netwire | 5bf9a8fbbf53172ab424905d4b33d8d56333016b704423d262cc008e77492695

General

Target

5bf9a8fbbf53172ab424905d4b33d8d56333016b704423d262cc008e77492695.exe
Size

328KB
MD5

fa60eb0549da2b5b9213a237ea46d9f1
SHA1

a11a6f76acd193f5e9b3634db3847e7aba7d3e4b
SHA256

5bf9a8fbbf53172ab424905d4b33d8d56333016b704423d262cc008e77492695
SHA512

2b3d2e0ce4c9537b6e02e4ec36b9a4be2d6f0559ad08c4b93640dadf5234bce839987d5a8f7f4f3d4694fbd4f1e8d54ab45f7e1e69f98453d9c163e11b37716e

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

C2

91.192.100.34:7008

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
BST
lock_executable
false
offline_keylogger
false
password
Password
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 10 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\tmp.exe	netwire
\Users\Admin\AppData\Local\Temp\tmp.exe	netwire
\Users\Admin\AppData\Local\Temp\tmp.exe	netwire
behavioral1/memory/1612-70-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1612-71-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1612-73-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1612-74-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1612-75-0x0000000000402BCB-mapping.dmp	netwire
behavioral1/memory/1612-79-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1612-81-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

tmp.exesvhost.exe

pid process

1604 tmp.exe
1612 svhost.exe

pid	process
1604	tmp.exe
1612	svhost.exe

Loads dropped DLL 4 IoCs

Processes:

5bf9a8fbbf53172ab424905d4b33d8d56333016b704423d262cc008e77492695.exe

pid	process
1976	5bf9a8fbbf53172ab424905d4b33d8d56333016b704423d262cc008e77492695.exe
1976	5bf9a8fbbf53172ab424905d4b33d8d56333016b704423d262cc008e77492695.exe
1976	5bf9a8fbbf53172ab424905d4b33d8d56333016b704423d262cc008e77492695.exe
1976	5bf9a8fbbf53172ab424905d4b33d8d56333016b704423d262cc008e77492695.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

5bf9a8fbbf53172ab424905d4b33d8d56333016b704423d262cc008e77492695.exe

description	pid	process	target process
PID 1976 set thread context of 1612	1976	5bf9a8fbbf53172ab424905d4b33d8d56333016b704423d262cc008e77492695.exe	svhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
NTFS ADS 1 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier cmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier	cmd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

5bf9a8fbbf53172ab424905d4b33d8d56333016b704423d262cc008e77492695.exe

pid	process
1976	5bf9a8fbbf53172ab424905d4b33d8d56333016b704423d262cc008e77492695.exe
1976	5bf9a8fbbf53172ab424905d4b33d8d56333016b704423d262cc008e77492695.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

5bf9a8fbbf53172ab424905d4b33d8d56333016b704423d262cc008e77492695.exe

description pid process

Token: SeDebugPrivilege 1976 5bf9a8fbbf53172ab424905d4b33d8d56333016b704423d262cc008e77492695.exe

description	pid	process
Token: SeDebugPrivilege	1976	5bf9a8fbbf53172ab424905d4b33d8d56333016b704423d262cc008e77492695.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

5bf9a8fbbf53172ab424905d4b33d8d56333016b704423d262cc008e77492695.execmd.exe

description	pid	process	target process
PID 1976 wrote to memory of 1724	1976	5bf9a8fbbf53172ab424905d4b33d8d56333016b704423d262cc008e77492695.exe	cmd.exe
PID 1976 wrote to memory of 1724	1976	5bf9a8fbbf53172ab424905d4b33d8d56333016b704423d262cc008e77492695.exe	cmd.exe
PID 1976 wrote to memory of 1724	1976	5bf9a8fbbf53172ab424905d4b33d8d56333016b704423d262cc008e77492695.exe	cmd.exe
PID 1976 wrote to memory of 1724	1976	5bf9a8fbbf53172ab424905d4b33d8d56333016b704423d262cc008e77492695.exe	cmd.exe
PID 1724 wrote to memory of 944	1724	cmd.exe	reg.exe
PID 1724 wrote to memory of 944	1724	cmd.exe	reg.exe
PID 1724 wrote to memory of 944	1724	cmd.exe	reg.exe
PID 1724 wrote to memory of 944	1724	cmd.exe	reg.exe
PID 1976 wrote to memory of 1604	1976	5bf9a8fbbf53172ab424905d4b33d8d56333016b704423d262cc008e77492695.exe	tmp.exe
PID 1976 wrote to memory of 1604	1976	5bf9a8fbbf53172ab424905d4b33d8d56333016b704423d262cc008e77492695.exe	tmp.exe
PID 1976 wrote to memory of 1604	1976	5bf9a8fbbf53172ab424905d4b33d8d56333016b704423d262cc008e77492695.exe	tmp.exe
PID 1976 wrote to memory of 1604	1976	5bf9a8fbbf53172ab424905d4b33d8d56333016b704423d262cc008e77492695.exe	tmp.exe
PID 1976 wrote to memory of 1612	1976	5bf9a8fbbf53172ab424905d4b33d8d56333016b704423d262cc008e77492695.exe	svhost.exe
PID 1976 wrote to memory of 1612	1976	5bf9a8fbbf53172ab424905d4b33d8d56333016b704423d262cc008e77492695.exe	svhost.exe
PID 1976 wrote to memory of 1612	1976	5bf9a8fbbf53172ab424905d4b33d8d56333016b704423d262cc008e77492695.exe	svhost.exe
PID 1976 wrote to memory of 1612	1976	5bf9a8fbbf53172ab424905d4b33d8d56333016b704423d262cc008e77492695.exe	svhost.exe
PID 1976 wrote to memory of 1612	1976	5bf9a8fbbf53172ab424905d4b33d8d56333016b704423d262cc008e77492695.exe	svhost.exe
PID 1976 wrote to memory of 1612	1976	5bf9a8fbbf53172ab424905d4b33d8d56333016b704423d262cc008e77492695.exe	svhost.exe
PID 1976 wrote to memory of 1612	1976	5bf9a8fbbf53172ab424905d4b33d8d56333016b704423d262cc008e77492695.exe	svhost.exe
PID 1976 wrote to memory of 1612	1976	5bf9a8fbbf53172ab424905d4b33d8d56333016b704423d262cc008e77492695.exe	svhost.exe
PID 1976 wrote to memory of 1612	1976	5bf9a8fbbf53172ab424905d4b33d8d56333016b704423d262cc008e77492695.exe	svhost.exe
PID 1976 wrote to memory of 1612	1976	5bf9a8fbbf53172ab424905d4b33d8d56333016b704423d262cc008e77492695.exe	svhost.exe
PID 1976 wrote to memory of 1612	1976	5bf9a8fbbf53172ab424905d4b33d8d56333016b704423d262cc008e77492695.exe	svhost.exe

C:\Users\Admin\AppData\Local\Temp\5bf9a8fbbf53172ab424905d4b33d8d56333016b704423d262cc008e77492695.exe
"C:\Users\Admin\AppData\Local\Temp\5bf9a8fbbf53172ab424905d4b33d8d56333016b704423d262cc008e77492695.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1976

C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
2⤵
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:1724

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
3⤵
PID:944

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
2⤵
- Executes dropped EXE
PID:1604

C:\Users\Admin\AppData\Local\Temp\svhost.exe
"C:\Users\Admin\AppData\Local\Temp\svhost.exe"
2⤵
- Executes dropped EXE
PID:1612

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe

Filesize
328KB

MD5
fa60eb0549da2b5b9213a237ea46d9f1

SHA1
a11a6f76acd193f5e9b3634db3847e7aba7d3e4b

SHA256
5bf9a8fbbf53172ab424905d4b33d8d56333016b704423d262cc008e77492695

SHA512
2b3d2e0ce4c9537b6e02e4ec36b9a4be2d6f0559ad08c4b93640dadf5234bce839987d5a8f7f4f3d4694fbd4f1e8d54ab45f7e1e69f98453d9c163e11b37716e

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
85KB

MD5
2e5f1cf69f92392f8829fc9c9263ae9b

SHA1
97b9ca766bbbdaa8c9ec960dc41b598f7fad82a5

SHA256
51985a57e085d8b17042f0cdc1f905380b792854733eb3275fd8fce4e3bb886b

SHA512
f7e096dd9d0fa3a3c04c01bf229c4b344798a4c8b7b848588c1d78cb9fadfa9b1d0fd53c1fe74d191d5561e9eb551a4a3fc918363f119ea60024dd3d67c83883

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.exe

Filesize
132KB

MD5
2afc8dc897074e5d76004b1ff6f949de

SHA1
7e9402d4c652b2ec8721273af9f7cb65b56fd3f9

SHA256
0aa93c8240a9c593d6a8d5c226d4f0b7ac033cef70b39524281c52d92a97fb0a

SHA512
6a0782eaeb0a2fb709d4cf5fdc6fe81185eb0cd54ba2f54f4de94b1b48dc96adb588a741f6514f9e38ffc7ca116666261c73e1c7709b1bf6a55e2bc89b7a70ea

Download Submit
\Users\Admin\AppData\Local\Temp\FolderN\name.exe

Filesize
328KB

MD5
fa60eb0549da2b5b9213a237ea46d9f1

SHA1
a11a6f76acd193f5e9b3634db3847e7aba7d3e4b

SHA256
5bf9a8fbbf53172ab424905d4b33d8d56333016b704423d262cc008e77492695

SHA512
2b3d2e0ce4c9537b6e02e4ec36b9a4be2d6f0559ad08c4b93640dadf5234bce839987d5a8f7f4f3d4694fbd4f1e8d54ab45f7e1e69f98453d9c163e11b37716e

Download Submit
\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
85KB

MD5
2e5f1cf69f92392f8829fc9c9263ae9b

SHA1
97b9ca766bbbdaa8c9ec960dc41b598f7fad82a5

SHA256
51985a57e085d8b17042f0cdc1f905380b792854733eb3275fd8fce4e3bb886b

SHA512
f7e096dd9d0fa3a3c04c01bf229c4b344798a4c8b7b848588c1d78cb9fadfa9b1d0fd53c1fe74d191d5561e9eb551a4a3fc918363f119ea60024dd3d67c83883

Download Submit
\Users\Admin\AppData\Local\Temp\tmp.exe

Filesize
132KB

MD5
2afc8dc897074e5d76004b1ff6f949de

SHA1
7e9402d4c652b2ec8721273af9f7cb65b56fd3f9

SHA256
0aa93c8240a9c593d6a8d5c226d4f0b7ac033cef70b39524281c52d92a97fb0a

SHA512
6a0782eaeb0a2fb709d4cf5fdc6fe81185eb0cd54ba2f54f4de94b1b48dc96adb588a741f6514f9e38ffc7ca116666261c73e1c7709b1bf6a55e2bc89b7a70ea

Download Submit
\Users\Admin\AppData\Local\Temp\tmp.exe

Filesize
132KB

MD5
2afc8dc897074e5d76004b1ff6f949de

SHA1
7e9402d4c652b2ec8721273af9f7cb65b56fd3f9

SHA256
0aa93c8240a9c593d6a8d5c226d4f0b7ac033cef70b39524281c52d92a97fb0a

SHA512
6a0782eaeb0a2fb709d4cf5fdc6fe81185eb0cd54ba2f54f4de94b1b48dc96adb588a741f6514f9e38ffc7ca116666261c73e1c7709b1bf6a55e2bc89b7a70ea

Download Submit
memory/944-56-0x0000000000000000-mapping.dmp

Download
memory/1604-61-0x0000000000000000-mapping.dmp

Download
memory/1612-65-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1612-74-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1612-66-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1612-68-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1612-70-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1612-71-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1612-73-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1612-81-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1612-79-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1612-75-0x0000000000402BCB-mapping.dmp

Download
memory/1724-55-0x0000000000000000-mapping.dmp

Download
memory/1976-80-0x0000000074C20000-0x00000000751CB000-memory.dmp

Filesize
5.7MB

Download
memory/1976-54-0x0000000076901000-0x0000000076903000-memory.dmp

Filesize
8KB

Download
memory/1976-82-0x0000000074C20000-0x00000000751CB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads