netwire | 89186eaf46c92a3e8db381a239e54a77e214276b8bb0afb17f34c329ad71a495

General

Target

Payment_pdf.js
Size

411KB
MD5

86ce1b0b23b154994c211e323a0e809f
SHA1

54eac40a919784f9b6321a009c050f8504b4783d
SHA256

89186eaf46c92a3e8db381a239e54a77e214276b8bb0afb17f34c329ad71a495
SHA512

6389e55db118e718a3f605d2abcd718ba870ceca89dfe18e24005d3bf0ac00f632287cadcd0cff0569cade33e7a65a313a6b953d0a64ef32e304bf2e1630080c

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Signatures

NetWire RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Host Ip Js StartUp.exe	netwire
C:\Users\Admin\AppData\Roaming\Host Ip Js StartUp.exe	netwire
C:\Users\Admin\AppData\Roaming\Googlee\Notepad.exe	netwire
C:\Users\Admin\AppData\Roaming\Googlee\Notepad.exe	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

Host Ip Js StartUp.exeNotepad.exe

pid process

5008 Host Ip Js StartUp.exe
2248 Notepad.exe

pid	process
5008	Host Ip Js StartUp.exe
2248	Notepad.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wscript.exeHost Ip Js StartUp.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Host Ip Js StartUp.exe

Drops startup file 1 IoCs

Processes:

Notepad.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Note.lnk Notepad.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Note.lnk	Notepad.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Notepad.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	Notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\£2ëUíaÊ—KåL¦K®¨æ = "C:\\Users\\Admin\\AppData\\Roaming\\Googlee\\Notepad.exe"	Notepad.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

wscript.exeHost Ip Js StartUp.exe

description	pid	process	target process
PID 1580 wrote to memory of 4728	1580	wscript.exe	wscript.exe
PID 1580 wrote to memory of 4728	1580	wscript.exe	wscript.exe
PID 1580 wrote to memory of 5008	1580	wscript.exe	Host Ip Js StartUp.exe
PID 1580 wrote to memory of 5008	1580	wscript.exe	Host Ip Js StartUp.exe
PID 1580 wrote to memory of 5008	1580	wscript.exe	Host Ip Js StartUp.exe
PID 5008 wrote to memory of 2248	5008	Host Ip Js StartUp.exe	Notepad.exe
PID 5008 wrote to memory of 2248	5008	Host Ip Js StartUp.exe	Notepad.exe
PID 5008 wrote to memory of 2248	5008	Host Ip Js StartUp.exe	Notepad.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Payment_pdf.js
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1580
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\PnzlGrTgWm.js"
  2⤵
  PID:4728
- C:\Users\Admin\AppData\Roaming\Host Ip Js StartUp.exe
  "C:\Users\Admin\AppData\Roaming\Host Ip Js StartUp.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:5008
- - C:\Users\Admin\AppData\Roaming\Googlee\Notepad.exe
    "C:\Users\Admin\AppData\Roaming\Googlee\Notepad.exe"
    3⤵
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    PID:2248

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Googlee\Notepad.exe

Filesize
227KB

MD5
fc6330d62ae89347dddf9e98d6dc2533

SHA1
b2a3104e8178e25b6b40cf8b19d60c1a4e03e969

SHA256
72c15ab989fb449e62d6a560bdad1c9c39d61c21345322b8c1331235adf484a7

SHA512
1cf0e356a72a525b585533adab9c2abe1cfef9127ef96fedefe840bf33248bb85752fd92ca447cc6ac2b0654b497c07e3e3d0f0e064958f0f17b3e79424d6a4c

Download Submit
C:\Users\Admin\AppData\Roaming\Googlee\Notepad.exe

Filesize
227KB

MD5
fc6330d62ae89347dddf9e98d6dc2533

SHA1
b2a3104e8178e25b6b40cf8b19d60c1a4e03e969

SHA256
72c15ab989fb449e62d6a560bdad1c9c39d61c21345322b8c1331235adf484a7

SHA512
1cf0e356a72a525b585533adab9c2abe1cfef9127ef96fedefe840bf33248bb85752fd92ca447cc6ac2b0654b497c07e3e3d0f0e064958f0f17b3e79424d6a4c

Download Submit
C:\Users\Admin\AppData\Roaming\Host Ip Js StartUp.exe

Filesize
227KB

MD5
fc6330d62ae89347dddf9e98d6dc2533

SHA1
b2a3104e8178e25b6b40cf8b19d60c1a4e03e969

SHA256
72c15ab989fb449e62d6a560bdad1c9c39d61c21345322b8c1331235adf484a7

SHA512
1cf0e356a72a525b585533adab9c2abe1cfef9127ef96fedefe840bf33248bb85752fd92ca447cc6ac2b0654b497c07e3e3d0f0e064958f0f17b3e79424d6a4c

Download Submit
C:\Users\Admin\AppData\Roaming\Host Ip Js StartUp.exe

Filesize
227KB

MD5
fc6330d62ae89347dddf9e98d6dc2533

SHA1
b2a3104e8178e25b6b40cf8b19d60c1a4e03e969

SHA256
72c15ab989fb449e62d6a560bdad1c9c39d61c21345322b8c1331235adf484a7

SHA512
1cf0e356a72a525b585533adab9c2abe1cfef9127ef96fedefe840bf33248bb85752fd92ca447cc6ac2b0654b497c07e3e3d0f0e064958f0f17b3e79424d6a4c

Download Submit
C:\Users\Admin\AppData\Roaming\PnzlGrTgWm.js

Filesize
1KB

MD5
1b76658fbca30c67b79d825d480a2e9c

SHA1
1610c73de356adac0d6c7175c88973a00ad35f2a

SHA256
75cf22e2317229dcc94257b3d3592d8ae606ab24ad98a51fd4870d2c32fe192f

SHA512
6de4916fd374a0f09ca2a0a007801bb40c5e3f5c0bceb3a787468236e4630c14d71b81bc98c577e88a9bde07c5a768563f90e27ead9a305aa7493462fdaf1bb8

Download Submit
memory/2248-137-0x0000000000000000-mapping.dmp

Download
memory/4728-132-0x0000000000000000-mapping.dmp

Download
memory/5008-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads