netwire | e036752f36ea0c6f711330469d78e04cbf944466dcacc3e2b27544716c34e0a3

General

Target

Purchase Order.js
Size

416KB
MD5

c1e4692ddf7c0d185bd22009e16ecc23
SHA1

2ded130da9911cb4de8c0509274e0f3334e3a452
SHA256

e036752f36ea0c6f711330469d78e04cbf944466dcacc3e2b27544716c34e0a3
SHA512

21536109ada4b5a5481ec84a4cb0984932ec057866637655b9312199ab20d6260b2be06a961a9de672b9511f1fbb4225fec6ea1208534573cda0463b87751862

Score

10^/10

netwire vjw0rm botnet persistence rat stealer trojan worm

Malware Config

Signatures

NetWire RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Host Ip Regular Startup.exe	netwire
C:\Users\Admin\AppData\Roaming\Host Ip Regular Startup.exe	netwire
C:\Users\Admin\AppData\Roaming\Install\Host.exe	netwire
C:\Users\Admin\AppData\Roaming\Install\Host.exe	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 9 IoCs

Processes:

wscript.exe

flow	pid	process
9	1444	wscript.exe
20	1444	wscript.exe
27	1444	wscript.exe
39	1444	wscript.exe
42	1444	wscript.exe
43	1444	wscript.exe
44	1444	wscript.exe
45	1444	wscript.exe
46	1444	wscript.exe

Executes dropped EXE 2 IoCs

Processes:

Host Ip Regular Startup.exeHost.exe

pid process

864 Host Ip Regular Startup.exe
4040 Host.exe

pid	process
864	Host Ip Regular Startup.exe
4040	Host.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wscript.exeHost Ip Regular Startup.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation	Host Ip Regular Startup.exe

Drops startup file 3 IoCs

Processes:

wscript.exeHost.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KTXYmVxtXS.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KTXYmVxtXS.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Notepad.lnk	Host.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wscript.exeHost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Windows\CurrentVersion\Run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3LFOG3Z3XA = "\"C:\\Users\\Admin\\AppData\\Roaming\\KTXYmVxtXS.js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	Host.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\A»\¸©8/_m!´@þhÞ = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe"	Host.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

wscript.exeHost Ip Regular Startup.exe

description	pid	process	target process
PID 928 wrote to memory of 1444	928	wscript.exe	wscript.exe
PID 928 wrote to memory of 1444	928	wscript.exe	wscript.exe
PID 928 wrote to memory of 864	928	wscript.exe	Host Ip Regular Startup.exe
PID 928 wrote to memory of 864	928	wscript.exe	Host Ip Regular Startup.exe
PID 928 wrote to memory of 864	928	wscript.exe	Host Ip Regular Startup.exe
PID 864 wrote to memory of 4040	864	Host Ip Regular Startup.exe	Host.exe
PID 864 wrote to memory of 4040	864	Host Ip Regular Startup.exe	Host.exe
PID 864 wrote to memory of 4040	864	Host Ip Regular Startup.exe	Host.exe

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Purchase Order.js"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:928

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\KTXYmVxtXS.js"
2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:1444

C:\Users\Admin\AppData\Roaming\Host Ip Regular Startup.exe
"C:\Users\Admin\AppData\Roaming\Host Ip Regular Startup.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:864

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
3⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
PID:4040

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Host Ip Regular Startup.exe

Filesize
227KB

MD5
388df235546f6b0bd2afac08cefad1f9

SHA1
cef9a225d50cf1b062e2040239622661c2cf255e

SHA256
1934228fe5236936942f5037c26f6d42e322caa60b6b42d1a30fa346433bc5d3

SHA512
771db8884c5b32c3aea6a29d5fa17fb6604a50930d3f0362d7eb0e37f62f60c730f0fd69cbb52e3d4b0a7d8a926e7808d8a7ea1bf85cb11b7764d6125faa06c8

Download Submit
C:\Users\Admin\AppData\Roaming\Host Ip Regular Startup.exe

Filesize
227KB

MD5
388df235546f6b0bd2afac08cefad1f9

SHA1
cef9a225d50cf1b062e2040239622661c2cf255e

SHA256
1934228fe5236936942f5037c26f6d42e322caa60b6b42d1a30fa346433bc5d3

SHA512
771db8884c5b32c3aea6a29d5fa17fb6604a50930d3f0362d7eb0e37f62f60c730f0fd69cbb52e3d4b0a7d8a926e7808d8a7ea1bf85cb11b7764d6125faa06c8

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
227KB

MD5
388df235546f6b0bd2afac08cefad1f9

SHA1
cef9a225d50cf1b062e2040239622661c2cf255e

SHA256
1934228fe5236936942f5037c26f6d42e322caa60b6b42d1a30fa346433bc5d3

SHA512
771db8884c5b32c3aea6a29d5fa17fb6604a50930d3f0362d7eb0e37f62f60c730f0fd69cbb52e3d4b0a7d8a926e7808d8a7ea1bf85cb11b7764d6125faa06c8

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
227KB

MD5
388df235546f6b0bd2afac08cefad1f9

SHA1
cef9a225d50cf1b062e2040239622661c2cf255e

SHA256
1934228fe5236936942f5037c26f6d42e322caa60b6b42d1a30fa346433bc5d3

SHA512
771db8884c5b32c3aea6a29d5fa17fb6604a50930d3f0362d7eb0e37f62f60c730f0fd69cbb52e3d4b0a7d8a926e7808d8a7ea1bf85cb11b7764d6125faa06c8

Download Submit
C:\Users\Admin\AppData\Roaming\KTXYmVxtXS.js

Filesize
5KB

MD5
a05f4f18409818213ad40f7cedc8c3c5

SHA1
d0b8650fe5c718adc0e7ce700bc9527b4be94411

SHA256
445c8795746ab9696f84cfdfad898c61efb8ea67f2e76084d549310ee1ce25d6

SHA512
1bb878170c8a9894aab223f180d52ec77a41088ca8e00955e18ce2e50a72e494600f2b8c242baa48b82987e13a6407900e4efa625777aeaceadffdd5047f1592

Download Submit
memory/864-132-0x0000000000000000-mapping.dmp

Download
memory/1444-130-0x0000000000000000-mapping.dmp

Download
memory/4040-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads