netwire | 9852b6d615cc6d7e5e61044d3cb167bff5bcc528ba0dcb6de4e39de6105d5e42

General

Target

Product_Order_Quotation_X1208.exe
Size

322KB
MD5

709714b4261957287537f7f78e6dbdfb
SHA1

82f2efbbf0c86913932567caf70ae6f66665bec9
SHA256

72c3b0ef24972aa0269b5084d27257fa83229ddca82ae020de2194e9ed7cbb0f
SHA512

e969eba70b15e3b346931a5f812f38c20be028b30cc2512d1410d2cbdabd0664d3e9d3a56b6cd83f4e0b88ac66cb5326802d2c0a831deb138ee64b8586141601
SSDEEP

6144:my1lpFvAAkTIo9OVP8YW5hQ9wDdRrz7sn1q0eop5MvuMpGxByK/tdA8F8Tz:mAn2oZ8J5ySDdx+sySvfi0GTA8F8Tz

Score

10^/10

netwire botnet persistence rat stealer upx

Malware Config

Extracted

Family

netwire

C2

franrnar.com.tw:1009

Attributes

activex_autorun
false
copy_executable
true
delete_original
true
host_id
HostId-%Rand%
install_path
%AppData%\Microsoft\windows\explorer.exe
keylogger_dir
%AppData%\Microsoft\windows\Logs\
lock_executable
true
mutex
LqICFQGC
offline_keylogger
true
password
GetTheFuckOFf
registry_autorun
true
startup_name
iexplorer
use_mutex
true

Signatures

NetWire RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4224-137-0x0000000000400000-0x0000000000423000-memory.dmp	netwire
behavioral2/memory/4224-142-0x0000000000400000-0x0000000000423000-memory.dmp	netwire
behavioral2/memory/1608-150-0x0000000000400000-0x0000000000423000-memory.dmp	netwire
behavioral2/memory/1608-151-0x0000000000400000-0x0000000000423000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

explorer.exeexplorer.exe

pid process

1952 explorer.exe
1608 explorer.exe

pid	process
1952	explorer.exe
1608	explorer.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4224-134-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/4224-136-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/4224-137-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/4224-142-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/1608-148-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/1608-150-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/1608-151-0x0000000000400000-0x0000000000423000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iexplorer = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\windows\\explorer.exe"	explorer.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

Product_Order_Quotation_X1208.exeexplorer.exe

description	pid	process	target process
PID 5044 set thread context of 4224	5044	Product_Order_Quotation_X1208.exe	Product_Order_Quotation_X1208.exe
PID 1952 set thread context of 1608	1952	explorer.exe	explorer.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Product_Order_Quotation_X1208.exeexplorer.exe

pid process

5044 Product_Order_Quotation_X1208.exe
5044 Product_Order_Quotation_X1208.exe
1952 explorer.exe
1952 explorer.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Product_Order_Quotation_X1208.exeexplorer.exe

description pid process

Token: SeDebugPrivilege 5044 Product_Order_Quotation_X1208.exe
Token: SeDebugPrivilege 1952 explorer.exe

pid	process
5044	Product_Order_Quotation_X1208.exe
5044	Product_Order_Quotation_X1208.exe
1952	explorer.exe
1952	explorer.exe

description	pid	process
Token: SeDebugPrivilege	5044	Product_Order_Quotation_X1208.exe
Token: SeDebugPrivilege	1952	explorer.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

Product_Order_Quotation_X1208.exeProduct_Order_Quotation_X1208.exeexplorer.exe

description	pid	process	target process
PID 5044 wrote to memory of 4224	5044	Product_Order_Quotation_X1208.exe	Product_Order_Quotation_X1208.exe
PID 5044 wrote to memory of 4224	5044	Product_Order_Quotation_X1208.exe	Product_Order_Quotation_X1208.exe
PID 5044 wrote to memory of 4224	5044	Product_Order_Quotation_X1208.exe	Product_Order_Quotation_X1208.exe
PID 5044 wrote to memory of 4224	5044	Product_Order_Quotation_X1208.exe	Product_Order_Quotation_X1208.exe
PID 5044 wrote to memory of 4224	5044	Product_Order_Quotation_X1208.exe	Product_Order_Quotation_X1208.exe
PID 5044 wrote to memory of 4224	5044	Product_Order_Quotation_X1208.exe	Product_Order_Quotation_X1208.exe
PID 5044 wrote to memory of 4224	5044	Product_Order_Quotation_X1208.exe	Product_Order_Quotation_X1208.exe
PID 5044 wrote to memory of 4224	5044	Product_Order_Quotation_X1208.exe	Product_Order_Quotation_X1208.exe
PID 4224 wrote to memory of 1952	4224	Product_Order_Quotation_X1208.exe	explorer.exe
PID 4224 wrote to memory of 1952	4224	Product_Order_Quotation_X1208.exe	explorer.exe
PID 4224 wrote to memory of 1952	4224	Product_Order_Quotation_X1208.exe	explorer.exe
PID 1952 wrote to memory of 1608	1952	explorer.exe	explorer.exe
PID 1952 wrote to memory of 1608	1952	explorer.exe	explorer.exe
PID 1952 wrote to memory of 1608	1952	explorer.exe	explorer.exe
PID 1952 wrote to memory of 1608	1952	explorer.exe	explorer.exe
PID 1952 wrote to memory of 1608	1952	explorer.exe	explorer.exe
PID 1952 wrote to memory of 1608	1952	explorer.exe	explorer.exe
PID 1952 wrote to memory of 1608	1952	explorer.exe	explorer.exe
PID 1952 wrote to memory of 1608	1952	explorer.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\Product_Order_Quotation_X1208.exe
"C:\Users\Admin\AppData\Local\Temp\Product_Order_Quotation_X1208.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5044

C:\Users\Admin\AppData\Local\Temp\Product_Order_Quotation_X1208.exe
"C:\Users\Admin\AppData\Local\Temp\Product_Order_Quotation_X1208.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4224

C:\Users\Admin\AppData\Roaming\Microsoft\windows\explorer.exe
-m "C:\Users\Admin\AppData\Local\Temp\Product_Order_Quotation_X1208.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1952

C:\Users\Admin\AppData\Roaming\Microsoft\windows\explorer.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\windows\explorer.exe" C:\Users\Admin\AppData\Local\Temp\Product_Order_Quotation_X1208.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1608

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe

Filesize
322KB

MD5
709714b4261957287537f7f78e6dbdfb

SHA1
82f2efbbf0c86913932567caf70ae6f66665bec9

SHA256
72c3b0ef24972aa0269b5084d27257fa83229ddca82ae020de2194e9ed7cbb0f

SHA512
e969eba70b15e3b346931a5f812f38c20be028b30cc2512d1410d2cbdabd0664d3e9d3a56b6cd83f4e0b88ac66cb5326802d2c0a831deb138ee64b8586141601

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe

Filesize
322KB

MD5
709714b4261957287537f7f78e6dbdfb

SHA1
82f2efbbf0c86913932567caf70ae6f66665bec9

SHA256
72c3b0ef24972aa0269b5084d27257fa83229ddca82ae020de2194e9ed7cbb0f

SHA512
e969eba70b15e3b346931a5f812f38c20be028b30cc2512d1410d2cbdabd0664d3e9d3a56b6cd83f4e0b88ac66cb5326802d2c0a831deb138ee64b8586141601

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\windows\explorer.exe

Filesize
322KB

MD5
709714b4261957287537f7f78e6dbdfb

SHA1
82f2efbbf0c86913932567caf70ae6f66665bec9

SHA256
72c3b0ef24972aa0269b5084d27257fa83229ddca82ae020de2194e9ed7cbb0f

SHA512
e969eba70b15e3b346931a5f812f38c20be028b30cc2512d1410d2cbdabd0664d3e9d3a56b6cd83f4e0b88ac66cb5326802d2c0a831deb138ee64b8586141601

Download Submit
memory/1608-151-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1608-150-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1608-148-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1608-144-0x0000000000000000-mapping.dmp

Download
memory/1952-143-0x0000000075140000-0x00000000756F1000-memory.dmp

Filesize
5.7MB

Download
memory/1952-138-0x0000000000000000-mapping.dmp

Download
memory/1952-149-0x0000000075140000-0x00000000756F1000-memory.dmp

Filesize
5.7MB

Download
memory/4224-137-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4224-142-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4224-136-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4224-134-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4224-133-0x0000000000000000-mapping.dmp

Download
memory/5044-140-0x0000000075140000-0x00000000756F1000-memory.dmp

Filesize
5.7MB

Download
memory/5044-132-0x0000000075140000-0x00000000756F1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads