netwire | b2ce1a55a4d829224862ad9d27025343ccc882bf1709520c703a99b3955868a9

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19-10-2022 13:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b2ce1a55a4d829224862ad9d27025343ccc882bf1709520c703a99b3955868a9.exe
Size

340KB
MD5

91e6944aad1a3767e2e3e18a01910950
SHA1

0eb4cd38f8663fe7ca5fafdc778041fe62ef42cc
SHA256

b2ce1a55a4d829224862ad9d27025343ccc882bf1709520c703a99b3955868a9
SHA512

7f7d75292b37dc46d1c184605125ee5ce75246f8508f0a75e6f942494bf5dd86e2585a20ceaf34999e48f329bb49e1beeedb2b302abcb3cb84c1441b821383cf
SSDEEP

6144:7phs/DuvJ/3vrx4bsk3LzHx3fXYrhypfFpvNlx077eVCKxaaw0sRHXHfm:dhOKh/rWzbzZQrA1L5s0COzsRXf

Score

10^/10

netwire botnet persistence rat stealer upx

Malware Config

Signatures

NetWire RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3124-148-0x0000000000000000-mapping.dmp	netwire
behavioral2/memory/3124-151-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral2/memory/3124-152-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral2/memory/3124-154-0x0000000000400000-0x000000000041E000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\dup2patcher.dll	acprotect

Executes dropped EXE 3 IoCs

Processes:

nero.15.platinum.build.16.0.02900-patch.exeUpdate.exeUpdate.exe

pid process

3456 nero.15.platinum.build.16.0.02900-patch.exe
3600 Update.exe
3124 Update.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\dup2patcher.dll	upx
behavioral2/memory/3456-147-0x0000000074280000-0x00000000742D4000-memory.dmp	upx
behavioral2/memory/3456-153-0x0000000074280000-0x00000000742D4000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b2ce1a55a4d829224862ad9d27025343ccc882bf1709520c703a99b3955868a9.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	b2ce1a55a4d829224862ad9d27025343ccc882bf1709520c703a99b3955868a9.exe

Loads dropped DLL 4 IoCs

Processes:

nero.15.platinum.build.16.0.02900-patch.exe

pid	process
3456	nero.15.platinum.build.16.0.02900-patch.exe
3456	nero.15.platinum.build.16.0.02900-patch.exe
3456	nero.15.platinum.build.16.0.02900-patch.exe
3456	nero.15.platinum.build.16.0.02900-patch.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

b2ce1a55a4d829224862ad9d27025343ccc882bf1709520c703a99b3955868a9.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry Key Name = "C:\\Users\\Admin\\AppData\\Roaming\\subfolder\\Update.exe"	b2ce1a55a4d829224862ad9d27025343ccc882bf1709520c703a99b3955868a9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

AUDIODG.EXE

description pid process

Token: 33 3044 AUDIODG.EXE
Token: SeIncBasePriorityPrivilege 3044 AUDIODG.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

b2ce1a55a4d829224862ad9d27025343ccc882bf1709520c703a99b3955868a9.exeUpdate.exe

pid process

4804 b2ce1a55a4d829224862ad9d27025343ccc882bf1709520c703a99b3955868a9.exe
3600 Update.exe

description	pid	process
Token: 33	3044	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3044	AUDIODG.EXE

pid	process
4804	b2ce1a55a4d829224862ad9d27025343ccc882bf1709520c703a99b3955868a9.exe
3600	Update.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

b2ce1a55a4d829224862ad9d27025343ccc882bf1709520c703a99b3955868a9.exeUpdate.exe

description	pid	process	target process
PID 4804 wrote to memory of 3456	4804	b2ce1a55a4d829224862ad9d27025343ccc882bf1709520c703a99b3955868a9.exe	nero.15.platinum.build.16.0.02900-patch.exe
PID 4804 wrote to memory of 3456	4804	b2ce1a55a4d829224862ad9d27025343ccc882bf1709520c703a99b3955868a9.exe	nero.15.platinum.build.16.0.02900-patch.exe
PID 4804 wrote to memory of 3456	4804	b2ce1a55a4d829224862ad9d27025343ccc882bf1709520c703a99b3955868a9.exe	nero.15.platinum.build.16.0.02900-patch.exe
PID 4804 wrote to memory of 3600	4804	b2ce1a55a4d829224862ad9d27025343ccc882bf1709520c703a99b3955868a9.exe	Update.exe
PID 4804 wrote to memory of 3600	4804	b2ce1a55a4d829224862ad9d27025343ccc882bf1709520c703a99b3955868a9.exe	Update.exe
PID 4804 wrote to memory of 3600	4804	b2ce1a55a4d829224862ad9d27025343ccc882bf1709520c703a99b3955868a9.exe	Update.exe
PID 3600 wrote to memory of 3124	3600	Update.exe	Update.exe
PID 3600 wrote to memory of 3124	3600	Update.exe	Update.exe
PID 3600 wrote to memory of 3124	3600	Update.exe	Update.exe
PID 3600 wrote to memory of 3124	3600	Update.exe	Update.exe
PID 3600 wrote to memory of 3124	3600	Update.exe	Update.exe
PID 3600 wrote to memory of 3124	3600	Update.exe	Update.exe
PID 3600 wrote to memory of 3124	3600	Update.exe	Update.exe
PID 3600 wrote to memory of 3124	3600	Update.exe	Update.exe
PID 3600 wrote to memory of 3124	3600	Update.exe	Update.exe
PID 3600 wrote to memory of 3124	3600	Update.exe	Update.exe
PID 3600 wrote to memory of 3124	3600	Update.exe	Update.exe
PID 3600 wrote to memory of 3124	3600	Update.exe	Update.exe
PID 3600 wrote to memory of 3124	3600	Update.exe	Update.exe
PID 3600 wrote to memory of 3124	3600	Update.exe	Update.exe
PID 3600 wrote to memory of 3124	3600	Update.exe	Update.exe

C:\Users\Admin\AppData\Local\Temp\b2ce1a55a4d829224862ad9d27025343ccc882bf1709520c703a99b3955868a9.exe
"C:\Users\Admin\AppData\Local\Temp\b2ce1a55a4d829224862ad9d27025343ccc882bf1709520c703a99b3955868a9.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4804

C:\Users\Admin\AppData\Local\Temp\nero.15.platinum.build.16.0.02900-patch.exe
"C:\Users\Admin\AppData\Local\Temp\nero.15.platinum.build.16.0.02900-patch.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3456

C:\Users\Admin\AppData\Roaming\subfolder\Update.exe
"C:\Users\Admin\AppData\Roaming\subfolder\Update.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3600

C:\Users\Admin\AppData\Roaming\subfolder\Update.exe
"C:\Users\Admin\AppData\Roaming\subfolder\Update.exe"
3⤵
- Executes dropped EXE
PID:3124

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x308 0x300
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3044

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\64F4EA4C8142CAC73E06647D59A699D1.dll

Filesize
4KB

MD5
14dd1f05c6bd3ce4acab3ebdb9f0903b

SHA1
2dbdebf59a5bf398cb73d930e9f9796a888e93e8

SHA256
9a9296a1cc6c243e166b301346c4cd9dec45028bbc80fde3903b6c3740c6a239

SHA512
2db28bd0b610290d5b028429a19dedb1ed90a4564ead3b14d20f5677a308a1eafa1dac737cfd2b4c9b614b81e4747cde61f8cc9cba654d22ad5aff435f987155

Download Submit
C:\Users\Admin\AppData\Local\Temp\A0C27A8189581ABD82FB69B9C23501DB.dll

Filesize
83KB

MD5
abde562f3a6754582f14a9160fbabe65

SHA1
d79efa8554f5c99782ecc8bf49827c0871c4df93

SHA256
5a6c1b16b665590dee961e1826d46b2666a349cded498e0b71a071f6b8caf582

SHA512
6f42008d23cd7ab7cc61ba3cc071af74ccf5b3d979ad5932668242f8ac4b535ea29699d84135065838a6fce7c025b6362c786f6458b4b7959a9122fca1662970

Download Submit
C:\Users\Admin\AppData\Local\Temp\C5E3399ED9A072FE864748D49BA96094.dll

Filesize
2KB

MD5
13249bc6aa781475cde4a1c90f95efd4

SHA1
0d8698befd283ca69d87ce44dad225ef792b06da

SHA256
3922a8c1b0f58b74fc3d89d7eec3fe5c5b0e8bda6b36491d2380431dd8e8284a

SHA512
aec8b793c4a1c9789af70fdaad3aa473a581585e8b76669d187cabe6c88363bacbed28200dd8f243f9dd50fc8fc27339f0e687341024d466a4d5078c28a768d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\dup2patcher.dll

Filesize
116KB

MD5
e5f32fb345b565710002b1c3a4d38149

SHA1
0a427f42401700bcaa56ab272da296579f9edbd0

SHA256
77571ace47ad07222926b424fed1479d77cea556a523649637ebad038a36deb7

SHA512
e17393f87005939c8ba2ba8ac9b4ac623b6a8bdb7c5130aa6d13f09d1c43a1ab321fc46ca70466dd4d83269151222cd54b7decd1b28c1e8876932a8876f6505c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nero.15.platinum.build.16.0.02900-patch.exe

Filesize
124KB

MD5
6361751c82f6b7e4fdc59db5d5f5d90d

SHA1
1126ffb37c931106924cdd79884605cff190bf38

SHA256
c87447e8f3dc87f58a5a62d08051ac3b9ccbb1d3156677906439fc14f173d0e1

SHA512
af3659ddfaa6be101e9b0b09e8ec38063d02d8e0787e5ad8ab4d3fbfbed926ba247d583c9498b97fd9e311366b336850c428d58a37b462dd10c1cbf52ffb3139

Download Submit
C:\Users\Admin\AppData\Local\Temp\nero.15.platinum.build.16.0.02900-patch.exe

Filesize
124KB

MD5
6361751c82f6b7e4fdc59db5d5f5d90d

SHA1
1126ffb37c931106924cdd79884605cff190bf38

SHA256
c87447e8f3dc87f58a5a62d08051ac3b9ccbb1d3156677906439fc14f173d0e1

SHA512
af3659ddfaa6be101e9b0b09e8ec38063d02d8e0787e5ad8ab4d3fbfbed926ba247d583c9498b97fd9e311366b336850c428d58a37b462dd10c1cbf52ffb3139

Download Submit
C:\Users\Admin\AppData\Roaming\subfolder\Update.exe

Filesize
340KB

MD5
91e6944aad1a3767e2e3e18a01910950

SHA1
0eb4cd38f8663fe7ca5fafdc778041fe62ef42cc

SHA256
b2ce1a55a4d829224862ad9d27025343ccc882bf1709520c703a99b3955868a9

SHA512
7f7d75292b37dc46d1c184605125ee5ce75246f8508f0a75e6f942494bf5dd86e2585a20ceaf34999e48f329bb49e1beeedb2b302abcb3cb84c1441b821383cf

Download Submit
C:\Users\Admin\AppData\Roaming\subfolder\Update.exe

Filesize
340KB

MD5
91e6944aad1a3767e2e3e18a01910950

SHA1
0eb4cd38f8663fe7ca5fafdc778041fe62ef42cc

SHA256
b2ce1a55a4d829224862ad9d27025343ccc882bf1709520c703a99b3955868a9

SHA512
7f7d75292b37dc46d1c184605125ee5ce75246f8508f0a75e6f942494bf5dd86e2585a20ceaf34999e48f329bb49e1beeedb2b302abcb3cb84c1441b821383cf

Download Submit
C:\Users\Admin\AppData\Roaming\subfolder\Update.exe

Filesize
340KB

MD5
91e6944aad1a3767e2e3e18a01910950

SHA1
0eb4cd38f8663fe7ca5fafdc778041fe62ef42cc

SHA256
b2ce1a55a4d829224862ad9d27025343ccc882bf1709520c703a99b3955868a9

SHA512
7f7d75292b37dc46d1c184605125ee5ce75246f8508f0a75e6f942494bf5dd86e2585a20ceaf34999e48f329bb49e1beeedb2b302abcb3cb84c1441b821383cf

Download Submit
memory/3124-148-0x0000000000000000-mapping.dmp

Download
memory/3124-151-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3124-152-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3124-154-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3456-147-0x0000000074280000-0x00000000742D4000-memory.dmp

Filesize
336KB

Download
memory/3456-134-0x0000000000000000-mapping.dmp

Download
memory/3456-153-0x0000000074280000-0x00000000742D4000-memory.dmp

Filesize
336KB

Download
memory/3600-138-0x0000000000000000-mapping.dmp

Download
memory/3600-150-0x00000000021B0000-0x00000000021B6000-memory.dmp

Filesize
24KB

Download
memory/4804-140-0x0000000002250000-0x0000000002256000-memory.dmp

Filesize
24KB

Download