netwire | 637e17723ea88878915ba42095680ee5438c22a88a4538137b3174dd4e2e8c6a

General

Target

9c46fdf7827bce482555180c932d47d8.exe
Size

584KB
MD5

9c46fdf7827bce482555180c932d47d8
SHA1

1ae60690cc27ec74be8f4334e0e9fbfd05fdffa0
SHA256

637e17723ea88878915ba42095680ee5438c22a88a4538137b3174dd4e2e8c6a
SHA512

36e6295ebe04db32830646b301c4aff10e1b3365dfe10d8801b15af2a0237c3a16e6b77528ff13fe3f0d0929e20b573bc4466d5d06c441862bd6c72cdb5652c1
SSDEEP

12288:zNZwI+hBtAnzo+YSSwiG5LgpRwMX6HhJ6qnepnU55dTOdQ:zADhBmzovSSm5CK7hekdTOdQ

Score

10^/10

netwire botnet collection rat spyware stealer

Malware Config

Signatures

NetWire RAT payload 7 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/700-70-0x0000000000400000-0x000000000042B000-memory.dmp	netwire
behavioral1/memory/700-71-0x0000000000400000-0x000000000042B000-memory.dmp	netwire
behavioral1/memory/700-73-0x0000000000400000-0x000000000042B000-memory.dmp	netwire
behavioral1/memory/700-76-0x00000000004026D0-mapping.dmp	netwire
behavioral1/memory/700-75-0x0000000000400000-0x000000000042B000-memory.dmp	netwire
behavioral1/memory/700-79-0x0000000000400000-0x000000000042B000-memory.dmp	netwire
behavioral1/memory/700-80-0x0000000000400000-0x000000000042B000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

9c46fdf7827bce482555180c932d47d8.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	9c46fdf7827bce482555180c932d47d8.exe
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	9c46fdf7827bce482555180c932d47d8.exe
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	9c46fdf7827bce482555180c932d47d8.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

9c46fdf7827bce482555180c932d47d8.exe

description pid process target process

PID 1204 set thread context of 700 1204 9c46fdf7827bce482555180c932d47d8.exe 9c46fdf7827bce482555180c932d47d8.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

620 schtasks.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1520 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1520 powershell.exe

description	pid	process	target process
PID 1204 set thread context of 700	1204	9c46fdf7827bce482555180c932d47d8.exe	9c46fdf7827bce482555180c932d47d8.exe

pid	process
620	schtasks.exe

pid	process
1520	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1520	powershell.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

9c46fdf7827bce482555180c932d47d8.exe

description	pid	process	target process
PID 1204 wrote to memory of 1520	1204	9c46fdf7827bce482555180c932d47d8.exe	powershell.exe
PID 1204 wrote to memory of 1520	1204	9c46fdf7827bce482555180c932d47d8.exe	powershell.exe
PID 1204 wrote to memory of 1520	1204	9c46fdf7827bce482555180c932d47d8.exe	powershell.exe
PID 1204 wrote to memory of 1520	1204	9c46fdf7827bce482555180c932d47d8.exe	powershell.exe
PID 1204 wrote to memory of 620	1204	9c46fdf7827bce482555180c932d47d8.exe	schtasks.exe
PID 1204 wrote to memory of 620	1204	9c46fdf7827bce482555180c932d47d8.exe	schtasks.exe
PID 1204 wrote to memory of 620	1204	9c46fdf7827bce482555180c932d47d8.exe	schtasks.exe
PID 1204 wrote to memory of 620	1204	9c46fdf7827bce482555180c932d47d8.exe	schtasks.exe
PID 1204 wrote to memory of 700	1204	9c46fdf7827bce482555180c932d47d8.exe	9c46fdf7827bce482555180c932d47d8.exe
PID 1204 wrote to memory of 700	1204	9c46fdf7827bce482555180c932d47d8.exe	9c46fdf7827bce482555180c932d47d8.exe
PID 1204 wrote to memory of 700	1204	9c46fdf7827bce482555180c932d47d8.exe	9c46fdf7827bce482555180c932d47d8.exe
PID 1204 wrote to memory of 700	1204	9c46fdf7827bce482555180c932d47d8.exe	9c46fdf7827bce482555180c932d47d8.exe
PID 1204 wrote to memory of 700	1204	9c46fdf7827bce482555180c932d47d8.exe	9c46fdf7827bce482555180c932d47d8.exe
PID 1204 wrote to memory of 700	1204	9c46fdf7827bce482555180c932d47d8.exe	9c46fdf7827bce482555180c932d47d8.exe
PID 1204 wrote to memory of 700	1204	9c46fdf7827bce482555180c932d47d8.exe	9c46fdf7827bce482555180c932d47d8.exe
PID 1204 wrote to memory of 700	1204	9c46fdf7827bce482555180c932d47d8.exe	9c46fdf7827bce482555180c932d47d8.exe
PID 1204 wrote to memory of 700	1204	9c46fdf7827bce482555180c932d47d8.exe	9c46fdf7827bce482555180c932d47d8.exe
PID 1204 wrote to memory of 700	1204	9c46fdf7827bce482555180c932d47d8.exe	9c46fdf7827bce482555180c932d47d8.exe
PID 1204 wrote to memory of 700	1204	9c46fdf7827bce482555180c932d47d8.exe	9c46fdf7827bce482555180c932d47d8.exe

outlook_office_path 1 IoCs

Processes:

9c46fdf7827bce482555180c932d47d8.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	9c46fdf7827bce482555180c932d47d8.exe

outlook_win_path 1 IoCs

Processes:

9c46fdf7827bce482555180c932d47d8.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	9c46fdf7827bce482555180c932d47d8.exe

C:\Users\Admin\AppData\Local\Temp\9c46fdf7827bce482555180c932d47d8.exe
"C:\Users\Admin\AppData\Local\Temp\9c46fdf7827bce482555180c932d47d8.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1204

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\NezZmiraIRHJRN.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1520

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NezZmiraIRHJRN" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD2BB.tmp"
2⤵
- Creates scheduled task(s)
PID:620

C:\Users\Admin\AppData\Local\Temp\9c46fdf7827bce482555180c932d47d8.exe
"C:\Users\Admin\AppData\Local\Temp\9c46fdf7827bce482555180c932d47d8.exe"
2⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:700

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpD2BB.tmp

Filesize
1KB

MD5
4f0c3cd5791bac5cde3e296b3e78d443

SHA1
d550ae3cffe3b937255d8bb9ef14ff45a891488c

SHA256
71c3c59e68c90f3dbee2a307760cb84830fc587f0885e33a1fa14fd86b913339

SHA512
b8ed41334e8e77ebbc6fabf9d57b84b7e51aefd4dc57acb398f1ec95bf103d69bf5db31941d236f7f199b14261fb993773c699bce0a5adc6c9fec7e9bc6e8bef

Download Submit
memory/620-61-0x0000000000000000-mapping.dmp

Download
memory/700-73-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/700-68-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/700-80-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/700-79-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/700-75-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/700-76-0x00000000004026D0-mapping.dmp

Download
memory/700-71-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/700-70-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/700-65-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/700-66-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1204-56-0x00000000045B0000-0x000000000466C000-memory.dmp

Filesize
752KB

Download
memory/1204-64-0x0000000005E60000-0x0000000005E86000-memory.dmp

Filesize
152KB

Download
memory/1204-55-0x0000000074DE1000-0x0000000074DE3000-memory.dmp

Filesize
8KB

Download
memory/1204-54-0x0000000000D40000-0x0000000000DD8000-memory.dmp

Filesize
608KB

Download
memory/1204-57-0x0000000000A40000-0x0000000000A58000-memory.dmp

Filesize
96KB

Download
memory/1204-59-0x000000000A3A0000-0x000000000A420000-memory.dmp

Filesize
512KB

Download
memory/1204-58-0x0000000000AF0000-0x0000000000AFC000-memory.dmp

Filesize
48KB

Download
memory/1520-60-0x0000000000000000-mapping.dmp

Download
memory/1520-81-0x0000000074030000-0x00000000745DB000-memory.dmp

Filesize
5.7MB

Download
memory/1520-82-0x0000000074030000-0x00000000745DB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads