netwire | 7e25b98724cfdea64168e7d4cf3b34d534b43f1fcac3c0eae2a138bcea30344b

General

Target

INV87327328773232.exe
Size

888KB
MD5

018d11d4c98a8eae7cb309dea498dd53
SHA1

a03fc82b8e4131a49ce8d2d89d896e1d872ca76c
SHA256

7e25b98724cfdea64168e7d4cf3b34d534b43f1fcac3c0eae2a138bcea30344b
SHA512

74265062eb6cfe492d5b08faa5b9a52c2f805191cc119644f6cbaa1f2a5dbaffc389d396ae4662ed208501aa5ceced5099a5c907f5b70f9278bbe5931f025714

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

C2

149.102.132.253:3399

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
lock_executable
false
offline_keylogger
false
password
Password
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 7 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/780-69-0x0000000000400000-0x0000000000450000-memory.dmp	netwire
behavioral1/memory/780-71-0x0000000000400000-0x0000000000450000-memory.dmp	netwire
behavioral1/memory/780-72-0x0000000000400000-0x0000000000450000-memory.dmp	netwire
behavioral1/memory/780-74-0x0000000000400000-0x0000000000450000-memory.dmp	netwire
behavioral1/memory/780-75-0x000000000041AE7B-mapping.dmp	netwire
behavioral1/memory/780-78-0x0000000000400000-0x0000000000450000-memory.dmp	netwire
behavioral1/memory/780-80-0x0000000000400000-0x0000000000450000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 1 IoCs

Processes:

INV87327328773232.exe

description pid process target process

PID 1964 set thread context of 780 1964 INV87327328773232.exe vbc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

828 schtasks.exe

description	pid	process	target process
PID 1964 set thread context of 780	1964	INV87327328773232.exe	vbc.exe

pid	process
828	schtasks.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

INV87327328773232.exepowershell.exe

pid	process
1964	INV87327328773232.exe
1964	INV87327328773232.exe
1964	INV87327328773232.exe
1964	INV87327328773232.exe
1964	INV87327328773232.exe
1964	INV87327328773232.exe
1964	INV87327328773232.exe
1708	powershell.exe
1964	INV87327328773232.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

INV87327328773232.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1964 INV87327328773232.exe
Token: SeDebugPrivilege 1708 powershell.exe

description	pid	process
Token: SeDebugPrivilege	1964	INV87327328773232.exe
Token: SeDebugPrivilege	1708	powershell.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

INV87327328773232.exe

description	pid	process	target process
PID 1964 wrote to memory of 1708	1964	INV87327328773232.exe	powershell.exe
PID 1964 wrote to memory of 1708	1964	INV87327328773232.exe	powershell.exe
PID 1964 wrote to memory of 1708	1964	INV87327328773232.exe	powershell.exe
PID 1964 wrote to memory of 1708	1964	INV87327328773232.exe	powershell.exe
PID 1964 wrote to memory of 828	1964	INV87327328773232.exe	schtasks.exe
PID 1964 wrote to memory of 828	1964	INV87327328773232.exe	schtasks.exe
PID 1964 wrote to memory of 828	1964	INV87327328773232.exe	schtasks.exe
PID 1964 wrote to memory of 828	1964	INV87327328773232.exe	schtasks.exe
PID 1964 wrote to memory of 780	1964	INV87327328773232.exe	vbc.exe
PID 1964 wrote to memory of 780	1964	INV87327328773232.exe	vbc.exe
PID 1964 wrote to memory of 780	1964	INV87327328773232.exe	vbc.exe
PID 1964 wrote to memory of 780	1964	INV87327328773232.exe	vbc.exe
PID 1964 wrote to memory of 780	1964	INV87327328773232.exe	vbc.exe
PID 1964 wrote to memory of 780	1964	INV87327328773232.exe	vbc.exe
PID 1964 wrote to memory of 780	1964	INV87327328773232.exe	vbc.exe
PID 1964 wrote to memory of 780	1964	INV87327328773232.exe	vbc.exe
PID 1964 wrote to memory of 780	1964	INV87327328773232.exe	vbc.exe
PID 1964 wrote to memory of 780	1964	INV87327328773232.exe	vbc.exe
PID 1964 wrote to memory of 780	1964	INV87327328773232.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\INV87327328773232.exe
"C:\Users\Admin\AppData\Local\Temp\INV87327328773232.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\WpHPQip.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1708

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WpHPQip" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE2E1.tmp"
2⤵
- Creates scheduled task(s)
PID:828

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
PID:780

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Scripting

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpE2E1.tmp

Filesize
1KB

MD5
95c2f6ea4686f63a55e6d3358821a600

SHA1
0bc652125a9f8e8d61a8e680e1d857bc78e2b1d0

SHA256
eda48c6975406536ffd8b492f4c7e57de7d5a747a1e9bce07d773083695c6b22

SHA512
9b4cf07364e2a9a12e0ef11604e2a4ef62ca850e2633d6f01ce68c10b0f795d75528672a4a06ca1bc3528922aa062c533c2c00bd24b3e7028c16c68dcd5a7bf3

Download Submit
memory/780-74-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/780-69-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/780-64-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/780-80-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/780-65-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/780-78-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/780-75-0x000000000041AE7B-mapping.dmp

Download
memory/780-67-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/780-72-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/780-71-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/828-60-0x0000000000000000-mapping.dmp

Download
memory/1708-79-0x000000006F280000-0x000000006F82B000-memory.dmp

Filesize
5.7MB

Download
memory/1708-81-0x000000006F280000-0x000000006F82B000-memory.dmp

Filesize
5.7MB

Download
memory/1708-59-0x0000000000000000-mapping.dmp

Download
memory/1964-63-0x0000000005AA0000-0x0000000005AEC000-memory.dmp

Filesize
304KB

Download
memory/1964-54-0x0000000000B20000-0x0000000000C04000-memory.dmp

Filesize
912KB

Download
memory/1964-55-0x0000000075271000-0x0000000075273000-memory.dmp

Filesize
8KB

Download
memory/1964-56-0x0000000000370000-0x0000000000386000-memory.dmp

Filesize
88KB

Download
memory/1964-58-0x000000000A450000-0x000000000A4E8000-memory.dmp

Filesize
608KB

Download
memory/1964-57-0x0000000000410000-0x000000000041A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads