netwire | 15d996fe436dc316a84767c8672e8164706d44468381eda35988ea4ebee9deb1

General

Target

15d996fe436dc316a84767c8672e8164706d44468381eda35988ea4ebee9deb1.exe
Size

132KB
MD5

800bf6030c855beff04c828405712a71
SHA1

3ace3a76b0d05e3667568997a73ce1264a25fb93
SHA256

15d996fe436dc316a84767c8672e8164706d44468381eda35988ea4ebee9deb1
SHA512

1731114cecbc465b0365d6a1f8f4afc918cd7aa401241f844efbbf3219f54505e1eca53d70d88620c199abbca377e87636666cae608d6cb77fca66bf0d767669
SSDEEP

3072:kDQkrZoosbIfXJvWaZkPZqnCQE4L6AAcMIKAhlz0sjLJFH:kDpoeUdqCQE26A/dKAj7zH

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Signatures

NetWire RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4276-142-0x0000000000400000-0x0000000000417000-memory.dmp	netwire
behavioral2/memory/4940-152-0x0000000000400000-0x0000000000417000-memory.dmp	netwire
behavioral2/memory/4940-153-0x0000000000400000-0x0000000000417000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

wiki.exewiki.exe

pid process

3872 wiki.exe
4940 wiki.exe

pid	process
3872	wiki.exe
4940	wiki.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wiki.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0K7Q8LQH-HB2E-7PTW-8VM5-0W07716742YI}	wiki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0K7Q8LQH-HB2E-7PTW-8VM5-0W07716742YI}\StubPath = "\"C:\\Users\\Admin\\AppData\\Roaming\\Wikimedia\\wiki.exe\""	wiki.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

15d996fe436dc316a84767c8672e8164706d44468381eda35988ea4ebee9deb1.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	15d996fe436dc316a84767c8672e8164706d44468381eda35988ea4ebee9deb1.exe

Loads dropped DLL 4 IoCs

Processes:

15d996fe436dc316a84767c8672e8164706d44468381eda35988ea4ebee9deb1.exewiki.exe

pid	process
2480	15d996fe436dc316a84767c8672e8164706d44468381eda35988ea4ebee9deb1.exe
2480	15d996fe436dc316a84767c8672e8164706d44468381eda35988ea4ebee9deb1.exe
3872	wiki.exe
3872	wiki.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wiki.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	wiki.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google Chrome = "C:\\Users\\Admin\\AppData\\Roaming\\Wikimedia\\wiki.exe"	wiki.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

15d996fe436dc316a84767c8672e8164706d44468381eda35988ea4ebee9deb1.exewiki.exe

description	pid	process	target process
PID 2480 set thread context of 4276	2480	15d996fe436dc316a84767c8672e8164706d44468381eda35988ea4ebee9deb1.exe	15d996fe436dc316a84767c8672e8164706d44468381eda35988ea4ebee9deb1.exe
PID 3872 set thread context of 4940	3872	wiki.exe	wiki.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 6 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Wikimedia\wiki.exe	nsis_installer_1
C:\Users\Admin\AppData\Roaming\Wikimedia\wiki.exe	nsis_installer_2
C:\Users\Admin\AppData\Roaming\Wikimedia\wiki.exe	nsis_installer_1
C:\Users\Admin\AppData\Roaming\Wikimedia\wiki.exe	nsis_installer_2
C:\Users\Admin\AppData\Roaming\Wikimedia\wiki.exe	nsis_installer_1
C:\Users\Admin\AppData\Roaming\Wikimedia\wiki.exe	nsis_installer_2

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

15d996fe436dc316a84767c8672e8164706d44468381eda35988ea4ebee9deb1.exe15d996fe436dc316a84767c8672e8164706d44468381eda35988ea4ebee9deb1.exewiki.exe

description	pid	process	target process
PID 2480 wrote to memory of 4276	2480	15d996fe436dc316a84767c8672e8164706d44468381eda35988ea4ebee9deb1.exe	15d996fe436dc316a84767c8672e8164706d44468381eda35988ea4ebee9deb1.exe
PID 2480 wrote to memory of 4276	2480	15d996fe436dc316a84767c8672e8164706d44468381eda35988ea4ebee9deb1.exe	15d996fe436dc316a84767c8672e8164706d44468381eda35988ea4ebee9deb1.exe
PID 2480 wrote to memory of 4276	2480	15d996fe436dc316a84767c8672e8164706d44468381eda35988ea4ebee9deb1.exe	15d996fe436dc316a84767c8672e8164706d44468381eda35988ea4ebee9deb1.exe
PID 2480 wrote to memory of 4276	2480	15d996fe436dc316a84767c8672e8164706d44468381eda35988ea4ebee9deb1.exe	15d996fe436dc316a84767c8672e8164706d44468381eda35988ea4ebee9deb1.exe
PID 2480 wrote to memory of 4276	2480	15d996fe436dc316a84767c8672e8164706d44468381eda35988ea4ebee9deb1.exe	15d996fe436dc316a84767c8672e8164706d44468381eda35988ea4ebee9deb1.exe
PID 2480 wrote to memory of 4276	2480	15d996fe436dc316a84767c8672e8164706d44468381eda35988ea4ebee9deb1.exe	15d996fe436dc316a84767c8672e8164706d44468381eda35988ea4ebee9deb1.exe
PID 2480 wrote to memory of 4276	2480	15d996fe436dc316a84767c8672e8164706d44468381eda35988ea4ebee9deb1.exe	15d996fe436dc316a84767c8672e8164706d44468381eda35988ea4ebee9deb1.exe
PID 2480 wrote to memory of 4276	2480	15d996fe436dc316a84767c8672e8164706d44468381eda35988ea4ebee9deb1.exe	15d996fe436dc316a84767c8672e8164706d44468381eda35988ea4ebee9deb1.exe
PID 2480 wrote to memory of 4276	2480	15d996fe436dc316a84767c8672e8164706d44468381eda35988ea4ebee9deb1.exe	15d996fe436dc316a84767c8672e8164706d44468381eda35988ea4ebee9deb1.exe
PID 4276 wrote to memory of 3872	4276	15d996fe436dc316a84767c8672e8164706d44468381eda35988ea4ebee9deb1.exe	wiki.exe
PID 4276 wrote to memory of 3872	4276	15d996fe436dc316a84767c8672e8164706d44468381eda35988ea4ebee9deb1.exe	wiki.exe
PID 4276 wrote to memory of 3872	4276	15d996fe436dc316a84767c8672e8164706d44468381eda35988ea4ebee9deb1.exe	wiki.exe
PID 3872 wrote to memory of 4940	3872	wiki.exe	wiki.exe
PID 3872 wrote to memory of 4940	3872	wiki.exe	wiki.exe
PID 3872 wrote to memory of 4940	3872	wiki.exe	wiki.exe
PID 3872 wrote to memory of 4940	3872	wiki.exe	wiki.exe
PID 3872 wrote to memory of 4940	3872	wiki.exe	wiki.exe
PID 3872 wrote to memory of 4940	3872	wiki.exe	wiki.exe
PID 3872 wrote to memory of 4940	3872	wiki.exe	wiki.exe
PID 3872 wrote to memory of 4940	3872	wiki.exe	wiki.exe
PID 3872 wrote to memory of 4940	3872	wiki.exe	wiki.exe

C:\Users\Admin\AppData\Local\Temp\15d996fe436dc316a84767c8672e8164706d44468381eda35988ea4ebee9deb1.exe
"C:\Users\Admin\AppData\Local\Temp\15d996fe436dc316a84767c8672e8164706d44468381eda35988ea4ebee9deb1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2480

C:\Users\Admin\AppData\Local\Temp\15d996fe436dc316a84767c8672e8164706d44468381eda35988ea4ebee9deb1.exe
"C:\Users\Admin\AppData\Local\Temp\15d996fe436dc316a84767c8672e8164706d44468381eda35988ea4ebee9deb1.exe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4276

C:\Users\Admin\AppData\Roaming\Wikimedia\wiki.exe
"C:\Users\Admin\AppData\Roaming\Wikimedia\wiki.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3872

C:\Users\Admin\AppData\Roaming\Wikimedia\wiki.exe
"C:\Users\Admin\AppData\Roaming\Wikimedia\wiki.exe"
4⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
PID:4940

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\love\contacting.qse
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp7E1.tmp\testing.dll
Filesize
51KB

MD5
4563d7119d2e58de0c9aada9c03938fc

SHA1
a038b5f4dc93a0b256c6702c9470f394b6579fa8

SHA256
2fffeee4c47f621b2b90aad074f294d959a9c986d8010b99aebd8e7168c385fc

SHA512
4c0ebadaea096774ac1821091d77c23599d9100478d755e888a990ec0b2e64cf3113ef0a515d05b3e33fd7221593be197c0bdfa95f39fa2daad93d561d7911fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp7E1.tmp\testing.dll
Filesize
51KB

MD5
4563d7119d2e58de0c9aada9c03938fc

SHA1
a038b5f4dc93a0b256c6702c9470f394b6579fa8

SHA256
2fffeee4c47f621b2b90aad074f294d959a9c986d8010b99aebd8e7168c385fc

SHA512
4c0ebadaea096774ac1821091d77c23599d9100478d755e888a990ec0b2e64cf3113ef0a515d05b3e33fd7221593be197c0bdfa95f39fa2daad93d561d7911fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswFDC0.tmp\testing.dll
Filesize
51KB

MD5
4563d7119d2e58de0c9aada9c03938fc

SHA1
a038b5f4dc93a0b256c6702c9470f394b6579fa8

SHA256
2fffeee4c47f621b2b90aad074f294d959a9c986d8010b99aebd8e7168c385fc

SHA512
4c0ebadaea096774ac1821091d77c23599d9100478d755e888a990ec0b2e64cf3113ef0a515d05b3e33fd7221593be197c0bdfa95f39fa2daad93d561d7911fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswFDC0.tmp\testing.dll
Filesize
51KB

MD5
4563d7119d2e58de0c9aada9c03938fc

SHA1
a038b5f4dc93a0b256c6702c9470f394b6579fa8

SHA256
2fffeee4c47f621b2b90aad074f294d959a9c986d8010b99aebd8e7168c385fc

SHA512
4c0ebadaea096774ac1821091d77c23599d9100478d755e888a990ec0b2e64cf3113ef0a515d05b3e33fd7221593be197c0bdfa95f39fa2daad93d561d7911fd

Download Submit
C:\Users\Admin\AppData\Roaming\Wikimedia\wiki.exe
Filesize
132KB

MD5
800bf6030c855beff04c828405712a71

SHA1
3ace3a76b0d05e3667568997a73ce1264a25fb93

SHA256
15d996fe436dc316a84767c8672e8164706d44468381eda35988ea4ebee9deb1

SHA512
1731114cecbc465b0365d6a1f8f4afc918cd7aa401241f844efbbf3219f54505e1eca53d70d88620c199abbca377e87636666cae608d6cb77fca66bf0d767669

Download Submit
C:\Users\Admin\AppData\Roaming\Wikimedia\wiki.exe
Filesize
132KB

MD5
800bf6030c855beff04c828405712a71

SHA1
3ace3a76b0d05e3667568997a73ce1264a25fb93

SHA256
15d996fe436dc316a84767c8672e8164706d44468381eda35988ea4ebee9deb1

SHA512
1731114cecbc465b0365d6a1f8f4afc918cd7aa401241f844efbbf3219f54505e1eca53d70d88620c199abbca377e87636666cae608d6cb77fca66bf0d767669

Download Submit
C:\Users\Admin\AppData\Roaming\Wikimedia\wiki.exe
Filesize
132KB

MD5
800bf6030c855beff04c828405712a71

SHA1
3ace3a76b0d05e3667568997a73ce1264a25fb93

SHA256
15d996fe436dc316a84767c8672e8164706d44468381eda35988ea4ebee9deb1

SHA512
1731114cecbc465b0365d6a1f8f4afc918cd7aa401241f844efbbf3219f54505e1eca53d70d88620c199abbca377e87636666cae608d6cb77fca66bf0d767669

Download Submit
memory/2480-134-0x0000000002140000-0x0000000002155000-memory.dmp

Filesize
84KB

Download
memory/3872-139-0x0000000000000000-mapping.dmp

Download
memory/3872-146-0x0000000002150000-0x0000000002165000-memory.dmp

Filesize
84KB

Download
memory/4276-138-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4276-142-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4276-136-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4276-135-0x0000000000000000-mapping.dmp

Download
memory/4940-147-0x0000000000000000-mapping.dmp

Download
memory/4940-152-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4940-153-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads