netwire | 177d1b68906872259d131d1614ea022870606df5f851a9eb6f04f08126b29495

General

Target

177d1b68906872259d131d1614ea022870606df5f851a9eb6f04f08126b29495.exe
Size

280KB
MD5

b6fd2677bf285e0e00e0dd7258488c45
SHA1

861432442555667b049ddaade2d4840753455685
SHA256

177d1b68906872259d131d1614ea022870606df5f851a9eb6f04f08126b29495
SHA512

1ce6f01a733b239e1e24e569be5c881d3345e3a59973f8556854823233d84e46df1ccfe217339df8706fcdc29a82f97a0c5a22ceaa767fd7f832dcacc64d5129
SSDEEP

6144:VzgYWoC1WkE3fDIb4Uv8vgCY1QoAaAkcl2fm9E:FeoSY3dd1Y+fvR9E

Score

10^/10

netwire botnet rat stealer upx

Malware Config

Signatures

NetWire RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3436-139-0x0000000000400000-0x0000000000421000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3436-135-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/3436-136-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/3436-137-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/3436-139-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Drops startup file 1 IoCs

Processes:

177d1b68906872259d131d1614ea022870606df5f851a9eb6f04f08126b29495.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ExcelZ.lnk	177d1b68906872259d131d1614ea022870606df5f851a9eb6f04f08126b29495.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

177d1b68906872259d131d1614ea022870606df5f851a9eb6f04f08126b29495.exe

description	pid	process	target process
PID 3676 set thread context of 3436	3676	177d1b68906872259d131d1614ea022870606df5f851a9eb6f04f08126b29495.exe	notepad.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1136 3436 WerFault.exe notepad.exe
5084 3436 WerFault.exe notepad.exe

pid	pid_target	process	target process
1136	3436	WerFault.exe	notepad.exe
5084	3436	WerFault.exe	notepad.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

177d1b68906872259d131d1614ea022870606df5f851a9eb6f04f08126b29495.exe

pid	process
3676	177d1b68906872259d131d1614ea022870606df5f851a9eb6f04f08126b29495.exe
3676	177d1b68906872259d131d1614ea022870606df5f851a9eb6f04f08126b29495.exe
3676	177d1b68906872259d131d1614ea022870606df5f851a9eb6f04f08126b29495.exe
3676	177d1b68906872259d131d1614ea022870606df5f851a9eb6f04f08126b29495.exe
3676	177d1b68906872259d131d1614ea022870606df5f851a9eb6f04f08126b29495.exe
3676	177d1b68906872259d131d1614ea022870606df5f851a9eb6f04f08126b29495.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

177d1b68906872259d131d1614ea022870606df5f851a9eb6f04f08126b29495.exe

pid process

3676 177d1b68906872259d131d1614ea022870606df5f851a9eb6f04f08126b29495.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

177d1b68906872259d131d1614ea022870606df5f851a9eb6f04f08126b29495.exe

description	pid	process	target process
PID 3676 wrote to memory of 3436	3676	177d1b68906872259d131d1614ea022870606df5f851a9eb6f04f08126b29495.exe	notepad.exe
PID 3676 wrote to memory of 3436	3676	177d1b68906872259d131d1614ea022870606df5f851a9eb6f04f08126b29495.exe	notepad.exe
PID 3676 wrote to memory of 3436	3676	177d1b68906872259d131d1614ea022870606df5f851a9eb6f04f08126b29495.exe	notepad.exe
PID 3676 wrote to memory of 3436	3676	177d1b68906872259d131d1614ea022870606df5f851a9eb6f04f08126b29495.exe	notepad.exe
PID 3676 wrote to memory of 3436	3676	177d1b68906872259d131d1614ea022870606df5f851a9eb6f04f08126b29495.exe	notepad.exe
PID 3676 wrote to memory of 3436	3676	177d1b68906872259d131d1614ea022870606df5f851a9eb6f04f08126b29495.exe	notepad.exe
PID 3676 wrote to memory of 3436	3676	177d1b68906872259d131d1614ea022870606df5f851a9eb6f04f08126b29495.exe	notepad.exe
PID 3676 wrote to memory of 3436	3676	177d1b68906872259d131d1614ea022870606df5f851a9eb6f04f08126b29495.exe	notepad.exe
PID 3676 wrote to memory of 3436	3676	177d1b68906872259d131d1614ea022870606df5f851a9eb6f04f08126b29495.exe	notepad.exe
PID 3676 wrote to memory of 3436	3676	177d1b68906872259d131d1614ea022870606df5f851a9eb6f04f08126b29495.exe	notepad.exe
PID 3676 wrote to memory of 3436	3676	177d1b68906872259d131d1614ea022870606df5f851a9eb6f04f08126b29495.exe	notepad.exe
PID 3676 wrote to memory of 3436	3676	177d1b68906872259d131d1614ea022870606df5f851a9eb6f04f08126b29495.exe	notepad.exe
PID 3676 wrote to memory of 3436	3676	177d1b68906872259d131d1614ea022870606df5f851a9eb6f04f08126b29495.exe	notepad.exe
PID 3676 wrote to memory of 3436	3676	177d1b68906872259d131d1614ea022870606df5f851a9eb6f04f08126b29495.exe	notepad.exe
PID 3676 wrote to memory of 3436	3676	177d1b68906872259d131d1614ea022870606df5f851a9eb6f04f08126b29495.exe	notepad.exe
PID 3676 wrote to memory of 3436	3676	177d1b68906872259d131d1614ea022870606df5f851a9eb6f04f08126b29495.exe	notepad.exe
PID 3676 wrote to memory of 3436	3676	177d1b68906872259d131d1614ea022870606df5f851a9eb6f04f08126b29495.exe	notepad.exe
PID 3676 wrote to memory of 3436	3676	177d1b68906872259d131d1614ea022870606df5f851a9eb6f04f08126b29495.exe	notepad.exe
PID 3676 wrote to memory of 3436	3676	177d1b68906872259d131d1614ea022870606df5f851a9eb6f04f08126b29495.exe	notepad.exe
PID 3676 wrote to memory of 3436	3676	177d1b68906872259d131d1614ea022870606df5f851a9eb6f04f08126b29495.exe	notepad.exe
PID 3676 wrote to memory of 3436	3676	177d1b68906872259d131d1614ea022870606df5f851a9eb6f04f08126b29495.exe	notepad.exe
PID 3676 wrote to memory of 3436	3676	177d1b68906872259d131d1614ea022870606df5f851a9eb6f04f08126b29495.exe	notepad.exe
PID 3676 wrote to memory of 3436	3676	177d1b68906872259d131d1614ea022870606df5f851a9eb6f04f08126b29495.exe	notepad.exe
PID 3676 wrote to memory of 3436	3676	177d1b68906872259d131d1614ea022870606df5f851a9eb6f04f08126b29495.exe	notepad.exe
PID 3676 wrote to memory of 3436	3676	177d1b68906872259d131d1614ea022870606df5f851a9eb6f04f08126b29495.exe	notepad.exe
PID 3676 wrote to memory of 3436	3676	177d1b68906872259d131d1614ea022870606df5f851a9eb6f04f08126b29495.exe	notepad.exe
PID 3676 wrote to memory of 3436	3676	177d1b68906872259d131d1614ea022870606df5f851a9eb6f04f08126b29495.exe	notepad.exe
PID 3676 wrote to memory of 3436	3676	177d1b68906872259d131d1614ea022870606df5f851a9eb6f04f08126b29495.exe	notepad.exe
PID 3676 wrote to memory of 3436	3676	177d1b68906872259d131d1614ea022870606df5f851a9eb6f04f08126b29495.exe	notepad.exe
PID 3676 wrote to memory of 3436	3676	177d1b68906872259d131d1614ea022870606df5f851a9eb6f04f08126b29495.exe	notepad.exe
PID 3676 wrote to memory of 3436	3676	177d1b68906872259d131d1614ea022870606df5f851a9eb6f04f08126b29495.exe	notepad.exe
PID 3676 wrote to memory of 3436	3676	177d1b68906872259d131d1614ea022870606df5f851a9eb6f04f08126b29495.exe	notepad.exe
PID 3676 wrote to memory of 3436	3676	177d1b68906872259d131d1614ea022870606df5f851a9eb6f04f08126b29495.exe	notepad.exe
PID 3676 wrote to memory of 3436	3676	177d1b68906872259d131d1614ea022870606df5f851a9eb6f04f08126b29495.exe	notepad.exe
PID 3676 wrote to memory of 3436	3676	177d1b68906872259d131d1614ea022870606df5f851a9eb6f04f08126b29495.exe	notepad.exe
PID 3676 wrote to memory of 3436	3676	177d1b68906872259d131d1614ea022870606df5f851a9eb6f04f08126b29495.exe	notepad.exe
PID 3676 wrote to memory of 3436	3676	177d1b68906872259d131d1614ea022870606df5f851a9eb6f04f08126b29495.exe	notepad.exe
PID 3676 wrote to memory of 3436	3676	177d1b68906872259d131d1614ea022870606df5f851a9eb6f04f08126b29495.exe	notepad.exe
PID 3676 wrote to memory of 3436	3676	177d1b68906872259d131d1614ea022870606df5f851a9eb6f04f08126b29495.exe	notepad.exe
PID 3676 wrote to memory of 3436	3676	177d1b68906872259d131d1614ea022870606df5f851a9eb6f04f08126b29495.exe	notepad.exe
PID 3676 wrote to memory of 3436	3676	177d1b68906872259d131d1614ea022870606df5f851a9eb6f04f08126b29495.exe	notepad.exe
PID 3676 wrote to memory of 3436	3676	177d1b68906872259d131d1614ea022870606df5f851a9eb6f04f08126b29495.exe	notepad.exe
PID 3676 wrote to memory of 3436	3676	177d1b68906872259d131d1614ea022870606df5f851a9eb6f04f08126b29495.exe	notepad.exe
PID 3676 wrote to memory of 3436	3676	177d1b68906872259d131d1614ea022870606df5f851a9eb6f04f08126b29495.exe	notepad.exe
PID 3676 wrote to memory of 3436	3676	177d1b68906872259d131d1614ea022870606df5f851a9eb6f04f08126b29495.exe	notepad.exe
PID 3676 wrote to memory of 3436	3676	177d1b68906872259d131d1614ea022870606df5f851a9eb6f04f08126b29495.exe	notepad.exe
PID 3676 wrote to memory of 3436	3676	177d1b68906872259d131d1614ea022870606df5f851a9eb6f04f08126b29495.exe	notepad.exe
PID 3676 wrote to memory of 3436	3676	177d1b68906872259d131d1614ea022870606df5f851a9eb6f04f08126b29495.exe	notepad.exe
PID 3676 wrote to memory of 3436	3676	177d1b68906872259d131d1614ea022870606df5f851a9eb6f04f08126b29495.exe	notepad.exe
PID 3676 wrote to memory of 3436	3676	177d1b68906872259d131d1614ea022870606df5f851a9eb6f04f08126b29495.exe	notepad.exe
PID 3676 wrote to memory of 3436	3676	177d1b68906872259d131d1614ea022870606df5f851a9eb6f04f08126b29495.exe	notepad.exe
PID 3676 wrote to memory of 3436	3676	177d1b68906872259d131d1614ea022870606df5f851a9eb6f04f08126b29495.exe	notepad.exe
PID 3676 wrote to memory of 3436	3676	177d1b68906872259d131d1614ea022870606df5f851a9eb6f04f08126b29495.exe	notepad.exe
PID 3676 wrote to memory of 3436	3676	177d1b68906872259d131d1614ea022870606df5f851a9eb6f04f08126b29495.exe	notepad.exe
PID 3676 wrote to memory of 3436	3676	177d1b68906872259d131d1614ea022870606df5f851a9eb6f04f08126b29495.exe	notepad.exe
PID 3676 wrote to memory of 3436	3676	177d1b68906872259d131d1614ea022870606df5f851a9eb6f04f08126b29495.exe	notepad.exe
PID 3676 wrote to memory of 3436	3676	177d1b68906872259d131d1614ea022870606df5f851a9eb6f04f08126b29495.exe	notepad.exe
PID 3676 wrote to memory of 3436	3676	177d1b68906872259d131d1614ea022870606df5f851a9eb6f04f08126b29495.exe	notepad.exe
PID 3676 wrote to memory of 3436	3676	177d1b68906872259d131d1614ea022870606df5f851a9eb6f04f08126b29495.exe	notepad.exe
PID 3676 wrote to memory of 3436	3676	177d1b68906872259d131d1614ea022870606df5f851a9eb6f04f08126b29495.exe	notepad.exe
PID 3676 wrote to memory of 3436	3676	177d1b68906872259d131d1614ea022870606df5f851a9eb6f04f08126b29495.exe	notepad.exe
PID 3676 wrote to memory of 3436	3676	177d1b68906872259d131d1614ea022870606df5f851a9eb6f04f08126b29495.exe	notepad.exe
PID 3676 wrote to memory of 3436	3676	177d1b68906872259d131d1614ea022870606df5f851a9eb6f04f08126b29495.exe	notepad.exe
PID 3676 wrote to memory of 3436	3676	177d1b68906872259d131d1614ea022870606df5f851a9eb6f04f08126b29495.exe	notepad.exe

C:\Users\Admin\AppData\Local\Temp\177d1b68906872259d131d1614ea022870606df5f851a9eb6f04f08126b29495.exe
"C:\Users\Admin\AppData\Local\Temp\177d1b68906872259d131d1614ea022870606df5f851a9eb6f04f08126b29495.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:3676

C:\Windows\SysWOW64\notepad.exe
notepad.exe
2⤵
PID:3436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 312
3⤵
- Program crash
PID:1136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 312
3⤵
- Program crash
PID:5084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3436 -ip 3436
1⤵
PID:3992

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1136-140-0x0000000000000000-mapping.dmp

Download
memory/3436-134-0x0000000000000000-mapping.dmp

Download
memory/3436-135-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3436-136-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3436-137-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3436-139-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3676-132-0x0000000002210000-0x000000000228B000-memory.dmp

Filesize
492KB

Download
memory/3676-133-0x0000000002210000-0x000000000228B000-memory.dmp

Filesize
492KB

Download
memory/3676-138-0x0000000002210000-0x000000000228B000-memory.dmp

Filesize
492KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads