netwire | 783ed74b60bdd963e8b98dd9fd4914945f475dc1da1049a506d26bb0857357b1

General

Target

783ed74b60bdd963e8b98dd9fd4914945f475dc1da1049a506d26bb0857357b1.exe
Size

1.3MB
MD5

39b4b2215fa87ab9817e66c05563f3d6
SHA1

454d37c98ee8ba8966e186e82dda11bec004d3c0
SHA256

783ed74b60bdd963e8b98dd9fd4914945f475dc1da1049a506d26bb0857357b1
SHA512

f6341cfd84f04db032fab87d2dfe71af5148decbc69045b723e4487e39fc1d9b2c55199432fb055b6d135baf15076147458dfb81503eb3bd0562d97415aae77a

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

C2

185.244.31.108:3340

91.189.180.199:3362

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Soweto3000
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1692-67-0x0000000001330000-0x0000000002330000-memory.dmp	netwire
behavioral1/memory/1692-68-0x0000000001332BCB-mapping.dmp	netwire
behavioral1/memory/1692-71-0x0000000001330000-0x0000000002330000-memory.dmp	netwire
behavioral1/memory/1692-72-0x0000000001330000-0x0000000002330000-memory.dmp	netwire
behavioral1/memory/1692-73-0x0000000001330000-0x0000000002330000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 1 IoCs

Processes:

ptv.exe

pid process

1908 ptv.exe
Loads dropped DLL 1 IoCs

Processes:

WScript.exe

pid process

1348 WScript.exe

pid	process
1908	ptv.exe

pid	process
1348	WScript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ptv.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	ptv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\94720686\\ptv.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\94720686\\CHI_HK~1"	ptv.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

ptv.exe

description pid process target process

PID 1908 set thread context of 1692 1908 ptv.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 1908 set thread context of 1692	1908	ptv.exe	RegSvcs.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

783ed74b60bdd963e8b98dd9fd4914945f475dc1da1049a506d26bb0857357b1.exeWScript.exeptv.exe

description	pid	process	target process
PID 2020 wrote to memory of 1348	2020	783ed74b60bdd963e8b98dd9fd4914945f475dc1da1049a506d26bb0857357b1.exe	WScript.exe
PID 2020 wrote to memory of 1348	2020	783ed74b60bdd963e8b98dd9fd4914945f475dc1da1049a506d26bb0857357b1.exe	WScript.exe
PID 2020 wrote to memory of 1348	2020	783ed74b60bdd963e8b98dd9fd4914945f475dc1da1049a506d26bb0857357b1.exe	WScript.exe
PID 2020 wrote to memory of 1348	2020	783ed74b60bdd963e8b98dd9fd4914945f475dc1da1049a506d26bb0857357b1.exe	WScript.exe
PID 1348 wrote to memory of 1908	1348	WScript.exe	ptv.exe
PID 1348 wrote to memory of 1908	1348	WScript.exe	ptv.exe
PID 1348 wrote to memory of 1908	1348	WScript.exe	ptv.exe
PID 1348 wrote to memory of 1908	1348	WScript.exe	ptv.exe
PID 1908 wrote to memory of 1692	1908	ptv.exe	RegSvcs.exe
PID 1908 wrote to memory of 1692	1908	ptv.exe	RegSvcs.exe
PID 1908 wrote to memory of 1692	1908	ptv.exe	RegSvcs.exe
PID 1908 wrote to memory of 1692	1908	ptv.exe	RegSvcs.exe
PID 1908 wrote to memory of 1692	1908	ptv.exe	RegSvcs.exe
PID 1908 wrote to memory of 1692	1908	ptv.exe	RegSvcs.exe
PID 1908 wrote to memory of 1692	1908	ptv.exe	RegSvcs.exe
PID 1908 wrote to memory of 1692	1908	ptv.exe	RegSvcs.exe
PID 1908 wrote to memory of 1692	1908	ptv.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\783ed74b60bdd963e8b98dd9fd4914945f475dc1da1049a506d26bb0857357b1.exe
"C:\Users\Admin\AppData\Local\Temp\783ed74b60bdd963e8b98dd9fd4914945f475dc1da1049a506d26bb0857357b1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\94720686\uds.vbs"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1348

C:\Users\Admin\AppData\Local\Temp\94720686\ptv.exe
"C:\Users\Admin\AppData\Local\Temp\94720686\ptv.exe" chi=hkj
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1908

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
4⤵
PID:1692

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\94720686\chi=hkj
Filesize
266.1MB

MD5
3760f404ef51d01193dbcfe97cc9c972

SHA1
1c41b76373e0501e034a311a6155a54c6d742628

SHA256
13fe49e196649d945cb6bc79b336147e828fa14cad496944b2edabc3a72447e6

SHA512
107f80bf56be2a5ab3f49e9b43d4ddbce8cbaa3b751333ac4a6f394d14581adc600ae73e3e0911d750a6613cdc969559d3d1f23d68f99784af7494e224aa0fae

Download Submit
C:\Users\Admin\AppData\Local\Temp\94720686\ncx.dll
Filesize
309KB

MD5
a9ba463147cec07e70a2d081ecdbd38e

SHA1
ed519d4148c216773b49c914a8d5353ebd41b792

SHA256
b168a5f5b3eca5a807b0cec03e7dc5fed0c141974f2f0e2ddddbf35380cd8450

SHA512
711af800a47689531835c3a1ffd1ef5e0e32fc65017e4c86b064bd45b3b6126989958df9826286aa51aafe5c13bf86690b708b9541340d6d628084104d1f4fd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\94720686\ptv.exe
Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\94720686\ptv.exe
Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\94720686\uds.vbs
Filesize
83B

MD5
638680bbb481dee10f8dff85cd274437

SHA1
f0fd2266f1ef96156f894aba25932c8d7f513ac0

SHA256
ebede8c3e105053772cb5f3cb4f4a02a9ed2755f8553f2cc9c6efcd572ebd769

SHA512
2119229ccc4eeda5fb3672482e10a6030afed5ac3c76f9b5bcafb7d275ae8d5e90088b740deb7de1208f8a3588f7339f253c6ac57cb401862ecb5073f747b6ce

Download Submit
\Users\Admin\AppData\Local\Temp\94720686\ptv.exe
Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
memory/1348-55-0x0000000000000000-mapping.dmp

Download
memory/1692-65-0x0000000001330000-0x0000000002330000-memory.dmp

Filesize
16.0MB

Download
memory/1692-67-0x0000000001330000-0x0000000002330000-memory.dmp

Filesize
16.0MB

Download
memory/1692-68-0x0000000001332BCB-mapping.dmp

Download
memory/1692-71-0x0000000001330000-0x0000000002330000-memory.dmp

Filesize
16.0MB

Download
memory/1692-72-0x0000000001330000-0x0000000002330000-memory.dmp

Filesize
16.0MB

Download
memory/1692-73-0x0000000001330000-0x0000000002330000-memory.dmp

Filesize
16.0MB

Download
memory/1908-60-0x0000000000000000-mapping.dmp

Download
memory/2020-54-0x0000000075BF1000-0x0000000075BF3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads