netwire | dbb7bd6fcc8d6536b345ad60b9a73f6347a7a3cdeeb6d70c30e3cc071bc385a9

General

Target

dbb7bd6fcc8d6536b345ad60b9a73f6347a7a3cdeeb6d70c30e3cc071bc385a9.exe
Size

929KB
MD5

9b9168993c6917e4d22c803e5debae72
SHA1

8246cc5731773b5dd5b4cad5e4c9d647af5e6ab6
SHA256

dbb7bd6fcc8d6536b345ad60b9a73f6347a7a3cdeeb6d70c30e3cc071bc385a9
SHA512

27e1761af2a901da6f05220dbd9f3c77e85b53a48f5f23bcf1e59dc0a45b57f6f30fee89e96632f27c4a96c02e0f78ae04564f4ebd839103484b99dfd7281051
SSDEEP

12288:SK2mhAMJ/cPly0xW2/Npj8h7UZYE82Y5UKUL4n4y3Xp3SbSlQMYs:T2O/GlyEW2j47g6zwm4m53Sb21Ys

Score

10^/10

netwire botnet evasion persistence rat stealer trojan

Malware Config

Signatures

NetWire RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/684-139-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral2/memory/684-141-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral2/memory/684-142-0x0000000000400000-0x000000000041E000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 1 IoCs

Processes:

Java.exe

pid process

864 Java.exe

pid	process
864	Java.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dbb7bd6fcc8d6536b345ad60b9a73f6347a7a3cdeeb6d70c30e3cc071bc385a9.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	dbb7bd6fcc8d6536b345ad60b9a73f6347a7a3cdeeb6d70c30e3cc071bc385a9.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Java.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	Java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\C:\Users\Admin\gi51947 = "C:\\Users\\Admin\\gi51947\\r.vbs"	Java.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Java.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Java.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Java.exe

description pid process target process

PID 864 set thread context of 684 864 Java.exe RegSvcs.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Java.exe

description	pid	process	target process
PID 864 set thread context of 684	864	Java.exe	RegSvcs.exe

Drops file in Windows directory 2 IoCs

Processes:

RegSvcs.exe

description	ioc	process
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\.Identifier	RegSvcs.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\.Identifier	RegSvcs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

Java.exe

pid process

864 Java.exe
864 Java.exe
864 Java.exe
864 Java.exe
864 Java.exe
864 Java.exe

pid	process
864	Java.exe
864	Java.exe
864	Java.exe
864	Java.exe
864	Java.exe
864	Java.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

dbb7bd6fcc8d6536b345ad60b9a73f6347a7a3cdeeb6d70c30e3cc071bc385a9.exeJava.exe

description	pid	process	target process
PID 4316 wrote to memory of 864	4316	dbb7bd6fcc8d6536b345ad60b9a73f6347a7a3cdeeb6d70c30e3cc071bc385a9.exe	Java.exe
PID 4316 wrote to memory of 864	4316	dbb7bd6fcc8d6536b345ad60b9a73f6347a7a3cdeeb6d70c30e3cc071bc385a9.exe	Java.exe
PID 4316 wrote to memory of 864	4316	dbb7bd6fcc8d6536b345ad60b9a73f6347a7a3cdeeb6d70c30e3cc071bc385a9.exe	Java.exe
PID 864 wrote to memory of 684	864	Java.exe	RegSvcs.exe
PID 864 wrote to memory of 684	864	Java.exe	RegSvcs.exe
PID 864 wrote to memory of 684	864	Java.exe	RegSvcs.exe
PID 864 wrote to memory of 684	864	Java.exe	RegSvcs.exe
PID 864 wrote to memory of 684	864	Java.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\dbb7bd6fcc8d6536b345ad60b9a73f6347a7a3cdeeb6d70c30e3cc071bc385a9.exe
"C:\Users\Admin\AppData\Local\Temp\dbb7bd6fcc8d6536b345ad60b9a73f6347a7a3cdeeb6d70c30e3cc071bc385a9.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4316

C:\Users\Admin\gi51947\Java.exe
"C:\Users\Admin\gi51947\Java.exe" vrporoniclh
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:864

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
- Drops file in Windows directory
PID:684

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\gi51947\Java.exe
Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
C:\Users\Admin\gi51947\Java.exe
Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
C:\Users\Admin\gi51947\acqn.AQD
Filesize
140B

MD5
05c4e5f2fc02d8078139d17bcae0b8cb

SHA1
3abd1ac93bd56b4183d0b065697068beb0969662

SHA256
ee3bd1515406343db29d523176c35469a82ff2ad2fcd1f430a0b8d5ac6370c13

SHA512
4a5489c49e576ee301de4d37eccafc335db8f78e289592ea86bdc97e65f37fbb8ab679b2530018232dd94a72e1ed17f234f153ed5ddefb08041d0accdf2107e1

Download Submit
C:\Users\Admin\gi51947\uuhgs.LGL
Filesize
84KB

MD5
eb257d02551ece59ee7b2a295d64c684

SHA1
bd8fa12f9b3c54f6028687a97c7eb319f36e7fde

SHA256
73185759e98e25236ac7fb119d4ecf303ed4f89204a83ad3de2a208274b336d9

SHA512
d8ba8c301069e1587834f6862a3a291f70eb8eb3708d09907dfeaad2e0cd72a6ebf80cc1bd97b6a015b3d2b8fe0543d9eb4a4771f5e629075416a6421dd53711

Download Submit
C:\Users\Admin\gi51947\vrporoniclh
Filesize
646.8MB

MD5
4999589e676ffd61cb16a58ed9bdbb17

SHA1
a5a23b17271ec4e060f4b0406203c34033a864fe

SHA256
dd321e68f68610ec18d66e6fb50f803878ed6bebd65c3b5c49ee5d2e1136e58e

SHA512
51233000e2b485ef053e8b439f742c445d0950395284e339059ade9889c9cf09c2a58dc26ca2045a6e0ee6fde8314087da69fa08a8da4914fc319d68431ae0bc

Download Submit
memory/684-139-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/684-138-0x0000000000000000-mapping.dmp

Download
memory/684-141-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/684-142-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/864-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads