netwire | 63df87359c853538ba2814f07c2e47b112d2827d437e4baef14ebfdcfdb0a62e

General

Target

63df87359c853538ba2814f07c2e47b112d2827d437e4baef14ebfdcfdb0a62e.exe
Size

136KB
MD5

cef43cdb007639120a4a0d838d712193
SHA1

a214a4ebcad9d9d0e083751db9d48c2a79a04c96
SHA256

63df87359c853538ba2814f07c2e47b112d2827d437e4baef14ebfdcfdb0a62e
SHA512

3537f805975d1456a676b4cd7b35cbdd2e802b701270842bb35ff6a9ba9a3ee0e9ed87a4b16ee0056219193e56cce46937ad02614f64196f292ef1f8be163ca2
SSDEEP

3072:h4URpNUUX6z/DBXJfbjWzkCIqkTo7znirudL1jPeCUkHY:h4SUjhtbaods7zGEVPBL4

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Signatures

NetWire RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1128-67-0x0000000000400000-0x0000000000417000-memory.dmp	netwire
behavioral1/memory/1520-87-0x0000000000400000-0x0000000000417000-memory.dmp	netwire
behavioral1/memory/1520-88-0x0000000000400000-0x0000000000417000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

ImgBurn.exeImgBurn.exe

pid process

904 ImgBurn.exe
1520 ImgBurn.exe

pid	process
904	ImgBurn.exe
1520	ImgBurn.exe

Loads dropped DLL 3 IoCs

Processes:

63df87359c853538ba2814f07c2e47b112d2827d437e4baef14ebfdcfdb0a62e.exe63df87359c853538ba2814f07c2e47b112d2827d437e4baef14ebfdcfdb0a62e.exeImgBurn.exe

pid	process
1736	63df87359c853538ba2814f07c2e47b112d2827d437e4baef14ebfdcfdb0a62e.exe
1128	63df87359c853538ba2814f07c2e47b112d2827d437e4baef14ebfdcfdb0a62e.exe
904	ImgBurn.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ImgBurn.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	ImgBurn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ImgBurn = "C:\\Users\\Admin\\AppData\\Roaming\\ImgBurn\\ImgBurn.exe"	ImgBurn.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

63df87359c853538ba2814f07c2e47b112d2827d437e4baef14ebfdcfdb0a62e.exeImgBurn.exe

description	pid	process	target process
PID 1736 set thread context of 1128	1736	63df87359c853538ba2814f07c2e47b112d2827d437e4baef14ebfdcfdb0a62e.exe	63df87359c853538ba2814f07c2e47b112d2827d437e4baef14ebfdcfdb0a62e.exe
PID 904 set thread context of 1520	904	ImgBurn.exe	ImgBurn.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 8 IoCs

installer

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\ImgBurn\ImgBurn.exe	nsis_installer_1
\Users\Admin\AppData\Roaming\ImgBurn\ImgBurn.exe	nsis_installer_2
C:\Users\Admin\AppData\Roaming\ImgBurn\ImgBurn.exe	nsis_installer_1
C:\Users\Admin\AppData\Roaming\ImgBurn\ImgBurn.exe	nsis_installer_2
C:\Users\Admin\AppData\Roaming\ImgBurn\ImgBurn.exe	nsis_installer_1
C:\Users\Admin\AppData\Roaming\ImgBurn\ImgBurn.exe	nsis_installer_2
C:\Users\Admin\AppData\Roaming\ImgBurn\ImgBurn.exe	nsis_installer_1
C:\Users\Admin\AppData\Roaming\ImgBurn\ImgBurn.exe	nsis_installer_2

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

63df87359c853538ba2814f07c2e47b112d2827d437e4baef14ebfdcfdb0a62e.exe63df87359c853538ba2814f07c2e47b112d2827d437e4baef14ebfdcfdb0a62e.exeImgBurn.exe

description	pid	process	target process
PID 1736 wrote to memory of 1128	1736	63df87359c853538ba2814f07c2e47b112d2827d437e4baef14ebfdcfdb0a62e.exe	63df87359c853538ba2814f07c2e47b112d2827d437e4baef14ebfdcfdb0a62e.exe
PID 1736 wrote to memory of 1128	1736	63df87359c853538ba2814f07c2e47b112d2827d437e4baef14ebfdcfdb0a62e.exe	63df87359c853538ba2814f07c2e47b112d2827d437e4baef14ebfdcfdb0a62e.exe
PID 1736 wrote to memory of 1128	1736	63df87359c853538ba2814f07c2e47b112d2827d437e4baef14ebfdcfdb0a62e.exe	63df87359c853538ba2814f07c2e47b112d2827d437e4baef14ebfdcfdb0a62e.exe
PID 1736 wrote to memory of 1128	1736	63df87359c853538ba2814f07c2e47b112d2827d437e4baef14ebfdcfdb0a62e.exe	63df87359c853538ba2814f07c2e47b112d2827d437e4baef14ebfdcfdb0a62e.exe
PID 1736 wrote to memory of 1128	1736	63df87359c853538ba2814f07c2e47b112d2827d437e4baef14ebfdcfdb0a62e.exe	63df87359c853538ba2814f07c2e47b112d2827d437e4baef14ebfdcfdb0a62e.exe
PID 1736 wrote to memory of 1128	1736	63df87359c853538ba2814f07c2e47b112d2827d437e4baef14ebfdcfdb0a62e.exe	63df87359c853538ba2814f07c2e47b112d2827d437e4baef14ebfdcfdb0a62e.exe
PID 1736 wrote to memory of 1128	1736	63df87359c853538ba2814f07c2e47b112d2827d437e4baef14ebfdcfdb0a62e.exe	63df87359c853538ba2814f07c2e47b112d2827d437e4baef14ebfdcfdb0a62e.exe
PID 1736 wrote to memory of 1128	1736	63df87359c853538ba2814f07c2e47b112d2827d437e4baef14ebfdcfdb0a62e.exe	63df87359c853538ba2814f07c2e47b112d2827d437e4baef14ebfdcfdb0a62e.exe
PID 1736 wrote to memory of 1128	1736	63df87359c853538ba2814f07c2e47b112d2827d437e4baef14ebfdcfdb0a62e.exe	63df87359c853538ba2814f07c2e47b112d2827d437e4baef14ebfdcfdb0a62e.exe
PID 1128 wrote to memory of 904	1128	63df87359c853538ba2814f07c2e47b112d2827d437e4baef14ebfdcfdb0a62e.exe	ImgBurn.exe
PID 1128 wrote to memory of 904	1128	63df87359c853538ba2814f07c2e47b112d2827d437e4baef14ebfdcfdb0a62e.exe	ImgBurn.exe
PID 1128 wrote to memory of 904	1128	63df87359c853538ba2814f07c2e47b112d2827d437e4baef14ebfdcfdb0a62e.exe	ImgBurn.exe
PID 1128 wrote to memory of 904	1128	63df87359c853538ba2814f07c2e47b112d2827d437e4baef14ebfdcfdb0a62e.exe	ImgBurn.exe
PID 904 wrote to memory of 1520	904	ImgBurn.exe	ImgBurn.exe
PID 904 wrote to memory of 1520	904	ImgBurn.exe	ImgBurn.exe
PID 904 wrote to memory of 1520	904	ImgBurn.exe	ImgBurn.exe
PID 904 wrote to memory of 1520	904	ImgBurn.exe	ImgBurn.exe
PID 904 wrote to memory of 1520	904	ImgBurn.exe	ImgBurn.exe
PID 904 wrote to memory of 1520	904	ImgBurn.exe	ImgBurn.exe
PID 904 wrote to memory of 1520	904	ImgBurn.exe	ImgBurn.exe
PID 904 wrote to memory of 1520	904	ImgBurn.exe	ImgBurn.exe
PID 904 wrote to memory of 1520	904	ImgBurn.exe	ImgBurn.exe

C:\Users\Admin\AppData\Local\Temp\63df87359c853538ba2814f07c2e47b112d2827d437e4baef14ebfdcfdb0a62e.exe
"C:\Users\Admin\AppData\Local\Temp\63df87359c853538ba2814f07c2e47b112d2827d437e4baef14ebfdcfdb0a62e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1736

C:\Users\Admin\AppData\Local\Temp\63df87359c853538ba2814f07c2e47b112d2827d437e4baef14ebfdcfdb0a62e.exe
"C:\Users\Admin\AppData\Local\Temp\63df87359c853538ba2814f07c2e47b112d2827d437e4baef14ebfdcfdb0a62e.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1128

C:\Users\Admin\AppData\Roaming\ImgBurn\ImgBurn.exe
"C:\Users\Admin\AppData\Roaming\ImgBurn\ImgBurn.exe" -m C:\Users\Admin\AppData\Local\Temp\63df87359c853538ba2814f07c2e47b112d2827d437e4baef14ebfdcfdb0a62e.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:904

C:\Users\Admin\AppData\Roaming\ImgBurn\ImgBurn.exe
"C:\Users\Admin\AppData\Roaming\ImgBurn\ImgBurn.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1520

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aviculture\cockpit.ctj
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\ImgBurn\ImgBurn.exe
Filesize
136KB

MD5
cef43cdb007639120a4a0d838d712193

SHA1
a214a4ebcad9d9d0e083751db9d48c2a79a04c96

SHA256
63df87359c853538ba2814f07c2e47b112d2827d437e4baef14ebfdcfdb0a62e

SHA512
3537f805975d1456a676b4cd7b35cbdd2e802b701270842bb35ff6a9ba9a3ee0e9ed87a4b16ee0056219193e56cce46937ad02614f64196f292ef1f8be163ca2

Download Submit
C:\Users\Admin\AppData\Roaming\ImgBurn\ImgBurn.exe
Filesize
136KB

MD5
cef43cdb007639120a4a0d838d712193

SHA1
a214a4ebcad9d9d0e083751db9d48c2a79a04c96

SHA256
63df87359c853538ba2814f07c2e47b112d2827d437e4baef14ebfdcfdb0a62e

SHA512
3537f805975d1456a676b4cd7b35cbdd2e802b701270842bb35ff6a9ba9a3ee0e9ed87a4b16ee0056219193e56cce46937ad02614f64196f292ef1f8be163ca2

Download Submit
C:\Users\Admin\AppData\Roaming\ImgBurn\ImgBurn.exe
Filesize
136KB

MD5
cef43cdb007639120a4a0d838d712193

SHA1
a214a4ebcad9d9d0e083751db9d48c2a79a04c96

SHA256
63df87359c853538ba2814f07c2e47b112d2827d437e4baef14ebfdcfdb0a62e

SHA512
3537f805975d1456a676b4cd7b35cbdd2e802b701270842bb35ff6a9ba9a3ee0e9ed87a4b16ee0056219193e56cce46937ad02614f64196f292ef1f8be163ca2

Download Submit
\Users\Admin\AppData\Local\Temp\nsj6D36.tmp\cockpit.dll
Filesize
60KB

MD5
74778778572de126af8b54ff656f75f8

SHA1
dcf6e90bad1b74b653d10eb1d0cf0019b626960b

SHA256
d2bbe601752db2dc9998c39ca8d7955ba5697343d869c3f2495d7bc16fec0b53

SHA512
6f698972ab016a2caf00456dc47c3054b5299845e38dfd76573f07a416d61ef721d04ff50906cc461bb8c0e0c19d1ad94921cf475c9632211c830b9f0a974698

Download Submit
\Users\Admin\AppData\Local\Temp\nsoBEAF.tmp\cockpit.dll
Filesize
60KB

MD5
74778778572de126af8b54ff656f75f8

SHA1
dcf6e90bad1b74b653d10eb1d0cf0019b626960b

SHA256
d2bbe601752db2dc9998c39ca8d7955ba5697343d869c3f2495d7bc16fec0b53

SHA512
6f698972ab016a2caf00456dc47c3054b5299845e38dfd76573f07a416d61ef721d04ff50906cc461bb8c0e0c19d1ad94921cf475c9632211c830b9f0a974698

Download Submit
\Users\Admin\AppData\Roaming\ImgBurn\ImgBurn.exe
Filesize
136KB

MD5
cef43cdb007639120a4a0d838d712193

SHA1
a214a4ebcad9d9d0e083751db9d48c2a79a04c96

SHA256
63df87359c853538ba2814f07c2e47b112d2827d437e4baef14ebfdcfdb0a62e

SHA512
3537f805975d1456a676b4cd7b35cbdd2e802b701270842bb35ff6a9ba9a3ee0e9ed87a4b16ee0056219193e56cce46937ad02614f64196f292ef1f8be163ca2

Download Submit
memory/904-69-0x0000000000000000-mapping.dmp

Download
memory/1128-63-0x0000000000401F8F-mapping.dmp

Download
memory/1128-66-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1128-67-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1128-56-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1128-62-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1128-61-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1128-59-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1128-57-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1520-82-0x0000000000401F8F-mapping.dmp

Download
memory/1520-87-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1520-88-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1736-54-0x0000000076D71000-0x0000000076D73000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads