netwire | 56122070a3bdb1f168cbae330d58b9c268700509420d2670ccafd01221b45751

Analysis

max time kernel
133s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220721-en
resource tags

arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
submitted
25-07-2022 05:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

files/9.exe
Size

225KB
MD5

d6cabf8ccf6234a76fef52b30f60e798
SHA1

f1f351318f77fe80d1191e238127776a2066ce6c
SHA256

f2ec4e6c59e621e82f6e0f8e683f4a525c498041a272011d0c3772d6716c5317
SHA512

5d830240d0bce8005f9c598c0a54ed721989de40b35a325b7db257f48701e1fd64c8a1eca617e9f71acd294c362ceeeb78fc56af7a115531eec635fe5d0fc2b7

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

212.7.208.129:4951

Attributes

activex_autorun
true
activex_key
{W5H5J6SC-J820-0WAA-6G7H-B07JHQR8687C}
copy_executable
true
delete_original
false
host_id
HostId-%Rand%
install_path
%AppData%\Install\Host.exe
lock_executable
false
mutex
LGcSGuSj
offline_keylogger
false
password
Password
registry_autorun
false
use_mutex
true

Signatures

NetWire RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral30/memory/3236-142-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral30/memory/3236-144-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral30/memory/3236-147-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 1 IoCs

Processes:

Host.exe

pid process

484 Host.exe
Drops startup file 1 IoCs

Processes:

9.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.url 9.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 1 IoCs

Processes:

9.exe

description pid process target process

PID 4460 set thread context of 3236 4460 9.exe vbc.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

9.exe

pid process

4460 9.exe
4460 9.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

9.exe

description pid process

Token: SeDebugPrivilege 4460 9.exe

pid	process
484	Host.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.url	9.exe

description	pid	process	target process
PID 4460 set thread context of 3236	4460	9.exe	vbc.exe

pid	process
4460	9.exe
4460	9.exe

description	pid	process
Token: SeDebugPrivilege	4460	9.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

9.execsc.exevbc.exe

description	pid	process	target process
PID 4460 wrote to memory of 1184	4460	9.exe	csc.exe
PID 4460 wrote to memory of 1184	4460	9.exe	csc.exe
PID 4460 wrote to memory of 1184	4460	9.exe	csc.exe
PID 1184 wrote to memory of 4836	1184	csc.exe	cvtres.exe
PID 1184 wrote to memory of 4836	1184	csc.exe	cvtres.exe
PID 1184 wrote to memory of 4836	1184	csc.exe	cvtres.exe
PID 4460 wrote to memory of 3236	4460	9.exe	vbc.exe
PID 4460 wrote to memory of 3236	4460	9.exe	vbc.exe
PID 4460 wrote to memory of 3236	4460	9.exe	vbc.exe
PID 4460 wrote to memory of 3236	4460	9.exe	vbc.exe
PID 4460 wrote to memory of 3236	4460	9.exe	vbc.exe
PID 4460 wrote to memory of 3236	4460	9.exe	vbc.exe
PID 4460 wrote to memory of 3236	4460	9.exe	vbc.exe
PID 4460 wrote to memory of 3236	4460	9.exe	vbc.exe
PID 4460 wrote to memory of 3236	4460	9.exe	vbc.exe
PID 4460 wrote to memory of 3236	4460	9.exe	vbc.exe
PID 3236 wrote to memory of 484	3236	vbc.exe	Host.exe
PID 3236 wrote to memory of 484	3236	vbc.exe	Host.exe
PID 3236 wrote to memory of 484	3236	vbc.exe	Host.exe

C:\Users\Admin\AppData\Local\Temp\files\9.exe
"C:\Users\Admin\AppData\Local\Temp\files\9.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4460

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ldlxhu3k\ldlxhu3k.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1184

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDE30.tmp" "c:\Users\Admin\AppData\Local\Temp\ldlxhu3k\CSC79E4E9DC56F3491BB1171A1F226BBFA.TMP"
3⤵
PID:4836

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3236

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
3⤵
- Executes dropped EXE
PID:484

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESDE30.tmp
Filesize
1KB

MD5
9174f24644bdd6a70dab1112ffa9cc80

SHA1
8a680429b1caba39e4028e2a238d4c0969519f3d

SHA256
078b58e1367869f2ffd298666c018a46804815c7c55d962cd2bbd925634eb1c9

SHA512
3d20b40fcca0f3c08018f4e2ade2852d95c289655d1a3ea4dbbada80d1211f83103f8aa6cba9b96d6f600ac1cf33268600192cb18e263195a7f3752c60680cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ldlxhu3k\ldlxhu3k.dll
Filesize
13KB

MD5
f476bac9b60c5f7142cd75cdc1b464eb

SHA1
abc88d776e1bcb7eeafaa4ae7c664bf25e886884

SHA256
c03fd86a19d2b2caa152c4d3506daa9facaa173c27d0703c54db6ece0ae3458b

SHA512
f6db141594ead04b7668b0c3c535faa83c4694dafb76c66f572ff7c4bc84e74414f539a2fc93b04a7d841f2ec94e654c1fcf3e31ecaebe08d809b347500ae745

Download Submit
C:\Users\Admin\AppData\Local\Temp\ldlxhu3k\ldlxhu3k.pdb
Filesize
39KB

MD5
f8f3502c57be78f8314965973791d72c

SHA1
462bb2271404b62ab2841f270ed8b0afc283f22c

SHA256
ac02f25ff2f7c35a234b1f921a520bc42c4c38e470a29dc74bc4da904874cbcd

SHA512
e3555a95e427d7d51f0c3e7445d3a97200544ba82cc567e48787bc6165e5d22f9403c2f766d768129ad5e69e739d0de4a1dbce3d2dda4c3c5b524e8f0ec0c2fa

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
1.1MB

MD5
d881de17aa8f2e2c08cbb7b265f928f9

SHA1
08936aebc87decf0af6e8eada191062b5e65ac2a

SHA256
b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

SHA512
5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
1.1MB

MD5
d881de17aa8f2e2c08cbb7b265f928f9

SHA1
08936aebc87decf0af6e8eada191062b5e65ac2a

SHA256
b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

SHA512
5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ldlxhu3k\CSC79E4E9DC56F3491BB1171A1F226BBFA.TMP
Filesize
1KB

MD5
8831d8a580428e921621471348141b61

SHA1
00e39a92caa10def5a6de00285e19d5169fcdd16

SHA256
dc47571942071731700f6cf548a5b8d54ce9a78f25c2ae6e6ce9d96c456f6226

SHA512
9fec3e3b534bcea9f84223e766a08ce832fbf98d686729cb1b20fdbe3605ffb0d871ee05ff0343d6012b1f872b886e41db852ce163f52b66a31040e1932c4e53

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ldlxhu3k\ldlxhu3k.0.cs
Filesize
22KB

MD5
8838687226e6284e6112c814ed32b916

SHA1
4262b9a3887d76358aa49021e84ea32fcdb19df0

SHA256
8cf35cd411608212a8989ba76bb3dd01228d8118c64c36121c7defb81ac8e6b6

SHA512
716630cac5b23b1417ce478613ae56b7bde341f5c36b85588376711f061bef8ce7ee499d3f6aaf3f1533ecc2d7c5a0c542d61f1580cb3820c321703dbcd8e071

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ldlxhu3k\ldlxhu3k.cmdline
Filesize
312B

MD5
f34a30e6daee1b5309bf14ff89d7147e

SHA1
dad4851e89e665997fdd9eb9f4b71b0eeae544a3

SHA256
fa0381b91bbca93b78b330c833e042f21655f6d48b2235a1bc3cefc15d47be9a

SHA512
6233d35a383efa57bb9dad69775e9d37e5c3fcb71543dacbd993bf747b150126d1ec0cbedfa287cbe9ba70c77a200dfe8b38aa41d580fd7da1c0e604c0d5478c

Download Submit
memory/484-145-0x0000000000000000-mapping.dmp

Download
memory/1184-131-0x0000000000000000-mapping.dmp

Download
memory/3236-142-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3236-141-0x0000000000000000-mapping.dmp

Download
memory/3236-144-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3236-147-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4460-130-0x0000000000BA0000-0x0000000000BDE000-memory.dmp

Filesize
248KB

Download
memory/4460-140-0x0000000005C90000-0x0000000005D2C000-memory.dmp

Filesize
624KB

Download
memory/4460-139-0x0000000005590000-0x0000000005622000-memory.dmp

Filesize
584KB

Download
memory/4836-134-0x0000000000000000-mapping.dmp

Download