netwire | 9dd709cb989d985a6cfee4a254f894a3b878a03962dbf253cb09a24ece455d58

General

Target

9dd709cb989d985a6cfee4a254f894a3b878a03962dbf253cb09a24ece455d58.doc
Size

4.5MB
MD5

3170f2327759079f7c8b609f14c89741
SHA1

f5e92833c79073ee5c3a764492dc40ce8fd0c244
SHA256

9dd709cb989d985a6cfee4a254f894a3b878a03962dbf253cb09a24ece455d58
SHA512

5028416e4d65c4ff507f2b9ad68dc3977232fb1fcdad383d379d1abdd3610187eb545a28b9780927658a0b8e1124982e3513a7f07e062bfce41d07e700bc9309

Score

10^/10

netwire botnet rat stealer

Malware Config

Signatures

NetWire RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1640-148-0x0000000005E90000-0x0000000005ED0000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Blocklisted process makes network request 2 IoCs

Processes:

cmd.exe

flow pid process

37 3636 cmd.exe
66 3636 cmd.exe
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

MsiDb.exe

pid process

364 MsiDb.exe
Loads dropped DLL 1 IoCs

Processes:

MsiDb.exe

pid process

364 MsiDb.exe
Drops file in Windows directory 1 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Windows\Tasks\MsiDb.job cmd.exe

flow	pid	process
37	3636	cmd.exe
66	3636	cmd.exe

pid	process
364	MsiDb.exe

pid	process
364	MsiDb.exe

description	ioc	process
File created	C:\Windows\Tasks\MsiDb.job	cmd.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 15 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

3932 WINWORD.EXE
3932 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

MsiDb.execmd.exe

pid process

364 MsiDb.exe
1640 cmd.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

cmd.exe

pid process

1640 cmd.exe
Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

WINWORD.EXE

pid process

3932 WINWORD.EXE
3932 WINWORD.EXE
3932 WINWORD.EXE
3932 WINWORD.EXE
3932 WINWORD.EXE
3932 WINWORD.EXE
3932 WINWORD.EXE
3932 WINWORD.EXE
3932 WINWORD.EXE

description	flow	ioc
HTTP User-Agent header	15	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
3932	WINWORD.EXE
3932	WINWORD.EXE

pid	process
364	MsiDb.exe
1640	cmd.exe

pid	process
1640	cmd.exe

pid	process
3932	WINWORD.EXE
3932	WINWORD.EXE
3932	WINWORD.EXE
3932	WINWORD.EXE
3932	WINWORD.EXE
3932	WINWORD.EXE
3932	WINWORD.EXE
3932	WINWORD.EXE
3932	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

WINWORD.EXEMsiDb.exe

description	pid	process	target process
PID 3932 wrote to memory of 364	3932	WINWORD.EXE	MsiDb.exe
PID 3932 wrote to memory of 364	3932	WINWORD.EXE	MsiDb.exe
PID 3932 wrote to memory of 364	3932	WINWORD.EXE	MsiDb.exe
PID 364 wrote to memory of 1640	364	MsiDb.exe	cmd.exe
PID 364 wrote to memory of 1640	364	MsiDb.exe	cmd.exe
PID 364 wrote to memory of 1640	364	MsiDb.exe	cmd.exe
PID 364 wrote to memory of 1640	364	MsiDb.exe	cmd.exe
PID 364 wrote to memory of 1640	364	MsiDb.exe	cmd.exe
PID 364 wrote to memory of 1640	364	MsiDb.exe	cmd.exe
PID 364 wrote to memory of 1640	364	MsiDb.exe	cmd.exe
PID 364 wrote to memory of 1640	364	MsiDb.exe	cmd.exe
PID 364 wrote to memory of 1640	364	MsiDb.exe	cmd.exe
PID 364 wrote to memory of 1640	364	MsiDb.exe	cmd.exe
PID 364 wrote to memory of 1640	364	MsiDb.exe	cmd.exe
PID 364 wrote to memory of 1640	364	MsiDb.exe	cmd.exe
PID 364 wrote to memory of 1640	364	MsiDb.exe	cmd.exe
PID 364 wrote to memory of 1640	364	MsiDb.exe	cmd.exe
PID 364 wrote to memory of 1640	364	MsiDb.exe	cmd.exe
PID 364 wrote to memory of 1640	364	MsiDb.exe	cmd.exe
PID 364 wrote to memory of 1640	364	MsiDb.exe	cmd.exe
PID 364 wrote to memory of 1640	364	MsiDb.exe	cmd.exe
PID 364 wrote to memory of 1640	364	MsiDb.exe	cmd.exe
PID 364 wrote to memory of 1640	364	MsiDb.exe	cmd.exe
PID 364 wrote to memory of 1640	364	MsiDb.exe	cmd.exe
PID 364 wrote to memory of 1640	364	MsiDb.exe	cmd.exe
PID 364 wrote to memory of 1640	364	MsiDb.exe	cmd.exe
PID 364 wrote to memory of 1640	364	MsiDb.exe	cmd.exe
PID 364 wrote to memory of 1640	364	MsiDb.exe	cmd.exe
PID 364 wrote to memory of 1640	364	MsiDb.exe	cmd.exe
PID 364 wrote to memory of 1640	364	MsiDb.exe	cmd.exe
PID 364 wrote to memory of 1640	364	MsiDb.exe	cmd.exe
PID 364 wrote to memory of 1640	364	MsiDb.exe	cmd.exe
PID 364 wrote to memory of 1640	364	MsiDb.exe	cmd.exe
PID 364 wrote to memory of 1640	364	MsiDb.exe	cmd.exe
PID 364 wrote to memory of 1640	364	MsiDb.exe	cmd.exe
PID 364 wrote to memory of 1640	364	MsiDb.exe	cmd.exe
PID 364 wrote to memory of 1640	364	MsiDb.exe	cmd.exe
PID 364 wrote to memory of 1640	364	MsiDb.exe	cmd.exe
PID 364 wrote to memory of 1640	364	MsiDb.exe	cmd.exe
PID 364 wrote to memory of 1640	364	MsiDb.exe	cmd.exe
PID 364 wrote to memory of 1640	364	MsiDb.exe	cmd.exe
PID 364 wrote to memory of 1640	364	MsiDb.exe	cmd.exe
PID 364 wrote to memory of 1640	364	MsiDb.exe	cmd.exe
PID 364 wrote to memory of 1640	364	MsiDb.exe	cmd.exe
PID 364 wrote to memory of 1640	364	MsiDb.exe	cmd.exe
PID 364 wrote to memory of 1640	364	MsiDb.exe	cmd.exe
PID 364 wrote to memory of 1640	364	MsiDb.exe	cmd.exe
PID 364 wrote to memory of 1640	364	MsiDb.exe	cmd.exe
PID 364 wrote to memory of 1640	364	MsiDb.exe	cmd.exe
PID 364 wrote to memory of 1640	364	MsiDb.exe	cmd.exe
PID 364 wrote to memory of 1640	364	MsiDb.exe	cmd.exe
PID 364 wrote to memory of 1640	364	MsiDb.exe	cmd.exe
PID 364 wrote to memory of 1640	364	MsiDb.exe	cmd.exe
PID 364 wrote to memory of 1640	364	MsiDb.exe	cmd.exe
PID 364 wrote to memory of 1640	364	MsiDb.exe	cmd.exe
PID 364 wrote to memory of 1640	364	MsiDb.exe	cmd.exe
PID 364 wrote to memory of 1640	364	MsiDb.exe	cmd.exe
PID 364 wrote to memory of 1640	364	MsiDb.exe	cmd.exe
PID 364 wrote to memory of 1640	364	MsiDb.exe	cmd.exe
PID 364 wrote to memory of 1640	364	MsiDb.exe	cmd.exe
PID 364 wrote to memory of 1640	364	MsiDb.exe	cmd.exe
PID 364 wrote to memory of 1640	364	MsiDb.exe	cmd.exe
PID 364 wrote to memory of 1640	364	MsiDb.exe	cmd.exe
PID 364 wrote to memory of 1640	364	MsiDb.exe	cmd.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\9dd709cb989d985a6cfee4a254f894a3b878a03962dbf253cb09a24ece455d58.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3932

C:\Users\Admin\AppData\Roaming\MsiDb.exe
C:\Users\Admin\AppData\Roaming\MsiDb.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:364

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1640

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
4⤵
- Blocklisted process makes network request
- Drops file in Windows directory
PID:3636

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\MsiDb.exe
Filesize
150KB

MD5
88f4af07ca066060abc8db7e838f2feb

SHA1
d292822e4119a5a73a8b3cea7ac4beac6cf21829

SHA256
bd231d6b6559ba2d6cf33b7ee55ac038f8007544775e3864d4423aa5773346ef

SHA512
e8a940379b0ecf2d192eec3880b4685c19ff672f9c3c022eac9549dc8ded136c5760ac9e210747bec60fabe98a48d547940c508a70367d8a6e91717c8acbb07b

Download Submit
C:\Users\Admin\AppData\Roaming\MsiDb.exe
Filesize
150KB

MD5
88f4af07ca066060abc8db7e838f2feb

SHA1
d292822e4119a5a73a8b3cea7ac4beac6cf21829

SHA256
bd231d6b6559ba2d6cf33b7ee55ac038f8007544775e3864d4423aa5773346ef

SHA512
e8a940379b0ecf2d192eec3880b4685c19ff672f9c3c022eac9549dc8ded136c5760ac9e210747bec60fabe98a48d547940c508a70367d8a6e91717c8acbb07b

Download Submit
C:\Users\Admin\AppData\Roaming\cs16.cfg
Filesize
1KB

MD5
5e978b9b90817186ade0e1460dd96cc2

SHA1
441ac328c8ba907f16b49a310bb0a137c29537e6

SHA256
6ed65beb692301af5296ba6751063ae40e91c4e69ced43560c67ce58165c36b5

SHA512
dfa9d4112273f607830d044ef6eae7215ecd2dfd5a9cdaffc498753dee66438b5d2fd46eedcc55c02334ab3f07af89d6d785ee4f9ca3076fb3ffb59793068353

Download Submit
C:\Users\Admin\AppData\Roaming\cs16.wav
Filesize
36KB

MD5
0bd497e905a9ebd04eb0ec6adaf27a23

SHA1
3b116c5ad39439994245e1a0b64d1fe7ff156ab9

SHA256
0c8c431a1f589fdcf453c7afada63c2e2e2a887e49abdbb222983fa6044fdf66

SHA512
96b42ee35b122b06e03c484e30752987e70e914badf931f66a43cc8eb5c807835c09e2ae8164edc311f2985341acd601996e3d81e8f0a699272fda9a157028b4

Download Submit
C:\Users\Admin\AppData\Roaming\msi.dll
Filesize
3.7MB

MD5
798dc380c028f41fd22b80236dd431dc

SHA1
287f7c9a75a62a90268890d671202b10bcf8bfa2

SHA256
16227f50bbe42a13a2abf0bf0e146f356863de59525c54909ea8ccc2db448f77

SHA512
6666a9e3553bc42a091194499009cbff3ce06fe78b64b49f34b02d324bfb4d9b09d029aa664e402507cb5fbc27517ab8fe47677d9d84f0b4516936047e443bfa

Download Submit
C:\Users\Admin\AppData\Roaming\msi.dll
Filesize
3.7MB

MD5
798dc380c028f41fd22b80236dd431dc

SHA1
287f7c9a75a62a90268890d671202b10bcf8bfa2

SHA256
16227f50bbe42a13a2abf0bf0e146f356863de59525c54909ea8ccc2db448f77

SHA512
6666a9e3553bc42a091194499009cbff3ce06fe78b64b49f34b02d324bfb4d9b09d029aa664e402507cb5fbc27517ab8fe47677d9d84f0b4516936047e443bfa

Download Submit
C:\Users\Admin\AppData\Roaming\paper.png
Filesize
455KB

MD5
7f475e0a758f41e48645282ed799e29d

SHA1
43a85c79f63fc33e2062a45b2ec333c58130a752

SHA256
09f26f3776c630337688c765ad554c1b817c8c920c8afbd6607a0e56b50b2841

SHA512
a43c556a73838d4438ec50c1b7fbbe0cc23641f0e45afc7be63a861d2882a81505861d347110557e90c862fc45749c59683c768b7c04015396095a7c2e6ca0b9

Download Submit
memory/364-158-0x0000000000F3F000-0x0000000000F49000-memory.dmp

Filesize
40KB

Download
memory/364-144-0x0000000000F3F000-0x0000000000F49000-memory.dmp

Filesize
40KB

Download
memory/364-137-0x0000000000000000-mapping.dmp

Download
memory/1640-148-0x0000000005E90000-0x0000000005ED0000-memory.dmp

Filesize
256KB

Download
memory/1640-150-0x0000000005E98000-0x0000000005EA8000-memory.dmp

Filesize
64KB

Download
memory/1640-149-0x00007FF82C290000-0x00007FF82C485000-memory.dmp

Filesize
2.0MB

Download
memory/1640-147-0x00000000008E0000-0x00000000008E8000-memory.dmp

Filesize
32KB

Download
memory/1640-145-0x0000000000000000-mapping.dmp

Download
memory/3636-151-0x0000000000000000-mapping.dmp

Download
memory/3636-152-0x00007FF82C290000-0x00007FF82C485000-memory.dmp

Filesize
2.0MB

Download
memory/3636-153-0x0000000000A40000-0x0000000000A49000-memory.dmp

Filesize
36KB

Download
memory/3932-133-0x00007FF7EC310000-0x00007FF7EC320000-memory.dmp

Filesize
64KB

Download
memory/3932-132-0x00007FF7EC310000-0x00007FF7EC320000-memory.dmp

Filesize
64KB

Download
memory/3932-134-0x00007FF7EC310000-0x00007FF7EC320000-memory.dmp

Filesize
64KB

Download
memory/3932-130-0x00007FF7EC310000-0x00007FF7EC320000-memory.dmp

Filesize
64KB

Download
memory/3932-135-0x00007FF7E9F60000-0x00007FF7E9F70000-memory.dmp

Filesize
64KB

Download
memory/3932-136-0x00007FF7E9F60000-0x00007FF7E9F70000-memory.dmp

Filesize
64KB

Download
memory/3932-131-0x00007FF7EC310000-0x00007FF7EC320000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads