netwire | db52ba4813ac23846ecc76bd0702b5ed62b01e5ef4ec0793ee3684f1de3b8cef

Analysis

max time kernel
129s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
19-10-2022 13:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Specification.js
Size

258KB
MD5

316e2984cf71459a417eaddbf6e7b5d2
SHA1

566186bf8a192f59e8e1203cc9aeb9386e96e1b8
SHA256

db52ba4813ac23846ecc76bd0702b5ed62b01e5ef4ec0793ee3684f1de3b8cef
SHA512

ae4791848556a77794b7d305b535c5eae17de31debe3e49344a0476e1ffb7930e02f76fc0b9370c1f2d1ce8fd9ce49d322c7b31480c083186ccf476cb2928264
SSDEEP

3072:Klg0lyRcJXN48AWrp1eixPCrC/C8UyCCyCC6CCYCCRCqC6xdAe4q8fiMQJw+FRU:ag0lyRcpN418xP5yxJNJw+Y

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

Note.exeSpecification.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\Google\\Chrome.exe\","	Note.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\Google\\Chrome.exe\","	Specification.exe

NetWire RAT payload 7 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1140-146-0x0000000000400000-0x0000000000444000-memory.dmp	netwire
behavioral2/memory/1140-149-0x0000000000400000-0x0000000000444000-memory.dmp	netwire
behavioral2/memory/1140-150-0x0000000000400000-0x0000000000444000-memory.dmp	netwire
behavioral2/memory/1140-154-0x0000000000400000-0x0000000000444000-memory.dmp	netwire
behavioral2/memory/3336-164-0x0000000000400000-0x0000000000444000-memory.dmp	netwire
behavioral2/memory/3336-165-0x0000000000400000-0x0000000000444000-memory.dmp	netwire
behavioral2/memory/3336-166-0x0000000000400000-0x0000000000444000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 4 IoCs

Processes:

Specification.exeSpecification.exeNote.exeNote.exe

pid process

1588 Specification.exe
1140 Specification.exe
4236 Note.exe
3336 Note.exe

pid	process
1588	Specification.exe
1140	Specification.exe
4236	Note.exe
3336	Note.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wscript.exeSpecification.exeSpecification.exeNote.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Specification.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Specification.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Note.exe

Drops startup file 1 IoCs

Processes:

Note.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Notepad.lnk Note.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Notepad.lnk	Note.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Note.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	Note.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\)Ô‡OûPN»t@÷áh = "C:\\Users\\Admin\\AppData\\Roaming\\Gooogle\\Note.exe"	Note.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

Specification.exeNote.exe

description	pid	process	target process
PID 1588 set thread context of 1140	1588	Specification.exe	Specification.exe
PID 4236 set thread context of 3336	4236	Note.exe	Note.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

1996 powershell.exe
1996 powershell.exe
4280 powershell.exe
4280 powershell.exe

pid	process
1996	powershell.exe
1996	powershell.exe
4280	powershell.exe
4280	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

Specification.exepowershell.exeNote.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1588	Specification.exe
Token: SeDebugPrivilege	1996	powershell.exe
Token: SeDebugPrivilege	4236	Note.exe
Token: SeDebugPrivilege	4280	powershell.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

wscript.exeSpecification.exeSpecification.exeNote.exe

description	pid	process	target process
PID 360 wrote to memory of 1588	360	wscript.exe	Specification.exe
PID 360 wrote to memory of 1588	360	wscript.exe	Specification.exe
PID 360 wrote to memory of 1588	360	wscript.exe	Specification.exe
PID 1588 wrote to memory of 1996	1588	Specification.exe	powershell.exe
PID 1588 wrote to memory of 1996	1588	Specification.exe	powershell.exe
PID 1588 wrote to memory of 1996	1588	Specification.exe	powershell.exe
PID 1588 wrote to memory of 1140	1588	Specification.exe	Specification.exe
PID 1588 wrote to memory of 1140	1588	Specification.exe	Specification.exe
PID 1588 wrote to memory of 1140	1588	Specification.exe	Specification.exe
PID 1588 wrote to memory of 1140	1588	Specification.exe	Specification.exe
PID 1588 wrote to memory of 1140	1588	Specification.exe	Specification.exe
PID 1588 wrote to memory of 1140	1588	Specification.exe	Specification.exe
PID 1588 wrote to memory of 1140	1588	Specification.exe	Specification.exe
PID 1588 wrote to memory of 1140	1588	Specification.exe	Specification.exe
PID 1588 wrote to memory of 1140	1588	Specification.exe	Specification.exe
PID 1588 wrote to memory of 1140	1588	Specification.exe	Specification.exe
PID 1588 wrote to memory of 1140	1588	Specification.exe	Specification.exe
PID 1588 wrote to memory of 1140	1588	Specification.exe	Specification.exe
PID 1140 wrote to memory of 4236	1140	Specification.exe	Note.exe
PID 1140 wrote to memory of 4236	1140	Specification.exe	Note.exe
PID 1140 wrote to memory of 4236	1140	Specification.exe	Note.exe
PID 4236 wrote to memory of 4280	4236	Note.exe	powershell.exe
PID 4236 wrote to memory of 4280	4236	Note.exe	powershell.exe
PID 4236 wrote to memory of 4280	4236	Note.exe	powershell.exe
PID 4236 wrote to memory of 3336	4236	Note.exe	Note.exe
PID 4236 wrote to memory of 3336	4236	Note.exe	Note.exe
PID 4236 wrote to memory of 3336	4236	Note.exe	Note.exe
PID 4236 wrote to memory of 3336	4236	Note.exe	Note.exe
PID 4236 wrote to memory of 3336	4236	Note.exe	Note.exe
PID 4236 wrote to memory of 3336	4236	Note.exe	Note.exe
PID 4236 wrote to memory of 3336	4236	Note.exe	Note.exe
PID 4236 wrote to memory of 3336	4236	Note.exe	Note.exe
PID 4236 wrote to memory of 3336	4236	Note.exe	Note.exe
PID 4236 wrote to memory of 3336	4236	Note.exe	Note.exe
PID 4236 wrote to memory of 3336	4236	Note.exe	Note.exe
PID 4236 wrote to memory of 3336	4236	Note.exe	Note.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Specification.js
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:360

C:\Users\Admin\AppData\Roaming\Specification.exe
"C:\Users\Admin\AppData\Roaming\Specification.exe"
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1588

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1996

C:\Users\Admin\AppData\Roaming\Specification.exe
C:\Users\Admin\AppData\Roaming\Specification.exe
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1140

C:\Users\Admin\AppData\Roaming\Gooogle\Note.exe
"C:\Users\Admin\AppData\Roaming\Gooogle\Note.exe"
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4236

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4280

C:\Users\Admin\AppData\Roaming\Gooogle\Note.exe
C:\Users\Admin\AppData\Roaming\Gooogle\Note.exe
5⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
PID:3336

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
4280e36a29fa31c01e4d8b2ba726a0d8

SHA1
c485c2c9ce0a99747b18d899b71dfa9a64dabe32

SHA256
e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

SHA512
494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
57e338f40f6882c0cf3cc2072df000fc

SHA1
ceeb75d51cdaac0f0c1c8723580dd40e3b4cbeac

SHA256
be57c458b44bfcd55c929aa3970d81ad793424024f89cd4b67de0fb7cda6f665

SHA512
b2a10471fa687aaebff78f475a7933cc5cc35e47c488c29584a2a600fc879a0622fc6a8690d0b60092ef23e72b7884e8acc1ab01960395d928072b61d220bdc6

Download Submit
C:\Users\Admin\AppData\Roaming\Google\Chrome.exe

Filesize
193KB

MD5
21df14ff478164ccca8bbe85cd9c42ce

SHA1
210f8d66672b4ebf77e7fd276360a2187f0bbb2f

SHA256
c28e38cbd899c5d2cadc6faf6c155483bea63519dd282da4a40ba925a76b64b5

SHA512
7978e1316733b057f008dae8b4b9d63a1ec49d92dbe4282381b24d23b0a8d8cd0224ae1f2a6a2233b6624865c599182c06982a195733a706cc6da4e674a5a66c

Download Submit
C:\Users\Admin\AppData\Roaming\Gooogle\Note.exe

Filesize
193KB

MD5
21df14ff478164ccca8bbe85cd9c42ce

SHA1
210f8d66672b4ebf77e7fd276360a2187f0bbb2f

SHA256
c28e38cbd899c5d2cadc6faf6c155483bea63519dd282da4a40ba925a76b64b5

SHA512
7978e1316733b057f008dae8b4b9d63a1ec49d92dbe4282381b24d23b0a8d8cd0224ae1f2a6a2233b6624865c599182c06982a195733a706cc6da4e674a5a66c

Download Submit
C:\Users\Admin\AppData\Roaming\Gooogle\Note.exe

Filesize
193KB

MD5
21df14ff478164ccca8bbe85cd9c42ce

SHA1
210f8d66672b4ebf77e7fd276360a2187f0bbb2f

SHA256
c28e38cbd899c5d2cadc6faf6c155483bea63519dd282da4a40ba925a76b64b5

SHA512
7978e1316733b057f008dae8b4b9d63a1ec49d92dbe4282381b24d23b0a8d8cd0224ae1f2a6a2233b6624865c599182c06982a195733a706cc6da4e674a5a66c

Download Submit
C:\Users\Admin\AppData\Roaming\Gooogle\Note.exe

Filesize
193KB

MD5
21df14ff478164ccca8bbe85cd9c42ce

SHA1
210f8d66672b4ebf77e7fd276360a2187f0bbb2f

SHA256
c28e38cbd899c5d2cadc6faf6c155483bea63519dd282da4a40ba925a76b64b5

SHA512
7978e1316733b057f008dae8b4b9d63a1ec49d92dbe4282381b24d23b0a8d8cd0224ae1f2a6a2233b6624865c599182c06982a195733a706cc6da4e674a5a66c

Download Submit
C:\Users\Admin\AppData\Roaming\Specification.exe

Filesize
193KB

MD5
21df14ff478164ccca8bbe85cd9c42ce

SHA1
210f8d66672b4ebf77e7fd276360a2187f0bbb2f

SHA256
c28e38cbd899c5d2cadc6faf6c155483bea63519dd282da4a40ba925a76b64b5

SHA512
7978e1316733b057f008dae8b4b9d63a1ec49d92dbe4282381b24d23b0a8d8cd0224ae1f2a6a2233b6624865c599182c06982a195733a706cc6da4e674a5a66c

Download Submit
C:\Users\Admin\AppData\Roaming\Specification.exe

Filesize
193KB

MD5
21df14ff478164ccca8bbe85cd9c42ce

SHA1
210f8d66672b4ebf77e7fd276360a2187f0bbb2f

SHA256
c28e38cbd899c5d2cadc6faf6c155483bea63519dd282da4a40ba925a76b64b5

SHA512
7978e1316733b057f008dae8b4b9d63a1ec49d92dbe4282381b24d23b0a8d8cd0224ae1f2a6a2233b6624865c599182c06982a195733a706cc6da4e674a5a66c

Download Submit
C:\Users\Admin\AppData\Roaming\Specification.exe

Filesize
193KB

MD5
21df14ff478164ccca8bbe85cd9c42ce

SHA1
210f8d66672b4ebf77e7fd276360a2187f0bbb2f

SHA256
c28e38cbd899c5d2cadc6faf6c155483bea63519dd282da4a40ba925a76b64b5

SHA512
7978e1316733b057f008dae8b4b9d63a1ec49d92dbe4282381b24d23b0a8d8cd0224ae1f2a6a2233b6624865c599182c06982a195733a706cc6da4e674a5a66c

Download Submit
memory/1140-149-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1140-150-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1140-154-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1140-145-0x0000000000000000-mapping.dmp

Download
memory/1140-146-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1588-136-0x00000000059C0000-0x00000000059E2000-memory.dmp

Filesize
136KB

Download
memory/1588-132-0x0000000000000000-mapping.dmp

Download
memory/1588-135-0x0000000000290000-0x00000000002C6000-memory.dmp

Filesize
216KB

Download
memory/1996-144-0x0000000006400000-0x000000000641A000-memory.dmp

Filesize
104KB

Download
memory/1996-142-0x0000000005F10000-0x0000000005F2E000-memory.dmp

Filesize
120KB

Download
memory/1996-141-0x00000000058C0000-0x0000000005926000-memory.dmp

Filesize
408KB

Download
memory/1996-140-0x0000000005850000-0x00000000058B6000-memory.dmp

Filesize
408KB

Download
memory/1996-143-0x0000000007570000-0x0000000007BEA000-memory.dmp

Filesize
6.5MB

Download
memory/1996-139-0x0000000005100000-0x0000000005728000-memory.dmp

Filesize
6.2MB

Download
memory/1996-138-0x0000000002910000-0x0000000002946000-memory.dmp

Filesize
216KB

Download
memory/1996-137-0x0000000000000000-mapping.dmp

Download
memory/3336-160-0x0000000000000000-mapping.dmp

Download
memory/3336-164-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3336-165-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3336-166-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4236-151-0x0000000000000000-mapping.dmp

Download
memory/4280-155-0x0000000000000000-mapping.dmp

Download