netwire | df1f93819545a92ed7acb5a67b3257dcdc4b3904e536fa856d27e7b29cc83053

General

Target

df1f93819545a92ed7acb5a67b3257dcdc4b3904e536fa856d27e7b29cc83053.exe
Size

467KB
MD5

03943957531a9b7ed0eca96e4337b4a2
SHA1

39a4ee1d0f0fed3a81555b52fec030e913cb8563
SHA256

df1f93819545a92ed7acb5a67b3257dcdc4b3904e536fa856d27e7b29cc83053
SHA512

cdf9beaf36313259cb56955bed0d23867e028ef064c00f2c09cfecd56126c8df520be9f4bd019ca61ac3ec03dbf73a9d802a6328ae4187804a16542c0ff451b2
SSDEEP

6144:x32IXVi7TJZeXDUjwE1bYXP/XkwJXa8AkTqTVfQlHKJTJoleclZdmMO2:x3jg8YjwEFQ/XbXLr0NQBElmB

Score

10^/10

netwire botnet rat stealer

Malware Config

Signatures

NetWire RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\tmp.exe	netwire
C:\Users\Admin\AppData\Local\Temp\tmp.exe	netwire
behavioral2/memory/4812-138-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral2/memory/4812-140-0x0000000000400000-0x000000000041E000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 1 IoCs

Processes:

tmp.exe

pid process

2484 tmp.exe

pid	process
2484	tmp.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

df1f93819545a92ed7acb5a67b3257dcdc4b3904e536fa856d27e7b29cc83053.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	df1f93819545a92ed7acb5a67b3257dcdc4b3904e536fa856d27e7b29cc83053.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

df1f93819545a92ed7acb5a67b3257dcdc4b3904e536fa856d27e7b29cc83053.exe

description	ioc	process
File created	C:\Windows\assembly\Desktop.ini	df1f93819545a92ed7acb5a67b3257dcdc4b3904e536fa856d27e7b29cc83053.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	df1f93819545a92ed7acb5a67b3257dcdc4b3904e536fa856d27e7b29cc83053.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

df1f93819545a92ed7acb5a67b3257dcdc4b3904e536fa856d27e7b29cc83053.exe

description	pid	process	target process
PID 700 set thread context of 4812	700	df1f93819545a92ed7acb5a67b3257dcdc4b3904e536fa856d27e7b29cc83053.exe	df1f93819545a92ed7acb5a67b3257dcdc4b3904e536fa856d27e7b29cc83053.exe

Drops file in Windows directory 3 IoCs

Processes:

df1f93819545a92ed7acb5a67b3257dcdc4b3904e536fa856d27e7b29cc83053.exe

description	ioc	process
File opened for modification	C:\Windows\assembly	df1f93819545a92ed7acb5a67b3257dcdc4b3904e536fa856d27e7b29cc83053.exe
File created	C:\Windows\assembly\Desktop.ini	df1f93819545a92ed7acb5a67b3257dcdc4b3904e536fa856d27e7b29cc83053.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	df1f93819545a92ed7acb5a67b3257dcdc4b3904e536fa856d27e7b29cc83053.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	process	target process
1636	4812	WerFault.exe	df1f93819545a92ed7acb5a67b3257dcdc4b3904e536fa856d27e7b29cc83053.exe
4476	4812	WerFault.exe	df1f93819545a92ed7acb5a67b3257dcdc4b3904e536fa856d27e7b29cc83053.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

df1f93819545a92ed7acb5a67b3257dcdc4b3904e536fa856d27e7b29cc83053.exe

pid	process
700	df1f93819545a92ed7acb5a67b3257dcdc4b3904e536fa856d27e7b29cc83053.exe
700	df1f93819545a92ed7acb5a67b3257dcdc4b3904e536fa856d27e7b29cc83053.exe
700	df1f93819545a92ed7acb5a67b3257dcdc4b3904e536fa856d27e7b29cc83053.exe
700	df1f93819545a92ed7acb5a67b3257dcdc4b3904e536fa856d27e7b29cc83053.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

df1f93819545a92ed7acb5a67b3257dcdc4b3904e536fa856d27e7b29cc83053.exe

description pid process

Token: SeDebugPrivilege 700 df1f93819545a92ed7acb5a67b3257dcdc4b3904e536fa856d27e7b29cc83053.exe

description	pid	process
Token: SeDebugPrivilege	700	df1f93819545a92ed7acb5a67b3257dcdc4b3904e536fa856d27e7b29cc83053.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

df1f93819545a92ed7acb5a67b3257dcdc4b3904e536fa856d27e7b29cc83053.exedf1f93819545a92ed7acb5a67b3257dcdc4b3904e536fa856d27e7b29cc83053.exe

C:\Users\Admin\AppData\Local\Temp\df1f93819545a92ed7acb5a67b3257dcdc4b3904e536fa856d27e7b29cc83053.exe
"C:\Users\Admin\AppData\Local\Temp\df1f93819545a92ed7acb5a67b3257dcdc4b3904e536fa856d27e7b29cc83053.exe"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:700

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
2⤵
- Executes dropped EXE
PID:2484

C:\Users\Admin\AppData\Local\Temp\df1f93819545a92ed7acb5a67b3257dcdc4b3904e536fa856d27e7b29cc83053.exe
C:\Users\Admin\AppData\Local\Temp\df1f93819545a92ed7acb5a67b3257dcdc4b3904e536fa856d27e7b29cc83053.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:4812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4812 -s 312
3⤵
- Program crash
PID:1636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4812 -s 312
3⤵
- Program crash
PID:4476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4812 -ip 4812
1⤵
PID:4668

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp.exe
Filesize
81KB

MD5
fa05a001948f9d0a80c4936988c07826

SHA1
d9ae0aee938285b58983359ba1dda0684f00c96a

SHA256
42e91d228236187781427d929b813b08935ee791c35892803515abd6e04c8ac0

SHA512
1a791b7a2c42b189ee1464690cf0dddb4c7304f4b374506842c338a7eb2d5ebdbf1d020cb687fd29ed6a7ab63333cbcb60741d3142c282c4da852187c2ef05b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.exe
Filesize
81KB

MD5
fa05a001948f9d0a80c4936988c07826

SHA1
d9ae0aee938285b58983359ba1dda0684f00c96a

SHA256
42e91d228236187781427d929b813b08935ee791c35892803515abd6e04c8ac0

SHA512
1a791b7a2c42b189ee1464690cf0dddb4c7304f4b374506842c338a7eb2d5ebdbf1d020cb687fd29ed6a7ab63333cbcb60741d3142c282c4da852187c2ef05b1

Download Submit
memory/700-132-0x0000000075230000-0x00000000757E1000-memory.dmp

Filesize
5.7MB

Download
memory/700-133-0x0000000075230000-0x00000000757E1000-memory.dmp

Filesize
5.7MB

Download
memory/700-142-0x0000000075230000-0x00000000757E1000-memory.dmp

Filesize
5.7MB

Download
memory/1636-141-0x0000000000000000-mapping.dmp

Download
memory/2484-134-0x0000000000000000-mapping.dmp

Download
memory/4812-137-0x0000000000000000-mapping.dmp

Download
memory/4812-138-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4812-140-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download

description	pid	process	target process
PID 700 wrote to memory of 2484	700	df1f93819545a92ed7acb5a67b3257dcdc4b3904e536fa856d27e7b29cc83053.exe	tmp.exe
PID 700 wrote to memory of 2484	700	df1f93819545a92ed7acb5a67b3257dcdc4b3904e536fa856d27e7b29cc83053.exe	tmp.exe
PID 700 wrote to memory of 2484	700	df1f93819545a92ed7acb5a67b3257dcdc4b3904e536fa856d27e7b29cc83053.exe	tmp.exe
PID 700 wrote to memory of 4812	700	df1f93819545a92ed7acb5a67b3257dcdc4b3904e536fa856d27e7b29cc83053.exe	df1f93819545a92ed7acb5a67b3257dcdc4b3904e536fa856d27e7b29cc83053.exe
PID 700 wrote to memory of 4812	700	df1f93819545a92ed7acb5a67b3257dcdc4b3904e536fa856d27e7b29cc83053.exe	df1f93819545a92ed7acb5a67b3257dcdc4b3904e536fa856d27e7b29cc83053.exe
PID 700 wrote to memory of 4812	700	df1f93819545a92ed7acb5a67b3257dcdc4b3904e536fa856d27e7b29cc83053.exe	df1f93819545a92ed7acb5a67b3257dcdc4b3904e536fa856d27e7b29cc83053.exe
PID 700 wrote to memory of 4812	700	df1f93819545a92ed7acb5a67b3257dcdc4b3904e536fa856d27e7b29cc83053.exe	df1f93819545a92ed7acb5a67b3257dcdc4b3904e536fa856d27e7b29cc83053.exe
PID 700 wrote to memory of 4812	700	df1f93819545a92ed7acb5a67b3257dcdc4b3904e536fa856d27e7b29cc83053.exe	df1f93819545a92ed7acb5a67b3257dcdc4b3904e536fa856d27e7b29cc83053.exe
PID 700 wrote to memory of 4812	700	df1f93819545a92ed7acb5a67b3257dcdc4b3904e536fa856d27e7b29cc83053.exe	df1f93819545a92ed7acb5a67b3257dcdc4b3904e536fa856d27e7b29cc83053.exe
PID 700 wrote to memory of 4812	700	df1f93819545a92ed7acb5a67b3257dcdc4b3904e536fa856d27e7b29cc83053.exe	df1f93819545a92ed7acb5a67b3257dcdc4b3904e536fa856d27e7b29cc83053.exe
PID 700 wrote to memory of 4812	700	df1f93819545a92ed7acb5a67b3257dcdc4b3904e536fa856d27e7b29cc83053.exe	df1f93819545a92ed7acb5a67b3257dcdc4b3904e536fa856d27e7b29cc83053.exe
PID 700 wrote to memory of 4812	700	df1f93819545a92ed7acb5a67b3257dcdc4b3904e536fa856d27e7b29cc83053.exe	df1f93819545a92ed7acb5a67b3257dcdc4b3904e536fa856d27e7b29cc83053.exe
PID 4812 wrote to memory of 1636	4812	df1f93819545a92ed7acb5a67b3257dcdc4b3904e536fa856d27e7b29cc83053.exe	WerFault.exe
PID 4812 wrote to memory of 1636	4812	df1f93819545a92ed7acb5a67b3257dcdc4b3904e536fa856d27e7b29cc83053.exe	WerFault.exe
PID 4812 wrote to memory of 1636	4812	df1f93819545a92ed7acb5a67b3257dcdc4b3904e536fa856d27e7b29cc83053.exe	WerFault.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads