netwire | 5bf9a8fbbf53172ab424905d4b33d8d56333016b704423d262cc008e77492695

General

Target

5bf9a8fbbf53172ab424905d4b33d8d56333016b704423d262cc008e77492695.exe
Size

328KB
MD5

fa60eb0549da2b5b9213a237ea46d9f1
SHA1

a11a6f76acd193f5e9b3634db3847e7aba7d3e4b
SHA256

5bf9a8fbbf53172ab424905d4b33d8d56333016b704423d262cc008e77492695
SHA512

2b3d2e0ce4c9537b6e02e4ec36b9a4be2d6f0559ad08c4b93640dadf5234bce839987d5a8f7f4f3d4694fbd4f1e8d54ab45f7e1e69f98453d9c163e11b37716e

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

C2

91.192.100.34:7008

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
BST
lock_executable
false
offline_keylogger
false
password
Password
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 5 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\tmp.exe	netwire
C:\Users\Admin\AppData\Local\Temp\tmp.exe	netwire
behavioral2/memory/3240-140-0x0000000000600000-0x000000000062C000-memory.dmp	netwire
behavioral2/memory/3240-143-0x0000000000600000-0x000000000062C000-memory.dmp	netwire
behavioral2/memory/3240-148-0x0000000000600000-0x000000000062C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

tmp.exesvhost.exe

pid process

2344 tmp.exe
3240 svhost.exe

pid	process
2344	tmp.exe
3240	svhost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5bf9a8fbbf53172ab424905d4b33d8d56333016b704423d262cc008e77492695.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation	5bf9a8fbbf53172ab424905d4b33d8d56333016b704423d262cc008e77492695.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

5bf9a8fbbf53172ab424905d4b33d8d56333016b704423d262cc008e77492695.exe

description	ioc	process
File opened for modification	C:\Windows\assembly\Desktop.ini	5bf9a8fbbf53172ab424905d4b33d8d56333016b704423d262cc008e77492695.exe
File created	C:\Windows\assembly\Desktop.ini	5bf9a8fbbf53172ab424905d4b33d8d56333016b704423d262cc008e77492695.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

5bf9a8fbbf53172ab424905d4b33d8d56333016b704423d262cc008e77492695.exe

description	pid	process	target process
PID 3204 set thread context of 3240	3204	5bf9a8fbbf53172ab424905d4b33d8d56333016b704423d262cc008e77492695.exe	svhost.exe

Drops file in Windows directory 3 IoCs

Processes:

5bf9a8fbbf53172ab424905d4b33d8d56333016b704423d262cc008e77492695.exe

description	ioc	process
File created	C:\Windows\assembly\Desktop.ini	5bf9a8fbbf53172ab424905d4b33d8d56333016b704423d262cc008e77492695.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	5bf9a8fbbf53172ab424905d4b33d8d56333016b704423d262cc008e77492695.exe
File opened for modification	C:\Windows\assembly	5bf9a8fbbf53172ab424905d4b33d8d56333016b704423d262cc008e77492695.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1300 3240 WerFault.exe svhost.exe
NTFS ADS 1 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier cmd.exe

pid	pid_target	process	target process
1300	3240	WerFault.exe	svhost.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier	cmd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

5bf9a8fbbf53172ab424905d4b33d8d56333016b704423d262cc008e77492695.exe

pid	process
3204	5bf9a8fbbf53172ab424905d4b33d8d56333016b704423d262cc008e77492695.exe
3204	5bf9a8fbbf53172ab424905d4b33d8d56333016b704423d262cc008e77492695.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

5bf9a8fbbf53172ab424905d4b33d8d56333016b704423d262cc008e77492695.exe

description pid process

Token: SeDebugPrivilege 3204 5bf9a8fbbf53172ab424905d4b33d8d56333016b704423d262cc008e77492695.exe

description	pid	process
Token: SeDebugPrivilege	3204	5bf9a8fbbf53172ab424905d4b33d8d56333016b704423d262cc008e77492695.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

5bf9a8fbbf53172ab424905d4b33d8d56333016b704423d262cc008e77492695.execmd.exe

description	pid	process	target process
PID 3204 wrote to memory of 4336	3204	5bf9a8fbbf53172ab424905d4b33d8d56333016b704423d262cc008e77492695.exe	cmd.exe
PID 3204 wrote to memory of 4336	3204	5bf9a8fbbf53172ab424905d4b33d8d56333016b704423d262cc008e77492695.exe	cmd.exe
PID 3204 wrote to memory of 4336	3204	5bf9a8fbbf53172ab424905d4b33d8d56333016b704423d262cc008e77492695.exe	cmd.exe
PID 4336 wrote to memory of 1168	4336	cmd.exe	reg.exe
PID 4336 wrote to memory of 1168	4336	cmd.exe	reg.exe
PID 4336 wrote to memory of 1168	4336	cmd.exe	reg.exe
PID 3204 wrote to memory of 2344	3204	5bf9a8fbbf53172ab424905d4b33d8d56333016b704423d262cc008e77492695.exe	tmp.exe
PID 3204 wrote to memory of 2344	3204	5bf9a8fbbf53172ab424905d4b33d8d56333016b704423d262cc008e77492695.exe	tmp.exe
PID 3204 wrote to memory of 2344	3204	5bf9a8fbbf53172ab424905d4b33d8d56333016b704423d262cc008e77492695.exe	tmp.exe
PID 3204 wrote to memory of 3240	3204	5bf9a8fbbf53172ab424905d4b33d8d56333016b704423d262cc008e77492695.exe	svhost.exe
PID 3204 wrote to memory of 3240	3204	5bf9a8fbbf53172ab424905d4b33d8d56333016b704423d262cc008e77492695.exe	svhost.exe
PID 3204 wrote to memory of 3240	3204	5bf9a8fbbf53172ab424905d4b33d8d56333016b704423d262cc008e77492695.exe	svhost.exe
PID 3204 wrote to memory of 3240	3204	5bf9a8fbbf53172ab424905d4b33d8d56333016b704423d262cc008e77492695.exe	svhost.exe
PID 3204 wrote to memory of 3240	3204	5bf9a8fbbf53172ab424905d4b33d8d56333016b704423d262cc008e77492695.exe	svhost.exe
PID 3204 wrote to memory of 3240	3204	5bf9a8fbbf53172ab424905d4b33d8d56333016b704423d262cc008e77492695.exe	svhost.exe
PID 3204 wrote to memory of 3240	3204	5bf9a8fbbf53172ab424905d4b33d8d56333016b704423d262cc008e77492695.exe	svhost.exe
PID 3204 wrote to memory of 3240	3204	5bf9a8fbbf53172ab424905d4b33d8d56333016b704423d262cc008e77492695.exe	svhost.exe
PID 3204 wrote to memory of 3240	3204	5bf9a8fbbf53172ab424905d4b33d8d56333016b704423d262cc008e77492695.exe	svhost.exe
PID 3204 wrote to memory of 3240	3204	5bf9a8fbbf53172ab424905d4b33d8d56333016b704423d262cc008e77492695.exe	svhost.exe

C:\Users\Admin\AppData\Local\Temp\5bf9a8fbbf53172ab424905d4b33d8d56333016b704423d262cc008e77492695.exe
"C:\Users\Admin\AppData\Local\Temp\5bf9a8fbbf53172ab424905d4b33d8d56333016b704423d262cc008e77492695.exe"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3204

C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
2⤵
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:4336

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
3⤵
PID:1168

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
2⤵
- Executes dropped EXE
PID:2344

C:\Users\Admin\AppData\Local\Temp\svhost.exe
"C:\Users\Admin\AppData\Local\Temp\svhost.exe"
2⤵
- Executes dropped EXE
PID:3240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3240 -s 360
3⤵
- Program crash
PID:1300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3240 -ip 3240
1⤵
PID:1880

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe

Filesize
328KB

MD5
fa60eb0549da2b5b9213a237ea46d9f1

SHA1
a11a6f76acd193f5e9b3634db3847e7aba7d3e4b

SHA256
5bf9a8fbbf53172ab424905d4b33d8d56333016b704423d262cc008e77492695

SHA512
2b3d2e0ce4c9537b6e02e4ec36b9a4be2d6f0559ad08c4b93640dadf5234bce839987d5a8f7f4f3d4694fbd4f1e8d54ab45f7e1e69f98453d9c163e11b37716e

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
89KB

MD5
84c42d0f2c1ae761bef884638bc1eacd

SHA1
4353881e7f4e9c7610f4e0489183b55bb58bb574

SHA256
331487446653875bf1e628b797a5283e40056654f7ff328eafbe39b0304480d3

SHA512
43c307a38faa3a4b311597034cf75035a4434a1024d2a54e867e6a94b53b677898d71a858438d119000e872a7a6e92c5b31d277a8c207a94375ed4fd3c7beb87

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
89KB

MD5
84c42d0f2c1ae761bef884638bc1eacd

SHA1
4353881e7f4e9c7610f4e0489183b55bb58bb574

SHA256
331487446653875bf1e628b797a5283e40056654f7ff328eafbe39b0304480d3

SHA512
43c307a38faa3a4b311597034cf75035a4434a1024d2a54e867e6a94b53b677898d71a858438d119000e872a7a6e92c5b31d277a8c207a94375ed4fd3c7beb87

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.exe

Filesize
132KB

MD5
2afc8dc897074e5d76004b1ff6f949de

SHA1
7e9402d4c652b2ec8721273af9f7cb65b56fd3f9

SHA256
0aa93c8240a9c593d6a8d5c226d4f0b7ac033cef70b39524281c52d92a97fb0a

SHA512
6a0782eaeb0a2fb709d4cf5fdc6fe81185eb0cd54ba2f54f4de94b1b48dc96adb588a741f6514f9e38ffc7ca116666261c73e1c7709b1bf6a55e2bc89b7a70ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.exe

Filesize
132KB

MD5
2afc8dc897074e5d76004b1ff6f949de

SHA1
7e9402d4c652b2ec8721273af9f7cb65b56fd3f9

SHA256
0aa93c8240a9c593d6a8d5c226d4f0b7ac033cef70b39524281c52d92a97fb0a

SHA512
6a0782eaeb0a2fb709d4cf5fdc6fe81185eb0cd54ba2f54f4de94b1b48dc96adb588a741f6514f9e38ffc7ca116666261c73e1c7709b1bf6a55e2bc89b7a70ea

Download Submit
memory/1168-132-0x0000000000000000-mapping.dmp

Download
memory/2344-134-0x0000000000000000-mapping.dmp

Download
memory/3204-130-0x0000000074C90000-0x0000000075241000-memory.dmp

Filesize
5.7MB

Download
memory/3204-150-0x0000000074C90000-0x0000000075241000-memory.dmp

Filesize
5.7MB

Download
memory/3204-151-0x0000000074C90000-0x0000000075241000-memory.dmp

Filesize
5.7MB

Download
memory/3240-137-0x0000000000000000-mapping.dmp

Download
memory/3240-140-0x0000000000600000-0x000000000062C000-memory.dmp

Filesize
176KB

Download
memory/3240-143-0x0000000000600000-0x000000000062C000-memory.dmp

Filesize
176KB

Download
memory/3240-148-0x0000000000600000-0x000000000062C000-memory.dmp

Filesize
176KB

Download
memory/4336-131-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads