netwire | dc2add0b011dc2b4ae2511caa812858bbe370cf22721e46c264542ce29d60c6e

Analysis

max time kernel
152s
max time network
41s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06/11/2022, 16:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Trojan-Ransom.Win32.Blocker.exe
Size

909KB
MD5

be95306ba1b3d87913f6f8dd5f86cbc3
SHA1

5901ba5c4199e5bb8b58dae9ae78566afbb44fa2
SHA256

dc2add0b011dc2b4ae2511caa812858bbe370cf22721e46c264542ce29d60c6e
SHA512

0a413cc1922d87474781cff268a3bb2170050148bb4eaa36411f28c2ca4e008b947ba4d60cc194511b59dc43a079eabd37fa01f5048ba2017c1a7959f34791e0
SSDEEP

24576:iUWqist6UzuAKg6s11X38rMrIzv6B50xq:iUUJUzJKz8F5eS0M

Score

10^/10

netwire botnet evasion persistence rat stealer trojan

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	BajLUV.pzBXsOyDOIMq

NetWire RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/900-74-0x0000000000400000-0x0000000000418000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Disables Task Manager via registry modification
evasion

Executes dropped EXE 1 IoCs

pid	Process
1496	BajLUV.pzBXsOyDOIMq

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{U5421566-RYV5-7OTE-1Q8V-R86HOGMN66K5}\StubPath = "\"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe\""	RegSvcs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{U5421566-RYV5-7OTE-1Q8V-R86HOGMN66K5}	RegSvcs.exe

Loads dropped DLL 1 IoCs

pid	Process
1644	WScript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	BajLUV.pzBXsOyDOIMq
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\mldui = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mldui\\45401.vbs"	BajLUV.pzBXsOyDOIMq

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BajLUV.pzBXsOyDOIMq

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1496 set thread context of 900	1496	BajLUV.pzBXsOyDOIMq	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1452 wrote to memory of 1644	1452	Trojan-Ransom.Win32.Blocker.exe	26
PID 1452 wrote to memory of 1644	1452	Trojan-Ransom.Win32.Blocker.exe	26
PID 1452 wrote to memory of 1644	1452	Trojan-Ransom.Win32.Blocker.exe	26
PID 1452 wrote to memory of 1644	1452	Trojan-Ransom.Win32.Blocker.exe	26
PID 1452 wrote to memory of 1644	1452	Trojan-Ransom.Win32.Blocker.exe	26
PID 1452 wrote to memory of 1644	1452	Trojan-Ransom.Win32.Blocker.exe	26
PID 1452 wrote to memory of 1644	1452	Trojan-Ransom.Win32.Blocker.exe	26
PID 1644 wrote to memory of 1496	1644	WScript.exe	27
PID 1644 wrote to memory of 1496	1644	WScript.exe	27
PID 1644 wrote to memory of 1496	1644	WScript.exe	27
PID 1644 wrote to memory of 1496	1644	WScript.exe	27
PID 1644 wrote to memory of 1496	1644	WScript.exe	27
PID 1644 wrote to memory of 1496	1644	WScript.exe	27
PID 1644 wrote to memory of 1496	1644	WScript.exe	27
PID 1496 wrote to memory of 900	1496	BajLUV.pzBXsOyDOIMq	28
PID 1496 wrote to memory of 900	1496	BajLUV.pzBXsOyDOIMq	28
PID 1496 wrote to memory of 900	1496	BajLUV.pzBXsOyDOIMq	28
PID 1496 wrote to memory of 900	1496	BajLUV.pzBXsOyDOIMq	28
PID 1496 wrote to memory of 900	1496	BajLUV.pzBXsOyDOIMq	28
PID 1496 wrote to memory of 900	1496	BajLUV.pzBXsOyDOIMq	28
PID 1496 wrote to memory of 900	1496	BajLUV.pzBXsOyDOIMq	28
PID 1496 wrote to memory of 900	1496	BajLUV.pzBXsOyDOIMq	28
PID 1496 wrote to memory of 900	1496	BajLUV.pzBXsOyDOIMq	28

C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Blocker.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Blocker.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1452
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\mldui\QzafowI.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1644
- - C:\Users\Admin\AppData\Local\Temp\mldui\BajLUV.pzBXsOyDOIMq
    BajLUV.pzBXsOyDOIMq kFYhscmgri.QEQ
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1496
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      Modifies Installed Components in the registry
      PID:900

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mldui\BajLUV.pzBXsOyDOIMq

Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
C:\Users\Admin\AppData\Local\Temp\mldui\BajLUV.pzBXsOyDOIMq

Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
C:\Users\Admin\AppData\Local\Temp\mldui\CMXpQjy.IJI

Filesize
222B

MD5
787d8d90965e70ca0d269c83c406f0de

SHA1
7da6d7053aa2a43831a3f1257a77a8752ea3e603

SHA256
8bb92766af21fb83dbb90825ef102d1c6576d07c9556d2da4658779c02d5341f

SHA512
50604ea6e708997dc857c4e50e48f7d3a9a05c1b7a7865e5053c06e20fc951e9eb41d9e6bc78b4bd0f2f59d79c6a4f5a7dbd83506d27a33f1fd187e9ce4abaef

Download Submit
C:\Users\Admin\AppData\Local\Temp\mldui\QzafowI.vbs

Filesize
71B

MD5
78c4f6655dacda99ba5c2af055938a6a

SHA1
2f93f8ec878389b6864c4fed993842a2924497f0

SHA256
a92626bfd54da9e526ad67032269dd578735fec319915464450634e3d1517fa5

SHA512
ffcbddf5ae65ae5519db78dee11e54ef1fb3e4152916036d243100389ace3d70d62e83b9568f4eddf281faf16c87a2c6a8728aa167dfe5c72dafb685b7ee0e21

Download Submit
C:\Users\Admin\AppData\Local\Temp\mldui\TZNQPU~1.ANW

Filesize
69KB

MD5
5794ef0198b5e9dc3d1b25ddaf65bb70

SHA1
4d0f49194e749ff2887a1e93cce757713e96cd96

SHA256
a58a7ff745b154ec55f28378e314555aec5e05cbef360eab29a549fec834a17a

SHA512
3c1005b49d7ac191363ceb3587242d62415d6b3436854a3a873e8deb9f5562ea1c431d94e28f1bb5c5f8565e57192afb3df67ce4b13d00fb103fbaec79224fea

Download Submit
C:\Users\Admin\AppData\Local\Temp\mldui\kFYhscmgri.QEQ

Filesize
24.0MB

MD5
2c8878e3aa40fa8cfc4605767126e783

SHA1
1ec2fd0f64e637b74bc0efe892475f431f4038b1

SHA256
816974014b6627a98afe0d1fdb877e9b8b88fbeef9e2b8bcf99fb5d47892debf

SHA512
1b0b3803764a0dcce0f3178d40c0feab07eeec54d70ecc6837da5818b0e6010e715a754a46b19dd41d2d8e86834245d1efdc3d1ed7093bad1e5e8bc61e65b113

Download Submit
\Users\Admin\AppData\Local\Temp\mldui\BajLUV.pzBXsOyDOIMq

Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
memory/900-66-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/900-68-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/900-72-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/900-74-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1452-54-0x0000000075041000-0x0000000075043000-memory.dmp

Filesize
8KB

Download