netwire | 17c7284c36afc584e97304bcc919260d74bc51427e41b594f2c31ffe4abd6a43

Analysis

max time kernel
147s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 14:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

17c7284c36afc584e97304bcc919260d74bc51427e41b594f2c31ffe4abd6a43.exe
Size

559KB
MD5

bf6fee94cfb3d3074f9b5610c92c8736
SHA1

275d6c72eaf3ff795d9c9ce0d8589529117dc3da
SHA256

17c7284c36afc584e97304bcc919260d74bc51427e41b594f2c31ffe4abd6a43
SHA512

db15afafc57b654d3ec119ee6b509ddee62d31cea74cd5ae9ce8811e16f7e3e65571b975d55013311bfc7cd4a3b1dd6e479710275553b119fc8082cbd74810d5
SSDEEP

6144:rFhmxTB7drI/7gkzKTr6gQu4ZGhp2y8A/f5c/m6bBApevftP89:vKv6gQu4Aph5QlipeHw

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

17c7284c36afc584e97304bcc919260d74bc51427e41b594f2c31ffe4abd6a43.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\file.exe"	17c7284c36afc584e97304bcc919260d74bc51427e41b594f2c31ffe4abd6a43.exe

NetWire RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1512-84-0x0000000000400000-0x0000000000417000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

tmp.exenotepad .exe

pid process

1652 tmp.exe
1512 notepad .exe

pid	process
1652	tmp.exe
1512	notepad .exe

Loads dropped DLL 3 IoCs

Processes:

17c7284c36afc584e97304bcc919260d74bc51427e41b594f2c31ffe4abd6a43.exe

pid	process
1064	17c7284c36afc584e97304bcc919260d74bc51427e41b594f2c31ffe4abd6a43.exe
1064	17c7284c36afc584e97304bcc919260d74bc51427e41b594f2c31ffe4abd6a43.exe
1064	17c7284c36afc584e97304bcc919260d74bc51427e41b594f2c31ffe4abd6a43.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

17c7284c36afc584e97304bcc919260d74bc51427e41b594f2c31ffe4abd6a43.exe

description	pid	process	target process
PID 1064 set thread context of 1512	1064	17c7284c36afc584e97304bcc919260d74bc51427e41b594f2c31ffe4abd6a43.exe	notepad .exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

17c7284c36afc584e97304bcc919260d74bc51427e41b594f2c31ffe4abd6a43.exe

pid	process
1064	17c7284c36afc584e97304bcc919260d74bc51427e41b594f2c31ffe4abd6a43.exe
1064	17c7284c36afc584e97304bcc919260d74bc51427e41b594f2c31ffe4abd6a43.exe
1064	17c7284c36afc584e97304bcc919260d74bc51427e41b594f2c31ffe4abd6a43.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

17c7284c36afc584e97304bcc919260d74bc51427e41b594f2c31ffe4abd6a43.exe

description pid process

Token: SeDebugPrivilege 1064 17c7284c36afc584e97304bcc919260d74bc51427e41b594f2c31ffe4abd6a43.exe

description	pid	process
Token: SeDebugPrivilege	1064	17c7284c36afc584e97304bcc919260d74bc51427e41b594f2c31ffe4abd6a43.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

17c7284c36afc584e97304bcc919260d74bc51427e41b594f2c31ffe4abd6a43.execmd.exewscript.exe

description	pid	process	target process
PID 1064 wrote to memory of 936	1064	17c7284c36afc584e97304bcc919260d74bc51427e41b594f2c31ffe4abd6a43.exe	cmd.exe
PID 1064 wrote to memory of 936	1064	17c7284c36afc584e97304bcc919260d74bc51427e41b594f2c31ffe4abd6a43.exe	cmd.exe
PID 1064 wrote to memory of 936	1064	17c7284c36afc584e97304bcc919260d74bc51427e41b594f2c31ffe4abd6a43.exe	cmd.exe
PID 1064 wrote to memory of 936	1064	17c7284c36afc584e97304bcc919260d74bc51427e41b594f2c31ffe4abd6a43.exe	cmd.exe
PID 936 wrote to memory of 1640	936	cmd.exe	wscript.exe
PID 936 wrote to memory of 1640	936	cmd.exe	wscript.exe
PID 936 wrote to memory of 1640	936	cmd.exe	wscript.exe
PID 936 wrote to memory of 1640	936	cmd.exe	wscript.exe
PID 1064 wrote to memory of 1652	1064	17c7284c36afc584e97304bcc919260d74bc51427e41b594f2c31ffe4abd6a43.exe	tmp.exe
PID 1640 wrote to memory of 432	1640	wscript.exe	cmd.exe
PID 1640 wrote to memory of 432	1640	wscript.exe	cmd.exe
PID 1640 wrote to memory of 432	1640	wscript.exe	cmd.exe
PID 1640 wrote to memory of 432	1640	wscript.exe	cmd.exe
PID 1064 wrote to memory of 1652	1064	17c7284c36afc584e97304bcc919260d74bc51427e41b594f2c31ffe4abd6a43.exe	tmp.exe
PID 1064 wrote to memory of 1652	1064	17c7284c36afc584e97304bcc919260d74bc51427e41b594f2c31ffe4abd6a43.exe	tmp.exe
PID 1064 wrote to memory of 1652	1064	17c7284c36afc584e97304bcc919260d74bc51427e41b594f2c31ffe4abd6a43.exe	tmp.exe
PID 1064 wrote to memory of 1512	1064	17c7284c36afc584e97304bcc919260d74bc51427e41b594f2c31ffe4abd6a43.exe	notepad .exe
PID 1064 wrote to memory of 1512	1064	17c7284c36afc584e97304bcc919260d74bc51427e41b594f2c31ffe4abd6a43.exe	notepad .exe
PID 1064 wrote to memory of 1512	1064	17c7284c36afc584e97304bcc919260d74bc51427e41b594f2c31ffe4abd6a43.exe	notepad .exe
PID 1064 wrote to memory of 1512	1064	17c7284c36afc584e97304bcc919260d74bc51427e41b594f2c31ffe4abd6a43.exe	notepad .exe
PID 1064 wrote to memory of 1512	1064	17c7284c36afc584e97304bcc919260d74bc51427e41b594f2c31ffe4abd6a43.exe	notepad .exe
PID 1064 wrote to memory of 1512	1064	17c7284c36afc584e97304bcc919260d74bc51427e41b594f2c31ffe4abd6a43.exe	notepad .exe
PID 1064 wrote to memory of 1512	1064	17c7284c36afc584e97304bcc919260d74bc51427e41b594f2c31ffe4abd6a43.exe	notepad .exe
PID 1064 wrote to memory of 1512	1064	17c7284c36afc584e97304bcc919260d74bc51427e41b594f2c31ffe4abd6a43.exe	notepad .exe
PID 1064 wrote to memory of 1512	1064	17c7284c36afc584e97304bcc919260d74bc51427e41b594f2c31ffe4abd6a43.exe	notepad .exe

C:\Users\Admin\AppData\Local\Temp\17c7284c36afc584e97304bcc919260d74bc51427e41b594f2c31ffe4abd6a43.exe
"C:\Users\Admin\AppData\Local\Temp\17c7284c36afc584e97304bcc919260d74bc51427e41b594f2c31ffe4abd6a43.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1064

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\\mata.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:936

C:\Windows\SysWOW64\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\invs.vbs" "C:\Users\Admin\AppData\Local\Temp\mata2.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:1640

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\mata2.bat" "
4⤵
PID:432

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
2⤵
- Executes dropped EXE
PID:1652

C:\Users\Admin\AppData\Local\Temp\notepad .exe
"C:\Users\Admin\AppData\Local\Temp\notepad .exe"
2⤵
- Executes dropped EXE
PID:1512

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\.Identifier
Filesize
64B

MD5
fdba9bec86617efdcc82ad0e57d9e01b

SHA1
cef4978f59c1753e379249a01d6b82f96aaccb1a

SHA256
74dd2599ceb62548d8452fa02c2a217d085cc2341eb88cecfb0477d08cee8932

SHA512
6790590f13d59a0e94e03b2860650d37de00ba61dd87b937afda9987f10375e49ece70ddcc190b03a7ac0f762518add949589730c3411fdd622bebaf34fd004e

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.exe
Filesize
559KB

MD5
bf6fee94cfb3d3074f9b5610c92c8736

SHA1
275d6c72eaf3ff795d9c9ce0d8589529117dc3da

SHA256
17c7284c36afc584e97304bcc919260d74bc51427e41b594f2c31ffe4abd6a43

SHA512
db15afafc57b654d3ec119ee6b509ddee62d31cea74cd5ae9ce8811e16f7e3e65571b975d55013311bfc7cd4a3b1dd6e479710275553b119fc8082cbd74810d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\invs.vbs
Filesize
78B

MD5
c578d9653b22800c3eb6b6a51219bbb8

SHA1
a97aa251901bbe179a48dbc7a0c1872e163b1f2d

SHA256
20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2

SHA512
3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\mata.bat
Filesize
47B

MD5
58c538a6ae20a3c6031217903cdf8e5d

SHA1
399fd50eadf4945b665877facfc4f53d16e18b1e

SHA256
6bcc0e04d9bc32209d90a65c320dc6363e523dd94b38b17bcdc5b980b6405f53

SHA512
c01828a5390fec3443e19d317137ae873de77c7737db7802650430e6a0a1edbd3aabe362903243b372536418fbd8482c2a6efd122d853744a41ade567956c359

Download Submit
C:\Users\Admin\AppData\Local\Temp\mata2.bat
Filesize
47B

MD5
095b2908ae8b2e0e3704c0163f26e283

SHA1
3429b6c1421d448c98c1da9625badcea2484a521

SHA256
22b182644ab28f5e9e17b5a03ba404d09b02da367146b80484584adc842a3ed1

SHA512
e22e379b4f0d8e11fa7c29c3297a3e24a533fb08895d18e9bb27e8cab84da1dd52ff437aca90c5c32a9bdb578b3c1bfb3ff42d3bc2c5951ffeb5941c8286c731

Download Submit
C:\Users\Admin\AppData\Local\Temp\notepad .exe
Filesize
31KB

MD5
ed797d8dc2c92401985d162e42ffa450

SHA1
0f02fc517c7facc4baefde4fe9467fb6488ebabe

SHA256
b746362010a101cb5931bc066f0f4d3fc740c02a68c1f37fc3c8e6c87fd7cb1e

SHA512
e831a6ff987f3ef29982da16afad06938b68eddd43c234ba88d1c96a1b5547f2284baf35cbb3a5bfd75e7f0445d14daa014e0ba00b4db72c67f83f0a314c80c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\rundll11-.txt
Filesize
559KB

MD5
bf6fee94cfb3d3074f9b5610c92c8736

SHA1
275d6c72eaf3ff795d9c9ce0d8589529117dc3da

SHA256
17c7284c36afc584e97304bcc919260d74bc51427e41b594f2c31ffe4abd6a43

SHA512
db15afafc57b654d3ec119ee6b509ddee62d31cea74cd5ae9ce8811e16f7e3e65571b975d55013311bfc7cd4a3b1dd6e479710275553b119fc8082cbd74810d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.exe
Filesize
68KB

MD5
d4879fb623ae695fbb0db7917e36778a

SHA1
98aac1553a2362a112df26fec7239d7c4656655d

SHA256
0fca46b7d77046cb9bf84271f8ea678f8f950bc7ebc81ac7e2c5afd3e96f41c3

SHA512
4f129dc31548a05889e2e124f9885a59895c56b8ccef5ad9ad28084f690b657efaa667504cb0e4495fac83a13c76f836404e6178be4e539737013b5b71a79e78

Download Submit
\Users\Admin\AppData\Local\Temp\notepad .exe
Filesize
31KB

MD5
ed797d8dc2c92401985d162e42ffa450

SHA1
0f02fc517c7facc4baefde4fe9467fb6488ebabe

SHA256
b746362010a101cb5931bc066f0f4d3fc740c02a68c1f37fc3c8e6c87fd7cb1e

SHA512
e831a6ff987f3ef29982da16afad06938b68eddd43c234ba88d1c96a1b5547f2284baf35cbb3a5bfd75e7f0445d14daa014e0ba00b4db72c67f83f0a314c80c2

Download Submit
\Users\Admin\AppData\Local\Temp\tmp.exe
Filesize
68KB

MD5
d4879fb623ae695fbb0db7917e36778a

SHA1
98aac1553a2362a112df26fec7239d7c4656655d

SHA256
0fca46b7d77046cb9bf84271f8ea678f8f950bc7ebc81ac7e2c5afd3e96f41c3

SHA512
4f129dc31548a05889e2e124f9885a59895c56b8ccef5ad9ad28084f690b657efaa667504cb0e4495fac83a13c76f836404e6178be4e539737013b5b71a79e78

Download Submit
\Users\Admin\AppData\Local\Temp\tmp.exe
Filesize
68KB

MD5
d4879fb623ae695fbb0db7917e36778a

SHA1
98aac1553a2362a112df26fec7239d7c4656655d

SHA256
0fca46b7d77046cb9bf84271f8ea678f8f950bc7ebc81ac7e2c5afd3e96f41c3

SHA512
4f129dc31548a05889e2e124f9885a59895c56b8ccef5ad9ad28084f690b657efaa667504cb0e4495fac83a13c76f836404e6178be4e539737013b5b71a79e78

Download Submit
memory/432-64-0x0000000000000000-mapping.dmp

Download
memory/936-56-0x0000000000000000-mapping.dmp

Download
memory/1064-86-0x0000000074760000-0x0000000074D0B000-memory.dmp

Filesize
5.7MB

Download
memory/1064-54-0x0000000075BB1000-0x0000000075BB3000-memory.dmp

Filesize
8KB

Download
memory/1064-55-0x0000000074760000-0x0000000074D0B000-memory.dmp

Filesize
5.7MB

Download
memory/1064-77-0x0000000074760000-0x0000000074D0B000-memory.dmp

Filesize
5.7MB

Download
memory/1512-75-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1512-76-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1512-72-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1512-78-0x0000000000401F8F-mapping.dmp

Download
memory/1512-82-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1512-70-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1512-84-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1512-69-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1640-58-0x0000000000000000-mapping.dmp

Download
memory/1652-65-0x0000000000000000-mapping.dmp

Download