netwire | 0b069c7e87aeb1802c8a83bf595bdf68040faf36bb5f607f4d1a20b8b8f45403

General

Target

proof of payment.exe
Size

661KB
MD5

af0b6c0b096bc0a9a6c6da19b3340a4c
SHA1

4bc68ca3cd282e9c711c6b9a452a425af4fdf8d8
SHA256

0b069c7e87aeb1802c8a83bf595bdf68040faf36bb5f607f4d1a20b8b8f45403
SHA512

b33da09ded4c519566e9277cc4b10c4f5553246dd587c74c6c212430b45d4c188221d65f4357a6a5ff97202e1429378dd903c7f23217a16acf876c0bf3ab0ba1
SSDEEP

12288:m5VF75e1ZsTyxRM2wfQy/FhucmJcTQJW0OkzKJfhd45/B:KVZ52ZX/OX9hDUcTOW5eAHW

Score

10^/10

netwire botnet rat stealer

Malware Config

Signatures

NetWire RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4180-148-0x0000000000400000-0x000000000042B000-memory.dmp	netwire
behavioral2/memory/4180-146-0x0000000000400000-0x000000000042B000-memory.dmp	netwire
behavioral2/memory/4180-150-0x0000000000400000-0x000000000042B000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

proof of payment.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	proof of payment.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

proof of payment.exe

description pid process target process

PID 5048 set thread context of 4180 5048 proof of payment.exe proof of payment.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1200 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exeproof of payment.exe

pid process

4820 powershell.exe
5048 proof of payment.exe
5048 proof of payment.exe
4820 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exeproof of payment.exe

description pid process

Token: SeDebugPrivilege 4820 powershell.exe
Token: SeDebugPrivilege 5048 proof of payment.exe

description	pid	process	target process
PID 5048 set thread context of 4180	5048	proof of payment.exe	proof of payment.exe

pid	process
1200	schtasks.exe

pid	process
4820	powershell.exe
5048	proof of payment.exe
5048	proof of payment.exe
4820	powershell.exe

description	pid	process
Token: SeDebugPrivilege	4820	powershell.exe
Token: SeDebugPrivilege	5048	proof of payment.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

proof of payment.exe

description	pid	process	target process
PID 5048 wrote to memory of 4820	5048	proof of payment.exe	powershell.exe
PID 5048 wrote to memory of 4820	5048	proof of payment.exe	powershell.exe
PID 5048 wrote to memory of 4820	5048	proof of payment.exe	powershell.exe
PID 5048 wrote to memory of 1200	5048	proof of payment.exe	schtasks.exe
PID 5048 wrote to memory of 1200	5048	proof of payment.exe	schtasks.exe
PID 5048 wrote to memory of 1200	5048	proof of payment.exe	schtasks.exe
PID 5048 wrote to memory of 4804	5048	proof of payment.exe	proof of payment.exe
PID 5048 wrote to memory of 4804	5048	proof of payment.exe	proof of payment.exe
PID 5048 wrote to memory of 4804	5048	proof of payment.exe	proof of payment.exe
PID 5048 wrote to memory of 4180	5048	proof of payment.exe	proof of payment.exe
PID 5048 wrote to memory of 4180	5048	proof of payment.exe	proof of payment.exe
PID 5048 wrote to memory of 4180	5048	proof of payment.exe	proof of payment.exe
PID 5048 wrote to memory of 4180	5048	proof of payment.exe	proof of payment.exe
PID 5048 wrote to memory of 4180	5048	proof of payment.exe	proof of payment.exe
PID 5048 wrote to memory of 4180	5048	proof of payment.exe	proof of payment.exe
PID 5048 wrote to memory of 4180	5048	proof of payment.exe	proof of payment.exe
PID 5048 wrote to memory of 4180	5048	proof of payment.exe	proof of payment.exe
PID 5048 wrote to memory of 4180	5048	proof of payment.exe	proof of payment.exe
PID 5048 wrote to memory of 4180	5048	proof of payment.exe	proof of payment.exe

C:\Users\Admin\AppData\Local\Temp\proof of payment.exe
"C:\Users\Admin\AppData\Local\Temp\proof of payment.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5048

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\uVDXDtwcCw.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4820

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uVDXDtwcCw" /XML "C:\Users\Admin\AppData\Local\Temp\tmp21E0.tmp"
2⤵
- Creates scheduled task(s)
PID:1200

C:\Users\Admin\AppData\Local\Temp\proof of payment.exe
"C:\Users\Admin\AppData\Local\Temp\proof of payment.exe"
2⤵
PID:4804

C:\Users\Admin\AppData\Local\Temp\proof of payment.exe
"C:\Users\Admin\AppData\Local\Temp\proof of payment.exe"
2⤵
PID:4180

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp21E0.tmp
Filesize
1KB

MD5
b67549034aeeef8775602f32e61998c0

SHA1
898dd8aea4e711439b9acaa316c9a4e7728aea23

SHA256
fd0ff61376684df68c755c89dd505e7674a70ce91a7cee855799ab483baf0382

SHA512
ec81aadedb895f5a15d758696237ba11b697c9480e28b042027ecd0200866d29538c64354a98ccce192e828cc4f2394ce20ba22ed896088b7ec26539d76fbe60

Download Submit
memory/1200-139-0x0000000000000000-mapping.dmp

Download
memory/4180-150-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4180-146-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4180-148-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4180-145-0x0000000000000000-mapping.dmp

Download
memory/4804-143-0x0000000000000000-mapping.dmp

Download
memory/4820-149-0x0000000006120000-0x0000000006186000-memory.dmp

Filesize
408KB

Download
memory/4820-156-0x0000000007B00000-0x0000000007B1A000-memory.dmp

Filesize
104KB

Download
memory/4820-138-0x0000000000000000-mapping.dmp

Download
memory/4820-142-0x00000000058C0000-0x0000000005EE8000-memory.dmp

Filesize
6.2MB

Download
memory/4820-161-0x0000000007E20000-0x0000000007E28000-memory.dmp

Filesize
32KB

Download
memory/4820-144-0x0000000005850000-0x0000000005872000-memory.dmp

Filesize
136KB

Download
memory/4820-160-0x0000000007E40000-0x0000000007E5A000-memory.dmp

Filesize
104KB

Download
memory/4820-159-0x0000000007D30000-0x0000000007D3E000-memory.dmp

Filesize
56KB

Download
memory/4820-158-0x0000000007D80000-0x0000000007E16000-memory.dmp

Filesize
600KB

Download
memory/4820-157-0x0000000007B70000-0x0000000007B7A000-memory.dmp

Filesize
40KB

Download
memory/4820-140-0x0000000002EE0000-0x0000000002F16000-memory.dmp

Filesize
216KB

Download
memory/4820-151-0x00000000067F0000-0x000000000680E000-memory.dmp

Filesize
120KB

Download
memory/4820-152-0x0000000006DD0000-0x0000000006E02000-memory.dmp

Filesize
200KB

Download
memory/4820-153-0x0000000070AC0000-0x0000000070B0C000-memory.dmp

Filesize
304KB

Download
memory/4820-154-0x0000000006DB0000-0x0000000006DCE000-memory.dmp

Filesize
120KB

Download
memory/4820-155-0x0000000008150000-0x00000000087CA000-memory.dmp

Filesize
6.5MB

Download
memory/5048-133-0x0000000005B70000-0x0000000006114000-memory.dmp

Filesize
5.6MB

Download
memory/5048-134-0x0000000005660000-0x00000000056F2000-memory.dmp

Filesize
584KB

Download
memory/5048-135-0x0000000005640000-0x000000000564A000-memory.dmp

Filesize
40KB

Download
memory/5048-132-0x0000000000C10000-0x0000000000CBA000-memory.dmp

Filesize
680KB

Download
memory/5048-136-0x0000000009590000-0x000000000962C000-memory.dmp

Filesize
624KB

Download
memory/5048-137-0x0000000009630000-0x0000000009696000-memory.dmp

Filesize
408KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads