netwire | 36255768ea0e742455a1146fdffe10c83de7cf69c1c4d7f9cae763ac6df4293c

General

Target

36255768ea0e742455a1146fdffe10c83de7cf69c1c4d7f9cae763ac6df4293c.exe
Size

761KB
MD5

0bbbe39130aa0cfdcc59fbafb00ea6c9
SHA1

d1ce34e3002e896a5b672f8ddb2dba6856abf292
SHA256

36255768ea0e742455a1146fdffe10c83de7cf69c1c4d7f9cae763ac6df4293c
SHA512

43018d5e9f4f61a025aba8f53bff0ff4d8995bd71d75709b29edca4da65d91833761491718001efe87a48ee04bd625da2ddc1583e525a343171d0fadb0843a7f
SSDEEP

12288:5at0EAH49n8Bk8/MmCfj2U8D+Foc1xu93NoG/+d5Wel666rnyCaeu/HHxI:It24Hm0j2UToc1xuzoVF58KG

Score

10^/10

netwire botnet evasion persistence rat stealer trojan

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

YVvj.com

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	YVvj.com

NetWire RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/820-73-0x0000000000400000-0x0000000000417000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 1 IoCs

Processes:

YVvj.com

pid process

1436 YVvj.com

pid	process
1436	YVvj.com

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RegSvcs.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{12P2BG56-3215-R276-57DQ-60078P63YXLA}	RegSvcs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{12P2BG56-3215-R276-57DQ-60078P63YXLA}\StubPath = "\"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegSvcs.exe\""	RegSvcs.exe

Loads dropped DLL 4 IoCs

Processes:

36255768ea0e742455a1146fdffe10c83de7cf69c1c4d7f9cae763ac6df4293c.exe

pid	process
956	36255768ea0e742455a1146fdffe10c83de7cf69c1c4d7f9cae763ac6df4293c.exe
956	36255768ea0e742455a1146fdffe10c83de7cf69c1c4d7f9cae763ac6df4293c.exe
956	36255768ea0e742455a1146fdffe10c83de7cf69c1c4d7f9cae763ac6df4293c.exe
956	36255768ea0e742455a1146fdffe10c83de7cf69c1c4d7f9cae763ac6df4293c.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

YVvj.comRegSvcs.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\94o3h6f = "C:\\Users\\Admin\\94o3h6f\\15756.vbs"	YVvj.com
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	RegSvcs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\NetWire = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegSvcs.exe"	RegSvcs.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	YVvj.com

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

YVvj.com

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA YVvj.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

YVvj.com

description pid process target process

PID 1436 set thread context of 820 1436 YVvj.com RegSvcs.exe
Drops file in Windows directory 1 IoCs

Processes:

RegSvcs.exe

description ioc process

File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\.Identifier RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

YVvj.com

pid process

1436 YVvj.com

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	YVvj.com

description	pid	process	target process
PID 1436 set thread context of 820	1436	YVvj.com	RegSvcs.exe

description	ioc	process
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\.Identifier	RegSvcs.exe

pid	process
1436	YVvj.com

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

36255768ea0e742455a1146fdffe10c83de7cf69c1c4d7f9cae763ac6df4293c.exeYVvj.com

description	pid	process	target process
PID 956 wrote to memory of 1436	956	36255768ea0e742455a1146fdffe10c83de7cf69c1c4d7f9cae763ac6df4293c.exe	YVvj.com
PID 956 wrote to memory of 1436	956	36255768ea0e742455a1146fdffe10c83de7cf69c1c4d7f9cae763ac6df4293c.exe	YVvj.com
PID 956 wrote to memory of 1436	956	36255768ea0e742455a1146fdffe10c83de7cf69c1c4d7f9cae763ac6df4293c.exe	YVvj.com
PID 956 wrote to memory of 1436	956	36255768ea0e742455a1146fdffe10c83de7cf69c1c4d7f9cae763ac6df4293c.exe	YVvj.com
PID 956 wrote to memory of 1436	956	36255768ea0e742455a1146fdffe10c83de7cf69c1c4d7f9cae763ac6df4293c.exe	YVvj.com
PID 956 wrote to memory of 1436	956	36255768ea0e742455a1146fdffe10c83de7cf69c1c4d7f9cae763ac6df4293c.exe	YVvj.com
PID 956 wrote to memory of 1436	956	36255768ea0e742455a1146fdffe10c83de7cf69c1c4d7f9cae763ac6df4293c.exe	YVvj.com
PID 1436 wrote to memory of 820	1436	YVvj.com	RegSvcs.exe
PID 1436 wrote to memory of 820	1436	YVvj.com	RegSvcs.exe
PID 1436 wrote to memory of 820	1436	YVvj.com	RegSvcs.exe
PID 1436 wrote to memory of 820	1436	YVvj.com	RegSvcs.exe
PID 1436 wrote to memory of 820	1436	YVvj.com	RegSvcs.exe
PID 1436 wrote to memory of 820	1436	YVvj.com	RegSvcs.exe
PID 1436 wrote to memory of 820	1436	YVvj.com	RegSvcs.exe
PID 1436 wrote to memory of 820	1436	YVvj.com	RegSvcs.exe
PID 1436 wrote to memory of 820	1436	YVvj.com	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\36255768ea0e742455a1146fdffe10c83de7cf69c1c4d7f9cae763ac6df4293c.exe
"C:\Users\Admin\AppData\Local\Temp\36255768ea0e742455a1146fdffe10c83de7cf69c1c4d7f9cae763ac6df4293c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:956

C:\Users\Admin\94o3h6f\YVvj.com
"C:\Users\Admin\94o3h6f\YVvj.com" oIWDyDjVJm.JNE
2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1436

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
3⤵
- Modifies Installed Components in the registry
- Adds Run key to start application
- Drops file in Windows directory
PID:820

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

1

T1158

Modify Registry

3

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\94o3h6f\BYUMPM~1.MEE
Filesize
68KB

MD5
ae190882f58dcba2f9f5dd516d8a9f69

SHA1
e4a31b222ad28f840085272519ae511a507438e5

SHA256
f08a9185e65a640c0d7d2831a5adb55abb76d225a8899f581a8dc37a3ee2d3ad

SHA512
16153677521cf84c0e83f513268cb0569498284d2a78864f48b3ba7452fc837237f224ddd19ad81fdcba8b1ee3c3f77a69c0d6f11f759022c61d05db8f8cc862

Download Submit
C:\Users\Admin\94o3h6f\IKkSpo.QLQ
Filesize
112B

MD5
9cfe5a9a7b071c1d705a94fac1c2e012

SHA1
45c3420d2c96730edb331ba9173319b62889481f

SHA256
50478e8b1cf43c9e42bf27a59c2c402aa1b283d6dca7aec1e6a8c59055b3dc7d

SHA512
7ce9bdf25e26d0f5930befbb24504df42ed12bb24f46a65ab5065f5c2e16e400923e4292ce072dd8b843e820caa5734bb09d6aa3281089540af84f273c64b33e

Download Submit
C:\Users\Admin\94o3h6f\YVvj.com
Filesize
912KB

MD5
6a93a4071cc7c22628af40a4d872f49b

SHA1
ba916e686aa0cae19ab907bdab94924ada92b5f4

SHA256
8465f3fcbccce3ea12495edbb0bd09c3b066e3df891613ce3180f9bb38b37b01

SHA512
5a26af395a03397aadab13a53cac320f1d8bbe77046a61ae12e1f72f93df7afb360f52ef52f979f7b946a814365a298c3a3a536add6cdd7165896fb82abc4afd

Download Submit
C:\Users\Admin\94o3h6f\oIWDyDjVJm.JNE
Filesize
31.2MB

MD5
6bcdb465d6e2bc86fed1188fbc6d08a3

SHA1
9de7fe25187b3057493154a45d57d5a28a9f55ca

SHA256
717f302f40ecbb9ed340e52f8f70b02eeb64acc3337d39dccab32a4c0b10e338

SHA512
305b137395e71e0f118e8112e70371c0483077644cdbb59f5e85a4877d1e04db361b3d1cfe163654667af157197b1e75c41c2ab44f5c6a2c48fbf5d5ff5f3150

Download Submit
\Users\Admin\94o3h6f\YVvj.com
Filesize
912KB

MD5
6a93a4071cc7c22628af40a4d872f49b

SHA1
ba916e686aa0cae19ab907bdab94924ada92b5f4

SHA256
8465f3fcbccce3ea12495edbb0bd09c3b066e3df891613ce3180f9bb38b37b01

SHA512
5a26af395a03397aadab13a53cac320f1d8bbe77046a61ae12e1f72f93df7afb360f52ef52f979f7b946a814365a298c3a3a536add6cdd7165896fb82abc4afd

Download Submit
\Users\Admin\94o3h6f\YVvj.com
Filesize
912KB

MD5
6a93a4071cc7c22628af40a4d872f49b

SHA1
ba916e686aa0cae19ab907bdab94924ada92b5f4

SHA256
8465f3fcbccce3ea12495edbb0bd09c3b066e3df891613ce3180f9bb38b37b01

SHA512
5a26af395a03397aadab13a53cac320f1d8bbe77046a61ae12e1f72f93df7afb360f52ef52f979f7b946a814365a298c3a3a536add6cdd7165896fb82abc4afd

Download Submit
\Users\Admin\94o3h6f\YVvj.com
Filesize
912KB

MD5
6a93a4071cc7c22628af40a4d872f49b

SHA1
ba916e686aa0cae19ab907bdab94924ada92b5f4

SHA256
8465f3fcbccce3ea12495edbb0bd09c3b066e3df891613ce3180f9bb38b37b01

SHA512
5a26af395a03397aadab13a53cac320f1d8bbe77046a61ae12e1f72f93df7afb360f52ef52f979f7b946a814365a298c3a3a536add6cdd7165896fb82abc4afd

Download Submit
\Users\Admin\94o3h6f\YVvj.com
Filesize
912KB

MD5
6a93a4071cc7c22628af40a4d872f49b

SHA1
ba916e686aa0cae19ab907bdab94924ada92b5f4

SHA256
8465f3fcbccce3ea12495edbb0bd09c3b066e3df891613ce3180f9bb38b37b01

SHA512
5a26af395a03397aadab13a53cac320f1d8bbe77046a61ae12e1f72f93df7afb360f52ef52f979f7b946a814365a298c3a3a536add6cdd7165896fb82abc4afd

Download Submit
memory/820-65-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/820-67-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/820-68-0x0000000000401F8F-mapping.dmp

Download
memory/820-71-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/820-73-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/956-54-0x0000000075FE1000-0x0000000075FE3000-memory.dmp

Filesize
8KB

Download
memory/1436-59-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads