netwire | fd1ddff4e361bc59e19399cae6bd9f9f81381a3480774d283ebfa01a3a9cc2f6

General

Target

fd1ddff4e361bc59e19399cae6bd9f9f81381a3480774d283ebfa01a3a9cc2f6.exe
Size

274KB
MD5

954a40569d9840fd4d492d19cc3fa5a6
SHA1

a3c6622bfbeef7023d5bbede041451e305124d02
SHA256

fd1ddff4e361bc59e19399cae6bd9f9f81381a3480774d283ebfa01a3a9cc2f6
SHA512

e9a7b97647d10178a60a88c6310d49db2c10edab7ded53c63a8fe2f80d3af9be25b3525f58f2b808c84d73e8bbc8b3003953201456c107880be3bba695907d3c
SSDEEP

6144:bwwik3MHZNEDy756uTayLhvIZp9QTwtlSBtNCD3WQlGb1Y724shg+agT:bbikc5jTCSdj3cgT

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Signatures

NetWire RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1956-69-0x0000000000400000-0x0000000000417000-memory.dmp	netwire
behavioral1/memory/1136-83-0x0000000000400000-0x0000000000417000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

ImgBurn.exeImgBurn.exe

pid process

1336 ImgBurn.exe
1136 ImgBurn.exe
Deletes itself 1 IoCs

Processes:

ImgBurn.exe

pid process

1136 ImgBurn.exe
Loads dropped DLL 1 IoCs

Processes:

fd1ddff4e361bc59e19399cae6bd9f9f81381a3480774d283ebfa01a3a9cc2f6.exe

pid process

1956 fd1ddff4e361bc59e19399cae6bd9f9f81381a3480774d283ebfa01a3a9cc2f6.exe

pid	process
1336	ImgBurn.exe
1136	ImgBurn.exe

pid	process
1136	ImgBurn.exe

pid	process
1956	fd1ddff4e361bc59e19399cae6bd9f9f81381a3480774d283ebfa01a3a9cc2f6.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ImgBurn.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	ImgBurn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\ImgBurn = "C:\\Users\\Admin\\AppData\\Roaming\\ImgBurn\\ImgBurn.exe"	ImgBurn.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

fd1ddff4e361bc59e19399cae6bd9f9f81381a3480774d283ebfa01a3a9cc2f6.exeImgBurn.exe

description	pid	process	target process
PID 1784 set thread context of 1956	1784	fd1ddff4e361bc59e19399cae6bd9f9f81381a3480774d283ebfa01a3a9cc2f6.exe	fd1ddff4e361bc59e19399cae6bd9f9f81381a3480774d283ebfa01a3a9cc2f6.exe
PID 1336 set thread context of 1136	1336	ImgBurn.exe	ImgBurn.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

fd1ddff4e361bc59e19399cae6bd9f9f81381a3480774d283ebfa01a3a9cc2f6.exefd1ddff4e361bc59e19399cae6bd9f9f81381a3480774d283ebfa01a3a9cc2f6.exeImgBurn.exe

description	pid	process	target process
PID 1784 wrote to memory of 1956	1784	fd1ddff4e361bc59e19399cae6bd9f9f81381a3480774d283ebfa01a3a9cc2f6.exe	fd1ddff4e361bc59e19399cae6bd9f9f81381a3480774d283ebfa01a3a9cc2f6.exe
PID 1784 wrote to memory of 1956	1784	fd1ddff4e361bc59e19399cae6bd9f9f81381a3480774d283ebfa01a3a9cc2f6.exe	fd1ddff4e361bc59e19399cae6bd9f9f81381a3480774d283ebfa01a3a9cc2f6.exe
PID 1784 wrote to memory of 1956	1784	fd1ddff4e361bc59e19399cae6bd9f9f81381a3480774d283ebfa01a3a9cc2f6.exe	fd1ddff4e361bc59e19399cae6bd9f9f81381a3480774d283ebfa01a3a9cc2f6.exe
PID 1784 wrote to memory of 1956	1784	fd1ddff4e361bc59e19399cae6bd9f9f81381a3480774d283ebfa01a3a9cc2f6.exe	fd1ddff4e361bc59e19399cae6bd9f9f81381a3480774d283ebfa01a3a9cc2f6.exe
PID 1784 wrote to memory of 1956	1784	fd1ddff4e361bc59e19399cae6bd9f9f81381a3480774d283ebfa01a3a9cc2f6.exe	fd1ddff4e361bc59e19399cae6bd9f9f81381a3480774d283ebfa01a3a9cc2f6.exe
PID 1784 wrote to memory of 1956	1784	fd1ddff4e361bc59e19399cae6bd9f9f81381a3480774d283ebfa01a3a9cc2f6.exe	fd1ddff4e361bc59e19399cae6bd9f9f81381a3480774d283ebfa01a3a9cc2f6.exe
PID 1784 wrote to memory of 1956	1784	fd1ddff4e361bc59e19399cae6bd9f9f81381a3480774d283ebfa01a3a9cc2f6.exe	fd1ddff4e361bc59e19399cae6bd9f9f81381a3480774d283ebfa01a3a9cc2f6.exe
PID 1784 wrote to memory of 1956	1784	fd1ddff4e361bc59e19399cae6bd9f9f81381a3480774d283ebfa01a3a9cc2f6.exe	fd1ddff4e361bc59e19399cae6bd9f9f81381a3480774d283ebfa01a3a9cc2f6.exe
PID 1784 wrote to memory of 1956	1784	fd1ddff4e361bc59e19399cae6bd9f9f81381a3480774d283ebfa01a3a9cc2f6.exe	fd1ddff4e361bc59e19399cae6bd9f9f81381a3480774d283ebfa01a3a9cc2f6.exe
PID 1956 wrote to memory of 1336	1956	fd1ddff4e361bc59e19399cae6bd9f9f81381a3480774d283ebfa01a3a9cc2f6.exe	ImgBurn.exe
PID 1956 wrote to memory of 1336	1956	fd1ddff4e361bc59e19399cae6bd9f9f81381a3480774d283ebfa01a3a9cc2f6.exe	ImgBurn.exe
PID 1956 wrote to memory of 1336	1956	fd1ddff4e361bc59e19399cae6bd9f9f81381a3480774d283ebfa01a3a9cc2f6.exe	ImgBurn.exe
PID 1956 wrote to memory of 1336	1956	fd1ddff4e361bc59e19399cae6bd9f9f81381a3480774d283ebfa01a3a9cc2f6.exe	ImgBurn.exe
PID 1336 wrote to memory of 1136	1336	ImgBurn.exe	ImgBurn.exe
PID 1336 wrote to memory of 1136	1336	ImgBurn.exe	ImgBurn.exe
PID 1336 wrote to memory of 1136	1336	ImgBurn.exe	ImgBurn.exe
PID 1336 wrote to memory of 1136	1336	ImgBurn.exe	ImgBurn.exe
PID 1336 wrote to memory of 1136	1336	ImgBurn.exe	ImgBurn.exe
PID 1336 wrote to memory of 1136	1336	ImgBurn.exe	ImgBurn.exe
PID 1336 wrote to memory of 1136	1336	ImgBurn.exe	ImgBurn.exe
PID 1336 wrote to memory of 1136	1336	ImgBurn.exe	ImgBurn.exe
PID 1336 wrote to memory of 1136	1336	ImgBurn.exe	ImgBurn.exe

C:\Users\Admin\AppData\Local\Temp\fd1ddff4e361bc59e19399cae6bd9f9f81381a3480774d283ebfa01a3a9cc2f6.exe
"C:\Users\Admin\AppData\Local\Temp\fd1ddff4e361bc59e19399cae6bd9f9f81381a3480774d283ebfa01a3a9cc2f6.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1784
- C:\Users\Admin\AppData\Local\Temp\fd1ddff4e361bc59e19399cae6bd9f9f81381a3480774d283ebfa01a3a9cc2f6.exe
  "C:\Users\Admin\AppData\Local\Temp\fd1ddff4e361bc59e19399cae6bd9f9f81381a3480774d283ebfa01a3a9cc2f6.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1956
- - C:\Users\Admin\AppData\Roaming\ImgBurn\ImgBurn.exe
    "C:\Users\Admin\AppData\Roaming\ImgBurn\ImgBurn.exe" -m C:\Users\Admin\AppData\Local\Temp\fd1ddff4e361bc59e19399cae6bd9f9f81381a3480774d283ebfa01a3a9cc2f6.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1336
  - - C:\Users\Admin\AppData\Roaming\ImgBurn\ImgBurn.exe
      "C:\Users\Admin\AppData\Roaming\ImgBurn\ImgBurn.exe" -m C:\Users\Admin\AppData\Local\Temp\fd1ddff4e361bc59e19399cae6bd9f9f81381a3480774d283ebfa01a3a9cc2f6.exe
      4⤵
      Executes dropped EXE
      Deletes itself
      Adds Run key to start application
      PID:1136

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ImgBurn\ImgBurn.exe

Filesize
274KB

MD5
954a40569d9840fd4d492d19cc3fa5a6

SHA1
a3c6622bfbeef7023d5bbede041451e305124d02

SHA256
fd1ddff4e361bc59e19399cae6bd9f9f81381a3480774d283ebfa01a3a9cc2f6

SHA512
e9a7b97647d10178a60a88c6310d49db2c10edab7ded53c63a8fe2f80d3af9be25b3525f58f2b808c84d73e8bbc8b3003953201456c107880be3bba695907d3c

Download Submit
C:\Users\Admin\AppData\Roaming\ImgBurn\ImgBurn.exe

Filesize
274KB

MD5
954a40569d9840fd4d492d19cc3fa5a6

SHA1
a3c6622bfbeef7023d5bbede041451e305124d02

SHA256
fd1ddff4e361bc59e19399cae6bd9f9f81381a3480774d283ebfa01a3a9cc2f6

SHA512
e9a7b97647d10178a60a88c6310d49db2c10edab7ded53c63a8fe2f80d3af9be25b3525f58f2b808c84d73e8bbc8b3003953201456c107880be3bba695907d3c

Download Submit
\Users\Admin\AppData\Roaming\ImgBurn\ImgBurn.exe

Filesize
274KB

MD5
954a40569d9840fd4d492d19cc3fa5a6

SHA1
a3c6622bfbeef7023d5bbede041451e305124d02

SHA256
fd1ddff4e361bc59e19399cae6bd9f9f81381a3480774d283ebfa01a3a9cc2f6

SHA512
e9a7b97647d10178a60a88c6310d49db2c10edab7ded53c63a8fe2f80d3af9be25b3525f58f2b808c84d73e8bbc8b3003953201456c107880be3bba695907d3c

Download Submit
memory/1136-83-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1136-78-0x0000000000401F8F-mapping.dmp

Download
memory/1336-67-0x0000000000000000-mapping.dmp

Download
memory/1784-54-0x00000000762F1000-0x00000000762F3000-memory.dmp

Filesize
8KB

Download
memory/1956-61-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1956-65-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1956-63-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1956-55-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1956-69-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1956-62-0x0000000000401F8F-mapping.dmp

Download
memory/1956-60-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1956-58-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads