netwire | e036752f36ea0c6f711330469d78e04cbf944466dcacc3e2b27544716c34e0a3

General

Target

Purchase Order.js
Size

416KB
MD5

c1e4692ddf7c0d185bd22009e16ecc23
SHA1

2ded130da9911cb4de8c0509274e0f3334e3a452
SHA256

e036752f36ea0c6f711330469d78e04cbf944466dcacc3e2b27544716c34e0a3
SHA512

21536109ada4b5a5481ec84a4cb0984932ec057866637655b9312199ab20d6260b2be06a961a9de672b9511f1fbb4225fec6ea1208534573cda0463b87751862

Score

10^/10

netwire vjw0rm botnet persistence rat stealer trojan worm

Malware Config

Signatures

NetWire RAT payload 7 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Host Ip Regular Startup.exe	netwire
C:\Users\Admin\AppData\Roaming\Host Ip Regular Startup.exe	netwire
\Users\Admin\AppData\Roaming\Install\Host.exe	netwire
\Users\Admin\AppData\Roaming\Install\Host.exe	netwire
C:\Users\Admin\AppData\Roaming\Install\Host.exe	netwire
C:\Users\Admin\AppData\Roaming\Install\Host.exe	netwire
\Users\Admin\AppData\Roaming\Install\Host.exe	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 15 IoCs

Processes:

wscript.exe

flow	pid	process
5	980	wscript.exe
6	980	wscript.exe
7	980	wscript.exe
10	980	wscript.exe
11	980	wscript.exe
12	980	wscript.exe
14	980	wscript.exe
15	980	wscript.exe
16	980	wscript.exe
18	980	wscript.exe
19	980	wscript.exe
20	980	wscript.exe
22	980	wscript.exe
23	980	wscript.exe
24	980	wscript.exe

Executes dropped EXE 2 IoCs

Processes:

Host Ip Regular Startup.exeHost.exe

pid process

1732 Host Ip Regular Startup.exe
660 Host.exe

pid	process
1732	Host Ip Regular Startup.exe
660	Host.exe

Drops startup file 3 IoCs

Processes:

wscript.exeHost.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KTXYmVxtXS.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KTXYmVxtXS.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Notepad.lnk	Host.exe

Loads dropped DLL 3 IoCs

Processes:

Host Ip Regular Startup.exeHost.exe

pid process

1732 Host Ip Regular Startup.exe
1732 Host Ip Regular Startup.exe
660 Host.exe

pid	process
1732	Host Ip Regular Startup.exe
1732	Host Ip Regular Startup.exe
660	Host.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wscript.exeHost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Windows\CurrentVersion\Run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Windows\CurrentVersion\Run\3LFOG3Z3XA = "\"C:\\Users\\Admin\\AppData\\Roaming\\KTXYmVxtXS.js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	Host.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Windows\CurrentVersion\Run\A»\¸©8/_m!´@þhÞ = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe"	Host.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

wscript.exeHost Ip Regular Startup.exe

description	pid	process	target process
PID 1976 wrote to memory of 980	1976	wscript.exe	wscript.exe
PID 1976 wrote to memory of 980	1976	wscript.exe	wscript.exe
PID 1976 wrote to memory of 980	1976	wscript.exe	wscript.exe
PID 1976 wrote to memory of 1732	1976	wscript.exe	Host Ip Regular Startup.exe
PID 1976 wrote to memory of 1732	1976	wscript.exe	Host Ip Regular Startup.exe
PID 1976 wrote to memory of 1732	1976	wscript.exe	Host Ip Regular Startup.exe
PID 1976 wrote to memory of 1732	1976	wscript.exe	Host Ip Regular Startup.exe
PID 1732 wrote to memory of 660	1732	Host Ip Regular Startup.exe	Host.exe
PID 1732 wrote to memory of 660	1732	Host Ip Regular Startup.exe	Host.exe
PID 1732 wrote to memory of 660	1732	Host Ip Regular Startup.exe	Host.exe
PID 1732 wrote to memory of 660	1732	Host Ip Regular Startup.exe	Host.exe

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Purchase Order.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:1976

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\KTXYmVxtXS.js"
2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:980

C:\Users\Admin\AppData\Roaming\Host Ip Regular Startup.exe
"C:\Users\Admin\AppData\Roaming\Host Ip Regular Startup.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1732

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
3⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
PID:660

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Host Ip Regular Startup.exe

Filesize
227KB

MD5
388df235546f6b0bd2afac08cefad1f9

SHA1
cef9a225d50cf1b062e2040239622661c2cf255e

SHA256
1934228fe5236936942f5037c26f6d42e322caa60b6b42d1a30fa346433bc5d3

SHA512
771db8884c5b32c3aea6a29d5fa17fb6604a50930d3f0362d7eb0e37f62f60c730f0fd69cbb52e3d4b0a7d8a926e7808d8a7ea1bf85cb11b7764d6125faa06c8

Download Submit
C:\Users\Admin\AppData\Roaming\Host Ip Regular Startup.exe

Filesize
227KB

MD5
388df235546f6b0bd2afac08cefad1f9

SHA1
cef9a225d50cf1b062e2040239622661c2cf255e

SHA256
1934228fe5236936942f5037c26f6d42e322caa60b6b42d1a30fa346433bc5d3

SHA512
771db8884c5b32c3aea6a29d5fa17fb6604a50930d3f0362d7eb0e37f62f60c730f0fd69cbb52e3d4b0a7d8a926e7808d8a7ea1bf85cb11b7764d6125faa06c8

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
227KB

MD5
388df235546f6b0bd2afac08cefad1f9

SHA1
cef9a225d50cf1b062e2040239622661c2cf255e

SHA256
1934228fe5236936942f5037c26f6d42e322caa60b6b42d1a30fa346433bc5d3

SHA512
771db8884c5b32c3aea6a29d5fa17fb6604a50930d3f0362d7eb0e37f62f60c730f0fd69cbb52e3d4b0a7d8a926e7808d8a7ea1bf85cb11b7764d6125faa06c8

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
227KB

MD5
388df235546f6b0bd2afac08cefad1f9

SHA1
cef9a225d50cf1b062e2040239622661c2cf255e

SHA256
1934228fe5236936942f5037c26f6d42e322caa60b6b42d1a30fa346433bc5d3

SHA512
771db8884c5b32c3aea6a29d5fa17fb6604a50930d3f0362d7eb0e37f62f60c730f0fd69cbb52e3d4b0a7d8a926e7808d8a7ea1bf85cb11b7764d6125faa06c8

Download Submit
C:\Users\Admin\AppData\Roaming\KTXYmVxtXS.js

Filesize
5KB

MD5
a05f4f18409818213ad40f7cedc8c3c5

SHA1
d0b8650fe5c718adc0e7ce700bc9527b4be94411

SHA256
445c8795746ab9696f84cfdfad898c61efb8ea67f2e76084d549310ee1ce25d6

SHA512
1bb878170c8a9894aab223f180d52ec77a41088ca8e00955e18ce2e50a72e494600f2b8c242baa48b82987e13a6407900e4efa625777aeaceadffdd5047f1592

Download Submit
\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
227KB

MD5
388df235546f6b0bd2afac08cefad1f9

SHA1
cef9a225d50cf1b062e2040239622661c2cf255e

SHA256
1934228fe5236936942f5037c26f6d42e322caa60b6b42d1a30fa346433bc5d3

SHA512
771db8884c5b32c3aea6a29d5fa17fb6604a50930d3f0362d7eb0e37f62f60c730f0fd69cbb52e3d4b0a7d8a926e7808d8a7ea1bf85cb11b7764d6125faa06c8

Download Submit
\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
227KB

MD5
388df235546f6b0bd2afac08cefad1f9

SHA1
cef9a225d50cf1b062e2040239622661c2cf255e

SHA256
1934228fe5236936942f5037c26f6d42e322caa60b6b42d1a30fa346433bc5d3

SHA512
771db8884c5b32c3aea6a29d5fa17fb6604a50930d3f0362d7eb0e37f62f60c730f0fd69cbb52e3d4b0a7d8a926e7808d8a7ea1bf85cb11b7764d6125faa06c8

Download Submit
\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
227KB

MD5
388df235546f6b0bd2afac08cefad1f9

SHA1
cef9a225d50cf1b062e2040239622661c2cf255e

SHA256
1934228fe5236936942f5037c26f6d42e322caa60b6b42d1a30fa346433bc5d3

SHA512
771db8884c5b32c3aea6a29d5fa17fb6604a50930d3f0362d7eb0e37f62f60c730f0fd69cbb52e3d4b0a7d8a926e7808d8a7ea1bf85cb11b7764d6125faa06c8

Download Submit
memory/660-64-0x0000000000000000-mapping.dmp

Download
memory/980-55-0x0000000000000000-mapping.dmp

Download
memory/1732-57-0x0000000000000000-mapping.dmp

Download
memory/1732-59-0x0000000076601000-0x0000000076603000-memory.dmp

Filesize
8KB

Download
memory/1976-54-0x000007FEFBD71000-0x000007FEFBD73000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads