netwire | bc7663c89073cebc93986a508b544590df0d10658fe349e8504490101fc7e5cd

General

Target

4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe
Size

1.2MB
MD5

29b108e40acb05c3c9c2fa8c19b166e3
SHA1

892c676275a723822d2d47dc1a48defec8bde643
SHA256

4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5
SHA512

9cee10259615c90ea51710fd119dc9c8899b8bf4363513ecbc79aa3a69351c68625f5ca5e7c521d2346a54640358eb2deba0fd6db08a7ade5d2970304ad5beb2
SSDEEP

24576:peW/uHyRLqHJ/wAmDZtRauPvqz6WQ5YQ9kXRGjr:peW/uSRLeJ4AmDZtPPvqzs5Y+kXRG

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

C2

37.0.14.206:3384

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
install_path
%AppData%\Install\Host.exe
lock_executable
false
offline_keylogger
false
password
Password234
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3572-141-0x0000000000400000-0x000000000044F000-memory.dmp	netwire
behavioral2/memory/3572-142-0x0000000000400000-0x000000000044F000-memory.dmp	netwire
behavioral2/memory/3572-143-0x0000000000400000-0x000000000044F000-memory.dmp	netwire
behavioral2/memory/3572-147-0x0000000000400000-0x000000000044F000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 1 IoCs

Processes:

Host.exe

pid process

1220 Host.exe

pid	process
1220	Host.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe

description	pid	process	target process
PID 4372 set thread context of 3572	4372	4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe	4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3508 schtasks.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe

pid process

4372 4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe

description pid process

Token: SeDebugPrivilege 4372 4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe

pid	process
3508	schtasks.exe

pid	process
4372	4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe

description	pid	process
Token: SeDebugPrivilege	4372	4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe

C:\Users\Admin\AppData\Local\Temp\4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe
"C:\Users\Admin\AppData\Local\Temp\4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4372

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NSopOOoiUVq" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD10B.tmp"
2⤵
- Creates scheduled task(s)
PID:3508

C:\Users\Admin\AppData\Local\Temp\4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe
"{path}"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3572

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
3⤵
- Executes dropped EXE
PID:1220

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpD10B.tmp
Filesize
1KB

MD5
9e980e8c6a427a5d1ba45ee3c804fb48

SHA1
5c9141846d267f61fa9e64d4608267bebf86097b

SHA256
450f7ce105773705eab23b5d37485b3e8ff0b67619c775b0c4ccf480d48fc3d1

SHA512
f8ab6da73ba8b7a6d7e40597123c03b59daf8a679bcc194a4d38efd971ca891fab1928bb9c98fc410a5aa5ca6138b6be9cec6129bb19e42934b9d3e5cabc351a

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
1.2MB

MD5
29b108e40acb05c3c9c2fa8c19b166e3

SHA1
892c676275a723822d2d47dc1a48defec8bde643

SHA256
4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5

SHA512
9cee10259615c90ea51710fd119dc9c8899b8bf4363513ecbc79aa3a69351c68625f5ca5e7c521d2346a54640358eb2deba0fd6db08a7ade5d2970304ad5beb2

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
1.2MB

MD5
29b108e40acb05c3c9c2fa8c19b166e3

SHA1
892c676275a723822d2d47dc1a48defec8bde643

SHA256
4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5

SHA512
9cee10259615c90ea51710fd119dc9c8899b8bf4363513ecbc79aa3a69351c68625f5ca5e7c521d2346a54640358eb2deba0fd6db08a7ade5d2970304ad5beb2

Download Submit
memory/1220-144-0x0000000000000000-mapping.dmp

Download
memory/3508-138-0x0000000000000000-mapping.dmp

Download
memory/3572-140-0x0000000000000000-mapping.dmp

Download
memory/3572-141-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/3572-142-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/3572-143-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/3572-147-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4372-137-0x0000000005100000-0x0000000005156000-memory.dmp

Filesize
344KB

Download
memory/4372-136-0x0000000004E40000-0x0000000004E4A000-memory.dmp

Filesize
40KB

Download
memory/4372-132-0x00000000002D0000-0x00000000003FE000-memory.dmp

Filesize
1.2MB

Download
memory/4372-135-0x0000000004EB0000-0x0000000004F42000-memory.dmp

Filesize
584KB

Download
memory/4372-134-0x00000000053C0000-0x0000000005964000-memory.dmp

Filesize
5.6MB

Download
memory/4372-133-0x0000000004D70000-0x0000000004E0C000-memory.dmp

Filesize
624KB

Download

description	pid	process	target process
PID 4372 wrote to memory of 3508	4372	4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe	schtasks.exe
PID 4372 wrote to memory of 3508	4372	4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe	schtasks.exe
PID 4372 wrote to memory of 3508	4372	4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe	schtasks.exe
PID 4372 wrote to memory of 3572	4372	4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe	4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe
PID 4372 wrote to memory of 3572	4372	4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe	4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe
PID 4372 wrote to memory of 3572	4372	4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe	4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe
PID 4372 wrote to memory of 3572	4372	4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe	4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe
PID 4372 wrote to memory of 3572	4372	4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe	4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe
PID 4372 wrote to memory of 3572	4372	4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe	4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe
PID 4372 wrote to memory of 3572	4372	4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe	4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe
PID 4372 wrote to memory of 3572	4372	4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe	4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe
PID 4372 wrote to memory of 3572	4372	4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe	4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe
PID 4372 wrote to memory of 3572	4372	4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe	4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe
PID 3572 wrote to memory of 1220	3572	4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe	Host.exe
PID 3572 wrote to memory of 1220	3572	4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe	Host.exe
PID 3572 wrote to memory of 1220	3572	4fa7679f4f0241ed1e5d63fbae526ff506dd45c350badb0cbb02f7aca61e0ad5.exe	Host.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads