netwire | bc7663c89073cebc93986a508b544590df0d10658fe349e8504490101fc7e5cd

Analysis

max time kernel
152s
max time network
39s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
11-10-2022 10:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe
Size

1.2MB
MD5

29b108e40acb05c3c9c2fa8c19b166e3
SHA1

892c676275a723822d2d47dc1a48defec8bde643
SHA256

4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5
SHA512

9cee10259615c90ea51710fd119dc9c8899b8bf4363513ecbc79aa3a69351c68625f5ca5e7c521d2346a54640358eb2deba0fd6db08a7ade5d2970304ad5beb2
SSDEEP

24576:peW/uHyRLqHJ/wAmDZtRauPvqz6WQ5YQ9kXRGjr:peW/uSRLeJ4AmDZtPPvqzs5Y+kXRG

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

37.0.14.206:3384

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
install_path
%AppData%\Install\Host.exe
lock_executable
false
offline_keylogger
false
password
Password234
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 7 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/840-66-0x0000000000400000-0x000000000044F000-memory.dmp	netwire
behavioral1/memory/840-68-0x0000000000400000-0x000000000044F000-memory.dmp	netwire
behavioral1/memory/840-69-0x0000000000400000-0x000000000044F000-memory.dmp	netwire
behavioral1/memory/840-71-0x0000000000400000-0x000000000044F000-memory.dmp	netwire
behavioral1/memory/840-72-0x000000000041AD7B-mapping.dmp	netwire
behavioral1/memory/840-75-0x0000000000400000-0x000000000044F000-memory.dmp	netwire
behavioral1/memory/840-80-0x0000000000400000-0x000000000044F000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

Host.exeHost.exe

pid process

968 Host.exe
972 Host.exe
Loads dropped DLL 1 IoCs

Processes:

4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe

pid process

840 4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe

pid	process
968	Host.exe
972	Host.exe

pid	process
840	4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe

description	pid	process	target process
PID 836 set thread context of 840	836	4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe	4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1080 schtasks.exe
1072 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exeHost.exe

pid process

836 4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe
968 Host.exe
968 Host.exe

pid	process
1080	schtasks.exe
1072	schtasks.exe

pid	process
836	4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe
968	Host.exe
968	Host.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exeHost.exe

description	pid	process
Token: SeDebugPrivilege	836	4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe
Token: SeDebugPrivilege	968	Host.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exeHost.exe

description	pid	process	target process
PID 836 wrote to memory of 1080	836	4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe	schtasks.exe
PID 836 wrote to memory of 1080	836	4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe	schtasks.exe
PID 836 wrote to memory of 1080	836	4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe	schtasks.exe
PID 836 wrote to memory of 1080	836	4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe	schtasks.exe
PID 836 wrote to memory of 840	836	4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe	4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe
PID 836 wrote to memory of 840	836	4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe	4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe
PID 836 wrote to memory of 840	836	4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe	4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe
PID 836 wrote to memory of 840	836	4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe	4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe
PID 836 wrote to memory of 840	836	4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe	4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe
PID 836 wrote to memory of 840	836	4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe	4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe
PID 836 wrote to memory of 840	836	4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe	4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe
PID 836 wrote to memory of 840	836	4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe	4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe
PID 836 wrote to memory of 840	836	4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe	4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe
PID 836 wrote to memory of 840	836	4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe	4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe
PID 836 wrote to memory of 840	836	4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe	4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe
PID 840 wrote to memory of 968	840	4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe	Host.exe
PID 840 wrote to memory of 968	840	4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe	Host.exe
PID 840 wrote to memory of 968	840	4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe	Host.exe
PID 840 wrote to memory of 968	840	4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe	Host.exe
PID 968 wrote to memory of 1072	968	Host.exe	schtasks.exe
PID 968 wrote to memory of 1072	968	Host.exe	schtasks.exe
PID 968 wrote to memory of 1072	968	Host.exe	schtasks.exe
PID 968 wrote to memory of 1072	968	Host.exe	schtasks.exe
PID 968 wrote to memory of 972	968	Host.exe	Host.exe
PID 968 wrote to memory of 972	968	Host.exe	Host.exe
PID 968 wrote to memory of 972	968	Host.exe	Host.exe
PID 968 wrote to memory of 972	968	Host.exe	Host.exe
PID 968 wrote to memory of 1176	968	Host.exe	Host.exe
PID 968 wrote to memory of 1176	968	Host.exe	Host.exe
PID 968 wrote to memory of 1176	968	Host.exe	Host.exe
PID 968 wrote to memory of 1176	968	Host.exe	Host.exe
PID 968 wrote to memory of 284	968	Host.exe	Host.exe
PID 968 wrote to memory of 284	968	Host.exe	Host.exe

C:\Users\Admin\AppData\Local\Temp\4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe
"C:\Users\Admin\AppData\Local\Temp\4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:836

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NSopOOoiUVq" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE457.tmp"
2⤵
- Creates scheduled task(s)
PID:1080

C:\Users\Admin\AppData\Local\Temp\4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe
"{path}"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:840

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:968

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NSopOOoiUVq" /XML "C:\Users\Admin\AppData\Local\Temp\tmp91E4.tmp"
4⤵
- Creates scheduled task(s)
PID:1072

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"{path}"
4⤵
- Executes dropped EXE
PID:972

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"{path}"
4⤵
PID:1176

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"{path}"
4⤵
PID:284

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"{path}"
4⤵
PID:856

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"{path}"
4⤵
PID:1448

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp91E4.tmp
Filesize
1KB

MD5
072be49a24fe03fad7cb846e165bb119

SHA1
4db457998d3ab36a96a08841baf93d5773d5eb10

SHA256
3fcce62a3d06b9689487760717cfba7a047fd386d56528bbeba87116489d633c

SHA512
7f831d85ab346b91822726056e8705a532c5bc23d523757e470345382969cd3ed8209b595475c6f4eab33bd10bb9180367b3cde0df4bb38a0e53ab28b53a98bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE457.tmp
Filesize
1KB

MD5
072be49a24fe03fad7cb846e165bb119

SHA1
4db457998d3ab36a96a08841baf93d5773d5eb10

SHA256
3fcce62a3d06b9689487760717cfba7a047fd386d56528bbeba87116489d633c

SHA512
7f831d85ab346b91822726056e8705a532c5bc23d523757e470345382969cd3ed8209b595475c6f4eab33bd10bb9180367b3cde0df4bb38a0e53ab28b53a98bc

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
1.2MB

MD5
29b108e40acb05c3c9c2fa8c19b166e3

SHA1
892c676275a723822d2d47dc1a48defec8bde643

SHA256
4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5

SHA512
9cee10259615c90ea51710fd119dc9c8899b8bf4363513ecbc79aa3a69351c68625f5ca5e7c521d2346a54640358eb2deba0fd6db08a7ade5d2970304ad5beb2

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
1.2MB

MD5
29b108e40acb05c3c9c2fa8c19b166e3

SHA1
892c676275a723822d2d47dc1a48defec8bde643

SHA256
4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5

SHA512
9cee10259615c90ea51710fd119dc9c8899b8bf4363513ecbc79aa3a69351c68625f5ca5e7c521d2346a54640358eb2deba0fd6db08a7ade5d2970304ad5beb2

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
640KB

MD5
155156e49bd71f7381249aa1a8517c6f

SHA1
19df742d190a93b47ca81deb7dfc1e8017c25b7f

SHA256
c08ddfb296e344c43469357074bb6d7b51a7c305810c4bc3ce559efce9ce457d

SHA512
e42cbbe246522f9b68bda644ac304438d9c9f3e2e8d99c328f20b3860d0524a30f53916e73b3e5ae70141f4e27eb125bf7b0185b234555ce21b8fb29edc15baa

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
64KB

MD5
7ebbeb1f5d1bcb0e52080aef06ae12c9

SHA1
bc9635a60bebe8aac6e3cb640068358680e6d05c

SHA256
edabe47c3c2fe87cca69e57e6cd829f25e2a57fba092ff6ce208e398feeb63a0

SHA512
47e53217974ece240df148bfb699909fe91e44393cd230e5e5237ecd725b26071ac4a1be26179311bd89aa58c221381de8c005c695c9b577ea60f7838db6a64c

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
576KB

MD5
51fcc1b410c4d964daf733c0a3f843da

SHA1
c3db1ff0791515d43cc0970ece595f48cc6555a2

SHA256
9c3d95ebcaa559b26707cb5ad979062f7e356793ee99de6a58091639723deace

SHA512
f6f7a9941e43c5a0a2c4c66c37d5fa26a9c615d70440a23f89a8a06ca0c6982164b0565a43ee82fc57318135916e515e29f7104135dbd3773d77ce513d315ebd

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
539KB

MD5
d9519a76e1ef86e00b116ea263f47921

SHA1
b6dba3fa5cf499addf3843599fd316e216583adc

SHA256
459b958a8ad43345278a5ab940e18e42c286eea9f551821b430a993ea07bf173

SHA512
3507c45c9fe807796dcf5cf51bf5287116d1fba8f289129bd164ab3b1ac288794a3bf4dfcc1c591a957671424d7cb4fd0afae920b03049602e8222c9a7601a0e

Download Submit
\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
1.2MB

MD5
29b108e40acb05c3c9c2fa8c19b166e3

SHA1
892c676275a723822d2d47dc1a48defec8bde643

SHA256
4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5

SHA512
9cee10259615c90ea51710fd119dc9c8899b8bf4363513ecbc79aa3a69351c68625f5ca5e7c521d2346a54640358eb2deba0fd6db08a7ade5d2970304ad5beb2

Download Submit
memory/836-58-0x0000000004960000-0x00000000049EC000-memory.dmp

Filesize
560KB

Download
memory/836-54-0x0000000000AB0000-0x0000000000BDE000-memory.dmp

Filesize
1.2MB

Download
memory/836-57-0x00000000050D0000-0x00000000051A6000-memory.dmp

Filesize
856KB

Download
memory/836-56-0x0000000000530000-0x0000000000550000-memory.dmp

Filesize
128KB

Download
memory/836-55-0x0000000075AD1000-0x0000000075AD3000-memory.dmp

Filesize
8KB

Download
memory/840-72-0x000000000041AD7B-mapping.dmp

Download
memory/840-64-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/840-71-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/840-61-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/840-69-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/840-80-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/840-68-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/840-62-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/840-75-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/840-66-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/968-81-0x0000000000390000-0x00000000004BE000-memory.dmp

Filesize
1.2MB

Download
memory/968-77-0x0000000000000000-mapping.dmp

Download
memory/1072-83-0x0000000000000000-mapping.dmp

Download
memory/1080-59-0x0000000000000000-mapping.dmp

Download