

SHA512
70bf16d15d035342299c5da149389ca189813cbb303fd97934827ff18aa5cc79c4d6b84ce034f4938ff85c63e00c6ceae83abf12f0ffbd2b56714556ab38dd98

Download Submit
\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
131KB

MD5
9228d1005ce4d3a0cbb648bfeaa22a23

SHA1
5f21c987a3087096374be1bd767348dd06b5c419

SHA256
ad3e326dc8d9ff012d8d18c6da56aa2531105187e2c8d4dfef393bcaf2c72a7d

SHA512
56e1720c66a2a48ae976237da00dd6bdf346e24e8b1fda7939d3ce5247928d23429f5e9bf15031f347b1554f4a23dd5146d5866948deb843eaef525da9057475

Download Submit
\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
131KB

MD5
9228d1005ce4d3a0cbb648bfeaa22a23

SHA1
5f21c987a3087096374be1bd767348dd06b5c419

SHA256
ad3e326dc8d9ff012d8d18c6da56aa2531105187e2c8d4dfef393bcaf2c72a7d

SHA512
56e1720c66a2a48ae976237da00dd6bdf346e24e8b1fda7939d3ce5247928d23429f5e9bf15031f347b1554f4a23dd5146d5866948deb843eaef525da9057475

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\SettingHost.exe

Filesize
131KB

MD5
9228d1005ce4d3a0cbb648bfeaa22a23

SHA1
5f21c987a3087096374be1bd767348dd06b5c419

SHA256
ad3e326dc8d9ff012d8d18c6da56aa2531105187e2c8d4dfef393bcaf2c72a7d

SHA512
56e1720c66a2a48ae976237da00dd6bdf346e24e8b1fda7939d3ce5247928d23429f5e9bf15031f347b1554f4a23dd5146d5866948deb843eaef525da9057475

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\SettingHost.exe

Filesize
131KB

MD5
9228d1005ce4d3a0cbb648bfeaa22a23

SHA1
5f21c987a3087096374be1bd767348dd06b5c419

SHA256
ad3e326dc8d9ff012d8d18c6da56aa2531105187e2c8d4dfef393bcaf2c72a7d

SHA512
56e1720c66a2a48ae976237da00dd6bdf346e24e8b1fda7939d3ce5247928d23429f5e9bf15031f347b1554f4a23dd5146d5866948deb843eaef525da9057475

Download Submit
memory/548-75-0x0000000000000000-mapping.dmp

Download
memory/920-59-0x0000000000000000-mapping.dmp

Download
memory/1148-54-0x0000000075831000-0x0000000075833000-memory.dmp

Filesize
8KB

Download
memory/1280-55-0x0000000000000000-mapping.dmp

Download
memory/1768-81-0x0000000000000000-mapping.dmp

Download
memory/2016-72-0x0000000073EE0000-0x000000007448B000-memory.dmp

Filesize
5.7MB

Download
memory/2016-71-0x0000000073EE0000-0x000000007448B000-memory.dmp

Filesize
5.7MB

Download
memory/2016-67-0x0000000000000000-mapping.dmp

Download