netwire | 9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c

Analysis

max time kernel
124s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29-10-2022 12:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c.exe
Size

941KB
MD5

de8b5bf85996fdf042f003dbf666f127
SHA1

69f502f7da3c50371aa65fcfc491c1dd9e8a1af4
SHA256

9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c
SHA512

b6372a6d318f4bdb1e979730a0931b6adc11f99ac05fb4b9dc6d02a588bb85b093a8a2621a352defef9651e065b5565bc6939bdd357806ccde08390cd8cc5801
SSDEEP

12288:+tb20Qc3lT7af41ePBRYuQLKpqeUhbTv5OFgNuPPpHSgaylegnRSN5i6A:+tb20pkaCqT5TBWgNQ7acegm5i6A

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Signatures

NetWire RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4964-137-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral2/memory/4964-139-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral2/memory/4964-140-0x0000000000400000-0x000000000041E000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 3 IoCs

Processes:

Host.exeHost.exeHost.exe

pid process

4844 Host.exe
1916 Host.exe
2744 Host.exe

pid	process
4844	Host.exe
1916	Host.exe
2744	Host.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c.exeHost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Host.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c.exeHost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c.exe"	9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	Host.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe"	Host.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c.exe

AutoIT Executable 4 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Install\Host.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Install\Host.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Install\Host.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Install\Host.exe	autoit_exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c.exeHost.exe

description	pid	process	target process
PID 4768 set thread context of 4964	4768	9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c.exe	9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c.exe
PID 1916 set thread context of 2744	1916	Host.exe	Host.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c.exeHost.exe

pid	process
4768	9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c.exe
4768	9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c.exe
1916	Host.exe
1916	Host.exe

Suspicious use of FindShellTrayWindow 19 IoCs

Processes:

9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c.exeHost.exe

pid	process
2088	9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c.exe
2088	9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c.exe
2088	9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c.exe
2088	9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c.exe
2088	9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c.exe
2088	9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c.exe
2088	9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c.exe
2088	9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c.exe
2088	9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c.exe
2088	9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c.exe
2088	9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c.exe
2088	9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c.exe
2088	9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c.exe
2088	9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c.exe
4844	Host.exe
4844	Host.exe
4844	Host.exe
4844	Host.exe
4844	Host.exe

Suspicious use of SendNotifyMessage 19 IoCs

Processes:

9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c.exeHost.exe

pid	process
2088	9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c.exe
2088	9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c.exe
2088	9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c.exe
2088	9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c.exe
2088	9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c.exe
2088	9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c.exe
2088	9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c.exe
2088	9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c.exe
2088	9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c.exe
2088	9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c.exe
2088	9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c.exe
2088	9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c.exe
2088	9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c.exe
2088	9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c.exe
4844	Host.exe
4844	Host.exe
4844	Host.exe
4844	Host.exe
4844	Host.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c.exe9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c.exe9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c.exeHost.exeHost.exe

description	pid	process	target process
PID 2088 wrote to memory of 4768	2088	9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c.exe	9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c.exe
PID 2088 wrote to memory of 4768	2088	9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c.exe	9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c.exe
PID 2088 wrote to memory of 4768	2088	9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c.exe	9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c.exe
PID 4768 wrote to memory of 4964	4768	9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c.exe	9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c.exe
PID 4768 wrote to memory of 4964	4768	9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c.exe	9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c.exe
PID 4768 wrote to memory of 4964	4768	9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c.exe	9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c.exe
PID 4768 wrote to memory of 4964	4768	9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c.exe	9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c.exe
PID 4768 wrote to memory of 4964	4768	9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c.exe	9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c.exe
PID 4964 wrote to memory of 4844	4964	9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c.exe	Host.exe
PID 4964 wrote to memory of 4844	4964	9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c.exe	Host.exe
PID 4964 wrote to memory of 4844	4964	9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c.exe	Host.exe
PID 4844 wrote to memory of 1916	4844	Host.exe	Host.exe
PID 4844 wrote to memory of 1916	4844	Host.exe	Host.exe
PID 4844 wrote to memory of 1916	4844	Host.exe	Host.exe
PID 1916 wrote to memory of 2744	1916	Host.exe	Host.exe
PID 1916 wrote to memory of 2744	1916	Host.exe	Host.exe
PID 1916 wrote to memory of 2744	1916	Host.exe	Host.exe
PID 1916 wrote to memory of 2744	1916	Host.exe	Host.exe
PID 1916 wrote to memory of 2744	1916	Host.exe	Host.exe

C:\Users\Admin\AppData\Local\Temp\9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c.exe
"C:\Users\Admin\AppData\Local\Temp\9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c.exe"
1⤵
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2088

C:\Users\Admin\AppData\Local\Temp\9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c.exe
"C:\Users\Admin\AppData\Local\Temp\9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c.exe" /AutoIt3ExecuteScript "C:\Users\Admin\AppData\Local\Temp\612296" "C:\Users\Admin\AppData\Local\Temp\9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c.exe"
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4768

C:\Users\Admin\AppData\Local\Temp\9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c.exe
"C:\Users\Admin\AppData\Local\Temp\9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:4964

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4844

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe" /AutoIt3ExecuteScript "C:\Users\Admin\AppData\Local\Temp\832023" "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1916

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
6⤵
- Executes dropped EXE
PID:2744

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\612296
Filesize
17KB

MD5
acb96857f1515cd9dc58fddefd4500ba

SHA1
b581e4649a7208e4136397759cb85cd488a0ba9d

SHA256
5ba7ad392b20e2ed5bff396445a68930f54f71eccfda850eefe345a06c131eaa

SHA512
d58046cf05f1f6d1843c419b70efa97f44e1df3624cd77308a7def236cdfdb40c416ee311065ee61dea6a4ea959c239d12cf4c5b76c0616407466767c3ee571d

Download Submit
C:\Users\Admin\AppData\Local\Temp\832023
Filesize
17KB

MD5
acb96857f1515cd9dc58fddefd4500ba

SHA1
b581e4649a7208e4136397759cb85cd488a0ba9d

SHA256
5ba7ad392b20e2ed5bff396445a68930f54f71eccfda850eefe345a06c131eaa

SHA512
d58046cf05f1f6d1843c419b70efa97f44e1df3624cd77308a7def236cdfdb40c416ee311065ee61dea6a4ea959c239d12cf4c5b76c0616407466767c3ee571d

Download Submit
C:\Users\Admin\AppData\Local\Temp\incl1
Filesize
15KB

MD5
43be50d8c2e1daa337c2a095036d31c8

SHA1
95f036a4a87d917289b2d9aaa66ed988923af631

SHA256
5f5f65f7559705ede966292f4253dc132bff7b954befe54537dcd905c4e0d43c

SHA512
0dd1ac8b0a6ef4d1513035e718fd2ab34e449e92fd72bc9ef50caee45de979d816deb64e673f54982d9fea02500f0893a5101fd5f67b8c6e2019d1dc03b4d2bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\incl1
Filesize
15KB

MD5
43be50d8c2e1daa337c2a095036d31c8

SHA1
95f036a4a87d917289b2d9aaa66ed988923af631

SHA256
5f5f65f7559705ede966292f4253dc132bff7b954befe54537dcd905c4e0d43c

SHA512
0dd1ac8b0a6ef4d1513035e718fd2ab34e449e92fd72bc9ef50caee45de979d816deb64e673f54982d9fea02500f0893a5101fd5f67b8c6e2019d1dc03b4d2bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\incl2
Filesize
81KB

MD5
0befa75ab59c2b7c956217c940d2fedc

SHA1
eecafe732b699ee4ced655e8998bd4aacb165ed0

SHA256
5587214fabea7842a8e1015ec6ab1930f416722c5609fae3b64801798d86d5b8

SHA512
4435b2ab9ea76f038bcf77da2cbea4db29bf84c5552c6dd82a897e0337d90d2b5e784400f57c77f4b4c9d33fb40d457ee06df541006b1e7bb182558f3c1d66d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\incl2
Filesize
81KB

MD5
0befa75ab59c2b7c956217c940d2fedc

SHA1
eecafe732b699ee4ced655e8998bd4aacb165ed0

SHA256
5587214fabea7842a8e1015ec6ab1930f416722c5609fae3b64801798d86d5b8

SHA512
4435b2ab9ea76f038bcf77da2cbea4db29bf84c5552c6dd82a897e0337d90d2b5e784400f57c77f4b4c9d33fb40d457ee06df541006b1e7bb182558f3c1d66d0

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
941KB

MD5
de8b5bf85996fdf042f003dbf666f127

SHA1
69f502f7da3c50371aa65fcfc491c1dd9e8a1af4

SHA256
9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c

SHA512
b6372a6d318f4bdb1e979730a0931b6adc11f99ac05fb4b9dc6d02a588bb85b093a8a2621a352defef9651e065b5565bc6939bdd357806ccde08390cd8cc5801

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
941KB

MD5
de8b5bf85996fdf042f003dbf666f127

SHA1
69f502f7da3c50371aa65fcfc491c1dd9e8a1af4

SHA256
9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c

SHA512
b6372a6d318f4bdb1e979730a0931b6adc11f99ac05fb4b9dc6d02a588bb85b093a8a2621a352defef9651e065b5565bc6939bdd357806ccde08390cd8cc5801

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
941KB

MD5
de8b5bf85996fdf042f003dbf666f127

SHA1
69f502f7da3c50371aa65fcfc491c1dd9e8a1af4

SHA256
9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c

SHA512
b6372a6d318f4bdb1e979730a0931b6adc11f99ac05fb4b9dc6d02a588bb85b093a8a2621a352defef9651e065b5565bc6939bdd357806ccde08390cd8cc5801

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
941KB

MD5
de8b5bf85996fdf042f003dbf666f127

SHA1
69f502f7da3c50371aa65fcfc491c1dd9e8a1af4

SHA256
9fc49863c7226d428886386cbf707f4ef4a592c2ecc8549fe8206da18d3a8d4c

SHA512
b6372a6d318f4bdb1e979730a0931b6adc11f99ac05fb4b9dc6d02a588bb85b093a8a2621a352defef9651e065b5565bc6939bdd357806ccde08390cd8cc5801

Download Submit
memory/1916-144-0x0000000000000000-mapping.dmp

Download
memory/2744-149-0x0000000000000000-mapping.dmp

Download
memory/4768-132-0x0000000000000000-mapping.dmp

Download
memory/4844-141-0x0000000000000000-mapping.dmp

Download
memory/4964-140-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4964-139-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4964-137-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4964-136-0x0000000000000000-mapping.dmp

Download