netwire | e313677635e8643e5cd7acf796f7a421ece27283defcd4626bb37633923834c0

Analysis

max time kernel
136s
max time network
172s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
26-11-2022 08:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e313677635e8643e5cd7acf796f7a421ece27283defcd4626bb37633923834c0.exe
Size

81KB
MD5

bb847ec2f128d32e6a1d104d14f95631
SHA1

7a4a5945fac58cce7f201a4b0c99ed18359a98db
SHA256

e313677635e8643e5cd7acf796f7a421ece27283defcd4626bb37633923834c0
SHA512

5d239b9bd1cf263f9e30d960eb041f97be4476f13fb29a9fd7f233461057d1188e144a6b40cb2a040939b9cce8624eab95271f08ee0765661a13426c2f167160
SSDEEP

1536:UfKmS0thdvo9WduQ1zBBn4Nf5dxXDEPchDEBnR1xqQRAp2fAQ/UtCphk:UjS0thdvoaR05dxXDEPwDIn80Ap2XaoW

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Signatures

NetWire RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\Install\Host.exe	netwire
\Users\Admin\AppData\Roaming\Install\Host.exe	netwire
C:\Users\Admin\AppData\Roaming\Install\Host.exe	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 1 IoCs

Processes:

Host.exe

pid process

1900 Host.exe

pid	process
1900	Host.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Host.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4V7V64L3-IF25-U367-HLO5-5WHJX5QFN660}\StubPath = "\"C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe\""	Host.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4V7V64L3-IF25-U367-HLO5-5WHJX5QFN660}	Host.exe

Loads dropped DLL 2 IoCs

Processes:

e313677635e8643e5cd7acf796f7a421ece27283defcd4626bb37633923834c0.exe

pid	process
908	e313677635e8643e5cd7acf796f7a421ece27283defcd4626bb37633923834c0.exe
908	e313677635e8643e5cd7acf796f7a421ece27283defcd4626bb37633923834c0.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Host.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	Host.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\NetWire = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe"	Host.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

e313677635e8643e5cd7acf796f7a421ece27283defcd4626bb37633923834c0.exe

description	pid	process	target process
PID 908 wrote to memory of 1900	908	e313677635e8643e5cd7acf796f7a421ece27283defcd4626bb37633923834c0.exe	Host.exe
PID 908 wrote to memory of 1900	908	e313677635e8643e5cd7acf796f7a421ece27283defcd4626bb37633923834c0.exe	Host.exe
PID 908 wrote to memory of 1900	908	e313677635e8643e5cd7acf796f7a421ece27283defcd4626bb37633923834c0.exe	Host.exe
PID 908 wrote to memory of 1900	908	e313677635e8643e5cd7acf796f7a421ece27283defcd4626bb37633923834c0.exe	Host.exe

C:\Users\Admin\AppData\Local\Temp\e313677635e8643e5cd7acf796f7a421ece27283defcd4626bb37633923834c0.exe
"C:\Users\Admin\AppData\Local\Temp\e313677635e8643e5cd7acf796f7a421ece27283defcd4626bb37633923834c0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:908

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
2⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
PID:1900

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
81KB

MD5
bb847ec2f128d32e6a1d104d14f95631

SHA1
7a4a5945fac58cce7f201a4b0c99ed18359a98db

SHA256
e313677635e8643e5cd7acf796f7a421ece27283defcd4626bb37633923834c0

SHA512
5d239b9bd1cf263f9e30d960eb041f97be4476f13fb29a9fd7f233461057d1188e144a6b40cb2a040939b9cce8624eab95271f08ee0765661a13426c2f167160

Download Submit
\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
81KB

MD5
bb847ec2f128d32e6a1d104d14f95631

SHA1
7a4a5945fac58cce7f201a4b0c99ed18359a98db

SHA256
e313677635e8643e5cd7acf796f7a421ece27283defcd4626bb37633923834c0

SHA512
5d239b9bd1cf263f9e30d960eb041f97be4476f13fb29a9fd7f233461057d1188e144a6b40cb2a040939b9cce8624eab95271f08ee0765661a13426c2f167160

Download Submit
\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
81KB

MD5
bb847ec2f128d32e6a1d104d14f95631

SHA1
7a4a5945fac58cce7f201a4b0c99ed18359a98db

SHA256
e313677635e8643e5cd7acf796f7a421ece27283defcd4626bb37633923834c0

SHA512
5d239b9bd1cf263f9e30d960eb041f97be4476f13fb29a9fd7f233461057d1188e144a6b40cb2a040939b9cce8624eab95271f08ee0765661a13426c2f167160

Download Submit
memory/908-54-0x0000000075131000-0x0000000075133000-memory.dmp

Filesize
8KB

Download
memory/1900-57-0x0000000000000000-mapping.dmp

Download