netwire | 8c907dfac7b88b74f60ed80c6acc916d94caa5ab36aac4db4597f215483afe05

Analysis

max time kernel
148s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 13:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8c907dfac7b88b74f60ed80c6acc916d94caa5ab36aac4db4597f215483afe05.exe
Size

558KB
MD5

84c23174883bfc6185c61eb1106e4d2e
SHA1

59df87cd5af71f76db82d384379db01f56adc96c
SHA256

8c907dfac7b88b74f60ed80c6acc916d94caa5ab36aac4db4597f215483afe05
SHA512

601efcaa36ae9a1a08bbb964057d8911306e34a2c7a0d7dda0914d0bd725cd4e8b1b32e5c88fe6011d70363088f3a26763c42b18a326b36788c66a5545bd6a92
SSDEEP

6144:PFhmxTB7drI/7gkzKTr6gQutC24l8Pksw3sBb31+6iKtMHqCKBNdGh8Ab:TKv6gQutC/gy3sB31+D8MHNNb

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

8c907dfac7b88b74f60ed80c6acc916d94caa5ab36aac4db4597f215483afe05.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\file.exe"	8c907dfac7b88b74f60ed80c6acc916d94caa5ab36aac4db4597f215483afe05.exe

NetWire RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1980-78-0x0000000000401F8F-mapping.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

tmp.exenotepad .exe

pid process

1808 tmp.exe
1980 notepad .exe

pid	process
1808	tmp.exe
1980	notepad .exe

Loads dropped DLL 3 IoCs

Processes:

8c907dfac7b88b74f60ed80c6acc916d94caa5ab36aac4db4597f215483afe05.exe

pid	process
1348	8c907dfac7b88b74f60ed80c6acc916d94caa5ab36aac4db4597f215483afe05.exe
1348	8c907dfac7b88b74f60ed80c6acc916d94caa5ab36aac4db4597f215483afe05.exe
1348	8c907dfac7b88b74f60ed80c6acc916d94caa5ab36aac4db4597f215483afe05.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

8c907dfac7b88b74f60ed80c6acc916d94caa5ab36aac4db4597f215483afe05.exe

description	pid	process	target process
PID 1348 set thread context of 1980	1348	8c907dfac7b88b74f60ed80c6acc916d94caa5ab36aac4db4597f215483afe05.exe	notepad .exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

8c907dfac7b88b74f60ed80c6acc916d94caa5ab36aac4db4597f215483afe05.exe

pid	process
1348	8c907dfac7b88b74f60ed80c6acc916d94caa5ab36aac4db4597f215483afe05.exe
1348	8c907dfac7b88b74f60ed80c6acc916d94caa5ab36aac4db4597f215483afe05.exe
1348	8c907dfac7b88b74f60ed80c6acc916d94caa5ab36aac4db4597f215483afe05.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

8c907dfac7b88b74f60ed80c6acc916d94caa5ab36aac4db4597f215483afe05.exe

description pid process

Token: SeDebugPrivilege 1348 8c907dfac7b88b74f60ed80c6acc916d94caa5ab36aac4db4597f215483afe05.exe

description	pid	process
Token: SeDebugPrivilege	1348	8c907dfac7b88b74f60ed80c6acc916d94caa5ab36aac4db4597f215483afe05.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

8c907dfac7b88b74f60ed80c6acc916d94caa5ab36aac4db4597f215483afe05.execmd.exewscript.exe

description	pid	process	target process
PID 1348 wrote to memory of 2032	1348	8c907dfac7b88b74f60ed80c6acc916d94caa5ab36aac4db4597f215483afe05.exe	cmd.exe
PID 1348 wrote to memory of 2032	1348	8c907dfac7b88b74f60ed80c6acc916d94caa5ab36aac4db4597f215483afe05.exe	cmd.exe
PID 1348 wrote to memory of 2032	1348	8c907dfac7b88b74f60ed80c6acc916d94caa5ab36aac4db4597f215483afe05.exe	cmd.exe
PID 1348 wrote to memory of 2032	1348	8c907dfac7b88b74f60ed80c6acc916d94caa5ab36aac4db4597f215483afe05.exe	cmd.exe
PID 2032 wrote to memory of 1136	2032	cmd.exe	wscript.exe
PID 2032 wrote to memory of 1136	2032	cmd.exe	wscript.exe
PID 2032 wrote to memory of 1136	2032	cmd.exe	wscript.exe
PID 2032 wrote to memory of 1136	2032	cmd.exe	wscript.exe
PID 1136 wrote to memory of 544	1136	wscript.exe	cmd.exe
PID 1136 wrote to memory of 544	1136	wscript.exe	cmd.exe
PID 1136 wrote to memory of 544	1136	wscript.exe	cmd.exe
PID 1136 wrote to memory of 544	1136	wscript.exe	cmd.exe
PID 1348 wrote to memory of 1808	1348	8c907dfac7b88b74f60ed80c6acc916d94caa5ab36aac4db4597f215483afe05.exe	tmp.exe
PID 1348 wrote to memory of 1808	1348	8c907dfac7b88b74f60ed80c6acc916d94caa5ab36aac4db4597f215483afe05.exe	tmp.exe
PID 1348 wrote to memory of 1808	1348	8c907dfac7b88b74f60ed80c6acc916d94caa5ab36aac4db4597f215483afe05.exe	tmp.exe
PID 1348 wrote to memory of 1808	1348	8c907dfac7b88b74f60ed80c6acc916d94caa5ab36aac4db4597f215483afe05.exe	tmp.exe
PID 1348 wrote to memory of 1980	1348	8c907dfac7b88b74f60ed80c6acc916d94caa5ab36aac4db4597f215483afe05.exe	notepad .exe
PID 1348 wrote to memory of 1980	1348	8c907dfac7b88b74f60ed80c6acc916d94caa5ab36aac4db4597f215483afe05.exe	notepad .exe
PID 1348 wrote to memory of 1980	1348	8c907dfac7b88b74f60ed80c6acc916d94caa5ab36aac4db4597f215483afe05.exe	notepad .exe
PID 1348 wrote to memory of 1980	1348	8c907dfac7b88b74f60ed80c6acc916d94caa5ab36aac4db4597f215483afe05.exe	notepad .exe
PID 1348 wrote to memory of 1980	1348	8c907dfac7b88b74f60ed80c6acc916d94caa5ab36aac4db4597f215483afe05.exe	notepad .exe
PID 1348 wrote to memory of 1980	1348	8c907dfac7b88b74f60ed80c6acc916d94caa5ab36aac4db4597f215483afe05.exe	notepad .exe
PID 1348 wrote to memory of 1980	1348	8c907dfac7b88b74f60ed80c6acc916d94caa5ab36aac4db4597f215483afe05.exe	notepad .exe
PID 1348 wrote to memory of 1980	1348	8c907dfac7b88b74f60ed80c6acc916d94caa5ab36aac4db4597f215483afe05.exe	notepad .exe
PID 1348 wrote to memory of 1980	1348	8c907dfac7b88b74f60ed80c6acc916d94caa5ab36aac4db4597f215483afe05.exe	notepad .exe

C:\Users\Admin\AppData\Local\Temp\8c907dfac7b88b74f60ed80c6acc916d94caa5ab36aac4db4597f215483afe05.exe
"C:\Users\Admin\AppData\Local\Temp\8c907dfac7b88b74f60ed80c6acc916d94caa5ab36aac4db4597f215483afe05.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1348

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\\mata.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\SysWOW64\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\invs.vbs" "C:\Users\Admin\AppData\Local\Temp\mata2.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:1136

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\mata2.bat" "
4⤵
PID:544

C:\Users\Admin\AppData\Local\Temp\notepad .exe
"C:\Users\Admin\AppData\Local\Temp\notepad .exe"
2⤵
- Executes dropped EXE
PID:1980

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
2⤵
- Executes dropped EXE
PID:1808

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\.Identifier
Filesize
64B

MD5
1ef2153e3654852777f9ccd9dff9340d

SHA1
e77b0f1fa343f4f637d15851b6b2d556c7ff8b01

SHA256
294867545131419cb37e86198e47594dc23627ba2b0c243810413967636e9f67

SHA512
5e73d0bb26a2da107dbae68955ab6068d59c9b8618661ddbe2b34b3d2c89cc7f6ea32af4919a6c1ba51f24a03d0fb95c63d7c8161469d3262b0234520501b4ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.exe
Filesize
558KB

MD5
84c23174883bfc6185c61eb1106e4d2e

SHA1
59df87cd5af71f76db82d384379db01f56adc96c

SHA256
8c907dfac7b88b74f60ed80c6acc916d94caa5ab36aac4db4597f215483afe05

SHA512
601efcaa36ae9a1a08bbb964057d8911306e34a2c7a0d7dda0914d0bd725cd4e8b1b32e5c88fe6011d70363088f3a26763c42b18a326b36788c66a5545bd6a92

Download Submit
C:\Users\Admin\AppData\Local\Temp\invs.vbs
Filesize
78B

MD5
c578d9653b22800c3eb6b6a51219bbb8

SHA1
a97aa251901bbe179a48dbc7a0c1872e163b1f2d

SHA256
20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2

SHA512
3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\mata.bat
Filesize
47B

MD5
58c538a6ae20a3c6031217903cdf8e5d

SHA1
399fd50eadf4945b665877facfc4f53d16e18b1e

SHA256
6bcc0e04d9bc32209d90a65c320dc6363e523dd94b38b17bcdc5b980b6405f53

SHA512
c01828a5390fec3443e19d317137ae873de77c7737db7802650430e6a0a1edbd3aabe362903243b372536418fbd8482c2a6efd122d853744a41ade567956c359

Download Submit
C:\Users\Admin\AppData\Local\Temp\mata2.bat
Filesize
47B

MD5
095b2908ae8b2e0e3704c0163f26e283

SHA1
3429b6c1421d448c98c1da9625badcea2484a521

SHA256
22b182644ab28f5e9e17b5a03ba404d09b02da367146b80484584adc842a3ed1

SHA512
e22e379b4f0d8e11fa7c29c3297a3e24a533fb08895d18e9bb27e8cab84da1dd52ff437aca90c5c32a9bdb578b3c1bfb3ff42d3bc2c5951ffeb5941c8286c731

Download Submit
C:\Users\Admin\AppData\Local\Temp\notepad .exe
Filesize
52KB

MD5
278edbd499374bf73621f8c1f969d894

SHA1
a81170af14747781c5f5f51bb1215893136f0bc0

SHA256
c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391

SHA512
93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\rundll11-.txt
Filesize
558KB

MD5
84c23174883bfc6185c61eb1106e4d2e

SHA1
59df87cd5af71f76db82d384379db01f56adc96c

SHA256
8c907dfac7b88b74f60ed80c6acc916d94caa5ab36aac4db4597f215483afe05

SHA512
601efcaa36ae9a1a08bbb964057d8911306e34a2c7a0d7dda0914d0bd725cd4e8b1b32e5c88fe6011d70363088f3a26763c42b18a326b36788c66a5545bd6a92

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.exe
Filesize
68KB

MD5
d4879fb623ae695fbb0db7917e36778a

SHA1
98aac1553a2362a112df26fec7239d7c4656655d

SHA256
0fca46b7d77046cb9bf84271f8ea678f8f950bc7ebc81ac7e2c5afd3e96f41c3

SHA512
4f129dc31548a05889e2e124f9885a59895c56b8ccef5ad9ad28084f690b657efaa667504cb0e4495fac83a13c76f836404e6178be4e539737013b5b71a79e78

Download Submit
\Users\Admin\AppData\Local\Temp\notepad .exe
Filesize
52KB

MD5
278edbd499374bf73621f8c1f969d894

SHA1
a81170af14747781c5f5f51bb1215893136f0bc0

SHA256
c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391

SHA512
93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9

Download Submit
\Users\Admin\AppData\Local\Temp\tmp.exe
Filesize
68KB

MD5
d4879fb623ae695fbb0db7917e36778a

SHA1
98aac1553a2362a112df26fec7239d7c4656655d

SHA256
0fca46b7d77046cb9bf84271f8ea678f8f950bc7ebc81ac7e2c5afd3e96f41c3

SHA512
4f129dc31548a05889e2e124f9885a59895c56b8ccef5ad9ad28084f690b657efaa667504cb0e4495fac83a13c76f836404e6178be4e539737013b5b71a79e78

Download Submit
\Users\Admin\AppData\Local\Temp\tmp.exe
Filesize
68KB

MD5
d4879fb623ae695fbb0db7917e36778a

SHA1
98aac1553a2362a112df26fec7239d7c4656655d

SHA256
0fca46b7d77046cb9bf84271f8ea678f8f950bc7ebc81ac7e2c5afd3e96f41c3

SHA512
4f129dc31548a05889e2e124f9885a59895c56b8ccef5ad9ad28084f690b657efaa667504cb0e4495fac83a13c76f836404e6178be4e539737013b5b71a79e78

Download Submit
memory/544-62-0x0000000000000000-mapping.dmp

Download
memory/1136-58-0x0000000000000000-mapping.dmp

Download
memory/1348-77-0x0000000074500000-0x0000000074AAB000-memory.dmp

Filesize
5.7MB

Download
memory/1348-86-0x0000000074500000-0x0000000074AAB000-memory.dmp

Filesize
5.7MB

Download
memory/1348-55-0x0000000074500000-0x0000000074AAB000-memory.dmp

Filesize
5.7MB

Download
memory/1348-54-0x0000000075601000-0x0000000075603000-memory.dmp

Filesize
8KB

Download
memory/1808-65-0x0000000000000000-mapping.dmp

Download
memory/1980-76-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1980-70-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1980-75-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1980-78-0x0000000000401F8F-mapping.dmp

Download
memory/1980-82-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1980-84-0x0000000000401000-0x0000000000410000-memory.dmp

Filesize
60KB

Download
memory/1980-73-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1980-71-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2032-56-0x0000000000000000-mapping.dmp

Download