netwire | 5c49bfd97ea20083080e81c025dbbc5bafdeadf692de79cba059442a2c0bf8b6

Analysis

max time kernel
261s
max time network
273s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
29-08-2022 02:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5c49bfd97ea20083080e81c025dbbc5bafdeadf692de79cba059442a2c0bf8b6.exe
Size

720KB
MD5

dde1d2bff5076a07a34a3d079eb42603
SHA1

5255caf6bc8aa67a7b5c22fbe15b1dff34155905
SHA256

5c49bfd97ea20083080e81c025dbbc5bafdeadf692de79cba059442a2c0bf8b6
SHA512

53ffed18d0f2a6efdb567d60ef6cd81189bd319cfb6cd0929d603914b7c00674b75c793e92311d6bc9e14116cf5814a3e0e3805a52f95ad3fabc8e947684be05
SSDEEP

12288:UbpM2Tgxl6b6JBAdDz7/VFbxJxBsIfL+3wFtmTAnPmJDOLxAyIFmki9bF3:UbfggDDb7xFK3w9nPm5Zk3

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

212.193.30.230:4000

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
Okonkwo
lock_executable
true
mutex
ltpFhccL
offline_keylogger
false
password
4QR5EtvOH9
registry_autorun
false
use_mutex
true

Signatures

NetWire RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2588-254-0x000000000040242D-mapping.dmp	netwire
behavioral2/memory/2588-326-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral2/memory/2588-597-0x0000000000400000-0x0000000000433000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Suspicious use of SetThreadContext 1 IoCs

Processes:

5c49bfd97ea20083080e81c025dbbc5bafdeadf692de79cba059442a2c0bf8b6.exe

description	pid	process	target process
PID 2432 set thread context of 2588	2432	5c49bfd97ea20083080e81c025dbbc5bafdeadf692de79cba059442a2c0bf8b6.exe	5c49bfd97ea20083080e81c025dbbc5bafdeadf692de79cba059442a2c0bf8b6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1484 schtasks.exe

pid	process
1484	schtasks.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

5c49bfd97ea20083080e81c025dbbc5bafdeadf692de79cba059442a2c0bf8b6.exepowershell.exe

pid	process
2432	5c49bfd97ea20083080e81c025dbbc5bafdeadf692de79cba059442a2c0bf8b6.exe
2432	5c49bfd97ea20083080e81c025dbbc5bafdeadf692de79cba059442a2c0bf8b6.exe
2432	5c49bfd97ea20083080e81c025dbbc5bafdeadf692de79cba059442a2c0bf8b6.exe
2432	5c49bfd97ea20083080e81c025dbbc5bafdeadf692de79cba059442a2c0bf8b6.exe
2432	5c49bfd97ea20083080e81c025dbbc5bafdeadf692de79cba059442a2c0bf8b6.exe
2432	5c49bfd97ea20083080e81c025dbbc5bafdeadf692de79cba059442a2c0bf8b6.exe
2432	5c49bfd97ea20083080e81c025dbbc5bafdeadf692de79cba059442a2c0bf8b6.exe
2432	5c49bfd97ea20083080e81c025dbbc5bafdeadf692de79cba059442a2c0bf8b6.exe
2432	5c49bfd97ea20083080e81c025dbbc5bafdeadf692de79cba059442a2c0bf8b6.exe
2432	5c49bfd97ea20083080e81c025dbbc5bafdeadf692de79cba059442a2c0bf8b6.exe
1300	powershell.exe
1300	powershell.exe
1300	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

5c49bfd97ea20083080e81c025dbbc5bafdeadf692de79cba059442a2c0bf8b6.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2432	5c49bfd97ea20083080e81c025dbbc5bafdeadf692de79cba059442a2c0bf8b6.exe
Token: SeDebugPrivilege	1300	powershell.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

5c49bfd97ea20083080e81c025dbbc5bafdeadf692de79cba059442a2c0bf8b6.exe

C:\Users\Admin\AppData\Local\Temp\5c49bfd97ea20083080e81c025dbbc5bafdeadf692de79cba059442a2c0bf8b6.exe
"C:\Users\Admin\AppData\Local\Temp\5c49bfd97ea20083080e81c025dbbc5bafdeadf692de79cba059442a2c0bf8b6.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2432

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vZDxGCJn" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6457.tmp"
2⤵
- Creates scheduled task(s)
PID:1484

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\vZDxGCJn.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1300

C:\Users\Admin\AppData\Local\Temp\5c49bfd97ea20083080e81c025dbbc5bafdeadf692de79cba059442a2c0bf8b6.exe
"C:\Users\Admin\AppData\Local\Temp\5c49bfd97ea20083080e81c025dbbc5bafdeadf692de79cba059442a2c0bf8b6.exe"
2⤵
PID:2588

C:\Users\Admin\AppData\Local\Temp\5c49bfd97ea20083080e81c025dbbc5bafdeadf692de79cba059442a2c0bf8b6.exe
"C:\Users\Admin\AppData\Local\Temp\5c49bfd97ea20083080e81c025dbbc5bafdeadf692de79cba059442a2c0bf8b6.exe"
2⤵
PID:4844

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp6457.tmp
Filesize
1KB

MD5
8543a4d03e600aef6d0c1eea1ac374e6

SHA1
40057a590805ea95fbf7f243fc05dae9bf189d3d

SHA256
0434d5e2e28d1b33b6588fece1cd7753ee8482142c8e1074f6c5604f7eeb183b

SHA512
c480dffdeb94a1527d8b9a49cb747e449c4b0ae73d9351bfe3fdd0beec93afbd06db0f7cdc15a170a2da65121d98331d570a9f1fd6f06df156a3f251a6e546fb

Download Submit
memory/1300-358-0x0000000009070000-0x000000000908E000-memory.dmp

Filesize
120KB

Download
memory/1300-574-0x0000000009340000-0x000000000935A000-memory.dmp

Filesize
104KB

Download
memory/1300-357-0x00000000090B0000-0x00000000090E3000-memory.dmp

Filesize
204KB

Download
memory/1300-579-0x0000000009330000-0x0000000009338000-memory.dmp

Filesize
32KB

Download
memory/1300-344-0x0000000007F70000-0x0000000007FE6000-memory.dmp

Filesize
472KB

Download
memory/1300-371-0x00000000093B0000-0x0000000009444000-memory.dmp

Filesize
592KB

Download
memory/1300-367-0x00000000091E0000-0x0000000009285000-memory.dmp

Filesize
660KB

Download
memory/1300-340-0x0000000008230000-0x000000000827B000-memory.dmp

Filesize
300KB

Download
memory/1300-266-0x0000000006EC0000-0x00000000074E8000-memory.dmp

Filesize
6.2MB

Download
memory/1300-252-0x0000000006810000-0x0000000006846000-memory.dmp

Filesize
216KB

Download
memory/1300-194-0x0000000000000000-mapping.dmp

Download
memory/1300-338-0x0000000007BC0000-0x0000000007BDC000-memory.dmp

Filesize
112KB

Download
memory/1300-329-0x0000000007850000-0x0000000007BA0000-memory.dmp

Filesize
3.3MB

Download
memory/1300-318-0x00000000077E0000-0x0000000007846000-memory.dmp

Filesize
408KB

Download
memory/1300-316-0x0000000007650000-0x00000000076B6000-memory.dmp

Filesize
408KB

Download
memory/1300-313-0x00000000075B0000-0x00000000075D2000-memory.dmp

Filesize
136KB

Download
memory/1484-197-0x0000000000000000-mapping.dmp

Download
memory/2432-158-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2432-167-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2432-132-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2432-133-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2432-134-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2432-135-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2432-136-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2432-137-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2432-139-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2432-138-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2432-140-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2432-141-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2432-142-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2432-143-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2432-144-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2432-145-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2432-146-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2432-147-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2432-148-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2432-149-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2432-150-0x0000000000C30000-0x0000000000CEA000-memory.dmp

Filesize
744KB

Download
memory/2432-151-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2432-152-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2432-153-0x0000000005990000-0x0000000005E8E000-memory.dmp

Filesize
5.0MB

Download
memory/2432-154-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2432-155-0x0000000005530000-0x00000000055C2000-memory.dmp

Filesize
584KB

Download
memory/2432-156-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2432-157-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2432-129-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2432-159-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2432-160-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2432-161-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2432-162-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2432-163-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2432-164-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2432-165-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2432-166-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2432-131-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2432-168-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2432-169-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2432-170-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2432-171-0x0000000005690000-0x000000000569A000-memory.dmp

Filesize
40KB

Download
memory/2432-172-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2432-173-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2432-174-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2432-175-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2432-176-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2432-177-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2432-178-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2432-179-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2432-180-0x0000000006050000-0x0000000006068000-memory.dmp

Filesize
96KB

Download
memory/2432-181-0x000000000B380000-0x000000000B38C000-memory.dmp

Filesize
48KB

Download
memory/2432-182-0x000000000B4B0000-0x000000000B524000-memory.dmp

Filesize
464KB

Download
memory/2432-183-0x000000000B5E0000-0x000000000B67C000-memory.dmp

Filesize
624KB

Download
memory/2432-184-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2432-185-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2432-186-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2432-187-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2432-249-0x0000000001440000-0x000000000146E000-memory.dmp

Filesize
184KB

Download
memory/2432-130-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2432-127-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2432-128-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2432-126-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2432-116-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2432-117-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2432-125-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2432-124-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2432-123-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2432-122-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2432-121-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2432-120-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2432-119-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2432-118-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2588-326-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2588-254-0x000000000040242D-mapping.dmp

Download
memory/2588-597-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

description	pid	process	target process
PID 2432 wrote to memory of 1300	2432	5c49bfd97ea20083080e81c025dbbc5bafdeadf692de79cba059442a2c0bf8b6.exe	powershell.exe
PID 2432 wrote to memory of 1300	2432	5c49bfd97ea20083080e81c025dbbc5bafdeadf692de79cba059442a2c0bf8b6.exe	powershell.exe
PID 2432 wrote to memory of 1300	2432	5c49bfd97ea20083080e81c025dbbc5bafdeadf692de79cba059442a2c0bf8b6.exe	powershell.exe
PID 2432 wrote to memory of 1484	2432	5c49bfd97ea20083080e81c025dbbc5bafdeadf692de79cba059442a2c0bf8b6.exe	schtasks.exe
PID 2432 wrote to memory of 1484	2432	5c49bfd97ea20083080e81c025dbbc5bafdeadf692de79cba059442a2c0bf8b6.exe	schtasks.exe
PID 2432 wrote to memory of 1484	2432	5c49bfd97ea20083080e81c025dbbc5bafdeadf692de79cba059442a2c0bf8b6.exe	schtasks.exe
PID 2432 wrote to memory of 4844	2432	5c49bfd97ea20083080e81c025dbbc5bafdeadf692de79cba059442a2c0bf8b6.exe	5c49bfd97ea20083080e81c025dbbc5bafdeadf692de79cba059442a2c0bf8b6.exe
PID 2432 wrote to memory of 4844	2432	5c49bfd97ea20083080e81c025dbbc5bafdeadf692de79cba059442a2c0bf8b6.exe	5c49bfd97ea20083080e81c025dbbc5bafdeadf692de79cba059442a2c0bf8b6.exe
PID 2432 wrote to memory of 4844	2432	5c49bfd97ea20083080e81c025dbbc5bafdeadf692de79cba059442a2c0bf8b6.exe	5c49bfd97ea20083080e81c025dbbc5bafdeadf692de79cba059442a2c0bf8b6.exe
PID 2432 wrote to memory of 2588	2432	5c49bfd97ea20083080e81c025dbbc5bafdeadf692de79cba059442a2c0bf8b6.exe	5c49bfd97ea20083080e81c025dbbc5bafdeadf692de79cba059442a2c0bf8b6.exe
PID 2432 wrote to memory of 2588	2432	5c49bfd97ea20083080e81c025dbbc5bafdeadf692de79cba059442a2c0bf8b6.exe	5c49bfd97ea20083080e81c025dbbc5bafdeadf692de79cba059442a2c0bf8b6.exe
PID 2432 wrote to memory of 2588	2432	5c49bfd97ea20083080e81c025dbbc5bafdeadf692de79cba059442a2c0bf8b6.exe	5c49bfd97ea20083080e81c025dbbc5bafdeadf692de79cba059442a2c0bf8b6.exe
PID 2432 wrote to memory of 2588	2432	5c49bfd97ea20083080e81c025dbbc5bafdeadf692de79cba059442a2c0bf8b6.exe	5c49bfd97ea20083080e81c025dbbc5bafdeadf692de79cba059442a2c0bf8b6.exe
PID 2432 wrote to memory of 2588	2432	5c49bfd97ea20083080e81c025dbbc5bafdeadf692de79cba059442a2c0bf8b6.exe	5c49bfd97ea20083080e81c025dbbc5bafdeadf692de79cba059442a2c0bf8b6.exe
PID 2432 wrote to memory of 2588	2432	5c49bfd97ea20083080e81c025dbbc5bafdeadf692de79cba059442a2c0bf8b6.exe	5c49bfd97ea20083080e81c025dbbc5bafdeadf692de79cba059442a2c0bf8b6.exe
PID 2432 wrote to memory of 2588	2432	5c49bfd97ea20083080e81c025dbbc5bafdeadf692de79cba059442a2c0bf8b6.exe	5c49bfd97ea20083080e81c025dbbc5bafdeadf692de79cba059442a2c0bf8b6.exe
PID 2432 wrote to memory of 2588	2432	5c49bfd97ea20083080e81c025dbbc5bafdeadf692de79cba059442a2c0bf8b6.exe	5c49bfd97ea20083080e81c025dbbc5bafdeadf692de79cba059442a2c0bf8b6.exe
PID 2432 wrote to memory of 2588	2432	5c49bfd97ea20083080e81c025dbbc5bafdeadf692de79cba059442a2c0bf8b6.exe	5c49bfd97ea20083080e81c025dbbc5bafdeadf692de79cba059442a2c0bf8b6.exe
PID 2432 wrote to memory of 2588	2432	5c49bfd97ea20083080e81c025dbbc5bafdeadf692de79cba059442a2c0bf8b6.exe	5c49bfd97ea20083080e81c025dbbc5bafdeadf692de79cba059442a2c0bf8b6.exe
PID 2432 wrote to memory of 2588	2432	5c49bfd97ea20083080e81c025dbbc5bafdeadf692de79cba059442a2c0bf8b6.exe	5c49bfd97ea20083080e81c025dbbc5bafdeadf692de79cba059442a2c0bf8b6.exe