netwire | c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e

General

Target

c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e.exe
Size

352KB
MD5

e4bb38c03679084dc319981ad8614523
SHA1

ec4188989b4fa3dedfe68c19ede60e0f0bd9e4cd
SHA256

c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e
SHA512

5a386819804b24b1e8099b9a2f25271c74e51ab4c9309fbe52c1c20d65a67c071f361c05be79cdf4070b6d5b2081261d959092000b3e217db81754a6e8e5d357
SSDEEP

6144:JC33oXNrOFygLL8ujybI1sEg+AoA68bAt5aKT:JTXQHuCDTT

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Signatures

NetWire RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4324-136-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral2/memory/4324-139-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral2/memory/4324-144-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral2/memory/3200-155-0x0000000000400000-0x000000000041E000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 3 IoCs

Processes:

c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e.exeHKRUN.exeHKRUN.exe

pid process

4324 c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e.exe
1344 HKRUN.exe
3200 HKRUN.exe

pid	process
4324	c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e.exe
1344	HKRUN.exe
3200	HKRUN.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

HKRUN.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{SL5JY177-PJ3Y-E8CD-646H-S0V6OY4OJKL6}	HKRUN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{SL5JY177-PJ3Y-E8CD-646H-S0V6OY4OJKL6}\StubPath = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\HKRUN.exe\""	HKRUN.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e.exeHKRUN.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	HKRUN.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

HKRUN.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	HKRUN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegEdit1 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\HKRUN.exe"	HKRUN.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e.exeHKRUN.exe

description	pid	process	target process
PID 4440 set thread context of 4324	4440	c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e.exe	c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e.exe
PID 1344 set thread context of 3200	1344	HKRUN.exe	HKRUN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NTFS ADS 2 IoCs

Processes:

cmd.execmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e.exe:ZONE.identifier	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\HKRUN.exe:ZONE.identifier	cmd.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e.exec6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e.exeHKRUN.exe

description	pid	process	target process
PID 4440 wrote to memory of 3680	4440	c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e.exe	cmd.exe
PID 4440 wrote to memory of 3680	4440	c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e.exe	cmd.exe
PID 4440 wrote to memory of 3680	4440	c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e.exe	cmd.exe
PID 4440 wrote to memory of 4324	4440	c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e.exe	c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e.exe
PID 4440 wrote to memory of 4324	4440	c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e.exe	c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e.exe
PID 4440 wrote to memory of 4324	4440	c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e.exe	c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e.exe
PID 4440 wrote to memory of 4324	4440	c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e.exe	c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e.exe
PID 4440 wrote to memory of 4324	4440	c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e.exe	c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e.exe
PID 4440 wrote to memory of 4324	4440	c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e.exe	c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e.exe
PID 4440 wrote to memory of 4324	4440	c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e.exe	c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e.exe
PID 4440 wrote to memory of 4324	4440	c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e.exe	c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e.exe
PID 4324 wrote to memory of 1344	4324	c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e.exe	HKRUN.exe
PID 4324 wrote to memory of 1344	4324	c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e.exe	HKRUN.exe
PID 4324 wrote to memory of 1344	4324	c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e.exe	HKRUN.exe
PID 1344 wrote to memory of 4720	1344	HKRUN.exe	cmd.exe
PID 1344 wrote to memory of 4720	1344	HKRUN.exe	cmd.exe
PID 1344 wrote to memory of 4720	1344	HKRUN.exe	cmd.exe
PID 1344 wrote to memory of 3200	1344	HKRUN.exe	HKRUN.exe
PID 1344 wrote to memory of 3200	1344	HKRUN.exe	HKRUN.exe
PID 1344 wrote to memory of 3200	1344	HKRUN.exe	HKRUN.exe
PID 1344 wrote to memory of 3200	1344	HKRUN.exe	HKRUN.exe
PID 1344 wrote to memory of 3200	1344	HKRUN.exe	HKRUN.exe
PID 1344 wrote to memory of 3200	1344	HKRUN.exe	HKRUN.exe
PID 1344 wrote to memory of 3200	1344	HKRUN.exe	HKRUN.exe
PID 1344 wrote to memory of 3200	1344	HKRUN.exe	HKRUN.exe

C:\Users\Admin\AppData\Local\Temp\c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e.exe
"C:\Users\Admin\AppData\Local\Temp\c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4440

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > "C:\Users\Admin\AppData\Local\Temp\c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e.exe":ZONE.identifier & exit
2⤵
- NTFS ADS
PID:3680

C:\Users\Admin\AppData\Local\Temp\c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e.exe
"C:\Users\Admin\AppData\Local\Temp\c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4324

C:\Users\Admin\AppData\Roaming\Microsoft\HKRUN.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\HKRUN.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1344

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > "C:\Users\Admin\AppData\Roaming\Microsoft\HKRUN.exe":ZONE.identifier & exit
4⤵
- NTFS ADS
PID:4720

C:\Users\Admin\AppData\Roaming\Microsoft\HKRUN.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\HKRUN.exe"
4⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
PID:3200

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e.exe
Filesize
352KB

MD5
e4bb38c03679084dc319981ad8614523

SHA1
ec4188989b4fa3dedfe68c19ede60e0f0bd9e4cd

SHA256
c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e

SHA512
5a386819804b24b1e8099b9a2f25271c74e51ab4c9309fbe52c1c20d65a67c071f361c05be79cdf4070b6d5b2081261d959092000b3e217db81754a6e8e5d357

Download Submit
C:\Users\Admin\AppData\Local\Temp\c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e.exe
Filesize
352KB

MD5
e4bb38c03679084dc319981ad8614523

SHA1
ec4188989b4fa3dedfe68c19ede60e0f0bd9e4cd

SHA256
c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e

SHA512
5a386819804b24b1e8099b9a2f25271c74e51ab4c9309fbe52c1c20d65a67c071f361c05be79cdf4070b6d5b2081261d959092000b3e217db81754a6e8e5d357

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\HKRUN.exe
Filesize
352KB

MD5
e4bb38c03679084dc319981ad8614523

SHA1
ec4188989b4fa3dedfe68c19ede60e0f0bd9e4cd

SHA256
c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e

SHA512
5a386819804b24b1e8099b9a2f25271c74e51ab4c9309fbe52c1c20d65a67c071f361c05be79cdf4070b6d5b2081261d959092000b3e217db81754a6e8e5d357

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\HKRUN.exe
Filesize
352KB

MD5
e4bb38c03679084dc319981ad8614523

SHA1
ec4188989b4fa3dedfe68c19ede60e0f0bd9e4cd

SHA256
c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e

SHA512
5a386819804b24b1e8099b9a2f25271c74e51ab4c9309fbe52c1c20d65a67c071f361c05be79cdf4070b6d5b2081261d959092000b3e217db81754a6e8e5d357

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\HKRUN.exe
Filesize
352KB

MD5
e4bb38c03679084dc319981ad8614523

SHA1
ec4188989b4fa3dedfe68c19ede60e0f0bd9e4cd

SHA256
c6072c6acb98990d381fc6a18908cfe7988e967e102f09be1e2eb2990591417e

SHA512
5a386819804b24b1e8099b9a2f25271c74e51ab4c9309fbe52c1c20d65a67c071f361c05be79cdf4070b6d5b2081261d959092000b3e217db81754a6e8e5d357

Download Submit
memory/1344-142-0x0000000000000000-mapping.dmp

Download
memory/1344-154-0x0000000074AC0000-0x0000000075071000-memory.dmp

Filesize
5.7MB

Download
memory/1344-147-0x0000000074AC0000-0x0000000075071000-memory.dmp

Filesize
5.7MB

Download
memory/1344-146-0x0000000074AC0000-0x0000000075071000-memory.dmp

Filesize
5.7MB

Download
memory/3200-149-0x0000000000000000-mapping.dmp

Download
memory/3200-155-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3680-134-0x0000000000000000-mapping.dmp

Download
memory/4324-144-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4324-136-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4324-139-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4324-135-0x0000000000000000-mapping.dmp

Download
memory/4440-132-0x0000000074AC0000-0x0000000075071000-memory.dmp

Filesize
5.7MB

Download
memory/4440-133-0x0000000074AC0000-0x0000000075071000-memory.dmp

Filesize
5.7MB

Download
memory/4440-141-0x0000000074AC0000-0x0000000075071000-memory.dmp

Filesize
5.7MB

Download
memory/4720-148-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads