netwire | ddd2f1305efa9e79461ecc7e387fc890bba66326cbf18f760887bd97540ba588

General

Target

SecuriteInfo.com.W32.AIDetectNet.01.2581.exe
Size

1021KB
MD5

b6c18768c7043853fc9879044d10a01e
SHA1

83c8052ab0ee996e96982b3d1b1c5cfc921a0b81
SHA256

ddd2f1305efa9e79461ecc7e387fc890bba66326cbf18f760887bd97540ba588
SHA512

26d2ea0b0b3e1691400bd94add5a3407c12582688411e94592165eba7b236cf91cc8e6108a76d5204866e7cc38f32dd3d17082b4c66d42d323aa97967316ff0c

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

C2

149.102.132.253:3399

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
lock_executable
false
offline_keylogger
false
password
Password
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 7 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/520-71-0x0000000000400000-0x0000000000450000-memory.dmp	netwire
behavioral1/memory/520-72-0x0000000000400000-0x0000000000450000-memory.dmp	netwire
behavioral1/memory/520-69-0x0000000000400000-0x0000000000450000-memory.dmp	netwire
behavioral1/memory/520-74-0x0000000000400000-0x0000000000450000-memory.dmp	netwire
behavioral1/memory/520-75-0x000000000041AE7B-mapping.dmp	netwire
behavioral1/memory/520-78-0x0000000000400000-0x0000000000450000-memory.dmp	netwire
behavioral1/memory/520-80-0x0000000000400000-0x0000000000450000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Suspicious use of SetThreadContext 1 IoCs

Processes:

SecuriteInfo.com.W32.AIDetectNet.01.2581.exe

description	pid	process	target process
PID 1416 set thread context of 520	1416	SecuriteInfo.com.W32.AIDetectNet.01.2581.exe	SecuriteInfo.com.W32.AIDetectNet.01.2581.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1284 schtasks.exe

pid	process
1284	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

SecuriteInfo.com.W32.AIDetectNet.01.2581.exepowershell.exe

pid	process
1416	SecuriteInfo.com.W32.AIDetectNet.01.2581.exe
1416	SecuriteInfo.com.W32.AIDetectNet.01.2581.exe
1416	SecuriteInfo.com.W32.AIDetectNet.01.2581.exe
1416	SecuriteInfo.com.W32.AIDetectNet.01.2581.exe
1416	SecuriteInfo.com.W32.AIDetectNet.01.2581.exe
1416	SecuriteInfo.com.W32.AIDetectNet.01.2581.exe
1416	SecuriteInfo.com.W32.AIDetectNet.01.2581.exe
1416	SecuriteInfo.com.W32.AIDetectNet.01.2581.exe
1416	SecuriteInfo.com.W32.AIDetectNet.01.2581.exe
1416	SecuriteInfo.com.W32.AIDetectNet.01.2581.exe
1416	SecuriteInfo.com.W32.AIDetectNet.01.2581.exe
1416	SecuriteInfo.com.W32.AIDetectNet.01.2581.exe
1416	SecuriteInfo.com.W32.AIDetectNet.01.2581.exe
1244	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

SecuriteInfo.com.W32.AIDetectNet.01.2581.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1416 SecuriteInfo.com.W32.AIDetectNet.01.2581.exe
Token: SeDebugPrivilege 1244 powershell.exe

description	pid	process
Token: SeDebugPrivilege	1416	SecuriteInfo.com.W32.AIDetectNet.01.2581.exe
Token: SeDebugPrivilege	1244	powershell.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

SecuriteInfo.com.W32.AIDetectNet.01.2581.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.2581.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.2581.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1416

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\zLDQIAIFDK.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1244

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zLDQIAIFDK" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFC98.tmp"
2⤵
- Creates scheduled task(s)
PID:1284

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.2581.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.2581.exe"
2⤵
PID:1184

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.2581.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.2581.exe"
2⤵
PID:520

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpFC98.tmp

Filesize
1KB

MD5
64e856372f9dc98f7534e6e6c6cdc114

SHA1
5c54cdf1527cb43efaedf4da8b33c7f1685f479b

SHA256
8a028d5b6ec443fbae34b3c2917f4763e04c3f745a2852d3965d7ac9316b8ace

SHA512
97198487c3ffe2bfc17b478c60f738e47540d8d87dac747f31ab9a4d46978bee1b37cd1f6e1e4dc2ee6de77c9ec874942cb3897185044fd390adfcf0545a87d4

Download Submit
memory/520-74-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/520-71-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/520-64-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/520-80-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/520-65-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/520-78-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/520-75-0x000000000041AE7B-mapping.dmp

Download
memory/520-67-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/520-69-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/520-72-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1244-79-0x000000006EBA0000-0x000000006F14B000-memory.dmp

Filesize
5.7MB

Download
memory/1244-81-0x000000006EBA0000-0x000000006F14B000-memory.dmp

Filesize
5.7MB

Download
memory/1244-59-0x0000000000000000-mapping.dmp

Download
memory/1284-60-0x0000000000000000-mapping.dmp

Download
memory/1416-63-0x0000000004F10000-0x0000000004F60000-memory.dmp

Filesize
320KB

Download
memory/1416-56-0x00000000005D0000-0x00000000005E6000-memory.dmp

Filesize
88KB

Download
memory/1416-54-0x0000000000100000-0x0000000000204000-memory.dmp

Filesize
1.0MB

Download
memory/1416-55-0x0000000075761000-0x0000000075763000-memory.dmp

Filesize
8KB

Download
memory/1416-58-0x000000000A240000-0x000000000A2DC000-memory.dmp

Filesize
624KB

Download
memory/1416-57-0x00000000005E0000-0x00000000005EA000-memory.dmp

Filesize
40KB

Download

description	pid	process	target process
PID 1416 wrote to memory of 1244	1416	SecuriteInfo.com.W32.AIDetectNet.01.2581.exe	powershell.exe
PID 1416 wrote to memory of 1244	1416	SecuriteInfo.com.W32.AIDetectNet.01.2581.exe	powershell.exe
PID 1416 wrote to memory of 1244	1416	SecuriteInfo.com.W32.AIDetectNet.01.2581.exe	powershell.exe
PID 1416 wrote to memory of 1244	1416	SecuriteInfo.com.W32.AIDetectNet.01.2581.exe	powershell.exe
PID 1416 wrote to memory of 1284	1416	SecuriteInfo.com.W32.AIDetectNet.01.2581.exe	schtasks.exe
PID 1416 wrote to memory of 1284	1416	SecuriteInfo.com.W32.AIDetectNet.01.2581.exe	schtasks.exe
PID 1416 wrote to memory of 1284	1416	SecuriteInfo.com.W32.AIDetectNet.01.2581.exe	schtasks.exe
PID 1416 wrote to memory of 1284	1416	SecuriteInfo.com.W32.AIDetectNet.01.2581.exe	schtasks.exe
PID 1416 wrote to memory of 1184	1416	SecuriteInfo.com.W32.AIDetectNet.01.2581.exe	SecuriteInfo.com.W32.AIDetectNet.01.2581.exe
PID 1416 wrote to memory of 1184	1416	SecuriteInfo.com.W32.AIDetectNet.01.2581.exe	SecuriteInfo.com.W32.AIDetectNet.01.2581.exe
PID 1416 wrote to memory of 1184	1416	SecuriteInfo.com.W32.AIDetectNet.01.2581.exe	SecuriteInfo.com.W32.AIDetectNet.01.2581.exe
PID 1416 wrote to memory of 1184	1416	SecuriteInfo.com.W32.AIDetectNet.01.2581.exe	SecuriteInfo.com.W32.AIDetectNet.01.2581.exe
PID 1416 wrote to memory of 520	1416	SecuriteInfo.com.W32.AIDetectNet.01.2581.exe	SecuriteInfo.com.W32.AIDetectNet.01.2581.exe
PID 1416 wrote to memory of 520	1416	SecuriteInfo.com.W32.AIDetectNet.01.2581.exe	SecuriteInfo.com.W32.AIDetectNet.01.2581.exe
PID 1416 wrote to memory of 520	1416	SecuriteInfo.com.W32.AIDetectNet.01.2581.exe	SecuriteInfo.com.W32.AIDetectNet.01.2581.exe
PID 1416 wrote to memory of 520	1416	SecuriteInfo.com.W32.AIDetectNet.01.2581.exe	SecuriteInfo.com.W32.AIDetectNet.01.2581.exe
PID 1416 wrote to memory of 520	1416	SecuriteInfo.com.W32.AIDetectNet.01.2581.exe	SecuriteInfo.com.W32.AIDetectNet.01.2581.exe
PID 1416 wrote to memory of 520	1416	SecuriteInfo.com.W32.AIDetectNet.01.2581.exe	SecuriteInfo.com.W32.AIDetectNet.01.2581.exe
PID 1416 wrote to memory of 520	1416	SecuriteInfo.com.W32.AIDetectNet.01.2581.exe	SecuriteInfo.com.W32.AIDetectNet.01.2581.exe
PID 1416 wrote to memory of 520	1416	SecuriteInfo.com.W32.AIDetectNet.01.2581.exe	SecuriteInfo.com.W32.AIDetectNet.01.2581.exe
PID 1416 wrote to memory of 520	1416	SecuriteInfo.com.W32.AIDetectNet.01.2581.exe	SecuriteInfo.com.W32.AIDetectNet.01.2581.exe
PID 1416 wrote to memory of 520	1416	SecuriteInfo.com.W32.AIDetectNet.01.2581.exe	SecuriteInfo.com.W32.AIDetectNet.01.2581.exe
PID 1416 wrote to memory of 520	1416	SecuriteInfo.com.W32.AIDetectNet.01.2581.exe	SecuriteInfo.com.W32.AIDetectNet.01.2581.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads