netwire | b5073a634b26acaba749136f0d2cdc2eb592d6778419c6446eaa5c7b449d33d4

General

Target

b5073a634b26acaba749136f0d2cdc2eb592d6778419c6446eaa5c7b449d33d4.exe
Size

742KB
MD5

7513a2bc0a206d10b25973a348e5acb8
SHA1

3ff6f9fac6461ab5bbb0f1ec99390df79db7848e
SHA256

b5073a634b26acaba749136f0d2cdc2eb592d6778419c6446eaa5c7b449d33d4
SHA512

5dd3ab7a45a90f52ce5dfa67867ebb902f82185f4423cff214d95ac22a17f8fcd302b3808203bc56ed762a078423bc7b6f889dc567b8cf05d2a9331947c04bed
SSDEEP

12288:6K2mhAMJ/cPlDXXKgMuSEaN2uiEqOHYRVPVT04rQWlHkAinpXdZ5FUN3Bk:L2O/Gl7XKu4UED4RVPVI8Qyqd7FOxk

Score

10^/10

netwire botnet rat stealer

Malware Config

Signatures

NetWire RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4576-142-0x0000000000400000-0x0000000000417000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 1 IoCs

Processes:

vozzetsztuc.exe

pid process

5108 vozzetsztuc.exe

pid	process
5108	vozzetsztuc.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b5073a634b26acaba749136f0d2cdc2eb592d6778419c6446eaa5c7b449d33d4.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	b5073a634b26acaba749136f0d2cdc2eb592d6778419c6446eaa5c7b449d33d4.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

vozzetsztuc.exe

description pid process target process

PID 5108 set thread context of 4576 5108 vozzetsztuc.exe RegSvcs.exe
Drops file in Windows directory 1 IoCs

Processes:

RegSvcs.exe

description ioc process

File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\.Identifier RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

vozzetsztuc.exe

pid process

5108 vozzetsztuc.exe
5108 vozzetsztuc.exe
5108 vozzetsztuc.exe
5108 vozzetsztuc.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

vozzetsztuc.exe

description pid process

Token: SeDebugPrivilege 5108 vozzetsztuc.exe

description	pid	process	target process
PID 5108 set thread context of 4576	5108	vozzetsztuc.exe	RegSvcs.exe

description	ioc	process
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\.Identifier	RegSvcs.exe

pid	process
5108	vozzetsztuc.exe
5108	vozzetsztuc.exe
5108	vozzetsztuc.exe
5108	vozzetsztuc.exe

description	pid	process
Token: SeDebugPrivilege	5108	vozzetsztuc.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

b5073a634b26acaba749136f0d2cdc2eb592d6778419c6446eaa5c7b449d33d4.exevozzetsztuc.exe

description	pid	process	target process
PID 1056 wrote to memory of 5108	1056	b5073a634b26acaba749136f0d2cdc2eb592d6778419c6446eaa5c7b449d33d4.exe	vozzetsztuc.exe
PID 1056 wrote to memory of 5108	1056	b5073a634b26acaba749136f0d2cdc2eb592d6778419c6446eaa5c7b449d33d4.exe	vozzetsztuc.exe
PID 1056 wrote to memory of 5108	1056	b5073a634b26acaba749136f0d2cdc2eb592d6778419c6446eaa5c7b449d33d4.exe	vozzetsztuc.exe
PID 5108 wrote to memory of 4576	5108	vozzetsztuc.exe	RegSvcs.exe
PID 5108 wrote to memory of 4576	5108	vozzetsztuc.exe	RegSvcs.exe
PID 5108 wrote to memory of 4576	5108	vozzetsztuc.exe	RegSvcs.exe
PID 5108 wrote to memory of 4576	5108	vozzetsztuc.exe	RegSvcs.exe
PID 5108 wrote to memory of 4576	5108	vozzetsztuc.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\b5073a634b26acaba749136f0d2cdc2eb592d6778419c6446eaa5c7b449d33d4.exe
"C:\Users\Admin\AppData\Local\Temp\b5073a634b26acaba749136f0d2cdc2eb592d6778419c6446eaa5c7b449d33d4.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1056

C:\Users\Admin\hagv85pvjw112t\vozzetsztuc.exe
"C:\Users\Admin\hagv85pvjw112t\vozzetsztuc.exe" ehymev.ZOO
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5108

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
3⤵
- Drops file in Windows directory
PID:4576

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\HAGV85~1\pkuslvq.NMB
Filesize
35B

MD5
724e9c5bef43d0294e55345b1d5135a7

SHA1
1de1e3749d16d20098fbb80718700b9c4aaf2468

SHA256
ad98fbefaac2f4c6ffb79c36b8e962c0dfa9b9126788e66d1b771317d5602b1f

SHA512
48deac1ca632fb35a77a4666ea46f3baaffb0ef1e05764622a2c15e7f68c490cdebb3f95caa42cd0a9c757230f0128e3c89cdd9d59bb10bce672d835a1ffdcec

Download Submit
C:\Users\Admin\HAGV85~1\wrrr.IMO
Filesize
68KB

MD5
c9c55b8d91d2a68bd03372026ee0b399

SHA1
aebe91dfa0972cb256ccef3a7318c584d3b6edca

SHA256
a88cdd6f32af42835ff0fcb87438c9958605c88ca961222a936cf9be9206f81b

SHA512
c6eb1afd2ddf46cca7663d9186f60b94c7b8e1cf710764ba0ebe030d6f6cddd253b0d722b70ebf714b801ec5f26b4082c19f80be37ad60e28b25029b9f64367f

Download Submit
C:\Users\Admin\hagv85pvjw112t\ehymev.ZOO
Filesize
39.4MB

MD5
4adc3e0c6f487bd63b9b908a6c22ecdf

SHA1
f58a701792884a7a6c7c0142e794379c9b3179b7

SHA256
496f434f0c2650de684621b2fa842e4f9e2c320e8224e5681396b135323464fc

SHA512
190be2eba7750df8e6176ea9501ab30e2175edf57dcc8c3362d11e58835af4dd5f6cef28f010905153958927894bf183519e9ab5f2fc6216fa6c105acec359bb

Download Submit
C:\Users\Admin\hagv85pvjw112t\vozzetsztuc.exe
Filesize
912KB

MD5
6a93a4071cc7c22628af40a4d872f49b

SHA1
ba916e686aa0cae19ab907bdab94924ada92b5f4

SHA256
8465f3fcbccce3ea12495edbb0bd09c3b066e3df891613ce3180f9bb38b37b01

SHA512
5a26af395a03397aadab13a53cac320f1d8bbe77046a61ae12e1f72f93df7afb360f52ef52f979f7b946a814365a298c3a3a536add6cdd7165896fb82abc4afd

Download Submit
C:\Users\Admin\hagv85pvjw112t\vozzetsztuc.exe
Filesize
912KB

MD5
6a93a4071cc7c22628af40a4d872f49b

SHA1
ba916e686aa0cae19ab907bdab94924ada92b5f4

SHA256
8465f3fcbccce3ea12495edbb0bd09c3b066e3df891613ce3180f9bb38b37b01

SHA512
5a26af395a03397aadab13a53cac320f1d8bbe77046a61ae12e1f72f93df7afb360f52ef52f979f7b946a814365a298c3a3a536add6cdd7165896fb82abc4afd

Download Submit
memory/4576-138-0x0000000000000000-mapping.dmp

Download
memory/4576-139-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4576-141-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4576-142-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5108-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads