netwire | d70365481fb4806130743afd199697eb981a0eb2756754ecc548f5b30c2203a5

General

Target

VIRGINIA-TAX-RETURN-2021-US-EXT.doc
Size

4.5MB
MD5

e302ec600c469b71aca2876efe3a81a0
SHA1

da63fbb7f05c213dfb07cb1fe93b92fcf251c8b7
SHA256

d70365481fb4806130743afd199697eb981a0eb2756754ecc548f5b30c2203a5
SHA512

45f8dcb0178398990c9ffe19fc162e4f47b612f119a7e5017749f3570467de7237c7f4cb79992f93e987181b3b2cd42dce50502286184d9269895e2421064a8c

Score

10^/10

netwire botnet rat stealer

Malware Config

Signatures

NetWire RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1400-148-0x00000000067D0000-0x0000000006810000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Blocklisted process makes network request 2 IoCs

Processes:

cmd.exe

flow pid process

46 3416 cmd.exe
78 3416 cmd.exe
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

MsiDb.exe

pid process

2212 MsiDb.exe
Loads dropped DLL 1 IoCs

Processes:

MsiDb.exe

pid process

2212 MsiDb.exe
Drops file in Windows directory 1 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Windows\Tasks\MsiDb.job cmd.exe

flow	pid	process
46	3416	cmd.exe
78	3416	cmd.exe

pid	process
2212	MsiDb.exe

pid	process
2212	MsiDb.exe

description	ioc	process
File created	C:\Windows\Tasks\MsiDb.job	cmd.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 23 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

3888 WINWORD.EXE
3888 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

MsiDb.execmd.exe

pid process

2212 MsiDb.exe
1400 cmd.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

cmd.exe

pid process

1400 cmd.exe
Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

WINWORD.EXE

pid process

3888 WINWORD.EXE
3888 WINWORD.EXE
3888 WINWORD.EXE
3888 WINWORD.EXE
3888 WINWORD.EXE
3888 WINWORD.EXE
3888 WINWORD.EXE
3888 WINWORD.EXE
3888 WINWORD.EXE

description	flow	ioc
HTTP User-Agent header	23	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
3888	WINWORD.EXE
3888	WINWORD.EXE

pid	process
2212	MsiDb.exe
1400	cmd.exe

pid	process
1400	cmd.exe

pid	process
3888	WINWORD.EXE
3888	WINWORD.EXE
3888	WINWORD.EXE
3888	WINWORD.EXE
3888	WINWORD.EXE
3888	WINWORD.EXE
3888	WINWORD.EXE
3888	WINWORD.EXE
3888	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

WINWORD.EXEMsiDb.exe

description	pid	process	target process
PID 3888 wrote to memory of 2212	3888	WINWORD.EXE	MsiDb.exe
PID 3888 wrote to memory of 2212	3888	WINWORD.EXE	MsiDb.exe
PID 3888 wrote to memory of 2212	3888	WINWORD.EXE	MsiDb.exe
PID 2212 wrote to memory of 1400	2212	MsiDb.exe	cmd.exe
PID 2212 wrote to memory of 1400	2212	MsiDb.exe	cmd.exe
PID 2212 wrote to memory of 1400	2212	MsiDb.exe	cmd.exe
PID 2212 wrote to memory of 1400	2212	MsiDb.exe	cmd.exe
PID 2212 wrote to memory of 1400	2212	MsiDb.exe	cmd.exe
PID 2212 wrote to memory of 1400	2212	MsiDb.exe	cmd.exe
PID 2212 wrote to memory of 1400	2212	MsiDb.exe	cmd.exe
PID 2212 wrote to memory of 1400	2212	MsiDb.exe	cmd.exe
PID 2212 wrote to memory of 1400	2212	MsiDb.exe	cmd.exe
PID 2212 wrote to memory of 1400	2212	MsiDb.exe	cmd.exe
PID 2212 wrote to memory of 1400	2212	MsiDb.exe	cmd.exe
PID 2212 wrote to memory of 1400	2212	MsiDb.exe	cmd.exe
PID 2212 wrote to memory of 1400	2212	MsiDb.exe	cmd.exe
PID 2212 wrote to memory of 1400	2212	MsiDb.exe	cmd.exe
PID 2212 wrote to memory of 1400	2212	MsiDb.exe	cmd.exe
PID 2212 wrote to memory of 1400	2212	MsiDb.exe	cmd.exe
PID 2212 wrote to memory of 1400	2212	MsiDb.exe	cmd.exe
PID 2212 wrote to memory of 1400	2212	MsiDb.exe	cmd.exe
PID 2212 wrote to memory of 1400	2212	MsiDb.exe	cmd.exe
PID 2212 wrote to memory of 1400	2212	MsiDb.exe	cmd.exe
PID 2212 wrote to memory of 1400	2212	MsiDb.exe	cmd.exe
PID 2212 wrote to memory of 1400	2212	MsiDb.exe	cmd.exe
PID 2212 wrote to memory of 1400	2212	MsiDb.exe	cmd.exe
PID 2212 wrote to memory of 1400	2212	MsiDb.exe	cmd.exe
PID 2212 wrote to memory of 1400	2212	MsiDb.exe	cmd.exe
PID 2212 wrote to memory of 1400	2212	MsiDb.exe	cmd.exe
PID 2212 wrote to memory of 1400	2212	MsiDb.exe	cmd.exe
PID 2212 wrote to memory of 1400	2212	MsiDb.exe	cmd.exe
PID 2212 wrote to memory of 1400	2212	MsiDb.exe	cmd.exe
PID 2212 wrote to memory of 1400	2212	MsiDb.exe	cmd.exe
PID 2212 wrote to memory of 1400	2212	MsiDb.exe	cmd.exe
PID 2212 wrote to memory of 1400	2212	MsiDb.exe	cmd.exe
PID 2212 wrote to memory of 1400	2212	MsiDb.exe	cmd.exe
PID 2212 wrote to memory of 1400	2212	MsiDb.exe	cmd.exe
PID 2212 wrote to memory of 1400	2212	MsiDb.exe	cmd.exe
PID 2212 wrote to memory of 1400	2212	MsiDb.exe	cmd.exe
PID 2212 wrote to memory of 1400	2212	MsiDb.exe	cmd.exe
PID 2212 wrote to memory of 1400	2212	MsiDb.exe	cmd.exe
PID 2212 wrote to memory of 1400	2212	MsiDb.exe	cmd.exe
PID 2212 wrote to memory of 1400	2212	MsiDb.exe	cmd.exe
PID 2212 wrote to memory of 1400	2212	MsiDb.exe	cmd.exe
PID 2212 wrote to memory of 1400	2212	MsiDb.exe	cmd.exe
PID 2212 wrote to memory of 1400	2212	MsiDb.exe	cmd.exe
PID 2212 wrote to memory of 1400	2212	MsiDb.exe	cmd.exe
PID 2212 wrote to memory of 1400	2212	MsiDb.exe	cmd.exe
PID 2212 wrote to memory of 1400	2212	MsiDb.exe	cmd.exe
PID 2212 wrote to memory of 1400	2212	MsiDb.exe	cmd.exe
PID 2212 wrote to memory of 1400	2212	MsiDb.exe	cmd.exe
PID 2212 wrote to memory of 1400	2212	MsiDb.exe	cmd.exe
PID 2212 wrote to memory of 1400	2212	MsiDb.exe	cmd.exe
PID 2212 wrote to memory of 1400	2212	MsiDb.exe	cmd.exe
PID 2212 wrote to memory of 1400	2212	MsiDb.exe	cmd.exe
PID 2212 wrote to memory of 1400	2212	MsiDb.exe	cmd.exe
PID 2212 wrote to memory of 1400	2212	MsiDb.exe	cmd.exe
PID 2212 wrote to memory of 1400	2212	MsiDb.exe	cmd.exe
PID 2212 wrote to memory of 1400	2212	MsiDb.exe	cmd.exe
PID 2212 wrote to memory of 1400	2212	MsiDb.exe	cmd.exe
PID 2212 wrote to memory of 1400	2212	MsiDb.exe	cmd.exe
PID 2212 wrote to memory of 1400	2212	MsiDb.exe	cmd.exe
PID 2212 wrote to memory of 1400	2212	MsiDb.exe	cmd.exe
PID 2212 wrote to memory of 1400	2212	MsiDb.exe	cmd.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\VIRGINIA-TAX-RETURN-2021-US-EXT.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3888

C:\Users\Admin\AppData\Roaming\MsiDb.exe
C:\Users\Admin\AppData\Roaming\MsiDb.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2212

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1400

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
4⤵
- Blocklisted process makes network request
- Drops file in Windows directory
PID:3416

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\MsiDb.exe
Filesize
150KB

MD5
88f4af07ca066060abc8db7e838f2feb

SHA1
d292822e4119a5a73a8b3cea7ac4beac6cf21829

SHA256
bd231d6b6559ba2d6cf33b7ee55ac038f8007544775e3864d4423aa5773346ef

SHA512
e8a940379b0ecf2d192eec3880b4685c19ff672f9c3c022eac9549dc8ded136c5760ac9e210747bec60fabe98a48d547940c508a70367d8a6e91717c8acbb07b

Download Submit
C:\Users\Admin\AppData\Roaming\MsiDb.exe
Filesize
150KB

MD5
88f4af07ca066060abc8db7e838f2feb

SHA1
d292822e4119a5a73a8b3cea7ac4beac6cf21829

SHA256
bd231d6b6559ba2d6cf33b7ee55ac038f8007544775e3864d4423aa5773346ef

SHA512
e8a940379b0ecf2d192eec3880b4685c19ff672f9c3c022eac9549dc8ded136c5760ac9e210747bec60fabe98a48d547940c508a70367d8a6e91717c8acbb07b

Download Submit
C:\Users\Admin\AppData\Roaming\cs16.cfg
Filesize
1KB

MD5
5e978b9b90817186ade0e1460dd96cc2

SHA1
441ac328c8ba907f16b49a310bb0a137c29537e6

SHA256
6ed65beb692301af5296ba6751063ae40e91c4e69ced43560c67ce58165c36b5

SHA512
dfa9d4112273f607830d044ef6eae7215ecd2dfd5a9cdaffc498753dee66438b5d2fd46eedcc55c02334ab3f07af89d6d785ee4f9ca3076fb3ffb59793068353

Download Submit
C:\Users\Admin\AppData\Roaming\cs16.wav
Filesize
36KB

MD5
0bd497e905a9ebd04eb0ec6adaf27a23

SHA1
3b116c5ad39439994245e1a0b64d1fe7ff156ab9

SHA256
0c8c431a1f589fdcf453c7afada63c2e2e2a887e49abdbb222983fa6044fdf66

SHA512
96b42ee35b122b06e03c484e30752987e70e914badf931f66a43cc8eb5c807835c09e2ae8164edc311f2985341acd601996e3d81e8f0a699272fda9a157028b4

Download Submit
C:\Users\Admin\AppData\Roaming\msi.dll
Filesize
3.7MB

MD5
798dc380c028f41fd22b80236dd431dc

SHA1
287f7c9a75a62a90268890d671202b10bcf8bfa2

SHA256
16227f50bbe42a13a2abf0bf0e146f356863de59525c54909ea8ccc2db448f77

SHA512
6666a9e3553bc42a091194499009cbff3ce06fe78b64b49f34b02d324bfb4d9b09d029aa664e402507cb5fbc27517ab8fe47677d9d84f0b4516936047e443bfa

Download Submit
C:\Users\Admin\AppData\Roaming\msi.dll
Filesize
3.7MB

MD5
798dc380c028f41fd22b80236dd431dc

SHA1
287f7c9a75a62a90268890d671202b10bcf8bfa2

SHA256
16227f50bbe42a13a2abf0bf0e146f356863de59525c54909ea8ccc2db448f77

SHA512
6666a9e3553bc42a091194499009cbff3ce06fe78b64b49f34b02d324bfb4d9b09d029aa664e402507cb5fbc27517ab8fe47677d9d84f0b4516936047e443bfa

Download Submit
C:\Users\Admin\AppData\Roaming\paper.png
Filesize
455KB

MD5
97b922ff7d2eb9e04cfae19c8e1a06fa

SHA1
8fb8bb24bea9291dbcd7fcf38d035245ac07d032

SHA256
058765e488d99527ec94c0172bab153cfcd860e01312c9dedeac55f8a2a1dc17

SHA512
8a512663dbae5b9b99d44933cae29082074bc7fa430f30a41ba6ac39fc71df170f8e15243e7f4d64f1dc06263afb89794be7e756ee058ec4fe3fc9c0faa86f1e

Download Submit
memory/1400-148-0x00000000067D0000-0x0000000006810000-memory.dmp

Filesize
256KB

Download
memory/1400-144-0x0000000000000000-mapping.dmp

Download
memory/1400-151-0x00000000067D8000-0x00000000067E8000-memory.dmp

Filesize
64KB

Download
memory/1400-149-0x00007FFA73630000-0x00007FFA73825000-memory.dmp

Filesize
2.0MB

Download
memory/1400-147-0x0000000000F20000-0x0000000000F28000-memory.dmp

Filesize
32KB

Download
memory/2212-137-0x0000000000000000-mapping.dmp

Download
memory/2212-146-0x0000000000DFF000-0x0000000000E09000-memory.dmp

Filesize
40KB

Download
memory/3416-150-0x0000000000000000-mapping.dmp

Download
memory/3416-152-0x0000000000970000-0x0000000000979000-memory.dmp

Filesize
36KB

Download
memory/3416-153-0x00007FFA73630000-0x00007FFA73825000-memory.dmp

Filesize
2.0MB

Download
memory/3888-131-0x00007FFA336B0000-0x00007FFA336C0000-memory.dmp

Filesize
64KB

Download
memory/3888-132-0x00007FFA336B0000-0x00007FFA336C0000-memory.dmp

Filesize
64KB

Download
memory/3888-133-0x00007FFA336B0000-0x00007FFA336C0000-memory.dmp

Filesize
64KB

Download
memory/3888-130-0x00007FFA336B0000-0x00007FFA336C0000-memory.dmp

Filesize
64KB

Download
memory/3888-134-0x00007FFA336B0000-0x00007FFA336C0000-memory.dmp

Filesize
64KB

Download
memory/3888-135-0x00007FFA31520000-0x00007FFA31530000-memory.dmp

Filesize
64KB

Download
memory/3888-136-0x00007FFA31520000-0x00007FFA31530000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads