netwire | dc2add0b011dc2b4ae2511caa812858bbe370cf22721e46c264542ce29d60c6e

Analysis

max time kernel
152s
max time network
41s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06-11-2022 16:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Trojan-Ransom.Win32.Blocker.exe
Size

909KB
MD5

be95306ba1b3d87913f6f8dd5f86cbc3
SHA1

5901ba5c4199e5bb8b58dae9ae78566afbb44fa2
SHA256

dc2add0b011dc2b4ae2511caa812858bbe370cf22721e46c264542ce29d60c6e
SHA512

0a413cc1922d87474781cff268a3bb2170050148bb4eaa36411f28c2ca4e008b947ba4d60cc194511b59dc43a079eabd37fa01f5048ba2017c1a7959f34791e0
SSDEEP

24576:iUWqist6UzuAKg6s11X38rMrIzv6B50xq:iUUJUzJKz8F5eS0M

Score

10^/10

netwire botnet evasion persistence rat stealer trojan

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112

Processes:

BajLUV.pzBXsOyDOIMq

description ioc process

Set value (int) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" BajLUV.pzBXsOyDOIMq
NetWire RAT payload 1 IoCs
rat

Processes:

resource yara_rule

behavioral1/memory/900-74-0x0000000000400000-0x0000000000418000-memory.dmp netwire
Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Disables Task Manager via registry modification
evasion
Executes dropped EXE 1 IoCs

Processes:

BajLUV.pzBXsOyDOIMq

pid process

1496 BajLUV.pzBXsOyDOIMq

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	BajLUV.pzBXsOyDOIMq

resource	yara_rule
behavioral1/memory/900-74-0x0000000000400000-0x0000000000418000-memory.dmp	netwire

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RegSvcs.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{U5421566-RYV5-7OTE-1Q8V-R86HOGMN66K5}\StubPath = "\"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe\""	RegSvcs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{U5421566-RYV5-7OTE-1Q8V-R86HOGMN66K5}	RegSvcs.exe

Loads dropped DLL 1 IoCs

Processes:

WScript.exe

pid process

1644 WScript.exe

pid	process
1644	WScript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

BajLUV.pzBXsOyDOIMq

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	BajLUV.pzBXsOyDOIMq
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\mldui = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mldui\\45401.vbs"	BajLUV.pzBXsOyDOIMq

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

BajLUV.pzBXsOyDOIMq

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA BajLUV.pzBXsOyDOIMq
Suspicious use of SetThreadContext 1 IoCs

Processes:

BajLUV.pzBXsOyDOIMq

description pid process target process

PID 1496 set thread context of 900 1496 BajLUV.pzBXsOyDOIMq RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BajLUV.pzBXsOyDOIMq

description	pid	process	target process
PID 1496 set thread context of 900	1496	BajLUV.pzBXsOyDOIMq	RegSvcs.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

BajLUV.pzBXsOyDOIMq

pid	process
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq
1496	BajLUV.pzBXsOyDOIMq

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

BajLUV.pzBXsOyDOIMq

description	pid	process
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq
Token: SeDebugPrivilege	1496	BajLUV.pzBXsOyDOIMq

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

Trojan-Ransom.Win32.Blocker.exeWScript.exeBajLUV.pzBXsOyDOIMq

description	pid	process	target process
PID 1452 wrote to memory of 1644	1452	Trojan-Ransom.Win32.Blocker.exe	WScript.exe
PID 1452 wrote to memory of 1644	1452	Trojan-Ransom.Win32.Blocker.exe	WScript.exe
PID 1452 wrote to memory of 1644	1452	Trojan-Ransom.Win32.Blocker.exe	WScript.exe
PID 1452 wrote to memory of 1644	1452	Trojan-Ransom.Win32.Blocker.exe	WScript.exe
PID 1452 wrote to memory of 1644	1452	Trojan-Ransom.Win32.Blocker.exe	WScript.exe
PID 1452 wrote to memory of 1644	1452	Trojan-Ransom.Win32.Blocker.exe	WScript.exe
PID 1452 wrote to memory of 1644	1452	Trojan-Ransom.Win32.Blocker.exe	WScript.exe
PID 1644 wrote to memory of 1496	1644	WScript.exe	BajLUV.pzBXsOyDOIMq
PID 1644 wrote to memory of 1496	1644	WScript.exe	BajLUV.pzBXsOyDOIMq
PID 1644 wrote to memory of 1496	1644	WScript.exe	BajLUV.pzBXsOyDOIMq
PID 1644 wrote to memory of 1496	1644	WScript.exe	BajLUV.pzBXsOyDOIMq
PID 1644 wrote to memory of 1496	1644	WScript.exe	BajLUV.pzBXsOyDOIMq
PID 1644 wrote to memory of 1496	1644	WScript.exe	BajLUV.pzBXsOyDOIMq
PID 1644 wrote to memory of 1496	1644	WScript.exe	BajLUV.pzBXsOyDOIMq
PID 1496 wrote to memory of 900	1496	BajLUV.pzBXsOyDOIMq	RegSvcs.exe
PID 1496 wrote to memory of 900	1496	BajLUV.pzBXsOyDOIMq	RegSvcs.exe
PID 1496 wrote to memory of 900	1496	BajLUV.pzBXsOyDOIMq	RegSvcs.exe
PID 1496 wrote to memory of 900	1496	BajLUV.pzBXsOyDOIMq	RegSvcs.exe
PID 1496 wrote to memory of 900	1496	BajLUV.pzBXsOyDOIMq	RegSvcs.exe
PID 1496 wrote to memory of 900	1496	BajLUV.pzBXsOyDOIMq	RegSvcs.exe
PID 1496 wrote to memory of 900	1496	BajLUV.pzBXsOyDOIMq	RegSvcs.exe
PID 1496 wrote to memory of 900	1496	BajLUV.pzBXsOyDOIMq	RegSvcs.exe
PID 1496 wrote to memory of 900	1496	BajLUV.pzBXsOyDOIMq	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Blocker.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Blocker.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1452

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\mldui\QzafowI.vbs"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1644

C:\Users\Admin\AppData\Local\Temp\mldui\BajLUV.pzBXsOyDOIMq
BajLUV.pzBXsOyDOIMq kFYhscmgri.QEQ
3⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1496

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
4⤵
- Modifies Installed Components in the registry
PID:900

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mldui\BajLUV.pzBXsOyDOIMq
Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
C:\Users\Admin\AppData\Local\Temp\mldui\BajLUV.pzBXsOyDOIMq
Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
C:\Users\Admin\AppData\Local\Temp\mldui\CMXpQjy.IJI
Filesize
222B

MD5
787d8d90965e70ca0d269c83c406f0de

SHA1
7da6d7053aa2a43831a3f1257a77a8752ea3e603

SHA256
8bb92766af21fb83dbb90825ef102d1c6576d07c9556d2da4658779c02d5341f

SHA512
50604ea6e708997dc857c4e50e48f7d3a9a05c1b7a7865e5053c06e20fc951e9eb41d9e6bc78b4bd0f2f59d79c6a4f5a7dbd83506d27a33f1fd187e9ce4abaef

Download Submit
C:\Users\Admin\AppData\Local\Temp\mldui\QzafowI.vbs
Filesize
71B

MD5
78c4f6655dacda99ba5c2af055938a6a

SHA1
2f93f8ec878389b6864c4fed993842a2924497f0

SHA256
a92626bfd54da9e526ad67032269dd578735fec319915464450634e3d1517fa5

SHA512
ffcbddf5ae65ae5519db78dee11e54ef1fb3e4152916036d243100389ace3d70d62e83b9568f4eddf281faf16c87a2c6a8728aa167dfe5c72dafb685b7ee0e21

Download Submit
C:\Users\Admin\AppData\Local\Temp\mldui\TZNQPU~1.ANW
Filesize
69KB

MD5
5794ef0198b5e9dc3d1b25ddaf65bb70

SHA1
4d0f49194e749ff2887a1e93cce757713e96cd96

SHA256
a58a7ff745b154ec55f28378e314555aec5e05cbef360eab29a549fec834a17a

SHA512
3c1005b49d7ac191363ceb3587242d62415d6b3436854a3a873e8deb9f5562ea1c431d94e28f1bb5c5f8565e57192afb3df67ce4b13d00fb103fbaec79224fea

Download Submit
C:\Users\Admin\AppData\Local\Temp\mldui\kFYhscmgri.QEQ
Filesize
24.0MB

MD5
2c8878e3aa40fa8cfc4605767126e783

SHA1
1ec2fd0f64e637b74bc0efe892475f431f4038b1

SHA256
816974014b6627a98afe0d1fdb877e9b8b88fbeef9e2b8bcf99fb5d47892debf

SHA512
1b0b3803764a0dcce0f3178d40c0feab07eeec54d70ecc6837da5818b0e6010e715a754a46b19dd41d2d8e86834245d1efdc3d1ed7093bad1e5e8bc61e65b113

Download Submit
\Users\Admin\AppData\Local\Temp\mldui\BajLUV.pzBXsOyDOIMq
Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
memory/900-66-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/900-68-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/900-69-0x0000000000401FEC-mapping.dmp

Download
memory/900-72-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/900-74-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1452-54-0x0000000075041000-0x0000000075043000-memory.dmp

Filesize
8KB

Download
memory/1496-60-0x0000000000000000-mapping.dmp

Download
memory/1644-55-0x0000000000000000-mapping.dmp

Download