netwire | 5d7b005b25fc4042bf4306cb81f0e332ff10a61ead6744d4dae14da8f08b7db5

General

Target

SecuriteInfo.com.W32.AIDetectNet.01.1417.25539.exe
Size

578KB
MD5

a3add136bad0055382516c28b2d98ed6
SHA1

bb218fb9cbb76d9c4e0f4d44f3745f3405957a02
SHA256

5d7b005b25fc4042bf4306cb81f0e332ff10a61ead6744d4dae14da8f08b7db5
SHA512

0c204063f19b2603ec8bff61547d17b14ae01329a4a587c53a37ba37c0aa9122d3fead68138f10ad18788aae00aec580122c7ddc54a3e10b012ab7f5284587a0
SSDEEP

12288:hc0FHAlmHX2zbro5A97xpbMlylSx1LHoY/dlBKr9:ZAlmHAgA9QLW

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

C2

37.0.14.206:3384

Attributes

activex_autorun
false
copy_executable
true
delete_original
false
host_id
HostId-%Rand%
install_path
%AppData%\Install\Host.exe
keylogger_dir
%AppData%\Logs\
lock_executable
true
offline_keylogger
true
password
Password234
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2860-141-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral2/memory/2860-143-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral2/memory/2860-144-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral2/memory/4980-154-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral2/memory/4980-155-0x0000000000400000-0x0000000000433000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

Host.exeHost.exe

pid process

4696 Host.exe
4980 Host.exe

pid	process
4696	Host.exe
4980	Host.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SecuriteInfo.com.W32.AIDetectNet.01.1417.25539.exeSecuriteInfo.com.W32.AIDetectNet.01.1417.25539.exeHost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Control Panel\International\Geo\Nation	SecuriteInfo.com.W32.AIDetectNet.01.1417.25539.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Control Panel\International\Geo\Nation	SecuriteInfo.com.W32.AIDetectNet.01.1417.25539.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Control Panel\International\Geo\Nation	Host.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

SecuriteInfo.com.W32.AIDetectNet.01.1417.25539.exeHost.exe

description	pid	process	target process
PID 4468 set thread context of 2860	4468	SecuriteInfo.com.W32.AIDetectNet.01.1417.25539.exe	SecuriteInfo.com.W32.AIDetectNet.01.1417.25539.exe
PID 4696 set thread context of 4980	4696	Host.exe	Host.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2364 schtasks.exe
4052 schtasks.exe

pid	process
2364	schtasks.exe
4052	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

SecuriteInfo.com.W32.AIDetectNet.01.1417.25539.exeHost.exe

pid	process
4468	SecuriteInfo.com.W32.AIDetectNet.01.1417.25539.exe
4468	SecuriteInfo.com.W32.AIDetectNet.01.1417.25539.exe
4468	SecuriteInfo.com.W32.AIDetectNet.01.1417.25539.exe
4696	Host.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

SecuriteInfo.com.W32.AIDetectNet.01.1417.25539.exeHost.exe

description pid process

Token: SeDebugPrivilege 4468 SecuriteInfo.com.W32.AIDetectNet.01.1417.25539.exe
Token: SeDebugPrivilege 4696 Host.exe

description	pid	process
Token: SeDebugPrivilege	4468	SecuriteInfo.com.W32.AIDetectNet.01.1417.25539.exe
Token: SeDebugPrivilege	4696	Host.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

SecuriteInfo.com.W32.AIDetectNet.01.1417.25539.exeSecuriteInfo.com.W32.AIDetectNet.01.1417.25539.exeHost.exe

description	pid	process	target process
PID 4468 wrote to memory of 2364	4468	SecuriteInfo.com.W32.AIDetectNet.01.1417.25539.exe	schtasks.exe
PID 4468 wrote to memory of 2364	4468	SecuriteInfo.com.W32.AIDetectNet.01.1417.25539.exe	schtasks.exe
PID 4468 wrote to memory of 2364	4468	SecuriteInfo.com.W32.AIDetectNet.01.1417.25539.exe	schtasks.exe
PID 4468 wrote to memory of 3888	4468	SecuriteInfo.com.W32.AIDetectNet.01.1417.25539.exe	SecuriteInfo.com.W32.AIDetectNet.01.1417.25539.exe
PID 4468 wrote to memory of 3888	4468	SecuriteInfo.com.W32.AIDetectNet.01.1417.25539.exe	SecuriteInfo.com.W32.AIDetectNet.01.1417.25539.exe
PID 4468 wrote to memory of 3888	4468	SecuriteInfo.com.W32.AIDetectNet.01.1417.25539.exe	SecuriteInfo.com.W32.AIDetectNet.01.1417.25539.exe
PID 4468 wrote to memory of 2860	4468	SecuriteInfo.com.W32.AIDetectNet.01.1417.25539.exe	SecuriteInfo.com.W32.AIDetectNet.01.1417.25539.exe
PID 4468 wrote to memory of 2860	4468	SecuriteInfo.com.W32.AIDetectNet.01.1417.25539.exe	SecuriteInfo.com.W32.AIDetectNet.01.1417.25539.exe
PID 4468 wrote to memory of 2860	4468	SecuriteInfo.com.W32.AIDetectNet.01.1417.25539.exe	SecuriteInfo.com.W32.AIDetectNet.01.1417.25539.exe
PID 4468 wrote to memory of 2860	4468	SecuriteInfo.com.W32.AIDetectNet.01.1417.25539.exe	SecuriteInfo.com.W32.AIDetectNet.01.1417.25539.exe
PID 4468 wrote to memory of 2860	4468	SecuriteInfo.com.W32.AIDetectNet.01.1417.25539.exe	SecuriteInfo.com.W32.AIDetectNet.01.1417.25539.exe
PID 4468 wrote to memory of 2860	4468	SecuriteInfo.com.W32.AIDetectNet.01.1417.25539.exe	SecuriteInfo.com.W32.AIDetectNet.01.1417.25539.exe
PID 4468 wrote to memory of 2860	4468	SecuriteInfo.com.W32.AIDetectNet.01.1417.25539.exe	SecuriteInfo.com.W32.AIDetectNet.01.1417.25539.exe
PID 4468 wrote to memory of 2860	4468	SecuriteInfo.com.W32.AIDetectNet.01.1417.25539.exe	SecuriteInfo.com.W32.AIDetectNet.01.1417.25539.exe
PID 4468 wrote to memory of 2860	4468	SecuriteInfo.com.W32.AIDetectNet.01.1417.25539.exe	SecuriteInfo.com.W32.AIDetectNet.01.1417.25539.exe
PID 4468 wrote to memory of 2860	4468	SecuriteInfo.com.W32.AIDetectNet.01.1417.25539.exe	SecuriteInfo.com.W32.AIDetectNet.01.1417.25539.exe
PID 4468 wrote to memory of 2860	4468	SecuriteInfo.com.W32.AIDetectNet.01.1417.25539.exe	SecuriteInfo.com.W32.AIDetectNet.01.1417.25539.exe
PID 2860 wrote to memory of 4696	2860	SecuriteInfo.com.W32.AIDetectNet.01.1417.25539.exe	Host.exe
PID 2860 wrote to memory of 4696	2860	SecuriteInfo.com.W32.AIDetectNet.01.1417.25539.exe	Host.exe
PID 2860 wrote to memory of 4696	2860	SecuriteInfo.com.W32.AIDetectNet.01.1417.25539.exe	Host.exe
PID 4696 wrote to memory of 4052	4696	Host.exe	schtasks.exe
PID 4696 wrote to memory of 4052	4696	Host.exe	schtasks.exe
PID 4696 wrote to memory of 4052	4696	Host.exe	schtasks.exe
PID 4696 wrote to memory of 4980	4696	Host.exe	Host.exe
PID 4696 wrote to memory of 4980	4696	Host.exe	Host.exe
PID 4696 wrote to memory of 4980	4696	Host.exe	Host.exe
PID 4696 wrote to memory of 4980	4696	Host.exe	Host.exe
PID 4696 wrote to memory of 4980	4696	Host.exe	Host.exe
PID 4696 wrote to memory of 4980	4696	Host.exe	Host.exe
PID 4696 wrote to memory of 4980	4696	Host.exe	Host.exe
PID 4696 wrote to memory of 4980	4696	Host.exe	Host.exe
PID 4696 wrote to memory of 4980	4696	Host.exe	Host.exe
PID 4696 wrote to memory of 4980	4696	Host.exe	Host.exe
PID 4696 wrote to memory of 4980	4696	Host.exe	Host.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.1417.25539.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.1417.25539.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4468

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VqaJbkwvcY" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4AF3.tmp"
2⤵
- Creates scheduled task(s)
PID:2364

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.1417.25539.exe
"{path}"
2⤵
PID:3888

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.1417.25539.exe
"{path}"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2860

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4696

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VqaJbkwvcY" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCE9A.tmp"
4⤵
- Creates scheduled task(s)
PID:4052

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"{path}"
4⤵
- Executes dropped EXE
PID:4980

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp4AF3.tmp
Filesize
1KB

MD5
86d17d63cdc7f62b8763a932301ce7bd

SHA1
61d6d2aefdc812374e921195adac4758051bb600

SHA256
8ebb4083b4b4b08a4495737a77953d34894a72b3163c22a67a2ad33494f8f37f

SHA512
2b47a3e3433a99f893f038fe0636b790bc900cffe92dfabf671f0d1c9a6c0c571f6e02b82d4e3a77c0f230691779c9307e40f875fd336ea6d979fa8f88eab0d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCE9A.tmp
Filesize
1KB

MD5
86d17d63cdc7f62b8763a932301ce7bd

SHA1
61d6d2aefdc812374e921195adac4758051bb600

SHA256
8ebb4083b4b4b08a4495737a77953d34894a72b3163c22a67a2ad33494f8f37f

SHA512
2b47a3e3433a99f893f038fe0636b790bc900cffe92dfabf671f0d1c9a6c0c571f6e02b82d4e3a77c0f230691779c9307e40f875fd336ea6d979fa8f88eab0d5

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
578KB

MD5
a3add136bad0055382516c28b2d98ed6

SHA1
bb218fb9cbb76d9c4e0f4d44f3745f3405957a02

SHA256
5d7b005b25fc4042bf4306cb81f0e332ff10a61ead6744d4dae14da8f08b7db5

SHA512
0c204063f19b2603ec8bff61547d17b14ae01329a4a587c53a37ba37c0aa9122d3fead68138f10ad18788aae00aec580122c7ddc54a3e10b012ab7f5284587a0

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
578KB

MD5
a3add136bad0055382516c28b2d98ed6

SHA1
bb218fb9cbb76d9c4e0f4d44f3745f3405957a02

SHA256
5d7b005b25fc4042bf4306cb81f0e332ff10a61ead6744d4dae14da8f08b7db5

SHA512
0c204063f19b2603ec8bff61547d17b14ae01329a4a587c53a37ba37c0aa9122d3fead68138f10ad18788aae00aec580122c7ddc54a3e10b012ab7f5284587a0

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
578KB

MD5
a3add136bad0055382516c28b2d98ed6

SHA1
bb218fb9cbb76d9c4e0f4d44f3745f3405957a02

SHA256
5d7b005b25fc4042bf4306cb81f0e332ff10a61ead6744d4dae14da8f08b7db5

SHA512
0c204063f19b2603ec8bff61547d17b14ae01329a4a587c53a37ba37c0aa9122d3fead68138f10ad18788aae00aec580122c7ddc54a3e10b012ab7f5284587a0

Download Submit
memory/2364-137-0x0000000000000000-mapping.dmp

Download
memory/2860-143-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2860-140-0x0000000000000000-mapping.dmp

Download
memory/2860-141-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2860-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3888-139-0x0000000000000000-mapping.dmp

Download
memory/4052-148-0x0000000000000000-mapping.dmp

Download
memory/4468-135-0x0000000005060000-0x00000000050FC000-memory.dmp

Filesize
624KB

Download
memory/4468-136-0x0000000002AA0000-0x0000000002AAA000-memory.dmp

Filesize
40KB

Download
memory/4468-132-0x00000000004C0000-0x0000000000556000-memory.dmp

Filesize
600KB

Download
memory/4468-134-0x0000000004FC0000-0x0000000005052000-memory.dmp

Filesize
584KB

Download
memory/4468-133-0x00000000054D0000-0x0000000005A74000-memory.dmp

Filesize
5.6MB

Download
memory/4696-145-0x0000000000000000-mapping.dmp

Download
memory/4980-150-0x0000000000000000-mapping.dmp

Download
memory/4980-154-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4980-155-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads