netwire | 1cc44e0f214cbf72c836dcbd1b1e67ad574bba62873f974432ee076072bf42cc

General

Target

SecuriteInfo.com.Variant.Barys.51933.17281.33.exe
Size

791KB
MD5

4ce9503e6cbbcc8ec8a8b3696986843f
SHA1

62f2a7cd9fc8b4acf6c442b246cbf34035f0b540
SHA256

1cc44e0f214cbf72c836dcbd1b1e67ad574bba62873f974432ee076072bf42cc
SHA512

f53743b7e2dd7eb88a99a01ca95ca12b4afe56892fa0fa28c3409b72cf15aedcc15c2f0966959399a2effd2b6d0b323f4ab61c66bc15ce30bec0093157127dbf
SSDEEP

12288:/B4XsRQQwHXOMYRIp7RNqW/1D8TkJhTUDT1+RngcpCYrNl:pQjHXO5RIp7R91+2h4DLICQl

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

C2

79.134.225.121:2210

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
install_path
%AppData%\Install\Host.exe
lock_executable
false
offline_keylogger
false
password
Elibee88
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 11 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1732-71-0x0000000000400000-0x000000000044F000-memory.dmp	netwire
behavioral1/memory/1732-73-0x0000000000400000-0x000000000044F000-memory.dmp	netwire
behavioral1/memory/1732-74-0x0000000000400000-0x000000000044F000-memory.dmp	netwire
behavioral1/memory/1732-77-0x000000000041AD7B-mapping.dmp	netwire
behavioral1/memory/1732-76-0x0000000000400000-0x000000000044F000-memory.dmp	netwire
behavioral1/memory/1732-80-0x0000000000400000-0x000000000044F000-memory.dmp	netwire
behavioral1/memory/1732-81-0x0000000000400000-0x000000000044F000-memory.dmp	netwire
behavioral1/memory/1732-86-0x0000000000400000-0x000000000044F000-memory.dmp	netwire
behavioral1/memory/1936-107-0x000000000041AD7B-mapping.dmp	netwire
behavioral1/memory/1936-111-0x0000000000400000-0x000000000044F000-memory.dmp	netwire
behavioral1/memory/1936-112-0x0000000000400000-0x000000000044F000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

Host.exeHost.exe

pid process

1904 Host.exe
1936 Host.exe
Loads dropped DLL 2 IoCs

Processes:

SecuriteInfo.com.Variant.Barys.51933.17281.33.exe

pid process

1732 SecuriteInfo.com.Variant.Barys.51933.17281.33.exe
1732 SecuriteInfo.com.Variant.Barys.51933.17281.33.exe

pid	process
1904	Host.exe
1936	Host.exe

pid	process
1732	SecuriteInfo.com.Variant.Barys.51933.17281.33.exe
1732	SecuriteInfo.com.Variant.Barys.51933.17281.33.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

SecuriteInfo.com.Variant.Barys.51933.17281.33.exeHost.exe

description	pid	process	target process
PID 1048 set thread context of 1732	1048	SecuriteInfo.com.Variant.Barys.51933.17281.33.exe	SecuriteInfo.com.Variant.Barys.51933.17281.33.exe
PID 1904 set thread context of 1936	1904	Host.exe	Host.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

884 schtasks.exe
2016 schtasks.exe

pid	process
884	schtasks.exe
2016	schtasks.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

Processes:

SecuriteInfo.com.Variant.Barys.51933.17281.33.exepowershell.exeHost.exepowershell.exe

pid	process
1048	SecuriteInfo.com.Variant.Barys.51933.17281.33.exe
1048	SecuriteInfo.com.Variant.Barys.51933.17281.33.exe
1048	SecuriteInfo.com.Variant.Barys.51933.17281.33.exe
1048	SecuriteInfo.com.Variant.Barys.51933.17281.33.exe
1048	SecuriteInfo.com.Variant.Barys.51933.17281.33.exe
1048	SecuriteInfo.com.Variant.Barys.51933.17281.33.exe
1048	SecuriteInfo.com.Variant.Barys.51933.17281.33.exe
1048	SecuriteInfo.com.Variant.Barys.51933.17281.33.exe
1048	SecuriteInfo.com.Variant.Barys.51933.17281.33.exe
1048	SecuriteInfo.com.Variant.Barys.51933.17281.33.exe
1048	SecuriteInfo.com.Variant.Barys.51933.17281.33.exe
1048	SecuriteInfo.com.Variant.Barys.51933.17281.33.exe
1048	SecuriteInfo.com.Variant.Barys.51933.17281.33.exe
1688	powershell.exe
1048	SecuriteInfo.com.Variant.Barys.51933.17281.33.exe
1048	SecuriteInfo.com.Variant.Barys.51933.17281.33.exe
1048	SecuriteInfo.com.Variant.Barys.51933.17281.33.exe
1904	Host.exe
1904	Host.exe
1904	Host.exe
1904	Host.exe
1904	Host.exe
1904	Host.exe
1508	powershell.exe
1904	Host.exe
1904	Host.exe
1904	Host.exe
1904	Host.exe
1904	Host.exe
1904	Host.exe
1904	Host.exe
1904	Host.exe
1904	Host.exe
1904	Host.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

SecuriteInfo.com.Variant.Barys.51933.17281.33.exepowershell.exeHost.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1048	SecuriteInfo.com.Variant.Barys.51933.17281.33.exe
Token: SeDebugPrivilege	1688	powershell.exe
Token: SeDebugPrivilege	1904	Host.exe
Token: SeDebugPrivilege	1508	powershell.exe

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

SecuriteInfo.com.Variant.Barys.51933.17281.33.exeSecuriteInfo.com.Variant.Barys.51933.17281.33.exeHost.exe

description	pid	process	target process
PID 1048 wrote to memory of 1688	1048	SecuriteInfo.com.Variant.Barys.51933.17281.33.exe	powershell.exe
PID 1048 wrote to memory of 1688	1048	SecuriteInfo.com.Variant.Barys.51933.17281.33.exe	powershell.exe
PID 1048 wrote to memory of 1688	1048	SecuriteInfo.com.Variant.Barys.51933.17281.33.exe	powershell.exe
PID 1048 wrote to memory of 1688	1048	SecuriteInfo.com.Variant.Barys.51933.17281.33.exe	powershell.exe
PID 1048 wrote to memory of 884	1048	SecuriteInfo.com.Variant.Barys.51933.17281.33.exe	schtasks.exe
PID 1048 wrote to memory of 884	1048	SecuriteInfo.com.Variant.Barys.51933.17281.33.exe	schtasks.exe
PID 1048 wrote to memory of 884	1048	SecuriteInfo.com.Variant.Barys.51933.17281.33.exe	schtasks.exe
PID 1048 wrote to memory of 884	1048	SecuriteInfo.com.Variant.Barys.51933.17281.33.exe	schtasks.exe
PID 1048 wrote to memory of 816	1048	SecuriteInfo.com.Variant.Barys.51933.17281.33.exe	SecuriteInfo.com.Variant.Barys.51933.17281.33.exe
PID 1048 wrote to memory of 816	1048	SecuriteInfo.com.Variant.Barys.51933.17281.33.exe	SecuriteInfo.com.Variant.Barys.51933.17281.33.exe
PID 1048 wrote to memory of 816	1048	SecuriteInfo.com.Variant.Barys.51933.17281.33.exe	SecuriteInfo.com.Variant.Barys.51933.17281.33.exe
PID 1048 wrote to memory of 816	1048	SecuriteInfo.com.Variant.Barys.51933.17281.33.exe	SecuriteInfo.com.Variant.Barys.51933.17281.33.exe
PID 1048 wrote to memory of 1732	1048	SecuriteInfo.com.Variant.Barys.51933.17281.33.exe	SecuriteInfo.com.Variant.Barys.51933.17281.33.exe
PID 1048 wrote to memory of 1732	1048	SecuriteInfo.com.Variant.Barys.51933.17281.33.exe	SecuriteInfo.com.Variant.Barys.51933.17281.33.exe
PID 1048 wrote to memory of 1732	1048	SecuriteInfo.com.Variant.Barys.51933.17281.33.exe	SecuriteInfo.com.Variant.Barys.51933.17281.33.exe
PID 1048 wrote to memory of 1732	1048	SecuriteInfo.com.Variant.Barys.51933.17281.33.exe	SecuriteInfo.com.Variant.Barys.51933.17281.33.exe
PID 1048 wrote to memory of 1732	1048	SecuriteInfo.com.Variant.Barys.51933.17281.33.exe	SecuriteInfo.com.Variant.Barys.51933.17281.33.exe
PID 1048 wrote to memory of 1732	1048	SecuriteInfo.com.Variant.Barys.51933.17281.33.exe	SecuriteInfo.com.Variant.Barys.51933.17281.33.exe
PID 1048 wrote to memory of 1732	1048	SecuriteInfo.com.Variant.Barys.51933.17281.33.exe	SecuriteInfo.com.Variant.Barys.51933.17281.33.exe
PID 1048 wrote to memory of 1732	1048	SecuriteInfo.com.Variant.Barys.51933.17281.33.exe	SecuriteInfo.com.Variant.Barys.51933.17281.33.exe
PID 1048 wrote to memory of 1732	1048	SecuriteInfo.com.Variant.Barys.51933.17281.33.exe	SecuriteInfo.com.Variant.Barys.51933.17281.33.exe
PID 1048 wrote to memory of 1732	1048	SecuriteInfo.com.Variant.Barys.51933.17281.33.exe	SecuriteInfo.com.Variant.Barys.51933.17281.33.exe
PID 1048 wrote to memory of 1732	1048	SecuriteInfo.com.Variant.Barys.51933.17281.33.exe	SecuriteInfo.com.Variant.Barys.51933.17281.33.exe
PID 1732 wrote to memory of 1904	1732	SecuriteInfo.com.Variant.Barys.51933.17281.33.exe	Host.exe
PID 1732 wrote to memory of 1904	1732	SecuriteInfo.com.Variant.Barys.51933.17281.33.exe	Host.exe
PID 1732 wrote to memory of 1904	1732	SecuriteInfo.com.Variant.Barys.51933.17281.33.exe	Host.exe
PID 1732 wrote to memory of 1904	1732	SecuriteInfo.com.Variant.Barys.51933.17281.33.exe	Host.exe
PID 1904 wrote to memory of 1508	1904	Host.exe	powershell.exe
PID 1904 wrote to memory of 1508	1904	Host.exe	powershell.exe
PID 1904 wrote to memory of 1508	1904	Host.exe	powershell.exe
PID 1904 wrote to memory of 1508	1904	Host.exe	powershell.exe
PID 1904 wrote to memory of 2016	1904	Host.exe	schtasks.exe
PID 1904 wrote to memory of 2016	1904	Host.exe	schtasks.exe
PID 1904 wrote to memory of 2016	1904	Host.exe	schtasks.exe
PID 1904 wrote to memory of 2016	1904	Host.exe	schtasks.exe
PID 1904 wrote to memory of 1936	1904	Host.exe	Host.exe
PID 1904 wrote to memory of 1936	1904	Host.exe	Host.exe
PID 1904 wrote to memory of 1936	1904	Host.exe	Host.exe
PID 1904 wrote to memory of 1936	1904	Host.exe	Host.exe
PID 1904 wrote to memory of 1936	1904	Host.exe	Host.exe
PID 1904 wrote to memory of 1936	1904	Host.exe	Host.exe
PID 1904 wrote to memory of 1936	1904	Host.exe	Host.exe
PID 1904 wrote to memory of 1936	1904	Host.exe	Host.exe
PID 1904 wrote to memory of 1936	1904	Host.exe	Host.exe
PID 1904 wrote to memory of 1936	1904	Host.exe	Host.exe
PID 1904 wrote to memory of 1936	1904	Host.exe	Host.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Barys.51933.17281.33.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Barys.51933.17281.33.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1048

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\URdnAiSIrsI.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1688

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\URdnAiSIrsI" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBC5E.tmp"
2⤵
- Creates scheduled task(s)
PID:884

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Barys.51933.17281.33.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Barys.51933.17281.33.exe"
2⤵
PID:816

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Barys.51933.17281.33.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Barys.51933.17281.33.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1732

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1904

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\URdnAiSIrsI.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1508

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\URdnAiSIrsI" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7A01.tmp"
4⤵
- Creates scheduled task(s)
PID:2016

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
4⤵
- Executes dropped EXE
PID:1936

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1580

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp7A01.tmp
Filesize
1KB

MD5
849177d34075a7bf6022f69a04e75029

SHA1
54a23084a962dbc642c1fa554e7587918e55a39b

SHA256
64ed4e987cc293ec1c4f9035687bb7d0a57c082fa6426e901e48aaa111d355c0

SHA512
88b790fe2e93243aa819916b1559fdfb6403c8b1c772f9a61b94c79b68bec58187d889d1b34bf0d4bdd1dc605a166df42ea8c5f70a190bad357bf794d284fe6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBC5E.tmp
Filesize
1KB

MD5
849177d34075a7bf6022f69a04e75029

SHA1
54a23084a962dbc642c1fa554e7587918e55a39b

SHA256
64ed4e987cc293ec1c4f9035687bb7d0a57c082fa6426e901e48aaa111d355c0

SHA512
88b790fe2e93243aa819916b1559fdfb6403c8b1c772f9a61b94c79b68bec58187d889d1b34bf0d4bdd1dc605a166df42ea8c5f70a190bad357bf794d284fe6a

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
791KB

MD5
4ce9503e6cbbcc8ec8a8b3696986843f

SHA1
62f2a7cd9fc8b4acf6c442b246cbf34035f0b540

SHA256
1cc44e0f214cbf72c836dcbd1b1e67ad574bba62873f974432ee076072bf42cc

SHA512
f53743b7e2dd7eb88a99a01ca95ca12b4afe56892fa0fa28c3409b72cf15aedcc15c2f0966959399a2effd2b6d0b323f4ab61c66bc15ce30bec0093157127dbf

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
791KB

MD5
4ce9503e6cbbcc8ec8a8b3696986843f

SHA1
62f2a7cd9fc8b4acf6c442b246cbf34035f0b540

SHA256
1cc44e0f214cbf72c836dcbd1b1e67ad574bba62873f974432ee076072bf42cc

SHA512
f53743b7e2dd7eb88a99a01ca95ca12b4afe56892fa0fa28c3409b72cf15aedcc15c2f0966959399a2effd2b6d0b323f4ab61c66bc15ce30bec0093157127dbf

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
791KB

MD5
4ce9503e6cbbcc8ec8a8b3696986843f

SHA1
62f2a7cd9fc8b4acf6c442b246cbf34035f0b540

SHA256
1cc44e0f214cbf72c836dcbd1b1e67ad574bba62873f974432ee076072bf42cc

SHA512
f53743b7e2dd7eb88a99a01ca95ca12b4afe56892fa0fa28c3409b72cf15aedcc15c2f0966959399a2effd2b6d0b323f4ab61c66bc15ce30bec0093157127dbf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
091c2ad050574c11811a4cba3f5e58ab

SHA1
843ea953bd27a279321820c2b64a6c9c5eaafd03

SHA256
bb0cc4b396183f7057ae63ff5a5968a7ba79ce44fdbb10bb3791c2b745235003

SHA512
fe09261336ffcf8a0c30440e0ff796dbb82530f60e36ce6c816e9524d3fb6b4e9b57edd7cb51d28ca0840a685c828270b3929813216c9efafa2c42a62d873687

Download Submit
\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
791KB

MD5
4ce9503e6cbbcc8ec8a8b3696986843f

SHA1
62f2a7cd9fc8b4acf6c442b246cbf34035f0b540

SHA256
1cc44e0f214cbf72c836dcbd1b1e67ad574bba62873f974432ee076072bf42cc

SHA512
f53743b7e2dd7eb88a99a01ca95ca12b4afe56892fa0fa28c3409b72cf15aedcc15c2f0966959399a2effd2b6d0b323f4ab61c66bc15ce30bec0093157127dbf

Download Submit
\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
791KB

MD5
4ce9503e6cbbcc8ec8a8b3696986843f

SHA1
62f2a7cd9fc8b4acf6c442b246cbf34035f0b540

SHA256
1cc44e0f214cbf72c836dcbd1b1e67ad574bba62873f974432ee076072bf42cc

SHA512
f53743b7e2dd7eb88a99a01ca95ca12b4afe56892fa0fa28c3409b72cf15aedcc15c2f0966959399a2effd2b6d0b323f4ab61c66bc15ce30bec0093157127dbf

Download Submit
memory/884-62-0x0000000000000000-mapping.dmp

Download
memory/1048-57-0x0000000000380000-0x000000000038C000-memory.dmp

Filesize
48KB

Download
memory/1048-65-0x0000000001090000-0x00000000010DA000-memory.dmp

Filesize
296KB

Download
memory/1048-54-0x00000000012B0000-0x000000000137C000-memory.dmp

Filesize
816KB

Download
memory/1048-58-0x0000000007E60000-0x0000000007EE4000-memory.dmp

Filesize
528KB

Download
memory/1048-56-0x00000000003C0000-0x00000000003D8000-memory.dmp

Filesize
96KB

Download
memory/1048-55-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download
memory/1508-90-0x0000000000000000-mapping.dmp

Download
memory/1508-93-0x000000006ED80000-0x000000006F32B000-memory.dmp

Filesize
5.7MB

Download
memory/1688-64-0x000000006ED90000-0x000000006F33B000-memory.dmp

Filesize
5.7MB

Download
memory/1688-61-0x000000006ED90000-0x000000006F33B000-memory.dmp

Filesize
5.7MB

Download
memory/1688-59-0x0000000000000000-mapping.dmp

Download
memory/1732-76-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1732-71-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1732-80-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1732-66-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1732-77-0x000000000041AD7B-mapping.dmp

Download
memory/1732-86-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1732-74-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1732-67-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1732-73-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1732-81-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1732-69-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1904-88-0x0000000000F10000-0x0000000000FDC000-memory.dmp

Filesize
816KB

Download
memory/1904-84-0x0000000000000000-mapping.dmp

Download
memory/1936-107-0x000000000041AD7B-mapping.dmp

Download
memory/1936-111-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1936-112-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2016-94-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads