netwire | 4a3aa9b1e2726f3f1144f06f6e131c4e39c5590291a3170f2fe4d9ea5d00c2d9

Analysis

max time kernel
190s
max time network
239s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
27-11-2022 01:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4a3aa9b1e2726f3f1144f06f6e131c4e39c5590291a3170f2fe4d9ea5d00c2d9.exe
Size

186KB
MD5

4b68747b9d04586c3e10f451d808a664
SHA1

beac728ebe6b4ed983035c0bd195c92010676b6b
SHA256

4a3aa9b1e2726f3f1144f06f6e131c4e39c5590291a3170f2fe4d9ea5d00c2d9
SHA512

dc6a3aa09206849b7c33b38bcb42bcbdc7a3f4ebb2f3fbecd7be9f52861daf08a74313e13a0ea36cf0abd58126fb5ed1fb125d48fac03280bd2c68384809dbe0
SSDEEP

3072:mAsj8MBX8s0oXJUqmBF36Z3xOaWgvNlsGPewZOwLEpyLVd+nMxyKvCxOyxUvVlUH:mAsBZiqmj6uyvnsGP8TpsCFUv6QL/3RG

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Signatures

NetWire RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2856-134-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral2/memory/2856-136-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral2/memory/2856-137-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral2/memory/2560-153-0x0000000000400000-0x000000000041E000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

update.exeupdate.exe

pid process

3616 update.exe
2560 update.exe

pid	process
3616	update.exe
2560	update.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

update.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{NI00PYXL-L032-G3QF-CUJS-F3HQ77458348}	update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{NI00PYXL-L032-G3QF-CUJS-F3HQ77458348}\StubPath = "\"C:\\Users\\Admin\\AppData\\Roaming\\update\\update.exe\""	update.exe

Loads dropped DLL 2 IoCs

Processes:

4a3aa9b1e2726f3f1144f06f6e131c4e39c5590291a3170f2fe4d9ea5d00c2d9.exeupdate.exe

pid process

3500 4a3aa9b1e2726f3f1144f06f6e131c4e39c5590291a3170f2fe4d9ea5d00c2d9.exe
3616 update.exe

pid	process
3500	4a3aa9b1e2726f3f1144f06f6e131c4e39c5590291a3170f2fe4d9ea5d00c2d9.exe
3616	update.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

update.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "C:\\Users\\Admin\\AppData\\Roaming\\update\\update.exe"	update.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

4a3aa9b1e2726f3f1144f06f6e131c4e39c5590291a3170f2fe4d9ea5d00c2d9.exeupdate.exe

description	pid	process	target process
PID 3500 set thread context of 2856	3500	4a3aa9b1e2726f3f1144f06f6e131c4e39c5590291a3170f2fe4d9ea5d00c2d9.exe	4a3aa9b1e2726f3f1144f06f6e131c4e39c5590291a3170f2fe4d9ea5d00c2d9.exe
PID 3616 set thread context of 2560	3616	update.exe	update.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 6 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\update\update.exe	nsis_installer_1
C:\Users\Admin\AppData\Roaming\update\update.exe	nsis_installer_2
C:\Users\Admin\AppData\Roaming\update\update.exe	nsis_installer_1
C:\Users\Admin\AppData\Roaming\update\update.exe	nsis_installer_2
C:\Users\Admin\AppData\Roaming\update\update.exe	nsis_installer_1
C:\Users\Admin\AppData\Roaming\update\update.exe	nsis_installer_2

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

4a3aa9b1e2726f3f1144f06f6e131c4e39c5590291a3170f2fe4d9ea5d00c2d9.exe4a3aa9b1e2726f3f1144f06f6e131c4e39c5590291a3170f2fe4d9ea5d00c2d9.exeupdate.exe

description	pid	process	target process
PID 3500 wrote to memory of 2856	3500	4a3aa9b1e2726f3f1144f06f6e131c4e39c5590291a3170f2fe4d9ea5d00c2d9.exe	4a3aa9b1e2726f3f1144f06f6e131c4e39c5590291a3170f2fe4d9ea5d00c2d9.exe
PID 3500 wrote to memory of 2856	3500	4a3aa9b1e2726f3f1144f06f6e131c4e39c5590291a3170f2fe4d9ea5d00c2d9.exe	4a3aa9b1e2726f3f1144f06f6e131c4e39c5590291a3170f2fe4d9ea5d00c2d9.exe
PID 3500 wrote to memory of 2856	3500	4a3aa9b1e2726f3f1144f06f6e131c4e39c5590291a3170f2fe4d9ea5d00c2d9.exe	4a3aa9b1e2726f3f1144f06f6e131c4e39c5590291a3170f2fe4d9ea5d00c2d9.exe
PID 3500 wrote to memory of 2856	3500	4a3aa9b1e2726f3f1144f06f6e131c4e39c5590291a3170f2fe4d9ea5d00c2d9.exe	4a3aa9b1e2726f3f1144f06f6e131c4e39c5590291a3170f2fe4d9ea5d00c2d9.exe
PID 3500 wrote to memory of 2856	3500	4a3aa9b1e2726f3f1144f06f6e131c4e39c5590291a3170f2fe4d9ea5d00c2d9.exe	4a3aa9b1e2726f3f1144f06f6e131c4e39c5590291a3170f2fe4d9ea5d00c2d9.exe
PID 3500 wrote to memory of 2856	3500	4a3aa9b1e2726f3f1144f06f6e131c4e39c5590291a3170f2fe4d9ea5d00c2d9.exe	4a3aa9b1e2726f3f1144f06f6e131c4e39c5590291a3170f2fe4d9ea5d00c2d9.exe
PID 3500 wrote to memory of 2856	3500	4a3aa9b1e2726f3f1144f06f6e131c4e39c5590291a3170f2fe4d9ea5d00c2d9.exe	4a3aa9b1e2726f3f1144f06f6e131c4e39c5590291a3170f2fe4d9ea5d00c2d9.exe
PID 3500 wrote to memory of 2856	3500	4a3aa9b1e2726f3f1144f06f6e131c4e39c5590291a3170f2fe4d9ea5d00c2d9.exe	4a3aa9b1e2726f3f1144f06f6e131c4e39c5590291a3170f2fe4d9ea5d00c2d9.exe
PID 3500 wrote to memory of 2856	3500	4a3aa9b1e2726f3f1144f06f6e131c4e39c5590291a3170f2fe4d9ea5d00c2d9.exe	4a3aa9b1e2726f3f1144f06f6e131c4e39c5590291a3170f2fe4d9ea5d00c2d9.exe
PID 2856 wrote to memory of 3616	2856	4a3aa9b1e2726f3f1144f06f6e131c4e39c5590291a3170f2fe4d9ea5d00c2d9.exe	update.exe
PID 2856 wrote to memory of 3616	2856	4a3aa9b1e2726f3f1144f06f6e131c4e39c5590291a3170f2fe4d9ea5d00c2d9.exe	update.exe
PID 2856 wrote to memory of 3616	2856	4a3aa9b1e2726f3f1144f06f6e131c4e39c5590291a3170f2fe4d9ea5d00c2d9.exe	update.exe
PID 3616 wrote to memory of 2560	3616	update.exe	update.exe
PID 3616 wrote to memory of 2560	3616	update.exe	update.exe
PID 3616 wrote to memory of 2560	3616	update.exe	update.exe
PID 3616 wrote to memory of 2560	3616	update.exe	update.exe
PID 3616 wrote to memory of 2560	3616	update.exe	update.exe
PID 3616 wrote to memory of 2560	3616	update.exe	update.exe
PID 3616 wrote to memory of 2560	3616	update.exe	update.exe
PID 3616 wrote to memory of 2560	3616	update.exe	update.exe
PID 3616 wrote to memory of 2560	3616	update.exe	update.exe

C:\Users\Admin\AppData\Local\Temp\4a3aa9b1e2726f3f1144f06f6e131c4e39c5590291a3170f2fe4d9ea5d00c2d9.exe
"C:\Users\Admin\AppData\Local\Temp\4a3aa9b1e2726f3f1144f06f6e131c4e39c5590291a3170f2fe4d9ea5d00c2d9.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3500

C:\Users\Admin\AppData\Local\Temp\4a3aa9b1e2726f3f1144f06f6e131c4e39c5590291a3170f2fe4d9ea5d00c2d9.exe
"C:\Users\Admin\AppData\Local\Temp\4a3aa9b1e2726f3f1144f06f6e131c4e39c5590291a3170f2fe4d9ea5d00c2d9.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2856

C:\Users\Admin\AppData\Roaming\update\update.exe
"C:\Users\Admin\AppData\Roaming\update\update.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3616

C:\Users\Admin\AppData\Roaming\update\update.exe
"C:\Users\Admin\AppData\Roaming\update\update.exe"
4⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
PID:2560

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\04-kings_of_leon-mary.mp3
Filesize
84KB

MD5
8d1985749781012b1165682f983f1762

SHA1
732e0db6e137319845c1efd6c245c0e4a9d1dc39

SHA256
5691fcfca836792d5a08f1a692f7495c2db0a71f5a027e611da262df95d46717

SHA512
ca895d789b0f140873cf74f83ae60bacf3283b11dd39ce5938459937099d6e32e4fecd1d1832c55d14c53805bae9d06ec1e7cf3567e1638394e132a07b0b23c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\160x160_auction_tray.jpg
Filesize
15KB

MD5
737fa501fbc01a3bc35fe75d141ec99c

SHA1
7461c993641d26aa81da54e3e5cca6f7d6924e66

SHA256
57181e5c6d74bc48f16ba728b771fc43aca2248d0d2c4d9a672eff222602e8b3

SHA512
b38a5fa3532a54f16c5a85ca31fb58dd7c790c242108009a400ae2096756e1f0c2d7afdd21e6f77af759e1d4620105861517bb355b6ebbd6d3b7a8b119328e07

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd56f6cb40b1e9b3220a0979aded28f1.cf.jpg
Filesize
3KB

MD5
76c42a48fa55bcdd8bc6e51fa9d79f4a

SHA1
b991129f1e70faeb4f341e0da0b619b38f47565f

SHA256
ff5f3818455df7b9c09ef5346cbf47295a8733efcb7994fc8874fe8f9d3c09e2

SHA512
6781a2ce09a011daa6599ccbfe8a1bbce55509ca6080d3a5ea2cdfdfaae04b69c3117d7a7c228ada0aacacd1603f697b35e3b082b9e7d4a6176f47ee6e68ac22

Download Submit
C:\Users\Admin\AppData\Local\Temp\default(1).jpg
Filesize
4KB

MD5
60056056fdb7d49fe22788b925ed0543

SHA1
65a5267d41e9a60bab88a44443befde816c3b0e9

SHA256
e661747f7a760454df03efbb1f66a86956a2283bf87f67c1d2630dd800e30311

SHA512
51b363df01a1418b4dea73984b93302cbd9ef7aaea62cfb44fc128eefabfe6ab9081cdaca4594aa61003e938dcaf0ce419e71393335334ebfbde8ff090031af4

Download Submit
C:\Users\Admin\AppData\Local\Temp\heap.js
Filesize
13KB

MD5
40bf6fb2de67413254a3aa16331ce8c9

SHA1
a0e3f7be0b96ccc3ac50478007f7c6c5698bb68d

SHA256
a00c9b4e895e35d6d959ebba3ed91018baa3428da5855f342459b34ee83d6d35

SHA512
fd2192d5a9e70d1c3411d6c35da10b8ddd71860ffffe195e67942047f84f32e24ef085b3c5177b3fc3608632d78e2f1b96374e60a363e3e88b319a8d3eaabad4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiCE9C.tmp\geophagists.dll
Filesize
74KB

MD5
ac1ad2137ed977eae5beb9e98e57c357

SHA1
e6cd354e111823e5b25634ad9ee7b180e5256dba

SHA256
e349854af4dd7e2d457218e728e2d0a112445bb3d1d2a2d8081b75962de0d6b3

SHA512
93f7ac81b3aaf973e9448abefc6032423950b89dc97741074a5a239dee149e32835094f452b7998c00ca8f6e902e2f393da89f895371dbd4d71b5c233d9a22e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslADC1.tmp\geophagists.dll
Filesize
74KB

MD5
ac1ad2137ed977eae5beb9e98e57c357

SHA1
e6cd354e111823e5b25634ad9ee7b180e5256dba

SHA256
e349854af4dd7e2d457218e728e2d0a112445bb3d1d2a2d8081b75962de0d6b3

SHA512
93f7ac81b3aaf973e9448abefc6032423950b89dc97741074a5a239dee149e32835094f452b7998c00ca8f6e902e2f393da89f895371dbd4d71b5c233d9a22e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\yauijowiyu1ionaiu
Filesize
400B

MD5
9dd0b8915887ac8d45f86f7c184c786b

SHA1
9076429fcd02a932d108c2bab39bcdda893b65bd

SHA256
b073db3dcb3944a629acf612e42ca7bbd4ef859dfdd43dcee002086f011dd343

SHA512
182b4571e239f0a1d120d6f871cedea36977c913e1b8a59ce5b4bdf6b3f863c7a93a005b5ae98f245f5ec4a462a8c1dc64fccf03ed5a72ffd52874c2314fe1a0

Download Submit
C:\Users\Admin\AppData\Roaming\update\update.exe
Filesize
186KB

MD5
4b68747b9d04586c3e10f451d808a664

SHA1
beac728ebe6b4ed983035c0bd195c92010676b6b

SHA256
4a3aa9b1e2726f3f1144f06f6e131c4e39c5590291a3170f2fe4d9ea5d00c2d9

SHA512
dc6a3aa09206849b7c33b38bcb42bcbdc7a3f4ebb2f3fbecd7be9f52861daf08a74313e13a0ea36cf0abd58126fb5ed1fb125d48fac03280bd2c68384809dbe0

Download Submit
C:\Users\Admin\AppData\Roaming\update\update.exe
Filesize
186KB

MD5
4b68747b9d04586c3e10f451d808a664

SHA1
beac728ebe6b4ed983035c0bd195c92010676b6b

SHA256
4a3aa9b1e2726f3f1144f06f6e131c4e39c5590291a3170f2fe4d9ea5d00c2d9

SHA512
dc6a3aa09206849b7c33b38bcb42bcbdc7a3f4ebb2f3fbecd7be9f52861daf08a74313e13a0ea36cf0abd58126fb5ed1fb125d48fac03280bd2c68384809dbe0

Download Submit
C:\Users\Admin\AppData\Roaming\update\update.exe
Filesize
186KB

MD5
4b68747b9d04586c3e10f451d808a664

SHA1
beac728ebe6b4ed983035c0bd195c92010676b6b

SHA256
4a3aa9b1e2726f3f1144f06f6e131c4e39c5590291a3170f2fe4d9ea5d00c2d9

SHA512
dc6a3aa09206849b7c33b38bcb42bcbdc7a3f4ebb2f3fbecd7be9f52861daf08a74313e13a0ea36cf0abd58126fb5ed1fb125d48fac03280bd2c68384809dbe0

Download Submit
memory/2560-148-0x0000000000000000-mapping.dmp

Download
memory/2560-153-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2856-133-0x0000000000000000-mapping.dmp

Download
memory/2856-136-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2856-134-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2856-137-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3616-138-0x0000000000000000-mapping.dmp

Download