netwire | 6b4dd13ea6241a6c8ad2c967d88f3336798dc1e30dd24cfa3377f9b363d70b2e

Analysis

max time kernel
104s
max time network
138s
platform
windows7_x64
resource
win7-20220718-en
resource tags

arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
submitted
31-07-2022 05:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DDllsystem.exe
Size

339KB
MD5

959be976070ea4820a2e24dcce3d0bdf
SHA1

7ec0c6d7d9b75ef8f078383a15d977b45dc434c1
SHA256

6b4dd13ea6241a6c8ad2c967d88f3336798dc1e30dd24cfa3377f9b363d70b2e
SHA512

de3ed25149af67a28cd5659bfeb895e323bbd9e79bb791bfbe972f448ca1012d4872b4478bd321a8baefd5813dd69fb19d73ff02d078f5b99ab6618946d4455e

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

finerthings.duckdns.org:3021

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
H23053OIGS
lock_executable
false
offline_keylogger
false
password
finerthings@963
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1320-59-0x0000000000400000-0x0000000000433000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Loads dropped DLL 1 IoCs

Processes:

DDllsystem.exe

pid process

756 DDllsystem.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

DDllsystem.exe

description pid process target process

PID 756 set thread context of 1320 756 DDllsystem.exe DDllsystem.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

DDllsystem.exe

pid process

756 DDllsystem.exe

pid	process
756	DDllsystem.exe

description	pid	process	target process
PID 756 set thread context of 1320	756	DDllsystem.exe	DDllsystem.exe

pid	process
756	DDllsystem.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

DDllsystem.exe

description	pid	process	target process
PID 756 wrote to memory of 1320	756	DDllsystem.exe	DDllsystem.exe
PID 756 wrote to memory of 1320	756	DDllsystem.exe	DDllsystem.exe
PID 756 wrote to memory of 1320	756	DDllsystem.exe	DDllsystem.exe
PID 756 wrote to memory of 1320	756	DDllsystem.exe	DDllsystem.exe
PID 756 wrote to memory of 1320	756	DDllsystem.exe	DDllsystem.exe

C:\Users\Admin\AppData\Local\Temp\DDllsystem.exe
"C:\Users\Admin\AppData\Local\Temp\DDllsystem.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:756

C:\Users\Admin\AppData\Local\Temp\DDllsystem.exe
"C:\Users\Admin\AppData\Local\Temp\DDllsystem.exe"
2⤵
PID:1320

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\kxtmnugf.dll

Filesize
9KB

MD5
c6740f343d8777430307336fcb50d504

SHA1
54e4bafc84ab18dab87731ee3b3647d923af7fd7

SHA256
03d53a25652bbf853ab65f0428ebc68db0497654206b95bb86f0d45f0b0ebd70

SHA512
ae4e1919d94a23d522996ac86c920aaf7d05b1aa7d3596521c9b7fcfcee5a890249ab825b0cc5d4a3dc75ac54db5248500c1c11b676caebf49811f6eed887ff2

Download Submit
memory/756-54-0x0000000076291000-0x0000000076293000-memory.dmp

Filesize
8KB

Download
memory/756-56-0x00000000749E0000-0x00000000749E6000-memory.dmp

Filesize
24KB

Download
memory/1320-57-0x000000000040242D-mapping.dmp

Download
memory/1320-59-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download