netwire | 1dc432ae11129c1f3497710ae3dcf457a3f3b99a71e011992434ecf11103cdeb

General

Target

Quote_PDF.js
Size

457KB
MD5

5d9f9baf3d7c581bc7c9d5ef19dad173
SHA1

f03d9205fa4b1d695079e77e44384a7a1afcf03d
SHA256

1dc432ae11129c1f3497710ae3dcf457a3f3b99a71e011992434ecf11103cdeb
SHA512

0f0bfa0089aec3149508242907835404d099c323c42da901e0a992bf937a087485f7bca6c53fd4ef4556a04f3ebc8fa60e714b28046470c4d10302d646d396e8
SSDEEP

6144:KJm4iMO2wtqrHTt50ONAeFcYf/3XuDZz+NtM67bXoxKF:KJm4iMO2w6HPFcYHXu2yxoF

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Signatures

NetWire RAT payload 7 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Host Ip Js StartUp.exe	netwire
C:\Users\Admin\AppData\Roaming\Host Ip Js StartUp.exe	netwire
\Users\Admin\AppData\Roaming\Googlee\Notepad.exe	netwire
\Users\Admin\AppData\Roaming\Googlee\Notepad.exe	netwire
C:\Users\Admin\AppData\Roaming\Googlee\Notepad.exe	netwire
C:\Users\Admin\AppData\Roaming\Googlee\Notepad.exe	netwire
\Users\Admin\AppData\Roaming\Googlee\Notepad.exe	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

Host Ip Js StartUp.exeNotepad.exe

pid process

1948 Host Ip Js StartUp.exe
1300 Notepad.exe
Drops startup file 1 IoCs

Processes:

Notepad.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Note.lnk Notepad.exe
Loads dropped DLL 3 IoCs

Processes:

Host Ip Js StartUp.exeNotepad.exe

pid process

1948 Host Ip Js StartUp.exe
1948 Host Ip Js StartUp.exe
1300 Notepad.exe

pid	process
1948	Host Ip Js StartUp.exe
1300	Notepad.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Note.lnk	Notepad.exe

pid	process
1948	Host Ip Js StartUp.exe
1948	Host Ip Js StartUp.exe
1300	Notepad.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Notepad.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	Notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\£2ëUíaÊ—KåL¦K®¨æ = "C:\\Users\\Admin\\AppData\\Roaming\\Googlee\\Notepad.exe"	Notepad.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

wscript.exeHost Ip Js StartUp.exe

description	pid	process	target process
PID 1512 wrote to memory of 1756	1512	wscript.exe	wscript.exe
PID 1512 wrote to memory of 1756	1512	wscript.exe	wscript.exe
PID 1512 wrote to memory of 1756	1512	wscript.exe	wscript.exe
PID 1512 wrote to memory of 1948	1512	wscript.exe	Host Ip Js StartUp.exe
PID 1512 wrote to memory of 1948	1512	wscript.exe	Host Ip Js StartUp.exe
PID 1512 wrote to memory of 1948	1512	wscript.exe	Host Ip Js StartUp.exe
PID 1512 wrote to memory of 1948	1512	wscript.exe	Host Ip Js StartUp.exe
PID 1948 wrote to memory of 1300	1948	Host Ip Js StartUp.exe	Notepad.exe
PID 1948 wrote to memory of 1300	1948	Host Ip Js StartUp.exe	Notepad.exe
PID 1948 wrote to memory of 1300	1948	Host Ip Js StartUp.exe	Notepad.exe
PID 1948 wrote to memory of 1300	1948	Host Ip Js StartUp.exe	Notepad.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Quote_PDF.js
1⤵
- Suspicious use of WriteProcessMemory
PID:1512
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\GJesmMedJL.js"
  2⤵
  PID:1756
- C:\Users\Admin\AppData\Roaming\Host Ip Js StartUp.exe
  "C:\Users\Admin\AppData\Roaming\Host Ip Js StartUp.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1948
- - C:\Users\Admin\AppData\Roaming\Googlee\Notepad.exe
    "C:\Users\Admin\AppData\Roaming\Googlee\Notepad.exe"
    3⤵
    - Executes dropped EXE
    - Drops startup file
    - Loads dropped DLL
    - Adds Run key to start application
    PID:1300

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\GJesmMedJL.js

Filesize
18KB

MD5
99b66296ee0fe8afb57b407e6f9b33af

SHA1
20712ad4446efc63f564e2bc6ea582cc70a12368

SHA256
2bddbe3031cdf97a6533cd55a88093fc670ab438a69ac8f8684a5564dfb8acb7

SHA512
a8ccbf88ac1a8f05eebade7b73f302571a7dc16fd42a332ee6a6b44d88cc0e6fc1c11efefb341aed25e8267d7935bcc82fe205d5be97b2c2dfebe9ec80a64651

Download Submit
C:\Users\Admin\AppData\Roaming\Googlee\Notepad.exe

Filesize
227KB

MD5
fc6330d62ae89347dddf9e98d6dc2533

SHA1
b2a3104e8178e25b6b40cf8b19d60c1a4e03e969

SHA256
72c15ab989fb449e62d6a560bdad1c9c39d61c21345322b8c1331235adf484a7

SHA512
1cf0e356a72a525b585533adab9c2abe1cfef9127ef96fedefe840bf33248bb85752fd92ca447cc6ac2b0654b497c07e3e3d0f0e064958f0f17b3e79424d6a4c

Download Submit
C:\Users\Admin\AppData\Roaming\Googlee\Notepad.exe

Filesize
227KB

MD5
fc6330d62ae89347dddf9e98d6dc2533

SHA1
b2a3104e8178e25b6b40cf8b19d60c1a4e03e969

SHA256
72c15ab989fb449e62d6a560bdad1c9c39d61c21345322b8c1331235adf484a7

SHA512
1cf0e356a72a525b585533adab9c2abe1cfef9127ef96fedefe840bf33248bb85752fd92ca447cc6ac2b0654b497c07e3e3d0f0e064958f0f17b3e79424d6a4c

Download Submit
C:\Users\Admin\AppData\Roaming\Host Ip Js StartUp.exe

Filesize
227KB

MD5
fc6330d62ae89347dddf9e98d6dc2533

SHA1
b2a3104e8178e25b6b40cf8b19d60c1a4e03e969

SHA256
72c15ab989fb449e62d6a560bdad1c9c39d61c21345322b8c1331235adf484a7

SHA512
1cf0e356a72a525b585533adab9c2abe1cfef9127ef96fedefe840bf33248bb85752fd92ca447cc6ac2b0654b497c07e3e3d0f0e064958f0f17b3e79424d6a4c

Download Submit
C:\Users\Admin\AppData\Roaming\Host Ip Js StartUp.exe

Filesize
227KB

MD5
fc6330d62ae89347dddf9e98d6dc2533

SHA1
b2a3104e8178e25b6b40cf8b19d60c1a4e03e969

SHA256
72c15ab989fb449e62d6a560bdad1c9c39d61c21345322b8c1331235adf484a7

SHA512
1cf0e356a72a525b585533adab9c2abe1cfef9127ef96fedefe840bf33248bb85752fd92ca447cc6ac2b0654b497c07e3e3d0f0e064958f0f17b3e79424d6a4c

Download Submit
\Users\Admin\AppData\Roaming\Googlee\Notepad.exe

Filesize
227KB

MD5
fc6330d62ae89347dddf9e98d6dc2533

SHA1
b2a3104e8178e25b6b40cf8b19d60c1a4e03e969

SHA256
72c15ab989fb449e62d6a560bdad1c9c39d61c21345322b8c1331235adf484a7

SHA512
1cf0e356a72a525b585533adab9c2abe1cfef9127ef96fedefe840bf33248bb85752fd92ca447cc6ac2b0654b497c07e3e3d0f0e064958f0f17b3e79424d6a4c

Download Submit
\Users\Admin\AppData\Roaming\Googlee\Notepad.exe

Filesize
227KB

MD5
fc6330d62ae89347dddf9e98d6dc2533

SHA1
b2a3104e8178e25b6b40cf8b19d60c1a4e03e969

SHA256
72c15ab989fb449e62d6a560bdad1c9c39d61c21345322b8c1331235adf484a7

SHA512
1cf0e356a72a525b585533adab9c2abe1cfef9127ef96fedefe840bf33248bb85752fd92ca447cc6ac2b0654b497c07e3e3d0f0e064958f0f17b3e79424d6a4c

Download Submit
\Users\Admin\AppData\Roaming\Googlee\Notepad.exe

Filesize
227KB

MD5
fc6330d62ae89347dddf9e98d6dc2533

SHA1
b2a3104e8178e25b6b40cf8b19d60c1a4e03e969

SHA256
72c15ab989fb449e62d6a560bdad1c9c39d61c21345322b8c1331235adf484a7

SHA512
1cf0e356a72a525b585533adab9c2abe1cfef9127ef96fedefe840bf33248bb85752fd92ca447cc6ac2b0654b497c07e3e3d0f0e064958f0f17b3e79424d6a4c

Download Submit
memory/1300-63-0x0000000000000000-mapping.dmp

Download
memory/1512-54-0x000007FEFC181000-0x000007FEFC183000-memory.dmp

Filesize
8KB

Download
memory/1756-55-0x0000000000000000-mapping.dmp

Download
memory/1948-59-0x00000000756A1000-0x00000000756A3000-memory.dmp

Filesize
8KB

Download
memory/1948-57-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads