netwire | bf6a763be37b940d0ab0ca6d8d5cbba15366861f36acf4e98e4249f92f445e39

General

Target

bf6a763be37b940d0ab0ca6d8d5cbba15366861f36acf4e98e4249f92f445e39.exe
Size

194KB
MD5

668d157ae4a5f12573f9711d5c545c20
SHA1

ad7ff5f2fdb495a21c13656bb6ab8269b37b580e
SHA256

bf6a763be37b940d0ab0ca6d8d5cbba15366861f36acf4e98e4249f92f445e39
SHA512

245cd610ec06f30662b7be887f86b4b75f9c2947240837b7699df1a58301f4d2c6a1c2dbfea30a5df629f48a2eb11445bf0a638e4ad8a603069a8949a7f9735b
SSDEEP

3072:JjQONxHpxhA2H/hegAuhIR/M5eWsJzayw8zcXyNYCQk2eDwXJQ6p:ScHm2Y0hPeWKzayFzvCCvzSJQ

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\csc.exe"	reg.exe

NetWire RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4456-135-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral2/memory/4456-137-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral2/memory/4456-138-0x0000000000400000-0x000000000041E000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

bf6a763be37b940d0ab0ca6d8d5cbba15366861f36acf4e98e4249f92f445e39.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	bf6a763be37b940d0ab0ca6d8d5cbba15366861f36acf4e98e4249f92f445e39.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

bf6a763be37b940d0ab0ca6d8d5cbba15366861f36acf4e98e4249f92f445e39.exe

description	pid	process	target process
PID 4572 set thread context of 4456	4572	bf6a763be37b940d0ab0ca6d8d5cbba15366861f36acf4e98e4249f92f445e39.exe	cvtres.exe

Drops file in Windows directory 2 IoCs

Processes:

cvtres.exe

description	ioc	process
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\.Identifier	cvtres.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\.Identifier	cvtres.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

bf6a763be37b940d0ab0ca6d8d5cbba15366861f36acf4e98e4249f92f445e39.execmd.exe

description	pid	process	target process
PID 4572 wrote to memory of 4456	4572	bf6a763be37b940d0ab0ca6d8d5cbba15366861f36acf4e98e4249f92f445e39.exe	cvtres.exe
PID 4572 wrote to memory of 4456	4572	bf6a763be37b940d0ab0ca6d8d5cbba15366861f36acf4e98e4249f92f445e39.exe	cvtres.exe
PID 4572 wrote to memory of 4456	4572	bf6a763be37b940d0ab0ca6d8d5cbba15366861f36acf4e98e4249f92f445e39.exe	cvtres.exe
PID 4572 wrote to memory of 4456	4572	bf6a763be37b940d0ab0ca6d8d5cbba15366861f36acf4e98e4249f92f445e39.exe	cvtres.exe
PID 4572 wrote to memory of 4456	4572	bf6a763be37b940d0ab0ca6d8d5cbba15366861f36acf4e98e4249f92f445e39.exe	cvtres.exe
PID 4572 wrote to memory of 4456	4572	bf6a763be37b940d0ab0ca6d8d5cbba15366861f36acf4e98e4249f92f445e39.exe	cvtres.exe
PID 4572 wrote to memory of 4456	4572	bf6a763be37b940d0ab0ca6d8d5cbba15366861f36acf4e98e4249f92f445e39.exe	cvtres.exe
PID 4572 wrote to memory of 4456	4572	bf6a763be37b940d0ab0ca6d8d5cbba15366861f36acf4e98e4249f92f445e39.exe	cvtres.exe
PID 4572 wrote to memory of 4456	4572	bf6a763be37b940d0ab0ca6d8d5cbba15366861f36acf4e98e4249f92f445e39.exe	cvtres.exe
PID 4572 wrote to memory of 3024	4572	bf6a763be37b940d0ab0ca6d8d5cbba15366861f36acf4e98e4249f92f445e39.exe	cmd.exe
PID 4572 wrote to memory of 3024	4572	bf6a763be37b940d0ab0ca6d8d5cbba15366861f36acf4e98e4249f92f445e39.exe	cmd.exe
PID 4572 wrote to memory of 3024	4572	bf6a763be37b940d0ab0ca6d8d5cbba15366861f36acf4e98e4249f92f445e39.exe	cmd.exe
PID 3024 wrote to memory of 788	3024	cmd.exe	reg.exe
PID 3024 wrote to memory of 788	3024	cmd.exe	reg.exe
PID 3024 wrote to memory of 788	3024	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\bf6a763be37b940d0ab0ca6d8d5cbba15366861f36acf4e98e4249f92f445e39.exe
"C:\Users\Admin\AppData\Local\Temp\bf6a763be37b940d0ab0ca6d8d5cbba15366861f36acf4e98e4249f92f445e39.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4572

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
2⤵
- Drops file in Windows directory
PID:4456

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d explorer.exe,"C:\Users\Admin\AppData\Local\Temp\csc.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3024

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d explorer.exe,"C:\Users\Admin\AppData\Local\Temp\csc.exe"
3⤵
- Modifies WinLogon for persistence
PID:788

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/788-140-0x0000000000000000-mapping.dmp

Download
memory/3024-139-0x0000000000000000-mapping.dmp

Download
memory/4456-134-0x0000000000000000-mapping.dmp

Download
memory/4456-135-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4456-137-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4456-138-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4572-132-0x0000000075440000-0x00000000759F1000-memory.dmp

Filesize
5.7MB

Download
memory/4572-133-0x0000000075440000-0x00000000759F1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads