netwire | c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e

Analysis

max time kernel
133s
max time network
147s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
21-10-2022 19:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e.exe
Size

352KB
MD5

e4bb38c03679084dc319981ad8614523
SHA1

ec4188989b4fa3dedfe68c19ede60e0f0bd9e4cd
SHA256

c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e
SHA512

5a386819804b24b1e8099b9a2f25271c74e51ab4c9309fbe52c1c20d65a67c071f361c05be79cdf4070b6d5b2081261d959092000b3e217db81754a6e8e5d357
SSDEEP

6144:JC33oXNrOFygLL8ujybI1sEg+AoA68bAt5aKT:JTXQHuCDTT

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Signatures

NetWire RAT payload 7 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/612-64-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/612-67-0x00000000004021DA-mapping.dmp	netwire
behavioral1/memory/612-66-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/612-72-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/612-76-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/536-92-0x00000000004021DA-mapping.dmp	netwire
behavioral1/memory/536-98-0x0000000000400000-0x000000000041E000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 3 IoCs

Processes:

c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e.exeHKRUN.exeHKRUN.exe

pid process

612 c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e.exe
1732 HKRUN.exe
536 HKRUN.exe

pid	process
612	c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e.exe
1732	HKRUN.exe
536	HKRUN.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

HKRUN.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{SL5JY177-PJ3Y-E8CD-646H-S0V6OY4OJKL6}	HKRUN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{SL5JY177-PJ3Y-E8CD-646H-S0V6OY4OJKL6}\StubPath = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\HKRUN.exe\""	HKRUN.exe

Loads dropped DLL 4 IoCs

Processes:

c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e.exec6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e.exeHKRUN.exe

pid	process
2012	c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e.exe
612	c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e.exe
612	c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e.exe
1732	HKRUN.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

HKRUN.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	HKRUN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\RegEdit1 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\HKRUN.exe"	HKRUN.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e.exeHKRUN.exe

description	pid	process	target process
PID 2012 set thread context of 612	2012	c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e.exe	c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e.exe
PID 1732 set thread context of 536	1732	HKRUN.exe	HKRUN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NTFS ADS 2 IoCs

Processes:

cmd.execmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e.exe:ZONE.identifier	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\HKRUN.exe:ZONE.identifier	cmd.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e.exec6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e.exeHKRUN.exe

description	pid	process	target process
PID 2012 wrote to memory of 2016	2012	c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e.exe	cmd.exe
PID 2012 wrote to memory of 2016	2012	c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e.exe	cmd.exe
PID 2012 wrote to memory of 2016	2012	c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e.exe	cmd.exe
PID 2012 wrote to memory of 2016	2012	c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e.exe	cmd.exe
PID 2012 wrote to memory of 612	2012	c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e.exe	c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e.exe
PID 2012 wrote to memory of 612	2012	c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e.exe	c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e.exe
PID 2012 wrote to memory of 612	2012	c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e.exe	c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e.exe
PID 2012 wrote to memory of 612	2012	c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e.exe	c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e.exe
PID 2012 wrote to memory of 612	2012	c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e.exe	c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e.exe
PID 2012 wrote to memory of 612	2012	c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e.exe	c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e.exe
PID 2012 wrote to memory of 612	2012	c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e.exe	c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e.exe
PID 2012 wrote to memory of 612	2012	c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e.exe	c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e.exe
PID 2012 wrote to memory of 612	2012	c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e.exe	c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e.exe
PID 612 wrote to memory of 1732	612	c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e.exe	HKRUN.exe
PID 612 wrote to memory of 1732	612	c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e.exe	HKRUN.exe
PID 612 wrote to memory of 1732	612	c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e.exe	HKRUN.exe
PID 612 wrote to memory of 1732	612	c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e.exe	HKRUN.exe
PID 1732 wrote to memory of 1356	1732	HKRUN.exe	cmd.exe
PID 1732 wrote to memory of 1356	1732	HKRUN.exe	cmd.exe
PID 1732 wrote to memory of 1356	1732	HKRUN.exe	cmd.exe
PID 1732 wrote to memory of 1356	1732	HKRUN.exe	cmd.exe
PID 1732 wrote to memory of 536	1732	HKRUN.exe	HKRUN.exe
PID 1732 wrote to memory of 536	1732	HKRUN.exe	HKRUN.exe
PID 1732 wrote to memory of 536	1732	HKRUN.exe	HKRUN.exe
PID 1732 wrote to memory of 536	1732	HKRUN.exe	HKRUN.exe
PID 1732 wrote to memory of 536	1732	HKRUN.exe	HKRUN.exe
PID 1732 wrote to memory of 536	1732	HKRUN.exe	HKRUN.exe
PID 1732 wrote to memory of 536	1732	HKRUN.exe	HKRUN.exe
PID 1732 wrote to memory of 536	1732	HKRUN.exe	HKRUN.exe
PID 1732 wrote to memory of 536	1732	HKRUN.exe	HKRUN.exe

C:\Users\Admin\AppData\Local\Temp\c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e.exe
"C:\Users\Admin\AppData\Local\Temp\c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2012

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > "C:\Users\Admin\AppData\Local\Temp\c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e.exe":ZONE.identifier & exit
2⤵
- NTFS ADS
PID:2016

C:\Users\Admin\AppData\Local\Temp\c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e.exe
"C:\Users\Admin\AppData\Local\Temp\c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:612

C:\Users\Admin\AppData\Roaming\Microsoft\HKRUN.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\HKRUN.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1732

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > "C:\Users\Admin\AppData\Roaming\Microsoft\HKRUN.exe":ZONE.identifier & exit
4⤵
- NTFS ADS
PID:1356

C:\Users\Admin\AppData\Roaming\Microsoft\HKRUN.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\HKRUN.exe"
4⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
PID:536

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e.exe
Filesize
352KB

MD5
e4bb38c03679084dc319981ad8614523

SHA1
ec4188989b4fa3dedfe68c19ede60e0f0bd9e4cd

SHA256
c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e

SHA512
5a386819804b24b1e8099b9a2f25271c74e51ab4c9309fbe52c1c20d65a67c071f361c05be79cdf4070b6d5b2081261d959092000b3e217db81754a6e8e5d357

Download Submit
C:\Users\Admin\AppData\Local\Temp\c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e.exe
Filesize
352KB

MD5
e4bb38c03679084dc319981ad8614523

SHA1
ec4188989b4fa3dedfe68c19ede60e0f0bd9e4cd

SHA256
c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e

SHA512
5a386819804b24b1e8099b9a2f25271c74e51ab4c9309fbe52c1c20d65a67c071f361c05be79cdf4070b6d5b2081261d959092000b3e217db81754a6e8e5d357

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\HKRUN.exe
Filesize
352KB

MD5
e4bb38c03679084dc319981ad8614523

SHA1
ec4188989b4fa3dedfe68c19ede60e0f0bd9e4cd

SHA256
c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e

SHA512
5a386819804b24b1e8099b9a2f25271c74e51ab4c9309fbe52c1c20d65a67c071f361c05be79cdf4070b6d5b2081261d959092000b3e217db81754a6e8e5d357

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\HKRUN.exe
Filesize
352KB

MD5
e4bb38c03679084dc319981ad8614523

SHA1
ec4188989b4fa3dedfe68c19ede60e0f0bd9e4cd

SHA256
c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e

SHA512
5a386819804b24b1e8099b9a2f25271c74e51ab4c9309fbe52c1c20d65a67c071f361c05be79cdf4070b6d5b2081261d959092000b3e217db81754a6e8e5d357

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\HKRUN.exe
Filesize
352KB

MD5
e4bb38c03679084dc319981ad8614523

SHA1
ec4188989b4fa3dedfe68c19ede60e0f0bd9e4cd

SHA256
c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e

SHA512
5a386819804b24b1e8099b9a2f25271c74e51ab4c9309fbe52c1c20d65a67c071f361c05be79cdf4070b6d5b2081261d959092000b3e217db81754a6e8e5d357

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\HKRUN.exe
Filesize
352KB

MD5
e4bb38c03679084dc319981ad8614523

SHA1
ec4188989b4fa3dedfe68c19ede60e0f0bd9e4cd

SHA256
c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e

SHA512
5a386819804b24b1e8099b9a2f25271c74e51ab4c9309fbe52c1c20d65a67c071f361c05be79cdf4070b6d5b2081261d959092000b3e217db81754a6e8e5d357

Download Submit
\Users\Admin\AppData\Local\Temp\c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e.exe
Filesize
352KB

MD5
e4bb38c03679084dc319981ad8614523

SHA1
ec4188989b4fa3dedfe68c19ede60e0f0bd9e4cd

SHA256
c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e

SHA512
5a386819804b24b1e8099b9a2f25271c74e51ab4c9309fbe52c1c20d65a67c071f361c05be79cdf4070b6d5b2081261d959092000b3e217db81754a6e8e5d357

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\HKRUN.exe
Filesize
352KB

MD5
e4bb38c03679084dc319981ad8614523

SHA1
ec4188989b4fa3dedfe68c19ede60e0f0bd9e4cd

SHA256
c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e

SHA512
5a386819804b24b1e8099b9a2f25271c74e51ab4c9309fbe52c1c20d65a67c071f361c05be79cdf4070b6d5b2081261d959092000b3e217db81754a6e8e5d357

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\HKRUN.exe
Filesize
352KB

MD5
e4bb38c03679084dc319981ad8614523

SHA1
ec4188989b4fa3dedfe68c19ede60e0f0bd9e4cd

SHA256
c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e

SHA512
5a386819804b24b1e8099b9a2f25271c74e51ab4c9309fbe52c1c20d65a67c071f361c05be79cdf4070b6d5b2081261d959092000b3e217db81754a6e8e5d357

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\HKRUN.exe
Filesize
352KB

MD5
e4bb38c03679084dc319981ad8614523

SHA1
ec4188989b4fa3dedfe68c19ede60e0f0bd9e4cd

SHA256
c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e

SHA512
5a386819804b24b1e8099b9a2f25271c74e51ab4c9309fbe52c1c20d65a67c071f361c05be79cdf4070b6d5b2081261d959092000b3e217db81754a6e8e5d357

Download Submit
memory/536-98-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/536-92-0x00000000004021DA-mapping.dmp

Download
memory/612-62-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/612-59-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/612-66-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/612-72-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/612-76-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/612-67-0x00000000004021DA-mapping.dmp

Download
memory/612-64-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/612-60-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1356-81-0x0000000000000000-mapping.dmp

Download
memory/1732-75-0x0000000000000000-mapping.dmp

Download
memory/1732-80-0x0000000074260000-0x000000007480B000-memory.dmp

Filesize
5.7MB

Download
memory/1732-95-0x0000000074260000-0x000000007480B000-memory.dmp

Filesize
5.7MB

Download
memory/2012-54-0x0000000074B51000-0x0000000074B53000-memory.dmp

Filesize
8KB

Download
memory/2012-70-0x00000000742A0000-0x000000007484B000-memory.dmp

Filesize
5.7MB

Download
memory/2012-55-0x00000000742A0000-0x000000007484B000-memory.dmp

Filesize
5.7MB

Download
memory/2016-56-0x0000000000000000-mapping.dmp

Download