netwire | 7ea64f3e3521d0660b5de4022b2b2dabc50f560469823bb71154f074fc9ae24d

Analysis

max time kernel
376s
max time network
1165s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
27-10-2022 15:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SPY510962.exe
Size

344KB
MD5

735b4ad89490a8fc7e09607d16aeb317
SHA1

8a55d37dfee42e056f56b49a3a979babdfd7c920
SHA256

7ea64f3e3521d0660b5de4022b2b2dabc50f560469823bb71154f074fc9ae24d
SHA512

47a0a52b0a761322e4369bf8468ab1a22d090c49fafb2ccced852767a935b02320f6bd2d12c4c0e68e12c2611d1ae597892352ce0c437122e46bade1c39120b3
SSDEEP

6144:SweEUssBLcl0lxNZSQSeMNvq8wj7e3tn4sBADoGSGHU+Y:SXLkhjNvq17ETBADoGnH5Y

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

85.31.46.78:3340

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
azaman
lock_executable
false
offline_keylogger
false
password
Password
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4552-254-0x0000000000400000-0x000000000044F000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

ywctb.exeywctb.exe

pid process

960 ywctb.exe
4552 ywctb.exe

pid	process
960	ywctb.exe
4552	ywctb.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ywctb.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows\CurrentVersion\Run\stak = "C:\\Users\\Admin\\AppData\\Roaming\\hpes\\bibrqnq.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\ywctb.exe\""	ywctb.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

ywctb.exe

description pid process target process

PID 960 set thread context of 4552 960 ywctb.exe ywctb.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

ywctb.exe

pid process

960 ywctb.exe

description	pid	process	target process
PID 960 set thread context of 4552	960	ywctb.exe	ywctb.exe

pid	process
960	ywctb.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

SPY510962.exeywctb.exe

description	pid	process	target process
PID 1980 wrote to memory of 960	1980	SPY510962.exe	ywctb.exe
PID 1980 wrote to memory of 960	1980	SPY510962.exe	ywctb.exe
PID 1980 wrote to memory of 960	1980	SPY510962.exe	ywctb.exe
PID 960 wrote to memory of 4552	960	ywctb.exe	ywctb.exe
PID 960 wrote to memory of 4552	960	ywctb.exe	ywctb.exe
PID 960 wrote to memory of 4552	960	ywctb.exe	ywctb.exe
PID 960 wrote to memory of 4552	960	ywctb.exe	ywctb.exe

C:\Users\Admin\AppData\Local\Temp\SPY510962.exe
"C:\Users\Admin\AppData\Local\Temp\SPY510962.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1980

C:\Users\Admin\AppData\Local\Temp\ywctb.exe
"C:\Users\Admin\AppData\Local\Temp\ywctb.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:960

C:\Users\Admin\AppData\Local\Temp\ywctb.exe
"C:\Users\Admin\AppData\Local\Temp\ywctb.exe"
3⤵
- Executes dropped EXE
PID:4552

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\djxhtbiy.ok
Filesize
272KB

MD5
a519500f641e703d2f6338392c7cf368

SHA1
312bb1ffc92ca492dc19f3cccaefeb1f27d8cfcd

SHA256
ea1147f43ee9ee3e94e9daef35fd443feb6c663b02575eb610ffb9b95046809a

SHA512
5d47da929de0ecc7de0901eff689d6c923ad4d3b8b92f8dc8b91b9af94ed986866660744906687c47731ed495037fdb403a2f1c4929a6533cd8ee23aab149bab

Download Submit
C:\Users\Admin\AppData\Local\Temp\evdvogb.zi
Filesize
7KB

MD5
a6778dfc09727c2be6d6b3e8971532b5

SHA1
179d2dc0ebc7360e868e029eaff7ba5b0f4044fb

SHA256
480802cc280d53747911ec6e35283cbaec3ca0223b6bb1fdfc78b7c4c29c05ab

SHA512
5dc45632b6f10537983b7e88474a778e3c58a7305ec1a41c476804777b1003ec75f66ef2f934d1b5e774bd18a98d71a14df925b59593d4991c765004d399ab1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ywctb.exe
Filesize
5KB

MD5
c9b18ca17f652d7814876338d4caa4a8

SHA1
6658b50c709ddff9f66eba5b5ccac2564421f1ae

SHA256
848a8084a39b1bfa98c65b0e55bf91460b82470a3f9f5b31d7464c400a9da355

SHA512
b01cea3f70cc0d88d617e9020cc1cd1729422dea9f9ffb68b8cd52a95fddeba110b7ebe3a8f7d4b044f23384605a0f74dfb66fde28953ffe1fa53c83d4e648e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ywctb.exe
Filesize
5KB

MD5
c9b18ca17f652d7814876338d4caa4a8

SHA1
6658b50c709ddff9f66eba5b5ccac2564421f1ae

SHA256
848a8084a39b1bfa98c65b0e55bf91460b82470a3f9f5b31d7464c400a9da355

SHA512
b01cea3f70cc0d88d617e9020cc1cd1729422dea9f9ffb68b8cd52a95fddeba110b7ebe3a8f7d4b044f23384605a0f74dfb66fde28953ffe1fa53c83d4e648e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ywctb.exe
Filesize
5KB

MD5
c9b18ca17f652d7814876338d4caa4a8

SHA1
6658b50c709ddff9f66eba5b5ccac2564421f1ae

SHA256
848a8084a39b1bfa98c65b0e55bf91460b82470a3f9f5b31d7464c400a9da355

SHA512
b01cea3f70cc0d88d617e9020cc1cd1729422dea9f9ffb68b8cd52a95fddeba110b7ebe3a8f7d4b044f23384605a0f74dfb66fde28953ffe1fa53c83d4e648e1

Download Submit
memory/960-176-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/960-173-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/960-183-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/960-182-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/960-181-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/960-180-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/960-179-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/960-178-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/960-177-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/960-186-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/960-175-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/960-184-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/960-174-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/960-185-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/960-172-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/960-171-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/960-170-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/960-168-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/960-167-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/960-166-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/960-165-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/960-161-0x0000000000000000-mapping.dmp

Download
memory/960-164-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/960-163-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-140-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-144-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-138-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-134-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-153-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-154-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-156-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-155-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-157-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-158-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-159-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-160-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-143-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-145-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-147-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-149-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-151-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-152-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-150-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-148-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-146-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-141-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-142-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-120-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-139-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-137-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-136-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-135-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-133-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-132-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-131-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-130-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-129-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-128-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-127-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-126-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-125-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-124-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-123-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-122-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-121-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/4552-205-0x000000000041AD7B-mapping.dmp

Download
memory/4552-254-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download