netwire | 40217d077e10762829d40552f060147eaf9235d03a1fc4581fbc80dfd931805a

General

Target

40217d077e10762829d40552f060147eaf9235d03a1fc4581fbc80dfd931805a.exe
Size

185KB
MD5

2033e4aafe2162ecc88f30ef5d30ef66
SHA1

9a5344fdf5f6f72aaff37aa4422caec310bce0a3
SHA256

40217d077e10762829d40552f060147eaf9235d03a1fc4581fbc80dfd931805a
SHA512

c844562a67e797cf825a39e9b93d2ccd505da31c66991a2067990a9ac3d3b2c8bf2ce943ef81c31a70c0c069cdb6250dc65ce3403ba447fb28cb3bee0360116e
SSDEEP

3072:CnEWyU+dea8BNhBuvmJFEIG3kIgyS9RJySqKgP:CEW1+deDc6F6kVVybz

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Signatures

NetWire RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2352-136-0x0000000000400000-0x0000000000417000-memory.dmp	netwire
behavioral2/memory/1996-145-0x0000000000400000-0x0000000000417000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

ImgBurn.exeImgBurn.exe

pid process

3380 ImgBurn.exe
1996 ImgBurn.exe

pid	process
3380	ImgBurn.exe
1996	ImgBurn.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

40217d077e10762829d40552f060147eaf9235d03a1fc4581fbc80dfd931805a.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	40217d077e10762829d40552f060147eaf9235d03a1fc4581fbc80dfd931805a.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ImgBurn.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	ImgBurn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ImgBurn = "C:\\Users\\Admin\\AppData\\Roaming\\ImgBurn\\ImgBurn.exe"	ImgBurn.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

40217d077e10762829d40552f060147eaf9235d03a1fc4581fbc80dfd931805a.exeImgBurn.exe

description	pid	process	target process
PID 744 set thread context of 2352	744	40217d077e10762829d40552f060147eaf9235d03a1fc4581fbc80dfd931805a.exe	40217d077e10762829d40552f060147eaf9235d03a1fc4581fbc80dfd931805a.exe
PID 3380 set thread context of 1996	3380	ImgBurn.exe	ImgBurn.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

40217d077e10762829d40552f060147eaf9235d03a1fc4581fbc80dfd931805a.exe40217d077e10762829d40552f060147eaf9235d03a1fc4581fbc80dfd931805a.exeImgBurn.exe

description	pid	process	target process
PID 744 wrote to memory of 2352	744	40217d077e10762829d40552f060147eaf9235d03a1fc4581fbc80dfd931805a.exe	40217d077e10762829d40552f060147eaf9235d03a1fc4581fbc80dfd931805a.exe
PID 744 wrote to memory of 2352	744	40217d077e10762829d40552f060147eaf9235d03a1fc4581fbc80dfd931805a.exe	40217d077e10762829d40552f060147eaf9235d03a1fc4581fbc80dfd931805a.exe
PID 744 wrote to memory of 2352	744	40217d077e10762829d40552f060147eaf9235d03a1fc4581fbc80dfd931805a.exe	40217d077e10762829d40552f060147eaf9235d03a1fc4581fbc80dfd931805a.exe
PID 744 wrote to memory of 2352	744	40217d077e10762829d40552f060147eaf9235d03a1fc4581fbc80dfd931805a.exe	40217d077e10762829d40552f060147eaf9235d03a1fc4581fbc80dfd931805a.exe
PID 744 wrote to memory of 2352	744	40217d077e10762829d40552f060147eaf9235d03a1fc4581fbc80dfd931805a.exe	40217d077e10762829d40552f060147eaf9235d03a1fc4581fbc80dfd931805a.exe
PID 744 wrote to memory of 2352	744	40217d077e10762829d40552f060147eaf9235d03a1fc4581fbc80dfd931805a.exe	40217d077e10762829d40552f060147eaf9235d03a1fc4581fbc80dfd931805a.exe
PID 744 wrote to memory of 2352	744	40217d077e10762829d40552f060147eaf9235d03a1fc4581fbc80dfd931805a.exe	40217d077e10762829d40552f060147eaf9235d03a1fc4581fbc80dfd931805a.exe
PID 744 wrote to memory of 2352	744	40217d077e10762829d40552f060147eaf9235d03a1fc4581fbc80dfd931805a.exe	40217d077e10762829d40552f060147eaf9235d03a1fc4581fbc80dfd931805a.exe
PID 744 wrote to memory of 2352	744	40217d077e10762829d40552f060147eaf9235d03a1fc4581fbc80dfd931805a.exe	40217d077e10762829d40552f060147eaf9235d03a1fc4581fbc80dfd931805a.exe
PID 2352 wrote to memory of 3380	2352	40217d077e10762829d40552f060147eaf9235d03a1fc4581fbc80dfd931805a.exe	ImgBurn.exe
PID 2352 wrote to memory of 3380	2352	40217d077e10762829d40552f060147eaf9235d03a1fc4581fbc80dfd931805a.exe	ImgBurn.exe
PID 2352 wrote to memory of 3380	2352	40217d077e10762829d40552f060147eaf9235d03a1fc4581fbc80dfd931805a.exe	ImgBurn.exe
PID 3380 wrote to memory of 1996	3380	ImgBurn.exe	ImgBurn.exe
PID 3380 wrote to memory of 1996	3380	ImgBurn.exe	ImgBurn.exe
PID 3380 wrote to memory of 1996	3380	ImgBurn.exe	ImgBurn.exe
PID 3380 wrote to memory of 1996	3380	ImgBurn.exe	ImgBurn.exe
PID 3380 wrote to memory of 1996	3380	ImgBurn.exe	ImgBurn.exe
PID 3380 wrote to memory of 1996	3380	ImgBurn.exe	ImgBurn.exe
PID 3380 wrote to memory of 1996	3380	ImgBurn.exe	ImgBurn.exe
PID 3380 wrote to memory of 1996	3380	ImgBurn.exe	ImgBurn.exe
PID 3380 wrote to memory of 1996	3380	ImgBurn.exe	ImgBurn.exe

C:\Users\Admin\AppData\Local\Temp\40217d077e10762829d40552f060147eaf9235d03a1fc4581fbc80dfd931805a.exe
"C:\Users\Admin\AppData\Local\Temp\40217d077e10762829d40552f060147eaf9235d03a1fc4581fbc80dfd931805a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:744

C:\Users\Admin\AppData\Local\Temp\40217d077e10762829d40552f060147eaf9235d03a1fc4581fbc80dfd931805a.exe
"C:\Users\Admin\AppData\Local\Temp\40217d077e10762829d40552f060147eaf9235d03a1fc4581fbc80dfd931805a.exe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2352

C:\Users\Admin\AppData\Roaming\ImgBurn\ImgBurn.exe
"C:\Users\Admin\AppData\Roaming\ImgBurn\ImgBurn.exe" -m C:\Users\Admin\AppData\Local\Temp\40217d077e10762829d40552f060147eaf9235d03a1fc4581fbc80dfd931805a.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3380

C:\Users\Admin\AppData\Roaming\ImgBurn\ImgBurn.exe
"C:\Users\Admin\AppData\Roaming\ImgBurn\ImgBurn.exe" -m C:\Users\Admin\AppData\Local\Temp\40217d077e10762829d40552f060147eaf9235d03a1fc4581fbc80dfd931805a.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1996

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ImgBurn\ImgBurn.exe
Filesize
185KB

MD5
2033e4aafe2162ecc88f30ef5d30ef66

SHA1
9a5344fdf5f6f72aaff37aa4422caec310bce0a3

SHA256
40217d077e10762829d40552f060147eaf9235d03a1fc4581fbc80dfd931805a

SHA512
c844562a67e797cf825a39e9b93d2ccd505da31c66991a2067990a9ac3d3b2c8bf2ce943ef81c31a70c0c069cdb6250dc65ce3403ba447fb28cb3bee0360116e

Download Submit
C:\Users\Admin\AppData\Roaming\ImgBurn\ImgBurn.exe
Filesize
185KB

MD5
2033e4aafe2162ecc88f30ef5d30ef66

SHA1
9a5344fdf5f6f72aaff37aa4422caec310bce0a3

SHA256
40217d077e10762829d40552f060147eaf9235d03a1fc4581fbc80dfd931805a

SHA512
c844562a67e797cf825a39e9b93d2ccd505da31c66991a2067990a9ac3d3b2c8bf2ce943ef81c31a70c0c069cdb6250dc65ce3403ba447fb28cb3bee0360116e

Download Submit
C:\Users\Admin\AppData\Roaming\ImgBurn\ImgBurn.exe
Filesize
185KB

MD5
2033e4aafe2162ecc88f30ef5d30ef66

SHA1
9a5344fdf5f6f72aaff37aa4422caec310bce0a3

SHA256
40217d077e10762829d40552f060147eaf9235d03a1fc4581fbc80dfd931805a

SHA512
c844562a67e797cf825a39e9b93d2ccd505da31c66991a2067990a9ac3d3b2c8bf2ce943ef81c31a70c0c069cdb6250dc65ce3403ba447fb28cb3bee0360116e

Download Submit
memory/1996-140-0x0000000000000000-mapping.dmp

Download
memory/1996-145-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2352-132-0x0000000000000000-mapping.dmp

Download
memory/2352-133-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2352-134-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2352-135-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2352-136-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3380-137-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads