netwire | 6153ddd8d5c3eaeabde96c6acea9aeeb4359fb8b3f28fe42cacfcba0a75046b6

General

Target

6153ddd8d5c3eaeabde96c6acea9aeeb4359fb8b3f28fe42cacfcba0a75046b6.exe
Size

476KB
MD5

79560ff6c7a99bca7b7ed5ac7012e84d
SHA1

bfc0349b114560b13d3e33aa5925f0ad3ca4a9f2
SHA256

6153ddd8d5c3eaeabde96c6acea9aeeb4359fb8b3f28fe42cacfcba0a75046b6
SHA512

807076820916a1b3a2c0048a5b502de5b63f6d2f35546fabb605a6d2958adc74fc4ca8c4fad630897bb04f59961945d53bd8e4a21f43aabfba9217378fb7e94f

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

C2

hawla2016.hopto.org:3360

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
monday
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2008-70-0x0000000000000000-mapping.dmp	netwire
behavioral1/memory/2008-73-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/2008-75-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/2008-76-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

filename.exefilename.exe

pid process

2044 filename.exe
2008 filename.exe
Loads dropped DLL 3 IoCs

Processes:

WScript.exefilename.exe

pid process

1000 WScript.exe
1000 WScript.exe
2044 filename.exe

pid	process
2044	filename.exe
2008	filename.exe

pid	process
1000	WScript.exe
1000	WScript.exe
2044	filename.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Registry Key Name = "C:\\Users\\Admin\\AppData\\Local\\Temp\\subfolder\\filename.vbs"	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

6153ddd8d5c3eaeabde96c6acea9aeeb4359fb8b3f28fe42cacfcba0a75046b6.exefilename.exe

pid process

1448 6153ddd8d5c3eaeabde96c6acea9aeeb4359fb8b3f28fe42cacfcba0a75046b6.exe
2044 filename.exe

pid	process
1448	6153ddd8d5c3eaeabde96c6acea9aeeb4359fb8b3f28fe42cacfcba0a75046b6.exe
2044	filename.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

6153ddd8d5c3eaeabde96c6acea9aeeb4359fb8b3f28fe42cacfcba0a75046b6.exeWScript.exefilename.exe

description	pid	process	target process
PID 1448 wrote to memory of 1000	1448	6153ddd8d5c3eaeabde96c6acea9aeeb4359fb8b3f28fe42cacfcba0a75046b6.exe	WScript.exe
PID 1448 wrote to memory of 1000	1448	6153ddd8d5c3eaeabde96c6acea9aeeb4359fb8b3f28fe42cacfcba0a75046b6.exe	WScript.exe
PID 1448 wrote to memory of 1000	1448	6153ddd8d5c3eaeabde96c6acea9aeeb4359fb8b3f28fe42cacfcba0a75046b6.exe	WScript.exe
PID 1448 wrote to memory of 1000	1448	6153ddd8d5c3eaeabde96c6acea9aeeb4359fb8b3f28fe42cacfcba0a75046b6.exe	WScript.exe
PID 1000 wrote to memory of 2044	1000	WScript.exe	filename.exe
PID 1000 wrote to memory of 2044	1000	WScript.exe	filename.exe
PID 1000 wrote to memory of 2044	1000	WScript.exe	filename.exe
PID 1000 wrote to memory of 2044	1000	WScript.exe	filename.exe
PID 2044 wrote to memory of 2008	2044	filename.exe	filename.exe
PID 2044 wrote to memory of 2008	2044	filename.exe	filename.exe
PID 2044 wrote to memory of 2008	2044	filename.exe	filename.exe
PID 2044 wrote to memory of 2008	2044	filename.exe	filename.exe
PID 2044 wrote to memory of 2008	2044	filename.exe	filename.exe
PID 2044 wrote to memory of 2008	2044	filename.exe	filename.exe
PID 2044 wrote to memory of 2008	2044	filename.exe	filename.exe
PID 2044 wrote to memory of 2008	2044	filename.exe	filename.exe
PID 2044 wrote to memory of 2008	2044	filename.exe	filename.exe
PID 2044 wrote to memory of 2008	2044	filename.exe	filename.exe
PID 2044 wrote to memory of 2008	2044	filename.exe	filename.exe
PID 2044 wrote to memory of 2008	2044	filename.exe	filename.exe
PID 2044 wrote to memory of 2008	2044	filename.exe	filename.exe
PID 2044 wrote to memory of 2008	2044	filename.exe	filename.exe
PID 2044 wrote to memory of 2008	2044	filename.exe	filename.exe
PID 2044 wrote to memory of 2008	2044	filename.exe	filename.exe
PID 2044 wrote to memory of 2008	2044	filename.exe	filename.exe
PID 2044 wrote to memory of 2008	2044	filename.exe	filename.exe

C:\Users\Admin\AppData\Local\Temp\6153ddd8d5c3eaeabde96c6acea9aeeb4359fb8b3f28fe42cacfcba0a75046b6.exe
"C:\Users\Admin\AppData\Local\Temp\6153ddd8d5c3eaeabde96c6acea9aeeb4359fb8b3f28fe42cacfcba0a75046b6.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1448

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\subfolder\filename.vbs"
2⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1000

C:\Users\Admin\AppData\Local\Temp\subfolder\filename.exe
"C:\Users\Admin\AppData\Local\Temp\subfolder\filename.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2044

C:\Users\Admin\AppData\Local\Temp\subfolder\filename.exe
"C:\Users\Admin\AppData\Local\Temp\subfolder\filename.exe"
4⤵
- Executes dropped EXE
PID:2008

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\subfolder\filename.exe

Filesize
476KB

MD5
a045df05669c6c74245150e312ffe017

SHA1
948326650867970b6411e62adf0c63d4c057c8f2

SHA256
ac73672a14c1ff60cc44452eea01a09fe9d4496a2a73327ee55ba09ac5e95152

SHA512
364d49f6e1c400e3542aaa5a8b016b8b6657af814631909616836154a67f39d69f4529dd3bb0947590e865b8ad8528f9a80e7000ce207c4d6c118fcebf81838f

Download Submit
C:\Users\Admin\AppData\Local\Temp\subfolder\filename.exe

Filesize
476KB

MD5
a045df05669c6c74245150e312ffe017

SHA1
948326650867970b6411e62adf0c63d4c057c8f2

SHA256
ac73672a14c1ff60cc44452eea01a09fe9d4496a2a73327ee55ba09ac5e95152

SHA512
364d49f6e1c400e3542aaa5a8b016b8b6657af814631909616836154a67f39d69f4529dd3bb0947590e865b8ad8528f9a80e7000ce207c4d6c118fcebf81838f

Download Submit
C:\Users\Admin\AppData\Local\Temp\subfolder\filename.exe

Filesize
476KB

MD5
a045df05669c6c74245150e312ffe017

SHA1
948326650867970b6411e62adf0c63d4c057c8f2

SHA256
ac73672a14c1ff60cc44452eea01a09fe9d4496a2a73327ee55ba09ac5e95152

SHA512
364d49f6e1c400e3542aaa5a8b016b8b6657af814631909616836154a67f39d69f4529dd3bb0947590e865b8ad8528f9a80e7000ce207c4d6c118fcebf81838f

Download Submit
C:\Users\Admin\AppData\Local\Temp\subfolder\filename.vbs

Filesize
1024B

MD5
61303679134d10e8f1f35236fec661e6

SHA1
ed31726523d21be75c47e699eec4b76aeaa376d5

SHA256
047c78d7dbb5709dc8eee29b69d2a42aebe9249723105a56b8689c4657cb5331

SHA512
8fe11c1e624fbbc600f0402514b67f1b61c5123eba826bb50113858b96f283792cc9defdf1aa5c101c64e8ef65c0dd9ed6032debcb6f94dcbf8fcde90f2c3610

Download Submit
\Users\Admin\AppData\Local\Temp\subfolder\filename.exe

Filesize
476KB

MD5
a045df05669c6c74245150e312ffe017

SHA1
948326650867970b6411e62adf0c63d4c057c8f2

SHA256
ac73672a14c1ff60cc44452eea01a09fe9d4496a2a73327ee55ba09ac5e95152

SHA512
364d49f6e1c400e3542aaa5a8b016b8b6657af814631909616836154a67f39d69f4529dd3bb0947590e865b8ad8528f9a80e7000ce207c4d6c118fcebf81838f

Download Submit
\Users\Admin\AppData\Local\Temp\subfolder\filename.exe

Filesize
476KB

MD5
a045df05669c6c74245150e312ffe017

SHA1
948326650867970b6411e62adf0c63d4c057c8f2

SHA256
ac73672a14c1ff60cc44452eea01a09fe9d4496a2a73327ee55ba09ac5e95152

SHA512
364d49f6e1c400e3542aaa5a8b016b8b6657af814631909616836154a67f39d69f4529dd3bb0947590e865b8ad8528f9a80e7000ce207c4d6c118fcebf81838f

Download Submit
\Users\Admin\AppData\Local\Temp\subfolder\filename.exe

Filesize
476KB

MD5
a045df05669c6c74245150e312ffe017

SHA1
948326650867970b6411e62adf0c63d4c057c8f2

SHA256
ac73672a14c1ff60cc44452eea01a09fe9d4496a2a73327ee55ba09ac5e95152

SHA512
364d49f6e1c400e3542aaa5a8b016b8b6657af814631909616836154a67f39d69f4529dd3bb0947590e865b8ad8528f9a80e7000ce207c4d6c118fcebf81838f

Download Submit
memory/1000-58-0x0000000000000000-mapping.dmp

Download
memory/1448-56-0x0000000000260000-0x0000000000266000-memory.dmp

Filesize
24KB

Download
memory/1448-57-0x0000000076601000-0x0000000076603000-memory.dmp

Filesize
8KB

Download
memory/2008-70-0x0000000000000000-mapping.dmp

Download
memory/2008-73-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2008-75-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2008-76-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2044-71-0x00000000001F0000-0x00000000001F6000-memory.dmp

Filesize
24KB

Download
memory/2044-64-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads