netwire | 6910f1b44a3e1b208f34f96df8e553d7b8bcfe1c75ebd0a4e0407eab3e5f8077

General

Target

6910f1b44a3e1b208f34f96df8e553d7b8bcfe1c75ebd0a4e0407eab3e5f8077.exe
Size

109KB
MD5

7d9ca5f5b423bb33bda60994f81c6716
SHA1

05bc6d26466acb6a9f0eebe7769a3f475dc0c325
SHA256

6910f1b44a3e1b208f34f96df8e553d7b8bcfe1c75ebd0a4e0407eab3e5f8077
SHA512

3fe410bb4e1b3c39633ac2365147c58921c291d0fb8cd85a5fd6cdd8626c5da594085ff6fe4cc2a8863fd0eb41cdc3b8fbf166860c8dca8d7f3de7c69cf626cd
SSDEEP

1536:/muKdaM4TIOyzdZJAISBcBcXUozNxJzcqZj1JJZ6uIS9ySP7oCtAevkw03qz+TB:ilIyjcXtNxJz3Zj1XcNScSDKeM3n

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Signatures

NetWire RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1888-72-0x0000000000400000-0x0000000000417000-memory.dmp	netwire
behavioral1/memory/1416-89-0x0000000000400000-0x0000000000417000-memory.dmp	netwire
behavioral1/memory/1416-90-0x0000000000400000-0x0000000000417000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

Host.exeHost.exe

pid process

1696 Host.exe
1416 Host.exe

pid	process
1696	Host.exe
1416	Host.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Host.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{MG231XXL-1AY5-J754-X6I0-U14N8361Y762}	Host.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{MG231XXL-1AY5-J754-X6I0-U14N8361Y762}\StubPath = "\"C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe\""	Host.exe

Loads dropped DLL 2 IoCs

Processes:

6910f1b44a3e1b208f34f96df8e553d7b8bcfe1c75ebd0a4e0407eab3e5f8077.exe

pid	process
1888	6910f1b44a3e1b208f34f96df8e553d7b8bcfe1c75ebd0a4e0407eab3e5f8077.exe
1888	6910f1b44a3e1b208f34f96df8e553d7b8bcfe1c75ebd0a4e0407eab3e5f8077.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Host.exeHost.exe6910f1b44a3e1b208f34f96df8e553d7b8bcfe1c75ebd0a4e0407eab3e5f8077.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\mSILlzCwXBSr = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\QJWuPD4.exe\""	Host.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	Host.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\NetWire = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe"	Host.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\mSILlzCwXBSr = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\QJWuPD4.exe\""	6910f1b44a3e1b208f34f96df8e553d7b8bcfe1c75ebd0a4e0407eab3e5f8077.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

6910f1b44a3e1b208f34f96df8e553d7b8bcfe1c75ebd0a4e0407eab3e5f8077.exeHost.exe

description	pid	process	target process
PID 1584 set thread context of 1888	1584	6910f1b44a3e1b208f34f96df8e553d7b8bcfe1c75ebd0a4e0407eab3e5f8077.exe	6910f1b44a3e1b208f34f96df8e553d7b8bcfe1c75ebd0a4e0407eab3e5f8077.exe
PID 1696 set thread context of 1416	1696	Host.exe	Host.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

6910f1b44a3e1b208f34f96df8e553d7b8bcfe1c75ebd0a4e0407eab3e5f8077.exeHost.exe

pid	process
1584	6910f1b44a3e1b208f34f96df8e553d7b8bcfe1c75ebd0a4e0407eab3e5f8077.exe
1584	6910f1b44a3e1b208f34f96df8e553d7b8bcfe1c75ebd0a4e0407eab3e5f8077.exe
1584	6910f1b44a3e1b208f34f96df8e553d7b8bcfe1c75ebd0a4e0407eab3e5f8077.exe
1584	6910f1b44a3e1b208f34f96df8e553d7b8bcfe1c75ebd0a4e0407eab3e5f8077.exe
1584	6910f1b44a3e1b208f34f96df8e553d7b8bcfe1c75ebd0a4e0407eab3e5f8077.exe
1584	6910f1b44a3e1b208f34f96df8e553d7b8bcfe1c75ebd0a4e0407eab3e5f8077.exe
1696	Host.exe
1696	Host.exe
1696	Host.exe
1696	Host.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

6910f1b44a3e1b208f34f96df8e553d7b8bcfe1c75ebd0a4e0407eab3e5f8077.exeHost.exe

description	pid	process
Token: SeDebugPrivilege	1584	6910f1b44a3e1b208f34f96df8e553d7b8bcfe1c75ebd0a4e0407eab3e5f8077.exe
Token: SeDebugPrivilege	1696	Host.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

6910f1b44a3e1b208f34f96df8e553d7b8bcfe1c75ebd0a4e0407eab3e5f8077.exe6910f1b44a3e1b208f34f96df8e553d7b8bcfe1c75ebd0a4e0407eab3e5f8077.exeHost.exe

description	pid	process	target process
PID 1584 wrote to memory of 1948	1584	6910f1b44a3e1b208f34f96df8e553d7b8bcfe1c75ebd0a4e0407eab3e5f8077.exe	6910f1b44a3e1b208f34f96df8e553d7b8bcfe1c75ebd0a4e0407eab3e5f8077.exe
PID 1584 wrote to memory of 1948	1584	6910f1b44a3e1b208f34f96df8e553d7b8bcfe1c75ebd0a4e0407eab3e5f8077.exe	6910f1b44a3e1b208f34f96df8e553d7b8bcfe1c75ebd0a4e0407eab3e5f8077.exe
PID 1584 wrote to memory of 1948	1584	6910f1b44a3e1b208f34f96df8e553d7b8bcfe1c75ebd0a4e0407eab3e5f8077.exe	6910f1b44a3e1b208f34f96df8e553d7b8bcfe1c75ebd0a4e0407eab3e5f8077.exe
PID 1584 wrote to memory of 1948	1584	6910f1b44a3e1b208f34f96df8e553d7b8bcfe1c75ebd0a4e0407eab3e5f8077.exe	6910f1b44a3e1b208f34f96df8e553d7b8bcfe1c75ebd0a4e0407eab3e5f8077.exe
PID 1584 wrote to memory of 1888	1584	6910f1b44a3e1b208f34f96df8e553d7b8bcfe1c75ebd0a4e0407eab3e5f8077.exe	6910f1b44a3e1b208f34f96df8e553d7b8bcfe1c75ebd0a4e0407eab3e5f8077.exe
PID 1584 wrote to memory of 1888	1584	6910f1b44a3e1b208f34f96df8e553d7b8bcfe1c75ebd0a4e0407eab3e5f8077.exe	6910f1b44a3e1b208f34f96df8e553d7b8bcfe1c75ebd0a4e0407eab3e5f8077.exe
PID 1584 wrote to memory of 1888	1584	6910f1b44a3e1b208f34f96df8e553d7b8bcfe1c75ebd0a4e0407eab3e5f8077.exe	6910f1b44a3e1b208f34f96df8e553d7b8bcfe1c75ebd0a4e0407eab3e5f8077.exe
PID 1584 wrote to memory of 1888	1584	6910f1b44a3e1b208f34f96df8e553d7b8bcfe1c75ebd0a4e0407eab3e5f8077.exe	6910f1b44a3e1b208f34f96df8e553d7b8bcfe1c75ebd0a4e0407eab3e5f8077.exe
PID 1584 wrote to memory of 1888	1584	6910f1b44a3e1b208f34f96df8e553d7b8bcfe1c75ebd0a4e0407eab3e5f8077.exe	6910f1b44a3e1b208f34f96df8e553d7b8bcfe1c75ebd0a4e0407eab3e5f8077.exe
PID 1584 wrote to memory of 1888	1584	6910f1b44a3e1b208f34f96df8e553d7b8bcfe1c75ebd0a4e0407eab3e5f8077.exe	6910f1b44a3e1b208f34f96df8e553d7b8bcfe1c75ebd0a4e0407eab3e5f8077.exe
PID 1584 wrote to memory of 1888	1584	6910f1b44a3e1b208f34f96df8e553d7b8bcfe1c75ebd0a4e0407eab3e5f8077.exe	6910f1b44a3e1b208f34f96df8e553d7b8bcfe1c75ebd0a4e0407eab3e5f8077.exe
PID 1584 wrote to memory of 1888	1584	6910f1b44a3e1b208f34f96df8e553d7b8bcfe1c75ebd0a4e0407eab3e5f8077.exe	6910f1b44a3e1b208f34f96df8e553d7b8bcfe1c75ebd0a4e0407eab3e5f8077.exe
PID 1584 wrote to memory of 1888	1584	6910f1b44a3e1b208f34f96df8e553d7b8bcfe1c75ebd0a4e0407eab3e5f8077.exe	6910f1b44a3e1b208f34f96df8e553d7b8bcfe1c75ebd0a4e0407eab3e5f8077.exe
PID 1888 wrote to memory of 1696	1888	6910f1b44a3e1b208f34f96df8e553d7b8bcfe1c75ebd0a4e0407eab3e5f8077.exe	Host.exe
PID 1888 wrote to memory of 1696	1888	6910f1b44a3e1b208f34f96df8e553d7b8bcfe1c75ebd0a4e0407eab3e5f8077.exe	Host.exe
PID 1888 wrote to memory of 1696	1888	6910f1b44a3e1b208f34f96df8e553d7b8bcfe1c75ebd0a4e0407eab3e5f8077.exe	Host.exe
PID 1888 wrote to memory of 1696	1888	6910f1b44a3e1b208f34f96df8e553d7b8bcfe1c75ebd0a4e0407eab3e5f8077.exe	Host.exe
PID 1696 wrote to memory of 1416	1696	Host.exe	Host.exe
PID 1696 wrote to memory of 1416	1696	Host.exe	Host.exe
PID 1696 wrote to memory of 1416	1696	Host.exe	Host.exe
PID 1696 wrote to memory of 1416	1696	Host.exe	Host.exe
PID 1696 wrote to memory of 1416	1696	Host.exe	Host.exe
PID 1696 wrote to memory of 1416	1696	Host.exe	Host.exe
PID 1696 wrote to memory of 1416	1696	Host.exe	Host.exe
PID 1696 wrote to memory of 1416	1696	Host.exe	Host.exe
PID 1696 wrote to memory of 1416	1696	Host.exe	Host.exe

C:\Users\Admin\AppData\Local\Temp\6910f1b44a3e1b208f34f96df8e553d7b8bcfe1c75ebd0a4e0407eab3e5f8077.exe
"C:\Users\Admin\AppData\Local\Temp\6910f1b44a3e1b208f34f96df8e553d7b8bcfe1c75ebd0a4e0407eab3e5f8077.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1584
- C:\Users\Admin\AppData\Local\Temp\6910f1b44a3e1b208f34f96df8e553d7b8bcfe1c75ebd0a4e0407eab3e5f8077.exe
  "C:\Users\Admin\AppData\Local\Temp\6910f1b44a3e1b208f34f96df8e553d7b8bcfe1c75ebd0a4e0407eab3e5f8077.exe"
  2⤵
  PID:1948
- C:\Users\Admin\AppData\Local\Temp\6910f1b44a3e1b208f34f96df8e553d7b8bcfe1c75ebd0a4e0407eab3e5f8077.exe
  "C:\Users\Admin\AppData\Local\Temp\6910f1b44a3e1b208f34f96df8e553d7b8bcfe1c75ebd0a4e0407eab3e5f8077.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1888
- - C:\Users\Admin\AppData\Roaming\Install\Host.exe
    "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1696
  - - C:\Users\Admin\AppData\Roaming\Install\Host.exe
      "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
      4⤵
      Executes dropped EXE
      Modifies Installed Components in the registry
      Adds Run key to start application
      PID:1416

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
109KB

MD5
7d9ca5f5b423bb33bda60994f81c6716

SHA1
05bc6d26466acb6a9f0eebe7769a3f475dc0c325

SHA256
6910f1b44a3e1b208f34f96df8e553d7b8bcfe1c75ebd0a4e0407eab3e5f8077

SHA512
3fe410bb4e1b3c39633ac2365147c58921c291d0fb8cd85a5fd6cdd8626c5da594085ff6fe4cc2a8863fd0eb41cdc3b8fbf166860c8dca8d7f3de7c69cf626cd

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
109KB

MD5
7d9ca5f5b423bb33bda60994f81c6716

SHA1
05bc6d26466acb6a9f0eebe7769a3f475dc0c325

SHA256
6910f1b44a3e1b208f34f96df8e553d7b8bcfe1c75ebd0a4e0407eab3e5f8077

SHA512
3fe410bb4e1b3c39633ac2365147c58921c291d0fb8cd85a5fd6cdd8626c5da594085ff6fe4cc2a8863fd0eb41cdc3b8fbf166860c8dca8d7f3de7c69cf626cd

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
109KB

MD5
7d9ca5f5b423bb33bda60994f81c6716

SHA1
05bc6d26466acb6a9f0eebe7769a3f475dc0c325

SHA256
6910f1b44a3e1b208f34f96df8e553d7b8bcfe1c75ebd0a4e0407eab3e5f8077

SHA512
3fe410bb4e1b3c39633ac2365147c58921c291d0fb8cd85a5fd6cdd8626c5da594085ff6fe4cc2a8863fd0eb41cdc3b8fbf166860c8dca8d7f3de7c69cf626cd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\QJWuPD4.exe

Filesize
109KB

MD5
7d9ca5f5b423bb33bda60994f81c6716

SHA1
05bc6d26466acb6a9f0eebe7769a3f475dc0c325

SHA256
6910f1b44a3e1b208f34f96df8e553d7b8bcfe1c75ebd0a4e0407eab3e5f8077

SHA512
3fe410bb4e1b3c39633ac2365147c58921c291d0fb8cd85a5fd6cdd8626c5da594085ff6fe4cc2a8863fd0eb41cdc3b8fbf166860c8dca8d7f3de7c69cf626cd

Download Submit
\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
109KB

MD5
7d9ca5f5b423bb33bda60994f81c6716

SHA1
05bc6d26466acb6a9f0eebe7769a3f475dc0c325

SHA256
6910f1b44a3e1b208f34f96df8e553d7b8bcfe1c75ebd0a4e0407eab3e5f8077

SHA512
3fe410bb4e1b3c39633ac2365147c58921c291d0fb8cd85a5fd6cdd8626c5da594085ff6fe4cc2a8863fd0eb41cdc3b8fbf166860c8dca8d7f3de7c69cf626cd

Download Submit
\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
109KB

MD5
7d9ca5f5b423bb33bda60994f81c6716

SHA1
05bc6d26466acb6a9f0eebe7769a3f475dc0c325

SHA256
6910f1b44a3e1b208f34f96df8e553d7b8bcfe1c75ebd0a4e0407eab3e5f8077

SHA512
3fe410bb4e1b3c39633ac2365147c58921c291d0fb8cd85a5fd6cdd8626c5da594085ff6fe4cc2a8863fd0eb41cdc3b8fbf166860c8dca8d7f3de7c69cf626cd

Download Submit
memory/1416-90-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1416-89-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1416-82-0x0000000000401F8F-mapping.dmp

Download
memory/1584-55-0x0000000074900000-0x0000000074EAB000-memory.dmp

Filesize
5.7MB

Download
memory/1584-54-0x0000000075E61000-0x0000000075E63000-memory.dmp

Filesize
8KB

Download
memory/1584-67-0x0000000074900000-0x0000000074EAB000-memory.dmp

Filesize
5.7MB

Download
memory/1696-70-0x0000000000000000-mapping.dmp

Download
memory/1696-87-0x0000000074350000-0x00000000748FB000-memory.dmp

Filesize
5.7MB

Download
memory/1888-72-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1888-66-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1888-62-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1888-63-0x0000000000401F8F-mapping.dmp

Download
memory/1888-61-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1888-59-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1888-57-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1888-56-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads