netwire | 2ada082e83bf395790bdfe83564d7bdc711de7b66a3d3615f85d6217701d7c7b

General

Target

2ada082e83bf395790bdfe83564d7bdc711de7b66a3d3615f85d6217701d7c7b.exe
Size

337KB
MD5

729d5a1609fe981f93cfdd4f938dbbae
SHA1

6954cdfca61258328b80b670e2099beb8e768ef7
SHA256

2ada082e83bf395790bdfe83564d7bdc711de7b66a3d3615f85d6217701d7c7b
SHA512

56647a30a1739f34ee8364b5636945c3a881a280b045128dc60dbebe6a66ca53231ec1465dba7249a7a04aca64df7df1bc260897a27730cba85d9f3c1f6b8264
SSDEEP

6144:sIm+KvQEgWF18i6a3IkfcU9HRuaNjwyDJ:sdYD5ex8a3

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Signatures

NetWire RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1916-73-0x0000000000400000-0x0000000000417000-memory.dmp	netwire
behavioral1/memory/108-95-0x0000000000400000-0x0000000000417000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

WUDHost.exeAcctres.exe

pid process

2000 WUDHost.exe
1652 Acctres.exe
Loads dropped DLL 2 IoCs

Processes:

2ada082e83bf395790bdfe83564d7bdc711de7b66a3d3615f85d6217701d7c7b.exeWUDHost.exe

pid process

908 2ada082e83bf395790bdfe83564d7bdc711de7b66a3d3615f85d6217701d7c7b.exe
2000 WUDHost.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
2000	WUDHost.exe
1652	Acctres.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WUDHost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Boot File Servicing Utility = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\WUDHost.exe"	WUDHost.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

2ada082e83bf395790bdfe83564d7bdc711de7b66a3d3615f85d6217701d7c7b.exeAcctres.exe

description	pid	process	target process
PID 908 set thread context of 1916	908	2ada082e83bf395790bdfe83564d7bdc711de7b66a3d3615f85d6217701d7c7b.exe	vbc.exe
PID 1652 set thread context of 108	1652	Acctres.exe	vbc.exe

Drops file in Windows directory 2 IoCs

Processes:

vbc.exevbc.exe

description	ioc	process
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\.Identifier	vbc.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\.Identifier	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2ada082e83bf395790bdfe83564d7bdc711de7b66a3d3615f85d6217701d7c7b.exeWUDHost.exe

pid	process
908	2ada082e83bf395790bdfe83564d7bdc711de7b66a3d3615f85d6217701d7c7b.exe
908	2ada082e83bf395790bdfe83564d7bdc711de7b66a3d3615f85d6217701d7c7b.exe
908	2ada082e83bf395790bdfe83564d7bdc711de7b66a3d3615f85d6217701d7c7b.exe
908	2ada082e83bf395790bdfe83564d7bdc711de7b66a3d3615f85d6217701d7c7b.exe
908	2ada082e83bf395790bdfe83564d7bdc711de7b66a3d3615f85d6217701d7c7b.exe
908	2ada082e83bf395790bdfe83564d7bdc711de7b66a3d3615f85d6217701d7c7b.exe
908	2ada082e83bf395790bdfe83564d7bdc711de7b66a3d3615f85d6217701d7c7b.exe
908	2ada082e83bf395790bdfe83564d7bdc711de7b66a3d3615f85d6217701d7c7b.exe
908	2ada082e83bf395790bdfe83564d7bdc711de7b66a3d3615f85d6217701d7c7b.exe
908	2ada082e83bf395790bdfe83564d7bdc711de7b66a3d3615f85d6217701d7c7b.exe
908	2ada082e83bf395790bdfe83564d7bdc711de7b66a3d3615f85d6217701d7c7b.exe
908	2ada082e83bf395790bdfe83564d7bdc711de7b66a3d3615f85d6217701d7c7b.exe
908	2ada082e83bf395790bdfe83564d7bdc711de7b66a3d3615f85d6217701d7c7b.exe
908	2ada082e83bf395790bdfe83564d7bdc711de7b66a3d3615f85d6217701d7c7b.exe
908	2ada082e83bf395790bdfe83564d7bdc711de7b66a3d3615f85d6217701d7c7b.exe
908	2ada082e83bf395790bdfe83564d7bdc711de7b66a3d3615f85d6217701d7c7b.exe
908	2ada082e83bf395790bdfe83564d7bdc711de7b66a3d3615f85d6217701d7c7b.exe
908	2ada082e83bf395790bdfe83564d7bdc711de7b66a3d3615f85d6217701d7c7b.exe
908	2ada082e83bf395790bdfe83564d7bdc711de7b66a3d3615f85d6217701d7c7b.exe
908	2ada082e83bf395790bdfe83564d7bdc711de7b66a3d3615f85d6217701d7c7b.exe
908	2ada082e83bf395790bdfe83564d7bdc711de7b66a3d3615f85d6217701d7c7b.exe
908	2ada082e83bf395790bdfe83564d7bdc711de7b66a3d3615f85d6217701d7c7b.exe
908	2ada082e83bf395790bdfe83564d7bdc711de7b66a3d3615f85d6217701d7c7b.exe
908	2ada082e83bf395790bdfe83564d7bdc711de7b66a3d3615f85d6217701d7c7b.exe
2000	WUDHost.exe
908	2ada082e83bf395790bdfe83564d7bdc711de7b66a3d3615f85d6217701d7c7b.exe
908	2ada082e83bf395790bdfe83564d7bdc711de7b66a3d3615f85d6217701d7c7b.exe
2000	WUDHost.exe
908	2ada082e83bf395790bdfe83564d7bdc711de7b66a3d3615f85d6217701d7c7b.exe
908	2ada082e83bf395790bdfe83564d7bdc711de7b66a3d3615f85d6217701d7c7b.exe
2000	WUDHost.exe
908	2ada082e83bf395790bdfe83564d7bdc711de7b66a3d3615f85d6217701d7c7b.exe
908	2ada082e83bf395790bdfe83564d7bdc711de7b66a3d3615f85d6217701d7c7b.exe
2000	WUDHost.exe
908	2ada082e83bf395790bdfe83564d7bdc711de7b66a3d3615f85d6217701d7c7b.exe
908	2ada082e83bf395790bdfe83564d7bdc711de7b66a3d3615f85d6217701d7c7b.exe
2000	WUDHost.exe
908	2ada082e83bf395790bdfe83564d7bdc711de7b66a3d3615f85d6217701d7c7b.exe
908	2ada082e83bf395790bdfe83564d7bdc711de7b66a3d3615f85d6217701d7c7b.exe
2000	WUDHost.exe
908	2ada082e83bf395790bdfe83564d7bdc711de7b66a3d3615f85d6217701d7c7b.exe
908	2ada082e83bf395790bdfe83564d7bdc711de7b66a3d3615f85d6217701d7c7b.exe
2000	WUDHost.exe
908	2ada082e83bf395790bdfe83564d7bdc711de7b66a3d3615f85d6217701d7c7b.exe
908	2ada082e83bf395790bdfe83564d7bdc711de7b66a3d3615f85d6217701d7c7b.exe
2000	WUDHost.exe
908	2ada082e83bf395790bdfe83564d7bdc711de7b66a3d3615f85d6217701d7c7b.exe
908	2ada082e83bf395790bdfe83564d7bdc711de7b66a3d3615f85d6217701d7c7b.exe
2000	WUDHost.exe
908	2ada082e83bf395790bdfe83564d7bdc711de7b66a3d3615f85d6217701d7c7b.exe
908	2ada082e83bf395790bdfe83564d7bdc711de7b66a3d3615f85d6217701d7c7b.exe
2000	WUDHost.exe
908	2ada082e83bf395790bdfe83564d7bdc711de7b66a3d3615f85d6217701d7c7b.exe
908	2ada082e83bf395790bdfe83564d7bdc711de7b66a3d3615f85d6217701d7c7b.exe
2000	WUDHost.exe
908	2ada082e83bf395790bdfe83564d7bdc711de7b66a3d3615f85d6217701d7c7b.exe
908	2ada082e83bf395790bdfe83564d7bdc711de7b66a3d3615f85d6217701d7c7b.exe
2000	WUDHost.exe
908	2ada082e83bf395790bdfe83564d7bdc711de7b66a3d3615f85d6217701d7c7b.exe
908	2ada082e83bf395790bdfe83564d7bdc711de7b66a3d3615f85d6217701d7c7b.exe
2000	WUDHost.exe
908	2ada082e83bf395790bdfe83564d7bdc711de7b66a3d3615f85d6217701d7c7b.exe
908	2ada082e83bf395790bdfe83564d7bdc711de7b66a3d3615f85d6217701d7c7b.exe
2000	WUDHost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

2ada082e83bf395790bdfe83564d7bdc711de7b66a3d3615f85d6217701d7c7b.exeWUDHost.exeAcctres.exe

description	pid	process
Token: SeDebugPrivilege	908	2ada082e83bf395790bdfe83564d7bdc711de7b66a3d3615f85d6217701d7c7b.exe
Token: SeDebugPrivilege	2000	WUDHost.exe
Token: SeDebugPrivilege	1652	Acctres.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

2ada082e83bf395790bdfe83564d7bdc711de7b66a3d3615f85d6217701d7c7b.exeWUDHost.exeAcctres.exe

description	pid	process	target process
PID 908 wrote to memory of 1916	908	2ada082e83bf395790bdfe83564d7bdc711de7b66a3d3615f85d6217701d7c7b.exe	vbc.exe
PID 908 wrote to memory of 1916	908	2ada082e83bf395790bdfe83564d7bdc711de7b66a3d3615f85d6217701d7c7b.exe	vbc.exe
PID 908 wrote to memory of 1916	908	2ada082e83bf395790bdfe83564d7bdc711de7b66a3d3615f85d6217701d7c7b.exe	vbc.exe
PID 908 wrote to memory of 1916	908	2ada082e83bf395790bdfe83564d7bdc711de7b66a3d3615f85d6217701d7c7b.exe	vbc.exe
PID 908 wrote to memory of 1916	908	2ada082e83bf395790bdfe83564d7bdc711de7b66a3d3615f85d6217701d7c7b.exe	vbc.exe
PID 908 wrote to memory of 1916	908	2ada082e83bf395790bdfe83564d7bdc711de7b66a3d3615f85d6217701d7c7b.exe	vbc.exe
PID 908 wrote to memory of 1916	908	2ada082e83bf395790bdfe83564d7bdc711de7b66a3d3615f85d6217701d7c7b.exe	vbc.exe
PID 908 wrote to memory of 1916	908	2ada082e83bf395790bdfe83564d7bdc711de7b66a3d3615f85d6217701d7c7b.exe	vbc.exe
PID 908 wrote to memory of 1916	908	2ada082e83bf395790bdfe83564d7bdc711de7b66a3d3615f85d6217701d7c7b.exe	vbc.exe
PID 908 wrote to memory of 2000	908	2ada082e83bf395790bdfe83564d7bdc711de7b66a3d3615f85d6217701d7c7b.exe	WUDHost.exe
PID 908 wrote to memory of 2000	908	2ada082e83bf395790bdfe83564d7bdc711de7b66a3d3615f85d6217701d7c7b.exe	WUDHost.exe
PID 908 wrote to memory of 2000	908	2ada082e83bf395790bdfe83564d7bdc711de7b66a3d3615f85d6217701d7c7b.exe	WUDHost.exe
PID 908 wrote to memory of 2000	908	2ada082e83bf395790bdfe83564d7bdc711de7b66a3d3615f85d6217701d7c7b.exe	WUDHost.exe
PID 2000 wrote to memory of 1652	2000	WUDHost.exe	Acctres.exe
PID 2000 wrote to memory of 1652	2000	WUDHost.exe	Acctres.exe
PID 2000 wrote to memory of 1652	2000	WUDHost.exe	Acctres.exe
PID 2000 wrote to memory of 1652	2000	WUDHost.exe	Acctres.exe
PID 1652 wrote to memory of 108	1652	Acctres.exe	vbc.exe
PID 1652 wrote to memory of 108	1652	Acctres.exe	vbc.exe
PID 1652 wrote to memory of 108	1652	Acctres.exe	vbc.exe
PID 1652 wrote to memory of 108	1652	Acctres.exe	vbc.exe
PID 1652 wrote to memory of 108	1652	Acctres.exe	vbc.exe
PID 1652 wrote to memory of 108	1652	Acctres.exe	vbc.exe
PID 1652 wrote to memory of 108	1652	Acctres.exe	vbc.exe
PID 1652 wrote to memory of 108	1652	Acctres.exe	vbc.exe
PID 1652 wrote to memory of 108	1652	Acctres.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\2ada082e83bf395790bdfe83564d7bdc711de7b66a3d3615f85d6217701d7c7b.exe
"C:\Users\Admin\AppData\Local\Temp\2ada082e83bf395790bdfe83564d7bdc711de7b66a3d3615f85d6217701d7c7b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:908
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
  2⤵
  - Drops file in Windows directory
  PID:1916
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2000
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1652
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      Drops file in Windows directory
      PID:108

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe

Filesize
337KB

MD5
729d5a1609fe981f93cfdd4f938dbbae

SHA1
6954cdfca61258328b80b670e2099beb8e768ef7

SHA256
2ada082e83bf395790bdfe83564d7bdc711de7b66a3d3615f85d6217701d7c7b

SHA512
56647a30a1739f34ee8364b5636945c3a881a280b045128dc60dbebe6a66ca53231ec1465dba7249a7a04aca64df7df1bc260897a27730cba85d9f3c1f6b8264

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe

Filesize
337KB

MD5
729d5a1609fe981f93cfdd4f938dbbae

SHA1
6954cdfca61258328b80b670e2099beb8e768ef7

SHA256
2ada082e83bf395790bdfe83564d7bdc711de7b66a3d3615f85d6217701d7c7b

SHA512
56647a30a1739f34ee8364b5636945c3a881a280b045128dc60dbebe6a66ca53231ec1465dba7249a7a04aca64df7df1bc260897a27730cba85d9f3c1f6b8264

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe

Filesize
14KB

MD5
06ae42860eae9cb866f7ff532e15c9af

SHA1
2b489da234f0d3d43fb30aa83511a9d776b46162

SHA256
8eadee20698ab1465c76355c6f17eaaa9099d7f816f03ed1cbd8c28684564990

SHA512
16c91a6b9ceb4168e5ebf60b624bab8bfeec0cf34ee1f2908195542fc95374fb45e93a6a0b79de26598647ea342d0a414a80987fe588c92d106e234381dea2fa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe

Filesize
14KB

MD5
06ae42860eae9cb866f7ff532e15c9af

SHA1
2b489da234f0d3d43fb30aa83511a9d776b46162

SHA256
8eadee20698ab1465c76355c6f17eaaa9099d7f816f03ed1cbd8c28684564990

SHA512
16c91a6b9ceb4168e5ebf60b624bab8bfeec0cf34ee1f2908195542fc95374fb45e93a6a0b79de26598647ea342d0a414a80987fe588c92d106e234381dea2fa

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\.Identifier

Filesize
64B

MD5
23a76a6dc52f1855b8322f1853a5d327

SHA1
a0dbba06832fbf78af6faa30f39afe876636ff0f

SHA256
dbd79bf249301a1bc9d3d9639eedda1ed07a4901b6c73edaf5afc248dde62ccd

SHA512
5fbd3fece60f591f193695ecd2c06bb1bf2f742e67f9ab09a8ebf6a7befc0e4757a876b542c6fdd12b991cc6c2af44bf0ec26f9ee589d54edff4ca94e50a2600

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe

Filesize
337KB

MD5
729d5a1609fe981f93cfdd4f938dbbae

SHA1
6954cdfca61258328b80b670e2099beb8e768ef7

SHA256
2ada082e83bf395790bdfe83564d7bdc711de7b66a3d3615f85d6217701d7c7b

SHA512
56647a30a1739f34ee8364b5636945c3a881a280b045128dc60dbebe6a66ca53231ec1465dba7249a7a04aca64df7df1bc260897a27730cba85d9f3c1f6b8264

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe

Filesize
14KB

MD5
06ae42860eae9cb866f7ff532e15c9af

SHA1
2b489da234f0d3d43fb30aa83511a9d776b46162

SHA256
8eadee20698ab1465c76355c6f17eaaa9099d7f816f03ed1cbd8c28684564990

SHA512
16c91a6b9ceb4168e5ebf60b624bab8bfeec0cf34ee1f2908195542fc95374fb45e93a6a0b79de26598647ea342d0a414a80987fe588c92d106e234381dea2fa

Download Submit
memory/108-90-0x0000000000401F8F-mapping.dmp

Download
memory/108-95-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/908-56-0x0000000073FA0000-0x000000007454B000-memory.dmp

Filesize
5.7MB

Download
memory/908-54-0x0000000075131000-0x0000000075133000-memory.dmp

Filesize
8KB

Download
memory/908-55-0x0000000073FA0000-0x000000007454B000-memory.dmp

Filesize
5.7MB

Download
memory/1652-78-0x0000000000000000-mapping.dmp

Download
memory/1652-82-0x0000000073FA0000-0x000000007454B000-memory.dmp

Filesize
5.7MB

Download
memory/1652-81-0x0000000073FA0000-0x000000007454B000-memory.dmp

Filesize
5.7MB

Download
memory/1916-57-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1916-73-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1916-62-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1916-67-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1916-63-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1916-64-0x0000000000401F8F-mapping.dmp

Download
memory/1916-60-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1916-58-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2000-74-0x0000000073FA0000-0x000000007454B000-memory.dmp

Filesize
5.7MB

Download
memory/2000-75-0x0000000073FA0000-0x000000007454B000-memory.dmp

Filesize
5.7MB

Download
memory/2000-69-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads