netwire | a6578231df36154107b54eb95b8db6b1f3e2d6477b163eda527bf8a5c57a9bab

Analysis

max time kernel
123s
max time network
124s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
12-10-2022 08:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a6578231df36154107b54eb95b8db6b1f3e2d6477b163eda527bf8a5c57a9bab.exe
Size

850KB
MD5

aef8d5e34f59619e683cef00565d370d
SHA1

575ecec60ed88bd83e53ea4f42cc0e5c301635f6
SHA256

a6578231df36154107b54eb95b8db6b1f3e2d6477b163eda527bf8a5c57a9bab
SHA512

102478813cc56d174d57c730a5c8279a1950191d21528bb21c0da914b9154daa87fb1c30003baf3f051cab1bc9e528106be19a310bb133debadc5ab70b16d76b
SSDEEP

12288:AIbZLA7wcpdbdbdbdbduM2M29kVnCcDS3e/jMeQ695FADfphnulDX+bZuS04TXdg:LZHKBBBBf2O0OmLxhYr8GmC

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

37.0.14.206:3384

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
install_path
%AppData%\Install\Host.exe
lock_executable
false
offline_keylogger
false
password
Password234
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/4608-217-0x000000000041AD7B-mapping.dmp	netwire
behavioral1/memory/4608-270-0x0000000000400000-0x000000000044F000-memory.dmp	netwire
behavioral1/memory/1420-359-0x000000000041AD7B-mapping.dmp	netwire
behavioral1/memory/1420-398-0x0000000000400000-0x000000000044F000-memory.dmp	netwire
behavioral1/memory/1420-412-0x0000000000400000-0x000000000044F000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

Host.exeHost.exe

pid process

4828 Host.exe
1420 Host.exe

pid	process
4828	Host.exe
1420	Host.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

a6578231df36154107b54eb95b8db6b1f3e2d6477b163eda527bf8a5c57a9bab.exeHost.exe

description	pid	process	target process
PID 2180 set thread context of 4608	2180	a6578231df36154107b54eb95b8db6b1f3e2d6477b163eda527bf8a5c57a9bab.exe	a6578231df36154107b54eb95b8db6b1f3e2d6477b163eda527bf8a5c57a9bab.exe
PID 4828 set thread context of 1420	4828	Host.exe	Host.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3988 schtasks.exe
4636 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

a6578231df36154107b54eb95b8db6b1f3e2d6477b163eda527bf8a5c57a9bab.exeHost.exe

pid process

2180 a6578231df36154107b54eb95b8db6b1f3e2d6477b163eda527bf8a5c57a9bab.exe
4828 Host.exe

pid	process
3988	schtasks.exe
4636	schtasks.exe

pid	process
2180	a6578231df36154107b54eb95b8db6b1f3e2d6477b163eda527bf8a5c57a9bab.exe
4828	Host.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

a6578231df36154107b54eb95b8db6b1f3e2d6477b163eda527bf8a5c57a9bab.exeHost.exe

description	pid	process
Token: SeDebugPrivilege	2180	a6578231df36154107b54eb95b8db6b1f3e2d6477b163eda527bf8a5c57a9bab.exe
Token: SeDebugPrivilege	4828	Host.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

a6578231df36154107b54eb95b8db6b1f3e2d6477b163eda527bf8a5c57a9bab.exea6578231df36154107b54eb95b8db6b1f3e2d6477b163eda527bf8a5c57a9bab.exeHost.exe

description	pid	process	target process
PID 2180 wrote to memory of 3988	2180	a6578231df36154107b54eb95b8db6b1f3e2d6477b163eda527bf8a5c57a9bab.exe	schtasks.exe
PID 2180 wrote to memory of 3988	2180	a6578231df36154107b54eb95b8db6b1f3e2d6477b163eda527bf8a5c57a9bab.exe	schtasks.exe
PID 2180 wrote to memory of 3988	2180	a6578231df36154107b54eb95b8db6b1f3e2d6477b163eda527bf8a5c57a9bab.exe	schtasks.exe
PID 2180 wrote to memory of 4608	2180	a6578231df36154107b54eb95b8db6b1f3e2d6477b163eda527bf8a5c57a9bab.exe	a6578231df36154107b54eb95b8db6b1f3e2d6477b163eda527bf8a5c57a9bab.exe
PID 2180 wrote to memory of 4608	2180	a6578231df36154107b54eb95b8db6b1f3e2d6477b163eda527bf8a5c57a9bab.exe	a6578231df36154107b54eb95b8db6b1f3e2d6477b163eda527bf8a5c57a9bab.exe
PID 2180 wrote to memory of 4608	2180	a6578231df36154107b54eb95b8db6b1f3e2d6477b163eda527bf8a5c57a9bab.exe	a6578231df36154107b54eb95b8db6b1f3e2d6477b163eda527bf8a5c57a9bab.exe
PID 2180 wrote to memory of 4608	2180	a6578231df36154107b54eb95b8db6b1f3e2d6477b163eda527bf8a5c57a9bab.exe	a6578231df36154107b54eb95b8db6b1f3e2d6477b163eda527bf8a5c57a9bab.exe
PID 2180 wrote to memory of 4608	2180	a6578231df36154107b54eb95b8db6b1f3e2d6477b163eda527bf8a5c57a9bab.exe	a6578231df36154107b54eb95b8db6b1f3e2d6477b163eda527bf8a5c57a9bab.exe
PID 2180 wrote to memory of 4608	2180	a6578231df36154107b54eb95b8db6b1f3e2d6477b163eda527bf8a5c57a9bab.exe	a6578231df36154107b54eb95b8db6b1f3e2d6477b163eda527bf8a5c57a9bab.exe
PID 2180 wrote to memory of 4608	2180	a6578231df36154107b54eb95b8db6b1f3e2d6477b163eda527bf8a5c57a9bab.exe	a6578231df36154107b54eb95b8db6b1f3e2d6477b163eda527bf8a5c57a9bab.exe
PID 2180 wrote to memory of 4608	2180	a6578231df36154107b54eb95b8db6b1f3e2d6477b163eda527bf8a5c57a9bab.exe	a6578231df36154107b54eb95b8db6b1f3e2d6477b163eda527bf8a5c57a9bab.exe
PID 2180 wrote to memory of 4608	2180	a6578231df36154107b54eb95b8db6b1f3e2d6477b163eda527bf8a5c57a9bab.exe	a6578231df36154107b54eb95b8db6b1f3e2d6477b163eda527bf8a5c57a9bab.exe
PID 2180 wrote to memory of 4608	2180	a6578231df36154107b54eb95b8db6b1f3e2d6477b163eda527bf8a5c57a9bab.exe	a6578231df36154107b54eb95b8db6b1f3e2d6477b163eda527bf8a5c57a9bab.exe
PID 4608 wrote to memory of 4828	4608	a6578231df36154107b54eb95b8db6b1f3e2d6477b163eda527bf8a5c57a9bab.exe	Host.exe
PID 4608 wrote to memory of 4828	4608	a6578231df36154107b54eb95b8db6b1f3e2d6477b163eda527bf8a5c57a9bab.exe	Host.exe
PID 4608 wrote to memory of 4828	4608	a6578231df36154107b54eb95b8db6b1f3e2d6477b163eda527bf8a5c57a9bab.exe	Host.exe
PID 4828 wrote to memory of 4636	4828	Host.exe	schtasks.exe
PID 4828 wrote to memory of 4636	4828	Host.exe	schtasks.exe
PID 4828 wrote to memory of 4636	4828	Host.exe	schtasks.exe
PID 4828 wrote to memory of 1420	4828	Host.exe	Host.exe
PID 4828 wrote to memory of 1420	4828	Host.exe	Host.exe
PID 4828 wrote to memory of 1420	4828	Host.exe	Host.exe
PID 4828 wrote to memory of 1420	4828	Host.exe	Host.exe
PID 4828 wrote to memory of 1420	4828	Host.exe	Host.exe
PID 4828 wrote to memory of 1420	4828	Host.exe	Host.exe
PID 4828 wrote to memory of 1420	4828	Host.exe	Host.exe
PID 4828 wrote to memory of 1420	4828	Host.exe	Host.exe
PID 4828 wrote to memory of 1420	4828	Host.exe	Host.exe
PID 4828 wrote to memory of 1420	4828	Host.exe	Host.exe

C:\Users\Admin\AppData\Local\Temp\a6578231df36154107b54eb95b8db6b1f3e2d6477b163eda527bf8a5c57a9bab.exe
"C:\Users\Admin\AppData\Local\Temp\a6578231df36154107b54eb95b8db6b1f3e2d6477b163eda527bf8a5c57a9bab.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2180

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ragCcuTTl" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC498.tmp"
2⤵
- Creates scheduled task(s)
PID:3988

C:\Users\Admin\AppData\Local\Temp\a6578231df36154107b54eb95b8db6b1f3e2d6477b163eda527bf8a5c57a9bab.exe
"{path}"
2⤵
- Suspicious use of WriteProcessMemory
PID:4608

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4828

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ragCcuTTl" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6FFB.tmp"
4⤵
- Creates scheduled task(s)
PID:4636

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"{path}"
4⤵
- Executes dropped EXE
PID:1420

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp6FFB.tmp

Filesize
1KB

MD5
2b766473938fd180352efe5e16355ac7

SHA1
d3f4e2ff6faef492cf0dd1dde3ec8c126da90916

SHA256
5f56460b784074bbe495ba16e8a6534dabed5220100fcb4b8d9369f13fce09bc

SHA512
6755f7b29b26efaa8afad07331c5691c85919d735d85c6883c6131e7865cd5e3c726cef827f30cbcf9afea3fd4cdcbe0c6a6cdf5d75329f5e864d14423dfedb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC498.tmp

Filesize
1KB

MD5
2b766473938fd180352efe5e16355ac7

SHA1
d3f4e2ff6faef492cf0dd1dde3ec8c126da90916

SHA256
5f56460b784074bbe495ba16e8a6534dabed5220100fcb4b8d9369f13fce09bc

SHA512
6755f7b29b26efaa8afad07331c5691c85919d735d85c6883c6131e7865cd5e3c726cef827f30cbcf9afea3fd4cdcbe0c6a6cdf5d75329f5e864d14423dfedb5

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
850KB

MD5
aef8d5e34f59619e683cef00565d370d

SHA1
575ecec60ed88bd83e53ea4f42cc0e5c301635f6

SHA256
a6578231df36154107b54eb95b8db6b1f3e2d6477b163eda527bf8a5c57a9bab

SHA512
102478813cc56d174d57c730a5c8279a1950191d21528bb21c0da914b9154daa87fb1c30003baf3f051cab1bc9e528106be19a310bb133debadc5ab70b16d76b

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
850KB

MD5
aef8d5e34f59619e683cef00565d370d

SHA1
575ecec60ed88bd83e53ea4f42cc0e5c301635f6

SHA256
a6578231df36154107b54eb95b8db6b1f3e2d6477b163eda527bf8a5c57a9bab

SHA512
102478813cc56d174d57c730a5c8279a1950191d21528bb21c0da914b9154daa87fb1c30003baf3f051cab1bc9e528106be19a310bb133debadc5ab70b16d76b

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
850KB

MD5
aef8d5e34f59619e683cef00565d370d

SHA1
575ecec60ed88bd83e53ea4f42cc0e5c301635f6

SHA256
a6578231df36154107b54eb95b8db6b1f3e2d6477b163eda527bf8a5c57a9bab

SHA512
102478813cc56d174d57c730a5c8279a1950191d21528bb21c0da914b9154daa87fb1c30003baf3f051cab1bc9e528106be19a310bb133debadc5ab70b16d76b

Download Submit
memory/1420-412-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1420-398-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1420-359-0x000000000041AD7B-mapping.dmp

Download
memory/2180-158-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-189-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-126-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-127-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-128-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-129-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-130-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-131-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-132-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-133-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-134-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-135-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-136-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-137-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-138-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-139-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-140-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-141-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-142-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-143-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-144-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-145-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-146-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-147-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-148-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-164-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-150-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-151-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-152-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-153-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-154-0x0000000000930000-0x0000000000A0A000-memory.dmp

Filesize
872KB

Download
memory/2180-155-0x0000000005830000-0x0000000005D2E000-memory.dmp

Filesize
5.0MB

Download
memory/2180-156-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-157-0x0000000005280000-0x0000000005312000-memory.dmp

Filesize
584KB

Download
memory/2180-124-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-159-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-160-0x0000000005330000-0x00000000053CC000-memory.dmp

Filesize
624KB

Download
memory/2180-161-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-121-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-125-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-149-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-165-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-166-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-167-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-168-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-169-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-170-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-171-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-172-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-173-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-174-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-175-0x0000000005220000-0x000000000522A000-memory.dmp

Filesize
40KB

Download
memory/2180-176-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-177-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-178-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-179-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-180-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-181-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-182-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-183-0x0000000002CC0000-0x0000000002CE0000-memory.dmp

Filesize
128KB

Download
memory/2180-184-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-185-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-186-0x0000000008DD0000-0x0000000008E6A000-memory.dmp

Filesize
616KB

Download
memory/2180-187-0x0000000007830000-0x000000000788A000-memory.dmp

Filesize
360KB

Download
memory/2180-188-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-163-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-190-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-191-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-120-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-162-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-122-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-123-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/3988-197-0x0000000000000000-mapping.dmp

Download
memory/4608-270-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4608-217-0x000000000041AD7B-mapping.dmp

Download
memory/4636-339-0x0000000000000000-mapping.dmp

Download
memory/4828-266-0x0000000000000000-mapping.dmp

Download