netwire | 7d8baae21bcb552ebcd990c0f242ad47aea319b8f3b88b6f50b3d11e65b00e6d

General

Target

7d8baae21bcb552ebcd990c0f242ad47aea319b8f3b88b6f50b3d11e65b00e6d.exe
Size

877KB
MD5

b9f12014018438f46d4a7e668919b370
SHA1

5265ef447a377aeb380bfaa16835f9e8d1ed162a
SHA256

7d8baae21bcb552ebcd990c0f242ad47aea319b8f3b88b6f50b3d11e65b00e6d
SHA512

35e024cf309ecf8190ae4b0fc8309e04554aec5fceb7d368db85b9cc5d9a089e2f566068b2de79107002fa1a72e8d68259805c55a30b4823983512b7807126d7

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

C2

194.5.98.188:3364

194.5.98.188:3366

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
j5m52xuc
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2992-146-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral2/memory/2992-148-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral2/memory/2992-151-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral2/memory/2992-163-0x0000000000400000-0x0000000000433000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

7d8baae21bcb552ebcd990c0f242ad47aea319b8f3b88b6f50b3d11e65b00e6d.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\International\Geo\Nation	7d8baae21bcb552ebcd990c0f242ad47aea319b8f3b88b6f50b3d11e65b00e6d.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

7d8baae21bcb552ebcd990c0f242ad47aea319b8f3b88b6f50b3d11e65b00e6d.exe

description	pid	process	target process
PID 4808 set thread context of 2992	4808	7d8baae21bcb552ebcd990c0f242ad47aea319b8f3b88b6f50b3d11e65b00e6d.exe	7d8baae21bcb552ebcd990c0f242ad47aea319b8f3b88b6f50b3d11e65b00e6d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3212 schtasks.exe

pid	process
3212	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

7d8baae21bcb552ebcd990c0f242ad47aea319b8f3b88b6f50b3d11e65b00e6d.exepowershell.exe

pid	process
4808	7d8baae21bcb552ebcd990c0f242ad47aea319b8f3b88b6f50b3d11e65b00e6d.exe
4808	7d8baae21bcb552ebcd990c0f242ad47aea319b8f3b88b6f50b3d11e65b00e6d.exe
4808	7d8baae21bcb552ebcd990c0f242ad47aea319b8f3b88b6f50b3d11e65b00e6d.exe
4808	7d8baae21bcb552ebcd990c0f242ad47aea319b8f3b88b6f50b3d11e65b00e6d.exe
4728	powershell.exe
4728	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

7d8baae21bcb552ebcd990c0f242ad47aea319b8f3b88b6f50b3d11e65b00e6d.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4808	7d8baae21bcb552ebcd990c0f242ad47aea319b8f3b88b6f50b3d11e65b00e6d.exe
Token: SeDebugPrivilege	4728	powershell.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

7d8baae21bcb552ebcd990c0f242ad47aea319b8f3b88b6f50b3d11e65b00e6d.exe

C:\Users\Admin\AppData\Local\Temp\7d8baae21bcb552ebcd990c0f242ad47aea319b8f3b88b6f50b3d11e65b00e6d.exe
"C:\Users\Admin\AppData\Local\Temp\7d8baae21bcb552ebcd990c0f242ad47aea319b8f3b88b6f50b3d11e65b00e6d.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4808

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GCwwHNZZQllj.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4728

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GCwwHNZZQllj" /XML "C:\Users\Admin\AppData\Local\Temp\tmp114.tmp"
2⤵
- Creates scheduled task(s)
PID:3212

C:\Users\Admin\AppData\Local\Temp\7d8baae21bcb552ebcd990c0f242ad47aea319b8f3b88b6f50b3d11e65b00e6d.exe
"C:\Users\Admin\AppData\Local\Temp\7d8baae21bcb552ebcd990c0f242ad47aea319b8f3b88b6f50b3d11e65b00e6d.exe"
2⤵
PID:936

C:\Users\Admin\AppData\Local\Temp\7d8baae21bcb552ebcd990c0f242ad47aea319b8f3b88b6f50b3d11e65b00e6d.exe
"C:\Users\Admin\AppData\Local\Temp\7d8baae21bcb552ebcd990c0f242ad47aea319b8f3b88b6f50b3d11e65b00e6d.exe"
2⤵
PID:4484

C:\Users\Admin\AppData\Local\Temp\7d8baae21bcb552ebcd990c0f242ad47aea319b8f3b88b6f50b3d11e65b00e6d.exe
"C:\Users\Admin\AppData\Local\Temp\7d8baae21bcb552ebcd990c0f242ad47aea319b8f3b88b6f50b3d11e65b00e6d.exe"
2⤵
PID:2992

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp114.tmp

Filesize
1KB

MD5
2be9de33a5376d299e3027c6f291add6

SHA1
15935a3a5d91bb22e78f6c62f47869998df4122b

SHA256
0ed25dbf90e31df54a5053c1d0c4d9b5472c44b2e9e088cd8873fd29f5a5cca4

SHA512
e012b0f3cdb30bb9dd8bff02060fbbab782f482fb6b7af38cbde17b796ac83878dfe8a7649bc846b8059854e66799c01c25936d0cc8909f8169a0670cb057cea

Download Submit
memory/936-143-0x0000000000000000-mapping.dmp

Download
memory/2992-163-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2992-151-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2992-148-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2992-146-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2992-145-0x0000000000000000-mapping.dmp

Download
memory/3212-139-0x0000000000000000-mapping.dmp

Download
memory/4484-144-0x0000000000000000-mapping.dmp

Download
memory/4728-149-0x0000000005110000-0x0000000005132000-memory.dmp

Filesize
136KB

Download
memory/4728-160-0x0000000007590000-0x000000000759E000-memory.dmp

Filesize
56KB

Download
memory/4728-138-0x0000000000000000-mapping.dmp

Download
memory/4728-162-0x0000000007680000-0x0000000007688000-memory.dmp

Filesize
32KB

Download
memory/4728-150-0x0000000005990000-0x00000000059F6000-memory.dmp

Filesize
408KB

Download
memory/4728-161-0x00000000076A0000-0x00000000076BA000-memory.dmp

Filesize
104KB

Download
memory/4728-142-0x00000000051F0000-0x0000000005818000-memory.dmp

Filesize
6.2MB

Download
memory/4728-158-0x00000000073D0000-0x00000000073DA000-memory.dmp

Filesize
40KB

Download
memory/4728-140-0x0000000004A80000-0x0000000004AB6000-memory.dmp

Filesize
216KB

Download
memory/4728-159-0x00000000075E0000-0x0000000007676000-memory.dmp

Filesize
600KB

Download
memory/4728-152-0x0000000006050000-0x000000000606E000-memory.dmp

Filesize
120KB

Download
memory/4728-153-0x0000000006610000-0x0000000006642000-memory.dmp

Filesize
200KB

Download
memory/4728-154-0x0000000070270000-0x00000000702BC000-memory.dmp

Filesize
304KB

Download
memory/4728-155-0x0000000007010000-0x000000000702E000-memory.dmp

Filesize
120KB

Download
memory/4728-156-0x00000000079A0000-0x000000000801A000-memory.dmp

Filesize
6.5MB

Download
memory/4728-157-0x0000000007360000-0x000000000737A000-memory.dmp

Filesize
104KB

Download
memory/4808-137-0x0000000008FC0000-0x0000000009026000-memory.dmp

Filesize
408KB

Download
memory/4808-134-0x0000000005490000-0x0000000005522000-memory.dmp

Filesize
584KB

Download
memory/4808-135-0x0000000005640000-0x000000000564A000-memory.dmp

Filesize
40KB

Download
memory/4808-136-0x0000000008F20000-0x0000000008FBC000-memory.dmp

Filesize
624KB

Download
memory/4808-132-0x00000000009F0000-0x0000000000AD2000-memory.dmp

Filesize
904KB

Download
memory/4808-133-0x0000000005A40000-0x0000000005FE4000-memory.dmp

Filesize
5.6MB

Download

description	pid	process	target process
PID 4808 wrote to memory of 4728	4808	7d8baae21bcb552ebcd990c0f242ad47aea319b8f3b88b6f50b3d11e65b00e6d.exe	powershell.exe
PID 4808 wrote to memory of 4728	4808	7d8baae21bcb552ebcd990c0f242ad47aea319b8f3b88b6f50b3d11e65b00e6d.exe	powershell.exe
PID 4808 wrote to memory of 4728	4808	7d8baae21bcb552ebcd990c0f242ad47aea319b8f3b88b6f50b3d11e65b00e6d.exe	powershell.exe
PID 4808 wrote to memory of 3212	4808	7d8baae21bcb552ebcd990c0f242ad47aea319b8f3b88b6f50b3d11e65b00e6d.exe	schtasks.exe
PID 4808 wrote to memory of 3212	4808	7d8baae21bcb552ebcd990c0f242ad47aea319b8f3b88b6f50b3d11e65b00e6d.exe	schtasks.exe
PID 4808 wrote to memory of 3212	4808	7d8baae21bcb552ebcd990c0f242ad47aea319b8f3b88b6f50b3d11e65b00e6d.exe	schtasks.exe
PID 4808 wrote to memory of 936	4808	7d8baae21bcb552ebcd990c0f242ad47aea319b8f3b88b6f50b3d11e65b00e6d.exe	7d8baae21bcb552ebcd990c0f242ad47aea319b8f3b88b6f50b3d11e65b00e6d.exe
PID 4808 wrote to memory of 936	4808	7d8baae21bcb552ebcd990c0f242ad47aea319b8f3b88b6f50b3d11e65b00e6d.exe	7d8baae21bcb552ebcd990c0f242ad47aea319b8f3b88b6f50b3d11e65b00e6d.exe
PID 4808 wrote to memory of 936	4808	7d8baae21bcb552ebcd990c0f242ad47aea319b8f3b88b6f50b3d11e65b00e6d.exe	7d8baae21bcb552ebcd990c0f242ad47aea319b8f3b88b6f50b3d11e65b00e6d.exe
PID 4808 wrote to memory of 4484	4808	7d8baae21bcb552ebcd990c0f242ad47aea319b8f3b88b6f50b3d11e65b00e6d.exe	7d8baae21bcb552ebcd990c0f242ad47aea319b8f3b88b6f50b3d11e65b00e6d.exe
PID 4808 wrote to memory of 4484	4808	7d8baae21bcb552ebcd990c0f242ad47aea319b8f3b88b6f50b3d11e65b00e6d.exe	7d8baae21bcb552ebcd990c0f242ad47aea319b8f3b88b6f50b3d11e65b00e6d.exe
PID 4808 wrote to memory of 4484	4808	7d8baae21bcb552ebcd990c0f242ad47aea319b8f3b88b6f50b3d11e65b00e6d.exe	7d8baae21bcb552ebcd990c0f242ad47aea319b8f3b88b6f50b3d11e65b00e6d.exe
PID 4808 wrote to memory of 2992	4808	7d8baae21bcb552ebcd990c0f242ad47aea319b8f3b88b6f50b3d11e65b00e6d.exe	7d8baae21bcb552ebcd990c0f242ad47aea319b8f3b88b6f50b3d11e65b00e6d.exe
PID 4808 wrote to memory of 2992	4808	7d8baae21bcb552ebcd990c0f242ad47aea319b8f3b88b6f50b3d11e65b00e6d.exe	7d8baae21bcb552ebcd990c0f242ad47aea319b8f3b88b6f50b3d11e65b00e6d.exe
PID 4808 wrote to memory of 2992	4808	7d8baae21bcb552ebcd990c0f242ad47aea319b8f3b88b6f50b3d11e65b00e6d.exe	7d8baae21bcb552ebcd990c0f242ad47aea319b8f3b88b6f50b3d11e65b00e6d.exe
PID 4808 wrote to memory of 2992	4808	7d8baae21bcb552ebcd990c0f242ad47aea319b8f3b88b6f50b3d11e65b00e6d.exe	7d8baae21bcb552ebcd990c0f242ad47aea319b8f3b88b6f50b3d11e65b00e6d.exe
PID 4808 wrote to memory of 2992	4808	7d8baae21bcb552ebcd990c0f242ad47aea319b8f3b88b6f50b3d11e65b00e6d.exe	7d8baae21bcb552ebcd990c0f242ad47aea319b8f3b88b6f50b3d11e65b00e6d.exe
PID 4808 wrote to memory of 2992	4808	7d8baae21bcb552ebcd990c0f242ad47aea319b8f3b88b6f50b3d11e65b00e6d.exe	7d8baae21bcb552ebcd990c0f242ad47aea319b8f3b88b6f50b3d11e65b00e6d.exe
PID 4808 wrote to memory of 2992	4808	7d8baae21bcb552ebcd990c0f242ad47aea319b8f3b88b6f50b3d11e65b00e6d.exe	7d8baae21bcb552ebcd990c0f242ad47aea319b8f3b88b6f50b3d11e65b00e6d.exe
PID 4808 wrote to memory of 2992	4808	7d8baae21bcb552ebcd990c0f242ad47aea319b8f3b88b6f50b3d11e65b00e6d.exe	7d8baae21bcb552ebcd990c0f242ad47aea319b8f3b88b6f50b3d11e65b00e6d.exe
PID 4808 wrote to memory of 2992	4808	7d8baae21bcb552ebcd990c0f242ad47aea319b8f3b88b6f50b3d11e65b00e6d.exe	7d8baae21bcb552ebcd990c0f242ad47aea319b8f3b88b6f50b3d11e65b00e6d.exe
PID 4808 wrote to memory of 2992	4808	7d8baae21bcb552ebcd990c0f242ad47aea319b8f3b88b6f50b3d11e65b00e6d.exe	7d8baae21bcb552ebcd990c0f242ad47aea319b8f3b88b6f50b3d11e65b00e6d.exe
PID 4808 wrote to memory of 2992	4808	7d8baae21bcb552ebcd990c0f242ad47aea319b8f3b88b6f50b3d11e65b00e6d.exe	7d8baae21bcb552ebcd990c0f242ad47aea319b8f3b88b6f50b3d11e65b00e6d.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads