netwire | bd4754619fc5e08c904356423971e633248aaeed941bcbe924764624a1675181

Analysis

max time kernel
106s
max time network
58s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
01-10-2022 18:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bd4754619fc5e08c904356423971e633248aaeed941bcbe924764624a1675181.exe
Size

183KB
MD5

7600056accafb4281250bfed98f0630d
SHA1

f61bd219039db28797f8ad62674b029442b7f889
SHA256

bd4754619fc5e08c904356423971e633248aaeed941bcbe924764624a1675181
SHA512

2949a540608b904d909cb8e4a873c3322dbab9a34dbb442c149f05da591ba54b7f2af50620d817560b110b9d1ebd9a6e772a9c70408903cf8e8ade3d35a4cdf0
SSDEEP

3072:bAsj8MBX8s0oXJT45CcDj9XLYjqwYPTIbLGAw5d8LEUYWNHQ+k0m8hPf8kO/92:bAsBZJ1Up78YrImAwQLFZ6+k0m81fv

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Signatures

NetWire RAT payload 7 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1904-62-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/1904-64-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/1904-65-0x00000000004021DA-mapping.dmp	netwire
behavioral1/memory/1904-68-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/1904-71-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/1700-91-0x00000000004021DA-mapping.dmp	netwire
behavioral1/memory/1700-96-0x0000000000400000-0x000000000041E000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

Ctfmon.exeCtfmon.exe

pid process

2024 Ctfmon.exe
1700 Ctfmon.exe

pid	process
2024	Ctfmon.exe
1700	Ctfmon.exe

Loads dropped DLL 5 IoCs

Processes:

bd4754619fc5e08c904356423971e633248aaeed941bcbe924764624a1675181.exebd4754619fc5e08c904356423971e633248aaeed941bcbe924764624a1675181.exeCtfmon.exe

pid	process
768	bd4754619fc5e08c904356423971e633248aaeed941bcbe924764624a1675181.exe
768	bd4754619fc5e08c904356423971e633248aaeed941bcbe924764624a1675181.exe
1904	bd4754619fc5e08c904356423971e633248aaeed941bcbe924764624a1675181.exe
2024	Ctfmon.exe
2024	Ctfmon.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Ctfmon.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	Ctfmon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ctfmon = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\System32\\Ctfmon.exe"	Ctfmon.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

bd4754619fc5e08c904356423971e633248aaeed941bcbe924764624a1675181.exeCtfmon.exe

description	pid	process	target process
PID 768 set thread context of 1904	768	bd4754619fc5e08c904356423971e633248aaeed941bcbe924764624a1675181.exe	bd4754619fc5e08c904356423971e633248aaeed941bcbe924764624a1675181.exe
PID 2024 set thread context of 1700	2024	Ctfmon.exe	Ctfmon.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 8 IoCs

installer

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\Microsoft\Windows\System32\Ctfmon.exe	nsis_installer_1
\Users\Admin\AppData\Roaming\Microsoft\Windows\System32\Ctfmon.exe	nsis_installer_2
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\System32\Ctfmon.exe	nsis_installer_1
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\System32\Ctfmon.exe	nsis_installer_2
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\System32\Ctfmon.exe	nsis_installer_1
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\System32\Ctfmon.exe	nsis_installer_2
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\System32\Ctfmon.exe	nsis_installer_1
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\System32\Ctfmon.exe	nsis_installer_2

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

bd4754619fc5e08c904356423971e633248aaeed941bcbe924764624a1675181.exebd4754619fc5e08c904356423971e633248aaeed941bcbe924764624a1675181.exeCtfmon.exe

description	pid	process	target process
PID 768 wrote to memory of 1904	768	bd4754619fc5e08c904356423971e633248aaeed941bcbe924764624a1675181.exe	bd4754619fc5e08c904356423971e633248aaeed941bcbe924764624a1675181.exe
PID 768 wrote to memory of 1904	768	bd4754619fc5e08c904356423971e633248aaeed941bcbe924764624a1675181.exe	bd4754619fc5e08c904356423971e633248aaeed941bcbe924764624a1675181.exe
PID 768 wrote to memory of 1904	768	bd4754619fc5e08c904356423971e633248aaeed941bcbe924764624a1675181.exe	bd4754619fc5e08c904356423971e633248aaeed941bcbe924764624a1675181.exe
PID 768 wrote to memory of 1904	768	bd4754619fc5e08c904356423971e633248aaeed941bcbe924764624a1675181.exe	bd4754619fc5e08c904356423971e633248aaeed941bcbe924764624a1675181.exe
PID 768 wrote to memory of 1904	768	bd4754619fc5e08c904356423971e633248aaeed941bcbe924764624a1675181.exe	bd4754619fc5e08c904356423971e633248aaeed941bcbe924764624a1675181.exe
PID 768 wrote to memory of 1904	768	bd4754619fc5e08c904356423971e633248aaeed941bcbe924764624a1675181.exe	bd4754619fc5e08c904356423971e633248aaeed941bcbe924764624a1675181.exe
PID 768 wrote to memory of 1904	768	bd4754619fc5e08c904356423971e633248aaeed941bcbe924764624a1675181.exe	bd4754619fc5e08c904356423971e633248aaeed941bcbe924764624a1675181.exe
PID 768 wrote to memory of 1904	768	bd4754619fc5e08c904356423971e633248aaeed941bcbe924764624a1675181.exe	bd4754619fc5e08c904356423971e633248aaeed941bcbe924764624a1675181.exe
PID 768 wrote to memory of 1904	768	bd4754619fc5e08c904356423971e633248aaeed941bcbe924764624a1675181.exe	bd4754619fc5e08c904356423971e633248aaeed941bcbe924764624a1675181.exe
PID 1904 wrote to memory of 2024	1904	bd4754619fc5e08c904356423971e633248aaeed941bcbe924764624a1675181.exe	Ctfmon.exe
PID 1904 wrote to memory of 2024	1904	bd4754619fc5e08c904356423971e633248aaeed941bcbe924764624a1675181.exe	Ctfmon.exe
PID 1904 wrote to memory of 2024	1904	bd4754619fc5e08c904356423971e633248aaeed941bcbe924764624a1675181.exe	Ctfmon.exe
PID 1904 wrote to memory of 2024	1904	bd4754619fc5e08c904356423971e633248aaeed941bcbe924764624a1675181.exe	Ctfmon.exe
PID 2024 wrote to memory of 1700	2024	Ctfmon.exe	Ctfmon.exe
PID 2024 wrote to memory of 1700	2024	Ctfmon.exe	Ctfmon.exe
PID 2024 wrote to memory of 1700	2024	Ctfmon.exe	Ctfmon.exe
PID 2024 wrote to memory of 1700	2024	Ctfmon.exe	Ctfmon.exe
PID 2024 wrote to memory of 1700	2024	Ctfmon.exe	Ctfmon.exe
PID 2024 wrote to memory of 1700	2024	Ctfmon.exe	Ctfmon.exe
PID 2024 wrote to memory of 1700	2024	Ctfmon.exe	Ctfmon.exe
PID 2024 wrote to memory of 1700	2024	Ctfmon.exe	Ctfmon.exe
PID 2024 wrote to memory of 1700	2024	Ctfmon.exe	Ctfmon.exe

C:\Users\Admin\AppData\Local\Temp\bd4754619fc5e08c904356423971e633248aaeed941bcbe924764624a1675181.exe
"C:\Users\Admin\AppData\Local\Temp\bd4754619fc5e08c904356423971e633248aaeed941bcbe924764624a1675181.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:768

C:\Users\Admin\AppData\Local\Temp\bd4754619fc5e08c904356423971e633248aaeed941bcbe924764624a1675181.exe
"C:\Users\Admin\AppData\Local\Temp\bd4754619fc5e08c904356423971e633248aaeed941bcbe924764624a1675181.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1904

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\System32\Ctfmon.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\System32\Ctfmon.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2024

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\System32\Ctfmon.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\System32\Ctfmon.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1700

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\27_IE6.png

Filesize
4KB

MD5
c6c90363290469c10c1139a1360659f0

SHA1
c54ebd2d9347099253d37db35d8cf2a10172b697

SHA256
b64fa23e5a4fe0f96f8083ddb658e6dc6a5288721dd93765f0c03bebbcb3baf5

SHA512
60638dc657655cec337dc7a90446e873b96513b602871914a3fa44cee0c00c8fd4bd6e9988c999450dc9eb4fb3f45663e88ccb4c5dd5402883d233c1f5bcd2bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\74_407845.png

Filesize
3KB

MD5
a0d1600d798ace6dd4103104dd7c80ef

SHA1
29491c40fe407ac5047ee0a0e589166b523fd7e7

SHA256
eb22e5d73a4f915df1e51bb64b604322d60f201d7e89e3dc58032e0734f975a1

SHA512
c946fe7c5bd8430e7e68e426b4a3edceace4fea6e99a93c5734a6660d350fc04f07c25966b096ee8677548829f45c36d36556a80ddc6e903b9076b555e19c9f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Claudine

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\busts.dll

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\havgybdhajk81ygouia

Filesize
476B

MD5
66e71f78e63f639e4a3809b7df07af21

SHA1
53642d0894ff7db0aa4a76f97f8757ca8a5babce

SHA256
115bf31cd54d63ce70f64336b0e8987367fa72fe060caba9446a2c0cdae35655

SHA512
e2069a3faa685ab60e6630f919e1eda777396c370cc1ab06b24a63a379bb45720abcdfa7d918efbe93848eb5a49f52181d04227396c2916b94beca38e0ab1fbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\txt_demos.gif

Filesize
186B

MD5
b2f84bf2c8edb65e1b45f7f22b2e58a4

SHA1
52cd124b613bf29302c3ade38b0b45c53e09e31a

SHA256
7e5738d0f82f9408f93d79c7ff98e1fb5e1ffe0bf21476311c96045829fa9aa5

SHA512
05c03052e1ba19c4fbfb2f195217b0f79c126e953946a3c44222aff2b3e9fe3fb268adba2d17359013fff4b38780cffc30763f6910b84be3245f7bdb1762814b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\System32\Ctfmon.exe

Filesize
183KB

MD5
7600056accafb4281250bfed98f0630d

SHA1
f61bd219039db28797f8ad62674b029442b7f889

SHA256
bd4754619fc5e08c904356423971e633248aaeed941bcbe924764624a1675181

SHA512
2949a540608b904d909cb8e4a873c3322dbab9a34dbb442c149f05da591ba54b7f2af50620d817560b110b9d1ebd9a6e772a9c70408903cf8e8ade3d35a4cdf0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\System32\Ctfmon.exe

Filesize
183KB

MD5
7600056accafb4281250bfed98f0630d

SHA1
f61bd219039db28797f8ad62674b029442b7f889

SHA256
bd4754619fc5e08c904356423971e633248aaeed941bcbe924764624a1675181

SHA512
2949a540608b904d909cb8e4a873c3322dbab9a34dbb442c149f05da591ba54b7f2af50620d817560b110b9d1ebd9a6e772a9c70408903cf8e8ade3d35a4cdf0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\System32\Ctfmon.exe

Filesize
183KB

MD5
7600056accafb4281250bfed98f0630d

SHA1
f61bd219039db28797f8ad62674b029442b7f889

SHA256
bd4754619fc5e08c904356423971e633248aaeed941bcbe924764624a1675181

SHA512
2949a540608b904d909cb8e4a873c3322dbab9a34dbb442c149f05da591ba54b7f2af50620d817560b110b9d1ebd9a6e772a9c70408903cf8e8ade3d35a4cdf0

Download Submit
\Users\Admin\AppData\Local\Temp\busts.dll

Filesize
185KB

MD5
24f301e43e381bef32d5212094935705

SHA1
2a097039a799510e01a296101827b964b1dbc4d9

SHA256
4497a8ce2c9aad7b6b0078e526f0e799d6bc225f6e7efa6244efa65cce070c72

SHA512
95e6f0658e45c8f670df22c156b715186abee8423f5097461bac18863fda7468b26aedfd3b9918380bd24715402234db40cabd6ded2c6bfbe4eb2148a8fb0db6

Download Submit
\Users\Admin\AppData\Local\Temp\busts.dll

Filesize
185KB

MD5
24f301e43e381bef32d5212094935705

SHA1
2a097039a799510e01a296101827b964b1dbc4d9

SHA256
4497a8ce2c9aad7b6b0078e526f0e799d6bc225f6e7efa6244efa65cce070c72

SHA512
95e6f0658e45c8f670df22c156b715186abee8423f5097461bac18863fda7468b26aedfd3b9918380bd24715402234db40cabd6ded2c6bfbe4eb2148a8fb0db6

Download Submit
\Users\Admin\AppData\Local\Temp\nse9C71.tmp\System.dll

Filesize
11KB

MD5
883eff06ac96966270731e4e22817e11

SHA1
523c87c98236cbc04430e87ec19b977595092ac8

SHA256
44e5dfd551b38e886214bd6b9c8ee913c4c4d1f085a6575d97c3e892b925da82

SHA512
60333253342476911c84bbc1d9bf8a29f811207787fdd6107dce8d2b6e031669303f28133ffc811971ed7792087fe90fb1faabc0af4e91c298ba51e28109a390

Download Submit
\Users\Admin\AppData\Local\Temp\nsy11EE.tmp\System.dll

Filesize
11KB

MD5
883eff06ac96966270731e4e22817e11

SHA1
523c87c98236cbc04430e87ec19b977595092ac8

SHA256
44e5dfd551b38e886214bd6b9c8ee913c4c4d1f085a6575d97c3e892b925da82

SHA512
60333253342476911c84bbc1d9bf8a29f811207787fdd6107dce8d2b6e031669303f28133ffc811971ed7792087fe90fb1faabc0af4e91c298ba51e28109a390

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\System32\Ctfmon.exe

Filesize
183KB

MD5
7600056accafb4281250bfed98f0630d

SHA1
f61bd219039db28797f8ad62674b029442b7f889

SHA256
bd4754619fc5e08c904356423971e633248aaeed941bcbe924764624a1675181

SHA512
2949a540608b904d909cb8e4a873c3322dbab9a34dbb442c149f05da591ba54b7f2af50620d817560b110b9d1ebd9a6e772a9c70408903cf8e8ade3d35a4cdf0

Download Submit
memory/768-54-0x0000000076871000-0x0000000076873000-memory.dmp

Filesize
8KB

Download
memory/1700-91-0x00000000004021DA-mapping.dmp

Download
memory/1700-96-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1904-62-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1904-71-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1904-68-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1904-65-0x00000000004021DA-mapping.dmp

Download
memory/1904-64-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1904-60-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1904-58-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1904-57-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2024-70-0x0000000000000000-mapping.dmp

Download