netwire | 3788a03e4c4f4ceb8ef566ea2659ebe141fc679b97f4a1fda3f4a4f52541adc2

General

Target

Request Quote_PDF.js
Size

427KB
MD5

e28f128487db3254400a7544bb4b679b
SHA1

e28482717d27cd0b4f396d6df4d701a973b6d357
SHA256

3788a03e4c4f4ceb8ef566ea2659ebe141fc679b97f4a1fda3f4a4f52541adc2
SHA512

233bbade78b41008faef8a6429eff67275723cb8211da050088f98c364ec798cddc792d2fa6dd70dfc6b6c98f183e6dd80bb7ef3c1b59c07608bd329d5c2bcac
SSDEEP

6144:1aAy6ubR3WGWMkndfTZFTu11LcNbu/RiJITRx5D5P1O8k8+gVelAkD9:1avdcTZFTuPINbcTRvD9W7ge

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Signatures

NetWire RAT payload 7 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Host Ip Js StartUp.exe	netwire
C:\Users\Admin\AppData\Roaming\Host Ip Js StartUp.exe	netwire
\Users\Admin\AppData\Roaming\Googlee\Notepad.exe	netwire
\Users\Admin\AppData\Roaming\Googlee\Notepad.exe	netwire
C:\Users\Admin\AppData\Roaming\Googlee\Notepad.exe	netwire
C:\Users\Admin\AppData\Roaming\Googlee\Notepad.exe	netwire
\Users\Admin\AppData\Roaming\Googlee\Notepad.exe	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

Host Ip Js StartUp.exeNotepad.exe

pid process

1716 Host Ip Js StartUp.exe
880 Notepad.exe
Drops startup file 1 IoCs

Processes:

Notepad.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Note.lnk Notepad.exe
Loads dropped DLL 3 IoCs

Processes:

Host Ip Js StartUp.exeNotepad.exe

pid process

1716 Host Ip Js StartUp.exe
1716 Host Ip Js StartUp.exe
880 Notepad.exe

pid	process
1716	Host Ip Js StartUp.exe
880	Notepad.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Note.lnk	Notepad.exe

pid	process
1716	Host Ip Js StartUp.exe
1716	Host Ip Js StartUp.exe
880	Notepad.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Notepad.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\£2ëUíaÊ—KåL¦K®¨æ = "C:\\Users\\Admin\\AppData\\Roaming\\Googlee\\Notepad.exe"	Notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	Notepad.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

wscript.exeHost Ip Js StartUp.exe

description	pid	process	target process
PID 1684 wrote to memory of 1360	1684	wscript.exe	wscript.exe
PID 1684 wrote to memory of 1360	1684	wscript.exe	wscript.exe
PID 1684 wrote to memory of 1360	1684	wscript.exe	wscript.exe
PID 1684 wrote to memory of 1716	1684	wscript.exe	Host Ip Js StartUp.exe
PID 1684 wrote to memory of 1716	1684	wscript.exe	Host Ip Js StartUp.exe
PID 1684 wrote to memory of 1716	1684	wscript.exe	Host Ip Js StartUp.exe
PID 1684 wrote to memory of 1716	1684	wscript.exe	Host Ip Js StartUp.exe
PID 1716 wrote to memory of 880	1716	Host Ip Js StartUp.exe	Notepad.exe
PID 1716 wrote to memory of 880	1716	Host Ip Js StartUp.exe	Notepad.exe
PID 1716 wrote to memory of 880	1716	Host Ip Js StartUp.exe	Notepad.exe
PID 1716 wrote to memory of 880	1716	Host Ip Js StartUp.exe	Notepad.exe

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Request Quote_PDF.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:1684

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\MWOUSBLQqc.js"
2⤵
PID:1360

C:\Users\Admin\AppData\Roaming\Host Ip Js StartUp.exe
"C:\Users\Admin\AppData\Roaming\Host Ip Js StartUp.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1716

C:\Users\Admin\AppData\Roaming\Googlee\Notepad.exe
"C:\Users\Admin\AppData\Roaming\Googlee\Notepad.exe"
3⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
PID:880

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Googlee\Notepad.exe
Filesize
227KB

MD5
fc6330d62ae89347dddf9e98d6dc2533

SHA1
b2a3104e8178e25b6b40cf8b19d60c1a4e03e969

SHA256
72c15ab989fb449e62d6a560bdad1c9c39d61c21345322b8c1331235adf484a7

SHA512
1cf0e356a72a525b585533adab9c2abe1cfef9127ef96fedefe840bf33248bb85752fd92ca447cc6ac2b0654b497c07e3e3d0f0e064958f0f17b3e79424d6a4c

Download Submit
C:\Users\Admin\AppData\Roaming\Googlee\Notepad.exe
Filesize
227KB

MD5
fc6330d62ae89347dddf9e98d6dc2533

SHA1
b2a3104e8178e25b6b40cf8b19d60c1a4e03e969

SHA256
72c15ab989fb449e62d6a560bdad1c9c39d61c21345322b8c1331235adf484a7

SHA512
1cf0e356a72a525b585533adab9c2abe1cfef9127ef96fedefe840bf33248bb85752fd92ca447cc6ac2b0654b497c07e3e3d0f0e064958f0f17b3e79424d6a4c

Download Submit
C:\Users\Admin\AppData\Roaming\Host Ip Js StartUp.exe
Filesize
227KB

MD5
fc6330d62ae89347dddf9e98d6dc2533

SHA1
b2a3104e8178e25b6b40cf8b19d60c1a4e03e969

SHA256
72c15ab989fb449e62d6a560bdad1c9c39d61c21345322b8c1331235adf484a7

SHA512
1cf0e356a72a525b585533adab9c2abe1cfef9127ef96fedefe840bf33248bb85752fd92ca447cc6ac2b0654b497c07e3e3d0f0e064958f0f17b3e79424d6a4c

Download Submit
C:\Users\Admin\AppData\Roaming\Host Ip Js StartUp.exe
Filesize
227KB

MD5
fc6330d62ae89347dddf9e98d6dc2533

SHA1
b2a3104e8178e25b6b40cf8b19d60c1a4e03e969

SHA256
72c15ab989fb449e62d6a560bdad1c9c39d61c21345322b8c1331235adf484a7

SHA512
1cf0e356a72a525b585533adab9c2abe1cfef9127ef96fedefe840bf33248bb85752fd92ca447cc6ac2b0654b497c07e3e3d0f0e064958f0f17b3e79424d6a4c

Download Submit
C:\Users\Admin\AppData\Roaming\MWOUSBLQqc.js
Filesize
6KB

MD5
7dfdac8b085ea48e40e4cff53194c3a0

SHA1
c7d8a0b17be3fab76a24380207caee98942776d8

SHA256
640d57cc69797a8b54bf9aa305b1891e5bc927589c135f7033d5e72ca0c38a15

SHA512
73c9429f30b7794933543faa7f18b0457e5a7f71864dbac94533eee4afdeac1f2c4d15a9b43c596a236655beabad3d03c91237482bb9d7afb178bfe40636f0af

Download Submit
\Users\Admin\AppData\Roaming\Googlee\Notepad.exe
Filesize
227KB

MD5
fc6330d62ae89347dddf9e98d6dc2533

SHA1
b2a3104e8178e25b6b40cf8b19d60c1a4e03e969

SHA256
72c15ab989fb449e62d6a560bdad1c9c39d61c21345322b8c1331235adf484a7

SHA512
1cf0e356a72a525b585533adab9c2abe1cfef9127ef96fedefe840bf33248bb85752fd92ca447cc6ac2b0654b497c07e3e3d0f0e064958f0f17b3e79424d6a4c

Download Submit
\Users\Admin\AppData\Roaming\Googlee\Notepad.exe
Filesize
227KB

MD5
fc6330d62ae89347dddf9e98d6dc2533

SHA1
b2a3104e8178e25b6b40cf8b19d60c1a4e03e969

SHA256
72c15ab989fb449e62d6a560bdad1c9c39d61c21345322b8c1331235adf484a7

SHA512
1cf0e356a72a525b585533adab9c2abe1cfef9127ef96fedefe840bf33248bb85752fd92ca447cc6ac2b0654b497c07e3e3d0f0e064958f0f17b3e79424d6a4c

Download Submit
\Users\Admin\AppData\Roaming\Googlee\Notepad.exe
Filesize
227KB

MD5
fc6330d62ae89347dddf9e98d6dc2533

SHA1
b2a3104e8178e25b6b40cf8b19d60c1a4e03e969

SHA256
72c15ab989fb449e62d6a560bdad1c9c39d61c21345322b8c1331235adf484a7

SHA512
1cf0e356a72a525b585533adab9c2abe1cfef9127ef96fedefe840bf33248bb85752fd92ca447cc6ac2b0654b497c07e3e3d0f0e064958f0f17b3e79424d6a4c

Download Submit
memory/880-63-0x0000000000000000-mapping.dmp

Download
memory/1360-55-0x0000000000000000-mapping.dmp

Download
memory/1684-54-0x000007FEFB6D1000-0x000007FEFB6D3000-memory.dmp

Filesize
8KB

Download
memory/1716-59-0x0000000074AB1000-0x0000000074AB3000-memory.dmp

Filesize
8KB

Download
memory/1716-57-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads