netwire | 188f5ac1494d6a38e1d18d1ae2ade944461ce8d1988d66bd6868b593ec730c82

General

Target

SV887INV0383288238.exe
Size

1.1MB
MD5

b2699ff02475e362a07a2cbc95b2bbf2
SHA1

b8bccffc99a775d6f26be87fcf4a228c74045f5e
SHA256

188f5ac1494d6a38e1d18d1ae2ade944461ce8d1988d66bd6868b593ec730c82
SHA512

8bce55fe742ecd03787d7df893ea86d7bdef03040c2defb15a854a3f456bb66ba209465a23b042a07cb075e0371d368e5777358125fb6ce6c6c3513bf3a3d588

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

C2

149.102.132.253:3399

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
lock_executable
false
offline_keylogger
false
password
Password
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 7 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/524-69-0x0000000000400000-0x0000000000450000-memory.dmp	netwire
behavioral1/memory/524-71-0x0000000000400000-0x0000000000450000-memory.dmp	netwire
behavioral1/memory/524-72-0x0000000000400000-0x0000000000450000-memory.dmp	netwire
behavioral1/memory/524-74-0x0000000000400000-0x0000000000450000-memory.dmp	netwire
behavioral1/memory/524-75-0x000000000041AE7B-mapping.dmp	netwire
behavioral1/memory/524-78-0x0000000000400000-0x0000000000450000-memory.dmp	netwire
behavioral1/memory/524-79-0x0000000000400000-0x0000000000450000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 1 IoCs

Processes:

SV887INV0383288238.exe

description pid process target process

PID 2032 set thread context of 524 2032 SV887INV0383288238.exe vbc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1764 schtasks.exe

description	pid	process	target process
PID 2032 set thread context of 524	2032	SV887INV0383288238.exe	vbc.exe

pid	process
1764	schtasks.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

SV887INV0383288238.exepowershell.exe

pid	process
2032	SV887INV0383288238.exe
2032	SV887INV0383288238.exe
2032	SV887INV0383288238.exe
2032	SV887INV0383288238.exe
2032	SV887INV0383288238.exe
2032	SV887INV0383288238.exe
2032	SV887INV0383288238.exe
2032	SV887INV0383288238.exe
2032	SV887INV0383288238.exe
2032	SV887INV0383288238.exe
2032	SV887INV0383288238.exe
2032	SV887INV0383288238.exe
1768	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

SV887INV0383288238.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2032 SV887INV0383288238.exe
Token: SeDebugPrivilege 1768 powershell.exe

description	pid	process
Token: SeDebugPrivilege	2032	SV887INV0383288238.exe
Token: SeDebugPrivilege	1768	powershell.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

SV887INV0383288238.exe

description	pid	process	target process
PID 2032 wrote to memory of 1768	2032	SV887INV0383288238.exe	powershell.exe
PID 2032 wrote to memory of 1768	2032	SV887INV0383288238.exe	powershell.exe
PID 2032 wrote to memory of 1768	2032	SV887INV0383288238.exe	powershell.exe
PID 2032 wrote to memory of 1768	2032	SV887INV0383288238.exe	powershell.exe
PID 2032 wrote to memory of 1764	2032	SV887INV0383288238.exe	schtasks.exe
PID 2032 wrote to memory of 1764	2032	SV887INV0383288238.exe	schtasks.exe
PID 2032 wrote to memory of 1764	2032	SV887INV0383288238.exe	schtasks.exe
PID 2032 wrote to memory of 1764	2032	SV887INV0383288238.exe	schtasks.exe
PID 2032 wrote to memory of 524	2032	SV887INV0383288238.exe	vbc.exe
PID 2032 wrote to memory of 524	2032	SV887INV0383288238.exe	vbc.exe
PID 2032 wrote to memory of 524	2032	SV887INV0383288238.exe	vbc.exe
PID 2032 wrote to memory of 524	2032	SV887INV0383288238.exe	vbc.exe
PID 2032 wrote to memory of 524	2032	SV887INV0383288238.exe	vbc.exe
PID 2032 wrote to memory of 524	2032	SV887INV0383288238.exe	vbc.exe
PID 2032 wrote to memory of 524	2032	SV887INV0383288238.exe	vbc.exe
PID 2032 wrote to memory of 524	2032	SV887INV0383288238.exe	vbc.exe
PID 2032 wrote to memory of 524	2032	SV887INV0383288238.exe	vbc.exe
PID 2032 wrote to memory of 524	2032	SV887INV0383288238.exe	vbc.exe
PID 2032 wrote to memory of 524	2032	SV887INV0383288238.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\SV887INV0383288238.exe
"C:\Users\Admin\AppData\Local\Temp\SV887INV0383288238.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\pCGhwFFQJURAgD.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1768

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pCGhwFFQJURAgD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp80A5.tmp"
2⤵
- Creates scheduled task(s)
PID:1764

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
PID:524

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Scripting

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp80A5.tmp

Filesize
1KB

MD5
4304f8b1fe412a3e98ef81c7f7001534

SHA1
6ab0745e83fcd3b98a4fdf2e05f0b0f573e7d63f

SHA256
f7f36c305e63bfbdcf305d8321d1a31c2be7ef8b78b5594bc227e08425970c46

SHA512
63b8d69de4b780c2427b3572ef02e30e2134470f5f145950c0bdd4e68e35e88baaca8fcc81b43d3b64905e24a643c0ddcc01bea325f99410b98e2be203957ef5

Download Submit
memory/524-74-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/524-72-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/524-64-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/524-65-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/524-78-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/524-75-0x000000000041AE7B-mapping.dmp

Download
memory/524-71-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/524-67-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/524-69-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/524-79-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1764-60-0x0000000000000000-mapping.dmp

Download
memory/1768-81-0x000000006E940000-0x000000006EEEB000-memory.dmp

Filesize
5.7MB

Download
memory/1768-59-0x0000000000000000-mapping.dmp

Download
memory/1768-80-0x000000006E940000-0x000000006EEEB000-memory.dmp

Filesize
5.7MB

Download
memory/2032-63-0x0000000004BD0000-0x0000000004C22000-memory.dmp

Filesize
328KB

Download
memory/2032-55-0x0000000076071000-0x0000000076073000-memory.dmp

Filesize
8KB

Download
memory/2032-56-0x0000000000410000-0x0000000000426000-memory.dmp

Filesize
88KB

Download
memory/2032-54-0x0000000000920000-0x0000000000A42000-memory.dmp

Filesize
1.1MB

Download
memory/2032-58-0x0000000004E10000-0x0000000004EAE000-memory.dmp

Filesize
632KB

Download
memory/2032-57-0x00000000003B0000-0x00000000003BA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads