netwire | f13046a5373d4862bd6968c2ddbc5776075e2e6d39de1f7b319c9bb2bf125721

General

Target

f13046a5373d4862bd6968c2ddbc5776075e2e6d39de1f7b319c9bb2bf125721.exe
Size

240KB
MD5

a07fb2ef06380c32ba1c916092576f71
SHA1

3204163ac87633c3dd18e4c6168eecf5014c408e
SHA256

f13046a5373d4862bd6968c2ddbc5776075e2e6d39de1f7b319c9bb2bf125721
SHA512

1448295c1775590ecf9c096646e28f91f60b68f098b1f8ffdb40bd8d98b6b50363b1ebcac2fe25217e604e232eda2e9d4b6e4795b141f46008b7d7c14814193f
SSDEEP

3072:CvS8k/Mbsig+Y/zhUGT3PsWJHduQ/HBeCLCXWO7PlSSIyengTNc7WQY3lDQSV54x:fjz1PsguEfCXp7PASDTNcaQilDRv

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Signatures

NetWire RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/836-77-0x0000000000400000-0x0000000000418000-memory.dmp	netwire
behavioral1/memory/836-85-0x0000000000400000-0x0000000000418000-memory.dmp	netwire
behavioral1/memory/2008-101-0x0000000000400000-0x0000000000418000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

amstream.exesqlsrv32.exe

pid process

1684 amstream.exe
1508 sqlsrv32.exe
Loads dropped DLL 2 IoCs

Processes:

f13046a5373d4862bd6968c2ddbc5776075e2e6d39de1f7b319c9bb2bf125721.exeamstream.exe

pid process

1656 f13046a5373d4862bd6968c2ddbc5776075e2e6d39de1f7b319c9bb2bf125721.exe
1684 amstream.exe

pid	process
1684	amstream.exe
1508	sqlsrv32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

amstream.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	amstream.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\MFC Managed Interfaces Library = "C:\\Users\\Admin\\Pictures\\amstream.exe"	amstream.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

f13046a5373d4862bd6968c2ddbc5776075e2e6d39de1f7b319c9bb2bf125721.exesqlsrv32.exe

description	pid	process	target process
PID 1656 set thread context of 836	1656	f13046a5373d4862bd6968c2ddbc5776075e2e6d39de1f7b319c9bb2bf125721.exe	AppLaunch.exe
PID 1508 set thread context of 2008	1508	sqlsrv32.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

f13046a5373d4862bd6968c2ddbc5776075e2e6d39de1f7b319c9bb2bf125721.exeamstream.exe

pid	process
1656	f13046a5373d4862bd6968c2ddbc5776075e2e6d39de1f7b319c9bb2bf125721.exe
1656	f13046a5373d4862bd6968c2ddbc5776075e2e6d39de1f7b319c9bb2bf125721.exe
1656	f13046a5373d4862bd6968c2ddbc5776075e2e6d39de1f7b319c9bb2bf125721.exe
1656	f13046a5373d4862bd6968c2ddbc5776075e2e6d39de1f7b319c9bb2bf125721.exe
1656	f13046a5373d4862bd6968c2ddbc5776075e2e6d39de1f7b319c9bb2bf125721.exe
1656	f13046a5373d4862bd6968c2ddbc5776075e2e6d39de1f7b319c9bb2bf125721.exe
1656	f13046a5373d4862bd6968c2ddbc5776075e2e6d39de1f7b319c9bb2bf125721.exe
1656	f13046a5373d4862bd6968c2ddbc5776075e2e6d39de1f7b319c9bb2bf125721.exe
1656	f13046a5373d4862bd6968c2ddbc5776075e2e6d39de1f7b319c9bb2bf125721.exe
1656	f13046a5373d4862bd6968c2ddbc5776075e2e6d39de1f7b319c9bb2bf125721.exe
1656	f13046a5373d4862bd6968c2ddbc5776075e2e6d39de1f7b319c9bb2bf125721.exe
1656	f13046a5373d4862bd6968c2ddbc5776075e2e6d39de1f7b319c9bb2bf125721.exe
1656	f13046a5373d4862bd6968c2ddbc5776075e2e6d39de1f7b319c9bb2bf125721.exe
1656	f13046a5373d4862bd6968c2ddbc5776075e2e6d39de1f7b319c9bb2bf125721.exe
1656	f13046a5373d4862bd6968c2ddbc5776075e2e6d39de1f7b319c9bb2bf125721.exe
1656	f13046a5373d4862bd6968c2ddbc5776075e2e6d39de1f7b319c9bb2bf125721.exe
1656	f13046a5373d4862bd6968c2ddbc5776075e2e6d39de1f7b319c9bb2bf125721.exe
1656	f13046a5373d4862bd6968c2ddbc5776075e2e6d39de1f7b319c9bb2bf125721.exe
1656	f13046a5373d4862bd6968c2ddbc5776075e2e6d39de1f7b319c9bb2bf125721.exe
1684	amstream.exe
1656	f13046a5373d4862bd6968c2ddbc5776075e2e6d39de1f7b319c9bb2bf125721.exe
1684	amstream.exe
1656	f13046a5373d4862bd6968c2ddbc5776075e2e6d39de1f7b319c9bb2bf125721.exe
1684	amstream.exe
1656	f13046a5373d4862bd6968c2ddbc5776075e2e6d39de1f7b319c9bb2bf125721.exe
1684	amstream.exe
1656	f13046a5373d4862bd6968c2ddbc5776075e2e6d39de1f7b319c9bb2bf125721.exe
1684	amstream.exe
1684	amstream.exe
1684	amstream.exe
1684	amstream.exe
1684	amstream.exe
1684	amstream.exe
1656	f13046a5373d4862bd6968c2ddbc5776075e2e6d39de1f7b319c9bb2bf125721.exe
1684	amstream.exe
1656	f13046a5373d4862bd6968c2ddbc5776075e2e6d39de1f7b319c9bb2bf125721.exe
1684	amstream.exe
1656	f13046a5373d4862bd6968c2ddbc5776075e2e6d39de1f7b319c9bb2bf125721.exe
1684	amstream.exe
1656	f13046a5373d4862bd6968c2ddbc5776075e2e6d39de1f7b319c9bb2bf125721.exe
1684	amstream.exe
1656	f13046a5373d4862bd6968c2ddbc5776075e2e6d39de1f7b319c9bb2bf125721.exe
1684	amstream.exe
1656	f13046a5373d4862bd6968c2ddbc5776075e2e6d39de1f7b319c9bb2bf125721.exe
1684	amstream.exe
1656	f13046a5373d4862bd6968c2ddbc5776075e2e6d39de1f7b319c9bb2bf125721.exe
1684	amstream.exe
1656	f13046a5373d4862bd6968c2ddbc5776075e2e6d39de1f7b319c9bb2bf125721.exe
1684	amstream.exe
1656	f13046a5373d4862bd6968c2ddbc5776075e2e6d39de1f7b319c9bb2bf125721.exe
1684	amstream.exe
1656	f13046a5373d4862bd6968c2ddbc5776075e2e6d39de1f7b319c9bb2bf125721.exe
1684	amstream.exe
1656	f13046a5373d4862bd6968c2ddbc5776075e2e6d39de1f7b319c9bb2bf125721.exe
1684	amstream.exe
1656	f13046a5373d4862bd6968c2ddbc5776075e2e6d39de1f7b319c9bb2bf125721.exe
1684	amstream.exe
1656	f13046a5373d4862bd6968c2ddbc5776075e2e6d39de1f7b319c9bb2bf125721.exe
1684	amstream.exe
1656	f13046a5373d4862bd6968c2ddbc5776075e2e6d39de1f7b319c9bb2bf125721.exe
1684	amstream.exe
1656	f13046a5373d4862bd6968c2ddbc5776075e2e6d39de1f7b319c9bb2bf125721.exe
1656	f13046a5373d4862bd6968c2ddbc5776075e2e6d39de1f7b319c9bb2bf125721.exe
1656	f13046a5373d4862bd6968c2ddbc5776075e2e6d39de1f7b319c9bb2bf125721.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

f13046a5373d4862bd6968c2ddbc5776075e2e6d39de1f7b319c9bb2bf125721.exeamstream.exesqlsrv32.exe

description	pid	process
Token: SeDebugPrivilege	1656	f13046a5373d4862bd6968c2ddbc5776075e2e6d39de1f7b319c9bb2bf125721.exe
Token: SeDebugPrivilege	1684	amstream.exe
Token: SeDebugPrivilege	1508	sqlsrv32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

DllHost.exe

pid process

1996 DllHost.exe

pid	process
1996	DllHost.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

f13046a5373d4862bd6968c2ddbc5776075e2e6d39de1f7b319c9bb2bf125721.exeamstream.exesqlsrv32.exe

description	pid	process	target process
PID 1656 wrote to memory of 836	1656	f13046a5373d4862bd6968c2ddbc5776075e2e6d39de1f7b319c9bb2bf125721.exe	AppLaunch.exe
PID 1656 wrote to memory of 836	1656	f13046a5373d4862bd6968c2ddbc5776075e2e6d39de1f7b319c9bb2bf125721.exe	AppLaunch.exe
PID 1656 wrote to memory of 836	1656	f13046a5373d4862bd6968c2ddbc5776075e2e6d39de1f7b319c9bb2bf125721.exe	AppLaunch.exe
PID 1656 wrote to memory of 836	1656	f13046a5373d4862bd6968c2ddbc5776075e2e6d39de1f7b319c9bb2bf125721.exe	AppLaunch.exe
PID 1656 wrote to memory of 836	1656	f13046a5373d4862bd6968c2ddbc5776075e2e6d39de1f7b319c9bb2bf125721.exe	AppLaunch.exe
PID 1656 wrote to memory of 836	1656	f13046a5373d4862bd6968c2ddbc5776075e2e6d39de1f7b319c9bb2bf125721.exe	AppLaunch.exe
PID 1656 wrote to memory of 836	1656	f13046a5373d4862bd6968c2ddbc5776075e2e6d39de1f7b319c9bb2bf125721.exe	AppLaunch.exe
PID 1656 wrote to memory of 836	1656	f13046a5373d4862bd6968c2ddbc5776075e2e6d39de1f7b319c9bb2bf125721.exe	AppLaunch.exe
PID 1656 wrote to memory of 836	1656	f13046a5373d4862bd6968c2ddbc5776075e2e6d39de1f7b319c9bb2bf125721.exe	AppLaunch.exe
PID 1656 wrote to memory of 836	1656	f13046a5373d4862bd6968c2ddbc5776075e2e6d39de1f7b319c9bb2bf125721.exe	AppLaunch.exe
PID 1656 wrote to memory of 836	1656	f13046a5373d4862bd6968c2ddbc5776075e2e6d39de1f7b319c9bb2bf125721.exe	AppLaunch.exe
PID 1656 wrote to memory of 836	1656	f13046a5373d4862bd6968c2ddbc5776075e2e6d39de1f7b319c9bb2bf125721.exe	AppLaunch.exe
PID 1656 wrote to memory of 1684	1656	f13046a5373d4862bd6968c2ddbc5776075e2e6d39de1f7b319c9bb2bf125721.exe	amstream.exe
PID 1656 wrote to memory of 1684	1656	f13046a5373d4862bd6968c2ddbc5776075e2e6d39de1f7b319c9bb2bf125721.exe	amstream.exe
PID 1656 wrote to memory of 1684	1656	f13046a5373d4862bd6968c2ddbc5776075e2e6d39de1f7b319c9bb2bf125721.exe	amstream.exe
PID 1656 wrote to memory of 1684	1656	f13046a5373d4862bd6968c2ddbc5776075e2e6d39de1f7b319c9bb2bf125721.exe	amstream.exe
PID 1684 wrote to memory of 1508	1684	amstream.exe	sqlsrv32.exe
PID 1684 wrote to memory of 1508	1684	amstream.exe	sqlsrv32.exe
PID 1684 wrote to memory of 1508	1684	amstream.exe	sqlsrv32.exe
PID 1684 wrote to memory of 1508	1684	amstream.exe	sqlsrv32.exe
PID 1508 wrote to memory of 2008	1508	sqlsrv32.exe	AppLaunch.exe
PID 1508 wrote to memory of 2008	1508	sqlsrv32.exe	AppLaunch.exe
PID 1508 wrote to memory of 2008	1508	sqlsrv32.exe	AppLaunch.exe
PID 1508 wrote to memory of 2008	1508	sqlsrv32.exe	AppLaunch.exe
PID 1508 wrote to memory of 2008	1508	sqlsrv32.exe	AppLaunch.exe
PID 1508 wrote to memory of 2008	1508	sqlsrv32.exe	AppLaunch.exe
PID 1508 wrote to memory of 2008	1508	sqlsrv32.exe	AppLaunch.exe
PID 1508 wrote to memory of 2008	1508	sqlsrv32.exe	AppLaunch.exe
PID 1508 wrote to memory of 2008	1508	sqlsrv32.exe	AppLaunch.exe
PID 1508 wrote to memory of 2008	1508	sqlsrv32.exe	AppLaunch.exe
PID 1508 wrote to memory of 2008	1508	sqlsrv32.exe	AppLaunch.exe
PID 1508 wrote to memory of 2008	1508	sqlsrv32.exe	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\f13046a5373d4862bd6968c2ddbc5776075e2e6d39de1f7b319c9bb2bf125721.exe
"C:\Users\Admin\AppData\Local\Temp\f13046a5373d4862bd6968c2ddbc5776075e2e6d39de1f7b319c9bb2bf125721.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1656

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
2⤵
PID:836

C:\Users\Admin\Pictures\amstream.exe
"C:\Users\Admin\Pictures\amstream.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1684

C:\Users\Admin\Pictures\sqlsrv32.exe
"C:\Users\Admin\Pictures\sqlsrv32.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1508

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
4⤵
PID:2008

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:1996

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Documents\NJ-IMAGE.jpg
Filesize
51KB

MD5
7a0da2fef70ea4f86cfc27c2dfe29189

SHA1
113059606f8cbc23175f69879330ac8f754042d4

SHA256
5e83aeb82aa1f535a314ad39de947780d3ea7d7d51683a76fb951a13fbbf1e3a

SHA512
2b0e379e938a84a76cc1a086bed6ef1cae6a4db19ea59e513226ab8234ee4d829c7ba6814d36c70bb3b2eae18a15d988c2b82498a73807de195c7384c1f4da9a

Download Submit
C:\Users\Admin\Pictures\amstream.exe
Filesize
16KB

MD5
a0c9de40ec4391b9c7ed29af084c36a8

SHA1
d72a6e0f3703f7ae24febb2c1bf555cf201e73fd

SHA256
d46128dbb366fd5ebda1bed5e4651d346ce23b8753baadc07721981bb441d388

SHA512
21ea33aea75143f15e606b6c365340f6ea5efd3d9fbe964a1a6acf8dcfc9c660aac5fa23c49ebb1caaff02250a4cdbc62d496198328d513ce3ca280299d78a0e

Download Submit
C:\Users\Admin\Pictures\amstream.exe
Filesize
16KB

MD5
a0c9de40ec4391b9c7ed29af084c36a8

SHA1
d72a6e0f3703f7ae24febb2c1bf555cf201e73fd

SHA256
d46128dbb366fd5ebda1bed5e4651d346ce23b8753baadc07721981bb441d388

SHA512
21ea33aea75143f15e606b6c365340f6ea5efd3d9fbe964a1a6acf8dcfc9c660aac5fa23c49ebb1caaff02250a4cdbc62d496198328d513ce3ca280299d78a0e

Download Submit
C:\Users\Admin\Pictures\sqlsrv32.exe
Filesize
240KB

MD5
a07fb2ef06380c32ba1c916092576f71

SHA1
3204163ac87633c3dd18e4c6168eecf5014c408e

SHA256
f13046a5373d4862bd6968c2ddbc5776075e2e6d39de1f7b319c9bb2bf125721

SHA512
1448295c1775590ecf9c096646e28f91f60b68f098b1f8ffdb40bd8d98b6b50363b1ebcac2fe25217e604e232eda2e9d4b6e4795b141f46008b7d7c14814193f

Download Submit
C:\Users\Admin\Pictures\sqlsrv32.exe
Filesize
240KB

MD5
a07fb2ef06380c32ba1c916092576f71

SHA1
3204163ac87633c3dd18e4c6168eecf5014c408e

SHA256
f13046a5373d4862bd6968c2ddbc5776075e2e6d39de1f7b319c9bb2bf125721

SHA512
1448295c1775590ecf9c096646e28f91f60b68f098b1f8ffdb40bd8d98b6b50363b1ebcac2fe25217e604e232eda2e9d4b6e4795b141f46008b7d7c14814193f

Download Submit
\Users\Admin\Pictures\amstream.exe
Filesize
16KB

MD5
a0c9de40ec4391b9c7ed29af084c36a8

SHA1
d72a6e0f3703f7ae24febb2c1bf555cf201e73fd

SHA256
d46128dbb366fd5ebda1bed5e4651d346ce23b8753baadc07721981bb441d388

SHA512
21ea33aea75143f15e606b6c365340f6ea5efd3d9fbe964a1a6acf8dcfc9c660aac5fa23c49ebb1caaff02250a4cdbc62d496198328d513ce3ca280299d78a0e

Download Submit
\Users\Admin\Pictures\sqlsrv32.exe
Filesize
240KB

MD5
a07fb2ef06380c32ba1c916092576f71

SHA1
3204163ac87633c3dd18e4c6168eecf5014c408e

SHA256
f13046a5373d4862bd6968c2ddbc5776075e2e6d39de1f7b319c9bb2bf125721

SHA512
1448295c1775590ecf9c096646e28f91f60b68f098b1f8ffdb40bd8d98b6b50363b1ebcac2fe25217e604e232eda2e9d4b6e4795b141f46008b7d7c14814193f

Download Submit
memory/836-63-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/836-59-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/836-69-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/836-66-0x0000000000401FEC-mapping.dmp

Download
memory/836-85-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/836-65-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/836-61-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/836-58-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/836-77-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1508-83-0x0000000074330000-0x00000000748DB000-memory.dmp

Filesize
5.7MB

Download
memory/1508-80-0x0000000000000000-mapping.dmp

Download
memory/1508-87-0x0000000074330000-0x00000000748DB000-memory.dmp

Filesize
5.7MB

Download
memory/1656-56-0x0000000074330000-0x00000000748DB000-memory.dmp

Filesize
5.7MB

Download
memory/1656-54-0x0000000074D61000-0x0000000074D63000-memory.dmp

Filesize
8KB

Download
memory/1656-55-0x0000000074330000-0x00000000748DB000-memory.dmp

Filesize
5.7MB

Download
memory/1684-75-0x0000000074330000-0x00000000748DB000-memory.dmp

Filesize
5.7MB

Download
memory/1684-84-0x0000000074330000-0x00000000748DB000-memory.dmp

Filesize
5.7MB

Download
memory/1684-71-0x0000000000000000-mapping.dmp

Download
memory/2008-96-0x0000000000401FEC-mapping.dmp

Download
memory/2008-101-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads