netwire | 30f0b1b4f04adbac7201528c1fa4a1e78f41e243b1da2332d57e662448282155

Analysis

max time kernel
100s
max time network
46s
platform
windows7_x64
resource
win7-20220718-en
resource tags

arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
submitted
06-08-2022 07:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

91f5a7d8b8ba508f8e6999e7ddb8e902.exe
Size

749KB
MD5

91f5a7d8b8ba508f8e6999e7ddb8e902
SHA1

3aae5bd6075319c5ff54279c3d5ebfd9ec8d4c59
SHA256

30f0b1b4f04adbac7201528c1fa4a1e78f41e243b1da2332d57e662448282155
SHA512

0391ee953d85455365c110a537ddcdb40d9060ba630329f6c10eb012e78af2d16426367c496a013fdca00d01b2c044768bca6a7a7e9002caaa8d95cbb950da27

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

37.0.14.206:3384

Attributes

activex_autorun
false
copy_executable
true
delete_original
false
host_id
HostId-%Rand%
install_path
%AppData%\Install\Host.exe
keylogger_dir
%AppData%\Logs\
lock_executable
true
offline_keylogger
true
password
Password234
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 9 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/604-69-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/604-70-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/604-71-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/604-73-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/604-75-0x000000000040242D-mapping.dmp	netwire
behavioral1/memory/604-74-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/604-78-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/604-84-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/1720-106-0x000000000040242D-mapping.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 3 IoCs

Processes:

Host.exeHost.exeHost.exe

pid process

816 Host.exe
1012 Host.exe
1720 Host.exe
Loads dropped DLL 2 IoCs

Processes:

91f5a7d8b8ba508f8e6999e7ddb8e902.exe

pid process

604 91f5a7d8b8ba508f8e6999e7ddb8e902.exe
604 91f5a7d8b8ba508f8e6999e7ddb8e902.exe

pid	process
816	Host.exe
1012	Host.exe
1720	Host.exe

pid	process
604	91f5a7d8b8ba508f8e6999e7ddb8e902.exe
604	91f5a7d8b8ba508f8e6999e7ddb8e902.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

91f5a7d8b8ba508f8e6999e7ddb8e902.exeHost.exe

description	pid	process	target process
PID 2040 set thread context of 604	2040	91f5a7d8b8ba508f8e6999e7ddb8e902.exe	91f5a7d8b8ba508f8e6999e7ddb8e902.exe
PID 816 set thread context of 1720	816	Host.exe	Host.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1564 schtasks.exe
844 schtasks.exe

pid	process
1564	schtasks.exe
844	schtasks.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

91f5a7d8b8ba508f8e6999e7ddb8e902.exepowershell.exeHost.exepowershell.exe

pid	process
2040	91f5a7d8b8ba508f8e6999e7ddb8e902.exe
2040	91f5a7d8b8ba508f8e6999e7ddb8e902.exe
1184	powershell.exe
816	Host.exe
816	Host.exe
1728	powershell.exe
816	Host.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

91f5a7d8b8ba508f8e6999e7ddb8e902.exepowershell.exeHost.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2040	91f5a7d8b8ba508f8e6999e7ddb8e902.exe
Token: SeDebugPrivilege	1184	powershell.exe
Token: SeDebugPrivilege	816	Host.exe
Token: SeDebugPrivilege	1728	powershell.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

91f5a7d8b8ba508f8e6999e7ddb8e902.exe91f5a7d8b8ba508f8e6999e7ddb8e902.exeHost.exe

description	pid	process	target process
PID 2040 wrote to memory of 1184	2040	91f5a7d8b8ba508f8e6999e7ddb8e902.exe	powershell.exe
PID 2040 wrote to memory of 1184	2040	91f5a7d8b8ba508f8e6999e7ddb8e902.exe	powershell.exe
PID 2040 wrote to memory of 1184	2040	91f5a7d8b8ba508f8e6999e7ddb8e902.exe	powershell.exe
PID 2040 wrote to memory of 1184	2040	91f5a7d8b8ba508f8e6999e7ddb8e902.exe	powershell.exe
PID 2040 wrote to memory of 1564	2040	91f5a7d8b8ba508f8e6999e7ddb8e902.exe	schtasks.exe
PID 2040 wrote to memory of 1564	2040	91f5a7d8b8ba508f8e6999e7ddb8e902.exe	schtasks.exe
PID 2040 wrote to memory of 1564	2040	91f5a7d8b8ba508f8e6999e7ddb8e902.exe	schtasks.exe
PID 2040 wrote to memory of 1564	2040	91f5a7d8b8ba508f8e6999e7ddb8e902.exe	schtasks.exe
PID 2040 wrote to memory of 604	2040	91f5a7d8b8ba508f8e6999e7ddb8e902.exe	91f5a7d8b8ba508f8e6999e7ddb8e902.exe
PID 2040 wrote to memory of 604	2040	91f5a7d8b8ba508f8e6999e7ddb8e902.exe	91f5a7d8b8ba508f8e6999e7ddb8e902.exe
PID 2040 wrote to memory of 604	2040	91f5a7d8b8ba508f8e6999e7ddb8e902.exe	91f5a7d8b8ba508f8e6999e7ddb8e902.exe
PID 2040 wrote to memory of 604	2040	91f5a7d8b8ba508f8e6999e7ddb8e902.exe	91f5a7d8b8ba508f8e6999e7ddb8e902.exe
PID 2040 wrote to memory of 604	2040	91f5a7d8b8ba508f8e6999e7ddb8e902.exe	91f5a7d8b8ba508f8e6999e7ddb8e902.exe
PID 2040 wrote to memory of 604	2040	91f5a7d8b8ba508f8e6999e7ddb8e902.exe	91f5a7d8b8ba508f8e6999e7ddb8e902.exe
PID 2040 wrote to memory of 604	2040	91f5a7d8b8ba508f8e6999e7ddb8e902.exe	91f5a7d8b8ba508f8e6999e7ddb8e902.exe
PID 2040 wrote to memory of 604	2040	91f5a7d8b8ba508f8e6999e7ddb8e902.exe	91f5a7d8b8ba508f8e6999e7ddb8e902.exe
PID 2040 wrote to memory of 604	2040	91f5a7d8b8ba508f8e6999e7ddb8e902.exe	91f5a7d8b8ba508f8e6999e7ddb8e902.exe
PID 2040 wrote to memory of 604	2040	91f5a7d8b8ba508f8e6999e7ddb8e902.exe	91f5a7d8b8ba508f8e6999e7ddb8e902.exe
PID 2040 wrote to memory of 604	2040	91f5a7d8b8ba508f8e6999e7ddb8e902.exe	91f5a7d8b8ba508f8e6999e7ddb8e902.exe
PID 2040 wrote to memory of 604	2040	91f5a7d8b8ba508f8e6999e7ddb8e902.exe	91f5a7d8b8ba508f8e6999e7ddb8e902.exe
PID 604 wrote to memory of 816	604	91f5a7d8b8ba508f8e6999e7ddb8e902.exe	Host.exe
PID 604 wrote to memory of 816	604	91f5a7d8b8ba508f8e6999e7ddb8e902.exe	Host.exe
PID 604 wrote to memory of 816	604	91f5a7d8b8ba508f8e6999e7ddb8e902.exe	Host.exe
PID 604 wrote to memory of 816	604	91f5a7d8b8ba508f8e6999e7ddb8e902.exe	Host.exe
PID 816 wrote to memory of 1728	816	Host.exe	powershell.exe
PID 816 wrote to memory of 1728	816	Host.exe	powershell.exe
PID 816 wrote to memory of 1728	816	Host.exe	powershell.exe
PID 816 wrote to memory of 1728	816	Host.exe	powershell.exe
PID 816 wrote to memory of 844	816	Host.exe	schtasks.exe
PID 816 wrote to memory of 844	816	Host.exe	schtasks.exe
PID 816 wrote to memory of 844	816	Host.exe	schtasks.exe
PID 816 wrote to memory of 844	816	Host.exe	schtasks.exe
PID 816 wrote to memory of 1012	816	Host.exe	Host.exe
PID 816 wrote to memory of 1012	816	Host.exe	Host.exe
PID 816 wrote to memory of 1012	816	Host.exe	Host.exe
PID 816 wrote to memory of 1012	816	Host.exe	Host.exe
PID 816 wrote to memory of 1720	816	Host.exe	Host.exe
PID 816 wrote to memory of 1720	816	Host.exe	Host.exe
PID 816 wrote to memory of 1720	816	Host.exe	Host.exe
PID 816 wrote to memory of 1720	816	Host.exe	Host.exe
PID 816 wrote to memory of 1720	816	Host.exe	Host.exe
PID 816 wrote to memory of 1720	816	Host.exe	Host.exe
PID 816 wrote to memory of 1720	816	Host.exe	Host.exe
PID 816 wrote to memory of 1720	816	Host.exe	Host.exe
PID 816 wrote to memory of 1720	816	Host.exe	Host.exe
PID 816 wrote to memory of 1720	816	Host.exe	Host.exe
PID 816 wrote to memory of 1720	816	Host.exe	Host.exe
PID 816 wrote to memory of 1720	816	Host.exe	Host.exe

C:\Users\Admin\AppData\Local\Temp\91f5a7d8b8ba508f8e6999e7ddb8e902.exe
"C:\Users\Admin\AppData\Local\Temp\91f5a7d8b8ba508f8e6999e7ddb8e902.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\fBPIygOi.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1184

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fBPIygOi" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB4EE.tmp"
2⤵
- Creates scheduled task(s)
PID:1564

C:\Users\Admin\AppData\Local\Temp\91f5a7d8b8ba508f8e6999e7ddb8e902.exe
"C:\Users\Admin\AppData\Local\Temp\91f5a7d8b8ba508f8e6999e7ddb8e902.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:604

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:816

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\fBPIygOi.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1728

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fBPIygOi" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7244.tmp"
4⤵
- Creates scheduled task(s)
PID:844

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
4⤵
- Executes dropped EXE
PID:1012

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
4⤵
- Executes dropped EXE
PID:1720

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp7244.tmp
Filesize
1KB

MD5
f36bd67ba042251b033f96289da33c60

SHA1
bff52b53fec2c8ce3a9aa047c19a9cf7c328f443

SHA256
8e1d57e3dc55ae1f7350b5f3bd8008f3c491a611ae3e1fb36465cba51ba10601

SHA512
23df5bce9978772c0b0263669c7ea3e36a2be54fde5a6e8ec50d7c35f4c3efede73a5fbdeebe48fb6b06b9e4cca631c98e61c0835bab711e7dea54217043c744

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB4EE.tmp
Filesize
1KB

MD5
f36bd67ba042251b033f96289da33c60

SHA1
bff52b53fec2c8ce3a9aa047c19a9cf7c328f443

SHA256
8e1d57e3dc55ae1f7350b5f3bd8008f3c491a611ae3e1fb36465cba51ba10601

SHA512
23df5bce9978772c0b0263669c7ea3e36a2be54fde5a6e8ec50d7c35f4c3efede73a5fbdeebe48fb6b06b9e4cca631c98e61c0835bab711e7dea54217043c744

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
749KB

MD5
91f5a7d8b8ba508f8e6999e7ddb8e902

SHA1
3aae5bd6075319c5ff54279c3d5ebfd9ec8d4c59

SHA256
30f0b1b4f04adbac7201528c1fa4a1e78f41e243b1da2332d57e662448282155

SHA512
0391ee953d85455365c110a537ddcdb40d9060ba630329f6c10eb012e78af2d16426367c496a013fdca00d01b2c044768bca6a7a7e9002caaa8d95cbb950da27

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
749KB

MD5
91f5a7d8b8ba508f8e6999e7ddb8e902

SHA1
3aae5bd6075319c5ff54279c3d5ebfd9ec8d4c59

SHA256
30f0b1b4f04adbac7201528c1fa4a1e78f41e243b1da2332d57e662448282155

SHA512
0391ee953d85455365c110a537ddcdb40d9060ba630329f6c10eb012e78af2d16426367c496a013fdca00d01b2c044768bca6a7a7e9002caaa8d95cbb950da27

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
749KB

MD5
91f5a7d8b8ba508f8e6999e7ddb8e902

SHA1
3aae5bd6075319c5ff54279c3d5ebfd9ec8d4c59

SHA256
30f0b1b4f04adbac7201528c1fa4a1e78f41e243b1da2332d57e662448282155

SHA512
0391ee953d85455365c110a537ddcdb40d9060ba630329f6c10eb012e78af2d16426367c496a013fdca00d01b2c044768bca6a7a7e9002caaa8d95cbb950da27

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
749KB

MD5
91f5a7d8b8ba508f8e6999e7ddb8e902

SHA1
3aae5bd6075319c5ff54279c3d5ebfd9ec8d4c59

SHA256
30f0b1b4f04adbac7201528c1fa4a1e78f41e243b1da2332d57e662448282155

SHA512
0391ee953d85455365c110a537ddcdb40d9060ba630329f6c10eb012e78af2d16426367c496a013fdca00d01b2c044768bca6a7a7e9002caaa8d95cbb950da27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
f8ddd0dce00f411a0fe7fc52a5dc4157

SHA1
849fb0fe1d4463be54905d218708a534126860a3

SHA256
738236e1ec46df341481dc0014a9f0788638bdadf68e53a53449d76c4988ad2e

SHA512
68eb13b3a1d8228621c34862a406c4a4ee5b5c223c10f2f8e77c842b5679289bc81392c731a8884ef26cb9c8d24b5246804f430404edd1c33570994df1ce5746

Download Submit
\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
749KB

MD5
91f5a7d8b8ba508f8e6999e7ddb8e902

SHA1
3aae5bd6075319c5ff54279c3d5ebfd9ec8d4c59

SHA256
30f0b1b4f04adbac7201528c1fa4a1e78f41e243b1da2332d57e662448282155

SHA512
0391ee953d85455365c110a537ddcdb40d9060ba630329f6c10eb012e78af2d16426367c496a013fdca00d01b2c044768bca6a7a7e9002caaa8d95cbb950da27

Download Submit
\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
749KB

MD5
91f5a7d8b8ba508f8e6999e7ddb8e902

SHA1
3aae5bd6075319c5ff54279c3d5ebfd9ec8d4c59

SHA256
30f0b1b4f04adbac7201528c1fa4a1e78f41e243b1da2332d57e662448282155

SHA512
0391ee953d85455365c110a537ddcdb40d9060ba630329f6c10eb012e78af2d16426367c496a013fdca00d01b2c044768bca6a7a7e9002caaa8d95cbb950da27

Download Submit
memory/604-78-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/604-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/604-67-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/604-69-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/604-70-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/604-71-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/604-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/604-75-0x000000000040242D-mapping.dmp

Download
memory/604-74-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/604-84-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/604-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/816-81-0x0000000000000000-mapping.dmp

Download
memory/816-87-0x0000000001E30000-0x0000000001E46000-memory.dmp

Filesize
88KB

Download
memory/816-85-0x0000000000270000-0x0000000000332000-memory.dmp

Filesize
776KB

Download
memory/844-90-0x0000000000000000-mapping.dmp

Download
memory/1184-88-0x000000006E5A0000-0x000000006EB4B000-memory.dmp

Filesize
5.7MB

Download
memory/1184-59-0x0000000000000000-mapping.dmp

Download
memory/1564-60-0x0000000000000000-mapping.dmp

Download
memory/1720-106-0x000000000040242D-mapping.dmp

Download
memory/1728-89-0x0000000000000000-mapping.dmp

Download
memory/1728-110-0x0000000073C70000-0x000000007421B000-memory.dmp

Filesize
5.7MB

Download
memory/2040-63-0x0000000004990000-0x00000000049BE000-memory.dmp

Filesize
184KB

Download
memory/2040-54-0x0000000000D90000-0x0000000000E52000-memory.dmp

Filesize
776KB

Download
memory/2040-58-0x0000000005EB0000-0x0000000005F2C000-memory.dmp

Filesize
496KB

Download
memory/2040-57-0x0000000000610000-0x000000000061A000-memory.dmp

Filesize
40KB

Download
memory/2040-56-0x0000000000600000-0x0000000000616000-memory.dmp

Filesize
88KB

Download
memory/2040-55-0x0000000075A81000-0x0000000075A83000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads