netwire | 8504e5e5723b427002e86b953ff6414ef960af74818f359a0d93084c974f800b

Analysis

max time kernel
92s
max time network
179s
platform
windows10-1703_x64
resource
win10-20220718-en
resource tags

arch:x64arch:x86image:win10-20220718-enlocale:en-usos:windows10-1703-x64system
submitted
26-07-2022 02:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CONTRACT-HSB7555-07-22.exe
Size

574KB
MD5

ab250d08a1c4628ecdb5f067c4219e7d
SHA1

ca73fb0aa8e1d5d9e125eecf8ebc13612e773765
SHA256

a832f30bbb32bcf5c4138d8058214e47ea72a6fe10d448dbea5fbc84e1ce375b
SHA512

61dadbcdeac15afcd0f34f55333c9ce5aa35d9afff3c70d0aff2b9694d4f252def58abe5d07d235ca902782c99715511898a1ffc973b8e584e57936e431c7f4f

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

37.0.14.206:3384

Attributes

activex_autorun
false
copy_executable
true
delete_original
false
host_id
HostId-%Rand%
install_path
%AppData%\Install\Host.exe
keylogger_dir
%AppData%\Logs\
lock_executable
true
offline_keylogger
true
password
Password234
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/3460-260-0x000000000040242D-mapping.dmp	netwire
behavioral1/memory/3460-320-0x0000000000400000-0x0000000000433000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 1 IoCs

Processes:

Host.exe

pid process

2620 Host.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

CONTRACT-HSB7555-07-22.exe

description pid process target process

PID 3536 set thread context of 3460 3536 CONTRACT-HSB7555-07-22.exe MSBuild.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2380 schtasks.exe

pid	process
2620	Host.exe

description	pid	process	target process
PID 3536 set thread context of 3460	3536	CONTRACT-HSB7555-07-22.exe	MSBuild.exe

pid	process
2380	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

CONTRACT-HSB7555-07-22.exepowershell.exe

pid	process
3536	CONTRACT-HSB7555-07-22.exe
3536	CONTRACT-HSB7555-07-22.exe
3536	CONTRACT-HSB7555-07-22.exe
3536	CONTRACT-HSB7555-07-22.exe
3536	CONTRACT-HSB7555-07-22.exe
2616	powershell.exe
2616	powershell.exe
2616	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

CONTRACT-HSB7555-07-22.exepowershell.exe

description pid process

Token: SeDebugPrivilege 3536 CONTRACT-HSB7555-07-22.exe
Token: SeDebugPrivilege 2616 powershell.exe

description	pid	process
Token: SeDebugPrivilege	3536	CONTRACT-HSB7555-07-22.exe
Token: SeDebugPrivilege	2616	powershell.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

CONTRACT-HSB7555-07-22.exeMSBuild.exe

description	pid	process	target process
PID 3536 wrote to memory of 2616	3536	CONTRACT-HSB7555-07-22.exe	powershell.exe
PID 3536 wrote to memory of 2616	3536	CONTRACT-HSB7555-07-22.exe	powershell.exe
PID 3536 wrote to memory of 2616	3536	CONTRACT-HSB7555-07-22.exe	powershell.exe
PID 3536 wrote to memory of 2380	3536	CONTRACT-HSB7555-07-22.exe	schtasks.exe
PID 3536 wrote to memory of 2380	3536	CONTRACT-HSB7555-07-22.exe	schtasks.exe
PID 3536 wrote to memory of 2380	3536	CONTRACT-HSB7555-07-22.exe	schtasks.exe
PID 3536 wrote to memory of 2596	3536	CONTRACT-HSB7555-07-22.exe	MSBuild.exe
PID 3536 wrote to memory of 2596	3536	CONTRACT-HSB7555-07-22.exe	MSBuild.exe
PID 3536 wrote to memory of 2596	3536	CONTRACT-HSB7555-07-22.exe	MSBuild.exe
PID 3536 wrote to memory of 3460	3536	CONTRACT-HSB7555-07-22.exe	MSBuild.exe
PID 3536 wrote to memory of 3460	3536	CONTRACT-HSB7555-07-22.exe	MSBuild.exe
PID 3536 wrote to memory of 3460	3536	CONTRACT-HSB7555-07-22.exe	MSBuild.exe
PID 3536 wrote to memory of 3460	3536	CONTRACT-HSB7555-07-22.exe	MSBuild.exe
PID 3536 wrote to memory of 3460	3536	CONTRACT-HSB7555-07-22.exe	MSBuild.exe
PID 3536 wrote to memory of 3460	3536	CONTRACT-HSB7555-07-22.exe	MSBuild.exe
PID 3536 wrote to memory of 3460	3536	CONTRACT-HSB7555-07-22.exe	MSBuild.exe
PID 3536 wrote to memory of 3460	3536	CONTRACT-HSB7555-07-22.exe	MSBuild.exe
PID 3536 wrote to memory of 3460	3536	CONTRACT-HSB7555-07-22.exe	MSBuild.exe
PID 3536 wrote to memory of 3460	3536	CONTRACT-HSB7555-07-22.exe	MSBuild.exe
PID 3536 wrote to memory of 3460	3536	CONTRACT-HSB7555-07-22.exe	MSBuild.exe
PID 3460 wrote to memory of 2620	3460	MSBuild.exe	Host.exe
PID 3460 wrote to memory of 2620	3460	MSBuild.exe	Host.exe
PID 3460 wrote to memory of 2620	3460	MSBuild.exe	Host.exe

C:\Users\Admin\AppData\Local\Temp\CONTRACT-HSB7555-07-22.exe
"C:\Users\Admin\AppData\Local\Temp\CONTRACT-HSB7555-07-22.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3536

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\lpuqOXYcEwD.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2616

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lpuqOXYcEwD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9376.tmp"
2⤵
- Creates scheduled task(s)
PID:2380

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
2⤵
PID:2596

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3460

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
3⤵
- Executes dropped EXE
PID:2620

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp9376.tmp

Filesize
1KB

MD5
59be7e650e9bdd52ff742afffd0d9ff7

SHA1
788ee63ccf47510bd534884d9b781a872c607d53

SHA256
65f8a613b80f85e66d604f671c1a3a712f1100d103a20263ca53f01bcc2afb2e

SHA512
4df2eb6e7612916e58f4044baecd7444420a8d354d451f756e9b22795ce4e633443055546d60bd547098528e38d172206c62944781b9c2640467778a2f9a5c53

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
255KB

MD5
9af17c8393f0970ee5136bd3ffa27001

SHA1
4b285b72c1a11285a25f31f2597e090da6bbc049

SHA256
71d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019

SHA512
b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
255KB

MD5
9af17c8393f0970ee5136bd3ffa27001

SHA1
4b285b72c1a11285a25f31f2597e090da6bbc049

SHA256
71d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019

SHA512
b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3

Download Submit
memory/2380-199-0x0000000000000000-mapping.dmp

Download
memory/2616-393-0x0000000009940000-0x0000000009973000-memory.dmp

Filesize
204KB

Download
memory/2616-329-0x0000000008500000-0x000000000851C000-memory.dmp

Filesize
112KB

Download
memory/2616-195-0x0000000000000000-mapping.dmp

Download
memory/2616-615-0x00000000070A0000-0x00000000070A8000-memory.dmp

Filesize
32KB

Download
memory/2616-610-0x0000000009B70000-0x0000000009B8A000-memory.dmp

Filesize
104KB

Download
memory/2616-250-0x0000000004A00000-0x0000000004A36000-memory.dmp

Filesize
216KB

Download
memory/2616-403-0x0000000009A80000-0x0000000009B25000-memory.dmp

Filesize
660KB

Download
memory/2616-345-0x0000000008900000-0x0000000008976000-memory.dmp

Filesize
472KB

Download
memory/2616-407-0x0000000009C90000-0x0000000009D24000-memory.dmp

Filesize
592KB

Download
memory/2616-258-0x00000000074A0000-0x0000000007AC8000-memory.dmp

Filesize
6.2MB

Download
memory/2616-331-0x0000000008540000-0x000000000858B000-memory.dmp

Filesize
300KB

Download
memory/2616-394-0x0000000009920000-0x000000000993E000-memory.dmp

Filesize
120KB

Download
memory/2616-282-0x0000000007340000-0x0000000007362000-memory.dmp

Filesize
136KB

Download
memory/2616-290-0x0000000007BF0000-0x0000000007F40000-memory.dmp

Filesize
3.3MB

Download
memory/2616-284-0x00000000073E0000-0x0000000007446000-memory.dmp

Filesize
408KB

Download
memory/2620-338-0x0000000000000000-mapping.dmp

Download
memory/2620-378-0x0000000000710000-0x0000000000750000-memory.dmp

Filesize
256KB

Download
memory/2620-384-0x0000000002960000-0x000000000297A000-memory.dmp

Filesize
104KB

Download
memory/2620-385-0x0000000005030000-0x000000000518A000-memory.dmp

Filesize
1.4MB

Download
memory/3460-320-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3460-260-0x000000000040242D-mapping.dmp

Download
memory/3536-165-0x0000000077C50000-0x0000000077DDE000-memory.dmp

Filesize
1.6MB

Download
memory/3536-179-0x0000000004DF0000-0x0000000004E06000-memory.dmp

Filesize
88KB

Download
memory/3536-142-0x0000000077C50000-0x0000000077DDE000-memory.dmp

Filesize
1.6MB

Download
memory/3536-146-0x0000000077C50000-0x0000000077DDE000-memory.dmp

Filesize
1.6MB

Download
memory/3536-145-0x0000000077C50000-0x0000000077DDE000-memory.dmp

Filesize
1.6MB

Download
memory/3536-147-0x0000000077C50000-0x0000000077DDE000-memory.dmp

Filesize
1.6MB

Download
memory/3536-148-0x0000000077C50000-0x0000000077DDE000-memory.dmp

Filesize
1.6MB

Download
memory/3536-149-0x0000000077C50000-0x0000000077DDE000-memory.dmp

Filesize
1.6MB

Download
memory/3536-150-0x0000000000060000-0x00000000000F6000-memory.dmp

Filesize
600KB

Download
memory/3536-151-0x0000000077C50000-0x0000000077DDE000-memory.dmp

Filesize
1.6MB

Download
memory/3536-152-0x0000000077C50000-0x0000000077DDE000-memory.dmp

Filesize
1.6MB

Download
memory/3536-153-0x0000000004E60000-0x000000000535E000-memory.dmp

Filesize
5.0MB

Download
memory/3536-154-0x0000000077C50000-0x0000000077DDE000-memory.dmp

Filesize
1.6MB

Download
memory/3536-155-0x0000000004A50000-0x0000000004AE2000-memory.dmp

Filesize
584KB

Download
memory/3536-156-0x0000000077C50000-0x0000000077DDE000-memory.dmp

Filesize
1.6MB

Download
memory/3536-157-0x0000000077C50000-0x0000000077DDE000-memory.dmp

Filesize
1.6MB

Download
memory/3536-158-0x0000000077C50000-0x0000000077DDE000-memory.dmp

Filesize
1.6MB

Download
memory/3536-159-0x0000000077C50000-0x0000000077DDE000-memory.dmp

Filesize
1.6MB

Download
memory/3536-160-0x0000000077C50000-0x0000000077DDE000-memory.dmp

Filesize
1.6MB

Download
memory/3536-161-0x0000000077C50000-0x0000000077DDE000-memory.dmp

Filesize
1.6MB

Download
memory/3536-162-0x0000000077C50000-0x0000000077DDE000-memory.dmp

Filesize
1.6MB

Download
memory/3536-163-0x0000000077C50000-0x0000000077DDE000-memory.dmp

Filesize
1.6MB

Download
memory/3536-164-0x0000000077C50000-0x0000000077DDE000-memory.dmp

Filesize
1.6MB

Download
memory/3536-117-0x0000000077C50000-0x0000000077DDE000-memory.dmp

Filesize
1.6MB

Download
memory/3536-166-0x0000000077C50000-0x0000000077DDE000-memory.dmp

Filesize
1.6MB

Download
memory/3536-167-0x0000000077C50000-0x0000000077DDE000-memory.dmp

Filesize
1.6MB

Download
memory/3536-168-0x0000000077C50000-0x0000000077DDE000-memory.dmp

Filesize
1.6MB

Download
memory/3536-169-0x0000000077C50000-0x0000000077DDE000-memory.dmp

Filesize
1.6MB

Download
memory/3536-170-0x0000000077C50000-0x0000000077DDE000-memory.dmp

Filesize
1.6MB

Download
memory/3536-171-0x0000000004A30000-0x0000000004A3A000-memory.dmp

Filesize
40KB

Download
memory/3536-172-0x0000000077C50000-0x0000000077DDE000-memory.dmp

Filesize
1.6MB

Download
memory/3536-173-0x0000000077C50000-0x0000000077DDE000-memory.dmp

Filesize
1.6MB

Download
memory/3536-174-0x0000000077C50000-0x0000000077DDE000-memory.dmp

Filesize
1.6MB

Download
memory/3536-175-0x0000000077C50000-0x0000000077DDE000-memory.dmp

Filesize
1.6MB

Download
memory/3536-176-0x0000000077C50000-0x0000000077DDE000-memory.dmp

Filesize
1.6MB

Download
memory/3536-177-0x0000000077C50000-0x0000000077DDE000-memory.dmp

Filesize
1.6MB

Download
memory/3536-178-0x0000000077C50000-0x0000000077DDE000-memory.dmp

Filesize
1.6MB

Download
memory/3536-144-0x0000000077C50000-0x0000000077DDE000-memory.dmp

Filesize
1.6MB

Download
memory/3536-180-0x00000000001B0000-0x00000000001BA000-memory.dmp

Filesize
40KB

Download
memory/3536-181-0x0000000077C50000-0x0000000077DDE000-memory.dmp

Filesize
1.6MB

Download
memory/3536-182-0x0000000002200000-0x000000000227C000-memory.dmp

Filesize
496KB

Download
memory/3536-183-0x000000000A090000-0x000000000A12C000-memory.dmp

Filesize
624KB

Download
memory/3536-184-0x0000000077C50000-0x0000000077DDE000-memory.dmp

Filesize
1.6MB

Download
memory/3536-185-0x0000000007840000-0x00000000078A6000-memory.dmp

Filesize
408KB

Download
memory/3536-186-0x0000000077C50000-0x0000000077DDE000-memory.dmp

Filesize
1.6MB

Download
memory/3536-187-0x0000000077C50000-0x0000000077DDE000-memory.dmp

Filesize
1.6MB

Download
memory/3536-188-0x0000000077C50000-0x0000000077DDE000-memory.dmp

Filesize
1.6MB

Download
memory/3536-189-0x0000000077C50000-0x0000000077DDE000-memory.dmp

Filesize
1.6MB

Download
memory/3536-143-0x0000000077C50000-0x0000000077DDE000-memory.dmp

Filesize
1.6MB

Download
memory/3536-141-0x0000000077C50000-0x0000000077DDE000-memory.dmp

Filesize
1.6MB

Download
memory/3536-140-0x0000000077C50000-0x0000000077DDE000-memory.dmp

Filesize
1.6MB

Download
memory/3536-139-0x0000000077C50000-0x0000000077DDE000-memory.dmp

Filesize
1.6MB

Download
memory/3536-255-0x00000000076D0000-0x00000000076FE000-memory.dmp

Filesize
184KB

Download
memory/3536-138-0x0000000077C50000-0x0000000077DDE000-memory.dmp

Filesize
1.6MB

Download
memory/3536-137-0x0000000077C50000-0x0000000077DDE000-memory.dmp

Filesize
1.6MB

Download
memory/3536-136-0x0000000077C50000-0x0000000077DDE000-memory.dmp

Filesize
1.6MB

Download
memory/3536-135-0x0000000077C50000-0x0000000077DDE000-memory.dmp

Filesize
1.6MB

Download
memory/3536-134-0x0000000077C50000-0x0000000077DDE000-memory.dmp

Filesize
1.6MB

Download
memory/3536-133-0x0000000077C50000-0x0000000077DDE000-memory.dmp

Filesize
1.6MB

Download
memory/3536-132-0x0000000077C50000-0x0000000077DDE000-memory.dmp

Filesize
1.6MB

Download
memory/3536-131-0x0000000077C50000-0x0000000077DDE000-memory.dmp

Filesize
1.6MB

Download
memory/3536-130-0x0000000077C50000-0x0000000077DDE000-memory.dmp

Filesize
1.6MB

Download
memory/3536-127-0x0000000077C50000-0x0000000077DDE000-memory.dmp

Filesize
1.6MB

Download
memory/3536-129-0x0000000077C50000-0x0000000077DDE000-memory.dmp

Filesize
1.6MB

Download
memory/3536-128-0x0000000077C50000-0x0000000077DDE000-memory.dmp

Filesize
1.6MB

Download
memory/3536-126-0x0000000077C50000-0x0000000077DDE000-memory.dmp

Filesize
1.6MB

Download
memory/3536-125-0x0000000077C50000-0x0000000077DDE000-memory.dmp

Filesize
1.6MB

Download
memory/3536-124-0x0000000077C50000-0x0000000077DDE000-memory.dmp

Filesize
1.6MB

Download
memory/3536-123-0x0000000077C50000-0x0000000077DDE000-memory.dmp

Filesize
1.6MB

Download
memory/3536-122-0x0000000077C50000-0x0000000077DDE000-memory.dmp

Filesize
1.6MB

Download
memory/3536-120-0x0000000077C50000-0x0000000077DDE000-memory.dmp

Filesize
1.6MB

Download
memory/3536-121-0x0000000077C50000-0x0000000077DDE000-memory.dmp

Filesize
1.6MB

Download
memory/3536-119-0x0000000077C50000-0x0000000077DDE000-memory.dmp

Filesize
1.6MB

Download
memory/3536-118-0x0000000077C50000-0x0000000077DDE000-memory.dmp

Filesize
1.6MB

Download