netwire | 10b80ff72381df336d3933cd4506c4d83cce6dc191474aa5a3daf858edc06239

Analysis

max time kernel
141s
max time network
174s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2022 07:21

Target

10b80ff72381df336d3933cd4506c4d83cce6dc191474aa5a3daf858edc06239.exe
Size

132KB
MD5

866cc1dddb4bedb96cf7c36634e7aab6
SHA1

ad5af987f08a013c47735ba5ed384ab8d346e5e4
SHA256

10b80ff72381df336d3933cd4506c4d83cce6dc191474aa5a3daf858edc06239
SHA512

b9b1da4e21d3676d1c4c0785bff7d907997b80445c6a13c1520ba4f0faedcd0468b09128119ccfa577193d7083bd446fb9afa4e7e225efbfec013fdbf394d32d
SSDEEP

3072:BT66HrEhPiRKlU+I/QU5lBiX58nHue9dh6mdao2y:M+Eh60lvQhoErdcmdt2

Score

10^/10

NetWire RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3616-135-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral2/memory/3616-137-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral2/memory/3616-138-0x0000000000400000-0x000000000041E000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Suspicious use of SetThreadContext 1 IoCs

Processes:

10b80ff72381df336d3933cd4506c4d83cce6dc191474aa5a3daf858edc06239.exe

description	pid	process	target process
PID 404 set thread context of 3616	404	10b80ff72381df336d3933cd4506c4d83cce6dc191474aa5a3daf858edc06239.exe	10b80ff72381df336d3933cd4506c4d83cce6dc191474aa5a3daf858edc06239.exe

Drops file in Windows directory 2 IoCs

Processes:

10b80ff72381df336d3933cd4506c4d83cce6dc191474aa5a3daf858edc06239.exe

description	ioc	process
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new	10b80ff72381df336d3933cd4506c4d83cce6dc191474aa5a3daf858edc06239.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new	10b80ff72381df336d3933cd4506c4d83cce6dc191474aa5a3daf858edc06239.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

10b80ff72381df336d3933cd4506c4d83cce6dc191474aa5a3daf858edc06239.exe

description	pid	process	target process
PID 404 wrote to memory of 3616	404	10b80ff72381df336d3933cd4506c4d83cce6dc191474aa5a3daf858edc06239.exe	10b80ff72381df336d3933cd4506c4d83cce6dc191474aa5a3daf858edc06239.exe
PID 404 wrote to memory of 3616	404	10b80ff72381df336d3933cd4506c4d83cce6dc191474aa5a3daf858edc06239.exe	10b80ff72381df336d3933cd4506c4d83cce6dc191474aa5a3daf858edc06239.exe
PID 404 wrote to memory of 3616	404	10b80ff72381df336d3933cd4506c4d83cce6dc191474aa5a3daf858edc06239.exe	10b80ff72381df336d3933cd4506c4d83cce6dc191474aa5a3daf858edc06239.exe
PID 404 wrote to memory of 3616	404	10b80ff72381df336d3933cd4506c4d83cce6dc191474aa5a3daf858edc06239.exe	10b80ff72381df336d3933cd4506c4d83cce6dc191474aa5a3daf858edc06239.exe
PID 404 wrote to memory of 3616	404	10b80ff72381df336d3933cd4506c4d83cce6dc191474aa5a3daf858edc06239.exe	10b80ff72381df336d3933cd4506c4d83cce6dc191474aa5a3daf858edc06239.exe
PID 404 wrote to memory of 3616	404	10b80ff72381df336d3933cd4506c4d83cce6dc191474aa5a3daf858edc06239.exe	10b80ff72381df336d3933cd4506c4d83cce6dc191474aa5a3daf858edc06239.exe
PID 404 wrote to memory of 3616	404	10b80ff72381df336d3933cd4506c4d83cce6dc191474aa5a3daf858edc06239.exe	10b80ff72381df336d3933cd4506c4d83cce6dc191474aa5a3daf858edc06239.exe
PID 404 wrote to memory of 3616	404	10b80ff72381df336d3933cd4506c4d83cce6dc191474aa5a3daf858edc06239.exe	10b80ff72381df336d3933cd4506c4d83cce6dc191474aa5a3daf858edc06239.exe

C:\Users\Admin\AppData\Local\Temp\10b80ff72381df336d3933cd4506c4d83cce6dc191474aa5a3daf858edc06239.exe
"C:\Users\Admin\AppData\Local\Temp\10b80ff72381df336d3933cd4506c4d83cce6dc191474aa5a3daf858edc06239.exe"
2⤵
PID:3616

memory/404-132-0x0000000075270000-0x0000000075821000-memory.dmp

Filesize
5.7MB

Download
memory/404-133-0x0000000075270000-0x0000000075821000-memory.dmp

Filesize
5.7MB

Download
memory/404-139-0x0000000075270000-0x0000000075821000-memory.dmp

Filesize
5.7MB

Download
memory/3616-134-0x0000000000000000-mapping.dmp

Download
memory/3616-135-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3616-137-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3616-138-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download