netwire | 345049ac125439890dfd44dc7451de56bcbdebb18230f0facf1858574ffa6c9f

Analysis

max time kernel
91s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20220721-en
resource tags

arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
submitted
25-07-2022 05:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

345049ac125439890dfd44dc7451de56bcbdebb18230f0facf1858574ffa6c9f.exe
Size

334KB
MD5

d6e7b054d5d6fe1a95bc2ffe79cec555
SHA1

becb9f6c35b5e3028cf601b1af77630cb8f94005
SHA256

345049ac125439890dfd44dc7451de56bcbdebb18230f0facf1858574ffa6c9f
SHA512

a63a7ab033fdf7faa196ab652c304ab3c2fa47215e800aa46282b2623ba87c4aac58f8478e06d14d77e693c37015c2b2a3a2502dec67d35f4bc6af668477a5af

Score

10^/10

netwire botnet rat stealer

Malware Config

Signatures

NetWire RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4820-136-0x0000000000830000-0x000000000085B000-memory.dmp	netwire
behavioral2/memory/4820-139-0x0000000000830000-0x000000000085B000-memory.dmp	netwire
behavioral2/memory/4820-143-0x0000000000830000-0x000000000085B000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Suspicious use of SetThreadContext 1 IoCs

Processes:

345049ac125439890dfd44dc7451de56bcbdebb18230f0facf1858574ffa6c9f.exe

description	pid	process	target process
PID 1964 set thread context of 4820	1964	345049ac125439890dfd44dc7451de56bcbdebb18230f0facf1858574ffa6c9f.exe	345049ac125439890dfd44dc7451de56bcbdebb18230f0facf1858574ffa6c9f.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4784 4820 WerFault.exe 345049ac125439890dfd44dc7451de56bcbdebb18230f0facf1858574ffa6c9f.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

345049ac125439890dfd44dc7451de56bcbdebb18230f0facf1858574ffa6c9f.exe

pid process

1964 345049ac125439890dfd44dc7451de56bcbdebb18230f0facf1858574ffa6c9f.exe

pid	pid_target	process	target process
4784	4820	WerFault.exe	345049ac125439890dfd44dc7451de56bcbdebb18230f0facf1858574ffa6c9f.exe

pid	process
1964	345049ac125439890dfd44dc7451de56bcbdebb18230f0facf1858574ffa6c9f.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

345049ac125439890dfd44dc7451de56bcbdebb18230f0facf1858574ffa6c9f.exe

description	pid	process
Token: SeDebugPrivilege	1964	345049ac125439890dfd44dc7451de56bcbdebb18230f0facf1858574ffa6c9f.exe
Token: 33	1964	345049ac125439890dfd44dc7451de56bcbdebb18230f0facf1858574ffa6c9f.exe
Token: SeIncBasePriorityPrivilege	1964	345049ac125439890dfd44dc7451de56bcbdebb18230f0facf1858574ffa6c9f.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

345049ac125439890dfd44dc7451de56bcbdebb18230f0facf1858574ffa6c9f.exe

description	pid	process	target process
PID 1964 wrote to memory of 4820	1964	345049ac125439890dfd44dc7451de56bcbdebb18230f0facf1858574ffa6c9f.exe	345049ac125439890dfd44dc7451de56bcbdebb18230f0facf1858574ffa6c9f.exe
PID 1964 wrote to memory of 4820	1964	345049ac125439890dfd44dc7451de56bcbdebb18230f0facf1858574ffa6c9f.exe	345049ac125439890dfd44dc7451de56bcbdebb18230f0facf1858574ffa6c9f.exe
PID 1964 wrote to memory of 4820	1964	345049ac125439890dfd44dc7451de56bcbdebb18230f0facf1858574ffa6c9f.exe	345049ac125439890dfd44dc7451de56bcbdebb18230f0facf1858574ffa6c9f.exe
PID 1964 wrote to memory of 4820	1964	345049ac125439890dfd44dc7451de56bcbdebb18230f0facf1858574ffa6c9f.exe	345049ac125439890dfd44dc7451de56bcbdebb18230f0facf1858574ffa6c9f.exe
PID 1964 wrote to memory of 4820	1964	345049ac125439890dfd44dc7451de56bcbdebb18230f0facf1858574ffa6c9f.exe	345049ac125439890dfd44dc7451de56bcbdebb18230f0facf1858574ffa6c9f.exe
PID 1964 wrote to memory of 4820	1964	345049ac125439890dfd44dc7451de56bcbdebb18230f0facf1858574ffa6c9f.exe	345049ac125439890dfd44dc7451de56bcbdebb18230f0facf1858574ffa6c9f.exe
PID 1964 wrote to memory of 4820	1964	345049ac125439890dfd44dc7451de56bcbdebb18230f0facf1858574ffa6c9f.exe	345049ac125439890dfd44dc7451de56bcbdebb18230f0facf1858574ffa6c9f.exe
PID 1964 wrote to memory of 4820	1964	345049ac125439890dfd44dc7451de56bcbdebb18230f0facf1858574ffa6c9f.exe	345049ac125439890dfd44dc7451de56bcbdebb18230f0facf1858574ffa6c9f.exe
PID 1964 wrote to memory of 4820	1964	345049ac125439890dfd44dc7451de56bcbdebb18230f0facf1858574ffa6c9f.exe	345049ac125439890dfd44dc7451de56bcbdebb18230f0facf1858574ffa6c9f.exe
PID 1964 wrote to memory of 4820	1964	345049ac125439890dfd44dc7451de56bcbdebb18230f0facf1858574ffa6c9f.exe	345049ac125439890dfd44dc7451de56bcbdebb18230f0facf1858574ffa6c9f.exe

C:\Users\Admin\AppData\Local\Temp\345049ac125439890dfd44dc7451de56bcbdebb18230f0facf1858574ffa6c9f.exe
"C:\Users\Admin\AppData\Local\Temp\345049ac125439890dfd44dc7451de56bcbdebb18230f0facf1858574ffa6c9f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1964

C:\Users\Admin\AppData\Local\Temp\345049ac125439890dfd44dc7451de56bcbdebb18230f0facf1858574ffa6c9f.exe
"C:/Users/Admin/AppData/Local/Temp/345049ac125439890dfd44dc7451de56bcbdebb18230f0facf1858574ffa6c9f.exe"
2⤵
PID:4820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 316
3⤵
- Program crash
PID:4784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4820 -ip 4820
1⤵
PID:4832

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1964-130-0x0000000000FD0000-0x0000000001026000-memory.dmp

Filesize
344KB

Download
memory/1964-131-0x0000000006250000-0x00000000067F4000-memory.dmp

Filesize
5.6MB

Download
memory/1964-132-0x00000000059F0000-0x0000000005A82000-memory.dmp

Filesize
584KB

Download
memory/1964-133-0x0000000005B50000-0x0000000005BEC000-memory.dmp

Filesize
624KB

Download
memory/4820-134-0x0000000000000000-mapping.dmp

Download
memory/4820-136-0x0000000000830000-0x000000000085B000-memory.dmp

Filesize
172KB

Download
memory/4820-139-0x0000000000830000-0x000000000085B000-memory.dmp

Filesize
172KB

Download
memory/4820-143-0x0000000000830000-0x000000000085B000-memory.dmp

Filesize
172KB

Download