netwire | 09893a238f6a7dc6bcf685f566dd57f6a968b08d244e6e56e677a8070a4b595a

Analysis

max time kernel
136s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2022 08:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Invoice No.000733487303.js
Size

496KB
MD5

7b76b56837fad8241f10604c44de493f
SHA1

b8575dc549f905dd9fddecc254232914abaaffe2
SHA256

09893a238f6a7dc6bcf685f566dd57f6a968b08d244e6e56e677a8070a4b595a
SHA512

b37eed33098fb2c85b7cd1a14c77b2d77d8f34ed480f00e5491e0479798e46ec5f2de22b9299ff9c0882c0fc60e494e7dc9cb966562bc2af39c9d642a2b42c45
SSDEEP

12288:n19SpUzm9WbccaebiM2fQ/ihctOe0prNzhKWyKQSg9y:n1QB9BeIzgWyO

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

whiteking.giize.com:4040

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
DEGRACE
lock_executable
false
offline_keylogger
false
password
Password
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\netwireserver.exe	netwire
C:\Users\Admin\AppData\Roaming\netwireserver.exe	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 1 IoCs

Processes:

netwireserver.exe

pid process

4892 netwireserver.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

wscript.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation wscript.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
4892	netwireserver.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	wscript.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

wscript.exe

description	pid	process	target process
PID 2472 wrote to memory of 2828	2472	wscript.exe	wscript.exe
PID 2472 wrote to memory of 2828	2472	wscript.exe	wscript.exe
PID 2472 wrote to memory of 4892	2472	wscript.exe	netwireserver.exe
PID 2472 wrote to memory of 4892	2472	wscript.exe	netwireserver.exe
PID 2472 wrote to memory of 4892	2472	wscript.exe	netwireserver.exe

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Invoice No.000733487303.js"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2472

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\ExbOvJypFy.js"
2⤵
PID:2828

C:\Users\Admin\AppData\Roaming\netwireserver.exe
"C:\Users\Admin\AppData\Roaming\netwireserver.exe"
2⤵
- Executes dropped EXE
PID:4892

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ExbOvJypFy.js
Filesize
2KB

MD5
b77d47c39e0c9fe59cc7df2c14a87df2

SHA1
26e6ca612d84f38d1dbd5272d81c055f53d6997b

SHA256
149c4919415370e2026d9e27236da259ae8323b96b6137e40a09887407fe06c9

SHA512
024174fd2b4c5dbc14f639dc5504290ec69ad2a4c4abcae20f27b7e6a14ede82142a7b62048513def6bdd4b2cb8c3776b02e870c5d30df22fc7a12303db0a55f

Download Submit
C:\Users\Admin\AppData\Roaming\netwireserver.exe
Filesize
273KB

MD5
223b394e981299efbe848a1f9cba4703

SHA1
20f0c01df17630641aeb9d85410c98b5a77e06b1

SHA256
86d278bf55d25df08ce3b1c46513c6e38da84bf143a059bdbb53c91c564ae211

SHA512
fe2e25335de2a99ae203aeafb217578e86a4962d35dcd0500b538383a4a4621ce0eb9726d837d5a39d45f841486eaac29a8f28af88bbfd91382254dc09f366f0

Download Submit
C:\Users\Admin\AppData\Roaming\netwireserver.exe
Filesize
273KB

MD5
223b394e981299efbe848a1f9cba4703

SHA1
20f0c01df17630641aeb9d85410c98b5a77e06b1

SHA256
86d278bf55d25df08ce3b1c46513c6e38da84bf143a059bdbb53c91c564ae211

SHA512
fe2e25335de2a99ae203aeafb217578e86a4962d35dcd0500b538383a4a4621ce0eb9726d837d5a39d45f841486eaac29a8f28af88bbfd91382254dc09f366f0

Download Submit
memory/2828-132-0x0000000000000000-mapping.dmp

Download
memory/4892-134-0x0000000000000000-mapping.dmp

Download