netwire | 98949b9cd7eb063eb4a2970136d3483b29891bd8c1c2ec6104e45b76f838ddf9

General

Target

AW7938730028-10-24-22.exe
Size

1.0MB
MD5

839197eee0260468564f9d9b495925ee
SHA1

071635cb3bf7e3366a18222ae2f505167be50d78
SHA256

98949b9cd7eb063eb4a2970136d3483b29891bd8c1c2ec6104e45b76f838ddf9
SHA512

d703f04cd774dc747580f1994c0d531ae82c9d9013b025b60abcd4fb849ec6dda62f721eabb5dbc904f18e4a857c347aa302083999ae9edb85d26a153488f4e2
SSDEEP

12288:UKOwdd/jJVGhZzg9fP8tdyvUFAF73b3rFguY8:UKXdrL+yvUiF7L35f

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

C2

podzeye2.duckdns.org:4411

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
lock_executable
false
offline_keylogger
false
password
Password
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 7 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1156-69-0x0000000000400000-0x000000000044F000-memory.dmp	netwire
behavioral1/memory/1156-71-0x0000000000400000-0x000000000044F000-memory.dmp	netwire
behavioral1/memory/1156-72-0x0000000000400000-0x000000000044F000-memory.dmp	netwire
behavioral1/memory/1156-74-0x0000000000400000-0x000000000044F000-memory.dmp	netwire
behavioral1/memory/1156-75-0x000000000041AD7B-mapping.dmp	netwire
behavioral1/memory/1156-78-0x0000000000400000-0x000000000044F000-memory.dmp	netwire
behavioral1/memory/1156-80-0x0000000000400000-0x000000000044F000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Suspicious use of SetThreadContext 1 IoCs

Processes:

AW7938730028-10-24-22.exe

description pid process target process

PID 1048 set thread context of 1156 1048 AW7938730028-10-24-22.exe AW7938730028-10-24-22.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1872 schtasks.exe

description	pid	process	target process
PID 1048 set thread context of 1156	1048	AW7938730028-10-24-22.exe	AW7938730028-10-24-22.exe

pid	process
1872	schtasks.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

AW7938730028-10-24-22.exepowershell.exe

pid	process
1048	AW7938730028-10-24-22.exe
1048	AW7938730028-10-24-22.exe
1048	AW7938730028-10-24-22.exe
1048	AW7938730028-10-24-22.exe
1048	AW7938730028-10-24-22.exe
1048	AW7938730028-10-24-22.exe
468	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

AW7938730028-10-24-22.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1048 AW7938730028-10-24-22.exe
Token: SeDebugPrivilege 468 powershell.exe

description	pid	process
Token: SeDebugPrivilege	1048	AW7938730028-10-24-22.exe
Token: SeDebugPrivilege	468	powershell.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

AW7938730028-10-24-22.exe

description	pid	process	target process
PID 1048 wrote to memory of 468	1048	AW7938730028-10-24-22.exe	powershell.exe
PID 1048 wrote to memory of 468	1048	AW7938730028-10-24-22.exe	powershell.exe
PID 1048 wrote to memory of 468	1048	AW7938730028-10-24-22.exe	powershell.exe
PID 1048 wrote to memory of 468	1048	AW7938730028-10-24-22.exe	powershell.exe
PID 1048 wrote to memory of 1872	1048	AW7938730028-10-24-22.exe	schtasks.exe
PID 1048 wrote to memory of 1872	1048	AW7938730028-10-24-22.exe	schtasks.exe
PID 1048 wrote to memory of 1872	1048	AW7938730028-10-24-22.exe	schtasks.exe
PID 1048 wrote to memory of 1872	1048	AW7938730028-10-24-22.exe	schtasks.exe
PID 1048 wrote to memory of 1156	1048	AW7938730028-10-24-22.exe	AW7938730028-10-24-22.exe
PID 1048 wrote to memory of 1156	1048	AW7938730028-10-24-22.exe	AW7938730028-10-24-22.exe
PID 1048 wrote to memory of 1156	1048	AW7938730028-10-24-22.exe	AW7938730028-10-24-22.exe
PID 1048 wrote to memory of 1156	1048	AW7938730028-10-24-22.exe	AW7938730028-10-24-22.exe
PID 1048 wrote to memory of 1156	1048	AW7938730028-10-24-22.exe	AW7938730028-10-24-22.exe
PID 1048 wrote to memory of 1156	1048	AW7938730028-10-24-22.exe	AW7938730028-10-24-22.exe
PID 1048 wrote to memory of 1156	1048	AW7938730028-10-24-22.exe	AW7938730028-10-24-22.exe
PID 1048 wrote to memory of 1156	1048	AW7938730028-10-24-22.exe	AW7938730028-10-24-22.exe
PID 1048 wrote to memory of 1156	1048	AW7938730028-10-24-22.exe	AW7938730028-10-24-22.exe
PID 1048 wrote to memory of 1156	1048	AW7938730028-10-24-22.exe	AW7938730028-10-24-22.exe
PID 1048 wrote to memory of 1156	1048	AW7938730028-10-24-22.exe	AW7938730028-10-24-22.exe

C:\Users\Admin\AppData\Local\Temp\AW7938730028-10-24-22.exe
"C:\Users\Admin\AppData\Local\Temp\AW7938730028-10-24-22.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1048

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\OXPRotPDpoJ.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:468

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OXPRotPDpoJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDFF4.tmp"
2⤵
- Creates scheduled task(s)
PID:1872

C:\Users\Admin\AppData\Local\Temp\AW7938730028-10-24-22.exe
"C:\Users\Admin\AppData\Local\Temp\AW7938730028-10-24-22.exe"
2⤵
PID:1156

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpDFF4.tmp
Filesize
1KB

MD5
e420652efd6907064b7404a20995589b

SHA1
74be7d17a541d36c399a66625ffbc231f4c4881e

SHA256
05a6755bb43bccb37422d7b801874ce53cfa46b9d7e6bbeb3623003c3673f076

SHA512
89c097a55e7b2684e69fd9285e2b55084518bb5b7bd77834b8f633f97e3d7807ba756a967d7ebbb09aa0ffbc9ec4a1c761746cd9cb0ac304cfd0aa393b70645a

Download Submit
memory/468-59-0x0000000000000000-mapping.dmp

Download
memory/468-81-0x000000006EC60000-0x000000006F20B000-memory.dmp

Filesize
5.7MB

Download
memory/468-79-0x000000006EC60000-0x000000006F20B000-memory.dmp

Filesize
5.7MB

Download
memory/1048-54-0x0000000001130000-0x000000000123A000-memory.dmp

Filesize
1.0MB

Download
memory/1048-55-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download
memory/1048-56-0x0000000000640000-0x0000000000656000-memory.dmp

Filesize
88KB

Download
memory/1048-57-0x0000000000530000-0x000000000053C000-memory.dmp

Filesize
48KB

Download
memory/1048-58-0x0000000005E20000-0x0000000005EA4000-memory.dmp

Filesize
528KB

Download
memory/1048-63-0x0000000005EA0000-0x0000000005EEA000-memory.dmp

Filesize
296KB

Download
memory/1156-64-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1156-67-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1156-69-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1156-71-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1156-72-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1156-74-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1156-75-0x000000000041AD7B-mapping.dmp

Download
memory/1156-78-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1156-65-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1156-80-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1872-60-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads