netwire | 637e17723ea88878915ba42095680ee5438c22a88a4538137b3174dd4e2e8c6a

General

Target

9c46fdf7827bce482555180c932d47d8.exe
Size

584KB
MD5

9c46fdf7827bce482555180c932d47d8
SHA1

1ae60690cc27ec74be8f4334e0e9fbfd05fdffa0
SHA256

637e17723ea88878915ba42095680ee5438c22a88a4538137b3174dd4e2e8c6a
SHA512

36e6295ebe04db32830646b301c4aff10e1b3365dfe10d8801b15af2a0237c3a16e6b77528ff13fe3f0d0929e20b573bc4466d5d06c441862bd6c72cdb5652c1
SSDEEP

12288:zNZwI+hBtAnzo+YSSwiG5LgpRwMX6HhJ6qnepnU55dTOdQ:zADhBmzovSSm5CK7hekdTOdQ

Score

10^/10

netwire botnet rat spyware stealer

Malware Config

Signatures

NetWire RAT payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/5068-144-0x0000000000400000-0x000000000042B000-memory.dmp	netwire
behavioral2/memory/5068-146-0x0000000000400000-0x000000000042B000-memory.dmp	netwire
behavioral2/memory/5068-149-0x0000000000400000-0x000000000042B000-memory.dmp	netwire
behavioral2/memory/5068-161-0x0000000000400000-0x000000000042B000-memory.dmp	netwire
behavioral2/memory/5068-162-0x0000000000400000-0x000000000042B000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

9c46fdf7827bce482555180c932d47d8.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	9c46fdf7827bce482555180c932d47d8.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of SetThreadContext 1 IoCs

Processes:

9c46fdf7827bce482555180c932d47d8.exe

description pid process target process

PID 3440 set thread context of 5068 3440 9c46fdf7827bce482555180c932d47d8.exe 9c46fdf7827bce482555180c932d47d8.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1932 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

4980 powershell.exe
4980 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 4980 powershell.exe

description	pid	process	target process
PID 3440 set thread context of 5068	3440	9c46fdf7827bce482555180c932d47d8.exe	9c46fdf7827bce482555180c932d47d8.exe

pid	process
1932	schtasks.exe

pid	process
4980	powershell.exe
4980	powershell.exe

description	pid	process
Token: SeDebugPrivilege	4980	powershell.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

9c46fdf7827bce482555180c932d47d8.exe

C:\Users\Admin\AppData\Local\Temp\9c46fdf7827bce482555180c932d47d8.exe
"C:\Users\Admin\AppData\Local\Temp\9c46fdf7827bce482555180c932d47d8.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3440

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\NezZmiraIRHJRN.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4980

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NezZmiraIRHJRN" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1741.tmp"
2⤵
- Creates scheduled task(s)
PID:1932

C:\Users\Admin\AppData\Local\Temp\9c46fdf7827bce482555180c932d47d8.exe
"C:\Users\Admin\AppData\Local\Temp\9c46fdf7827bce482555180c932d47d8.exe"
2⤵
PID:5068

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp1741.tmp
Filesize
1KB

MD5
06ee3379c2802e4b9699e5c4d9b2731e

SHA1
5e7a0fb8a49b11fa99db0f6f59e5e5fd601e242c

SHA256
eaef0300a14d9130f62bf57be6b7b1d7a0f0189630cea6fabd6fed956b8d84f1

SHA512
4222ade4c122794f955893abc6e5e0262525e7fa6ff028d6bce060a32bb57bd144bfcf0e4a5c1de88190f5a0bd6e0cf782b9127c091451ce5d01a7d9e18dc0be

Download Submit
memory/1932-139-0x0000000000000000-mapping.dmp

Download
memory/3440-133-0x0000000005B80000-0x0000000006124000-memory.dmp

Filesize
5.6MB

Download
memory/3440-134-0x0000000005670000-0x0000000005702000-memory.dmp

Filesize
584KB

Download
memory/3440-135-0x0000000005630000-0x000000000563A000-memory.dmp

Filesize
40KB

Download
memory/3440-136-0x000000000B700000-0x000000000B79C000-memory.dmp

Filesize
624KB

Download
memory/3440-137-0x000000000B810000-0x000000000B876000-memory.dmp

Filesize
408KB

Download
memory/3440-132-0x0000000000BC0000-0x0000000000C58000-memory.dmp

Filesize
608KB

Download
memory/4980-147-0x00000000051D0000-0x00000000051F2000-memory.dmp

Filesize
136KB

Download
memory/4980-152-0x00000000712F0000-0x000000007133C000-memory.dmp

Filesize
304KB

Download
memory/4980-143-0x00000000054B0000-0x0000000005AD8000-memory.dmp

Filesize
6.2MB

Download
memory/4980-160-0x00000000077D0000-0x00000000077D8000-memory.dmp

Filesize
32KB

Download
memory/4980-159-0x00000000077F0000-0x000000000780A000-memory.dmp

Filesize
104KB

Download
memory/4980-158-0x00000000076E0000-0x00000000076EE000-memory.dmp

Filesize
56KB

Download
memory/4980-138-0x0000000000000000-mapping.dmp

Download
memory/4980-148-0x0000000005280000-0x00000000052E6000-memory.dmp

Filesize
408KB

Download
memory/4980-157-0x0000000007730000-0x00000000077C6000-memory.dmp

Filesize
600KB

Download
memory/4980-150-0x00000000061A0000-0x00000000061BE000-memory.dmp

Filesize
120KB

Download
memory/4980-151-0x0000000006760000-0x0000000006792000-memory.dmp

Filesize
200KB

Download
memory/4980-140-0x0000000002890000-0x00000000028C6000-memory.dmp

Filesize
216KB

Download
memory/4980-153-0x00000000067A0000-0x00000000067BE000-memory.dmp

Filesize
120KB

Download
memory/4980-154-0x0000000007AF0000-0x000000000816A000-memory.dmp

Filesize
6.5MB

Download
memory/4980-155-0x00000000074B0000-0x00000000074CA000-memory.dmp

Filesize
104KB

Download
memory/4980-156-0x0000000007520000-0x000000000752A000-memory.dmp

Filesize
40KB

Download
memory/5068-149-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5068-146-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5068-144-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5068-142-0x0000000000000000-mapping.dmp

Download
memory/5068-161-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5068-162-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download

description	pid	process	target process
PID 3440 wrote to memory of 4980	3440	9c46fdf7827bce482555180c932d47d8.exe	powershell.exe
PID 3440 wrote to memory of 4980	3440	9c46fdf7827bce482555180c932d47d8.exe	powershell.exe
PID 3440 wrote to memory of 4980	3440	9c46fdf7827bce482555180c932d47d8.exe	powershell.exe
PID 3440 wrote to memory of 1932	3440	9c46fdf7827bce482555180c932d47d8.exe	schtasks.exe
PID 3440 wrote to memory of 1932	3440	9c46fdf7827bce482555180c932d47d8.exe	schtasks.exe
PID 3440 wrote to memory of 1932	3440	9c46fdf7827bce482555180c932d47d8.exe	schtasks.exe
PID 3440 wrote to memory of 5068	3440	9c46fdf7827bce482555180c932d47d8.exe	9c46fdf7827bce482555180c932d47d8.exe
PID 3440 wrote to memory of 5068	3440	9c46fdf7827bce482555180c932d47d8.exe	9c46fdf7827bce482555180c932d47d8.exe
PID 3440 wrote to memory of 5068	3440	9c46fdf7827bce482555180c932d47d8.exe	9c46fdf7827bce482555180c932d47d8.exe
PID 3440 wrote to memory of 5068	3440	9c46fdf7827bce482555180c932d47d8.exe	9c46fdf7827bce482555180c932d47d8.exe
PID 3440 wrote to memory of 5068	3440	9c46fdf7827bce482555180c932d47d8.exe	9c46fdf7827bce482555180c932d47d8.exe
PID 3440 wrote to memory of 5068	3440	9c46fdf7827bce482555180c932d47d8.exe	9c46fdf7827bce482555180c932d47d8.exe
PID 3440 wrote to memory of 5068	3440	9c46fdf7827bce482555180c932d47d8.exe	9c46fdf7827bce482555180c932d47d8.exe
PID 3440 wrote to memory of 5068	3440	9c46fdf7827bce482555180c932d47d8.exe	9c46fdf7827bce482555180c932d47d8.exe
PID 3440 wrote to memory of 5068	3440	9c46fdf7827bce482555180c932d47d8.exe	9c46fdf7827bce482555180c932d47d8.exe
PID 3440 wrote to memory of 5068	3440	9c46fdf7827bce482555180c932d47d8.exe	9c46fdf7827bce482555180c932d47d8.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads