netwire | 915044c511cc81227acb26c559cc79eafdd65f28a99b6c73493b3ac80e739855

Analysis

max time kernel
344s
max time network
410s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 12:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

915044c511cc81227acb26c559cc79eafdd65f28a99b6c73493b3ac80e739855.exe
Size

131KB
MD5

57ff9ec083c9603c0251fe55595b8793
SHA1

8c3c7148559706e5523dae28d5852554042129b0
SHA256

915044c511cc81227acb26c559cc79eafdd65f28a99b6c73493b3ac80e739855
SHA512

63f50958bd0b82057b62a4315fb9309af082ee06992949c4967bafe83407d7fcc7097d8713b2656cc5ae13c6386ec671d2a424f73b03f883d182551cdaf2770f
SSDEEP

3072:cnF6XpaIxS1rAPXJlfWMzMeYhLjYchZzj6ocuxdlh8CKUm2/4v4c:cnvIxAS+MAeYhLjYchZ3rcMl5KUm2/4v

Score

10^/10

netwire botnet rat stealer

Malware Config

Signatures

NetWire RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3124-138-0x0000000000400000-0x0000000000417000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Loads dropped DLL 1 IoCs

Processes:

915044c511cc81227acb26c559cc79eafdd65f28a99b6c73493b3ac80e739855.exe

pid process

1196 915044c511cc81227acb26c559cc79eafdd65f28a99b6c73493b3ac80e739855.exe

pid	process
1196	915044c511cc81227acb26c559cc79eafdd65f28a99b6c73493b3ac80e739855.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

915044c511cc81227acb26c559cc79eafdd65f28a99b6c73493b3ac80e739855.exe

description	pid	process	target process
PID 1196 set thread context of 3124	1196	915044c511cc81227acb26c559cc79eafdd65f28a99b6c73493b3ac80e739855.exe	915044c511cc81227acb26c559cc79eafdd65f28a99b6c73493b3ac80e739855.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

915044c511cc81227acb26c559cc79eafdd65f28a99b6c73493b3ac80e739855.exe

description	pid	process	target process
PID 1196 wrote to memory of 3124	1196	915044c511cc81227acb26c559cc79eafdd65f28a99b6c73493b3ac80e739855.exe	915044c511cc81227acb26c559cc79eafdd65f28a99b6c73493b3ac80e739855.exe
PID 1196 wrote to memory of 3124	1196	915044c511cc81227acb26c559cc79eafdd65f28a99b6c73493b3ac80e739855.exe	915044c511cc81227acb26c559cc79eafdd65f28a99b6c73493b3ac80e739855.exe
PID 1196 wrote to memory of 3124	1196	915044c511cc81227acb26c559cc79eafdd65f28a99b6c73493b3ac80e739855.exe	915044c511cc81227acb26c559cc79eafdd65f28a99b6c73493b3ac80e739855.exe
PID 1196 wrote to memory of 3124	1196	915044c511cc81227acb26c559cc79eafdd65f28a99b6c73493b3ac80e739855.exe	915044c511cc81227acb26c559cc79eafdd65f28a99b6c73493b3ac80e739855.exe
PID 1196 wrote to memory of 3124	1196	915044c511cc81227acb26c559cc79eafdd65f28a99b6c73493b3ac80e739855.exe	915044c511cc81227acb26c559cc79eafdd65f28a99b6c73493b3ac80e739855.exe
PID 1196 wrote to memory of 3124	1196	915044c511cc81227acb26c559cc79eafdd65f28a99b6c73493b3ac80e739855.exe	915044c511cc81227acb26c559cc79eafdd65f28a99b6c73493b3ac80e739855.exe
PID 1196 wrote to memory of 3124	1196	915044c511cc81227acb26c559cc79eafdd65f28a99b6c73493b3ac80e739855.exe	915044c511cc81227acb26c559cc79eafdd65f28a99b6c73493b3ac80e739855.exe
PID 1196 wrote to memory of 3124	1196	915044c511cc81227acb26c559cc79eafdd65f28a99b6c73493b3ac80e739855.exe	915044c511cc81227acb26c559cc79eafdd65f28a99b6c73493b3ac80e739855.exe
PID 1196 wrote to memory of 3124	1196	915044c511cc81227acb26c559cc79eafdd65f28a99b6c73493b3ac80e739855.exe	915044c511cc81227acb26c559cc79eafdd65f28a99b6c73493b3ac80e739855.exe

C:\Users\Admin\AppData\Local\Temp\915044c511cc81227acb26c559cc79eafdd65f28a99b6c73493b3ac80e739855.exe
"C:\Users\Admin\AppData\Local\Temp\915044c511cc81227acb26c559cc79eafdd65f28a99b6c73493b3ac80e739855.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1196

C:\Users\Admin\AppData\Local\Temp\915044c511cc81227acb26c559cc79eafdd65f28a99b6c73493b3ac80e739855.exe
"C:\Users\Admin\AppData\Local\Temp\915044c511cc81227acb26c559cc79eafdd65f28a99b6c73493b3ac80e739855.exe"
2⤵
PID:3124

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsj25C6.tmp\paperers.dll
Filesize
56KB

MD5
cba27c45fd90779276f96a717de8a8d0

SHA1
89ac88cc471d5dbf6b9897435dbeeed29df5246f

SHA256
9940a5c28cd07e33b24692df50381acdce80574c5e288293981e7b399b2d1e07

SHA512
534bb3af058e89510aaea6f3ca4955e0d7b6dbaf1694fc3523ddba4a7845b7b461e711250957c9673c91a7b7e2e92450fbf0365bfb50202b357346cb8c102d95

Download Submit
memory/3124-133-0x0000000000000000-mapping.dmp

Download
memory/3124-134-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3124-136-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3124-138-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download