netwire | 448ad90bea1254e5759445568842b73ea15c18385abcfd53a85fcdf4afa90596

General

Target

448ad90bea1254e5759445568842b73ea15c18385abcfd53a85fcdf4afa90596.exe
Size

973KB
MD5

02e2a53027968cb04ed45cbc0c77ba27
SHA1

bf08129c289b00c9e84722071eb191de9e44071e
SHA256

448ad90bea1254e5759445568842b73ea15c18385abcfd53a85fcdf4afa90596
SHA512

a3eb3287285fa353e334b0105327250300a2219c727153fc703e6ac5d41ea3e087ed4432aff5694661aa08ce29d0b208f9091c435ea12fc3698e27bf10229cbd
SSDEEP

12288:lK2mhAMJ/cPlopNHvo8h7UZYE82Y5UKUL4n4y3Xp3SbSlDCnj:k2O/GlopNHv/7g6zwm4m53Sb2Dwj

Score

10^/10

netwire botnet evasion persistence rat stealer trojan

Malware Config

Signatures

NetWire RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1324-67-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/1324-68-0x0000000000402196-mapping.dmp	netwire
behavioral1/memory/1324-71-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/1324-73-0x0000000000400000-0x000000000041E000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 1 IoCs

Processes:

jqupjn.exe

pid process

1928 jqupjn.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RegSvcs.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y5D3T3W7-WEL0-NLI7-04U6-RM20T1YFDIN0}	RegSvcs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y5D3T3W7-WEL0-NLI7-04U6-RM20T1YFDIN0}\StubPath = "\"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe\""	RegSvcs.exe

Loads dropped DLL 4 IoCs

Processes:

448ad90bea1254e5759445568842b73ea15c18385abcfd53a85fcdf4afa90596.exe

pid	process
240	448ad90bea1254e5759445568842b73ea15c18385abcfd53a85fcdf4afa90596.exe
240	448ad90bea1254e5759445568842b73ea15c18385abcfd53a85fcdf4afa90596.exe
240	448ad90bea1254e5759445568842b73ea15c18385abcfd53a85fcdf4afa90596.exe
240	448ad90bea1254e5759445568842b73ea15c18385abcfd53a85fcdf4afa90596.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

jqupjn.exeRegSvcs.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	jqupjn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\C:\Users\Admin\OH9Z1V~1 = "C:\\Users\\Admin\\OH9Z1V~1\\pmxizkozmsc.vbs"	jqupjn.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RUN	jqupjn.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	jqupjn.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RUN	jqupjn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	jqupjn.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	RegSvcs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\NetWire = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe"	RegSvcs.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

jqupjn.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA jqupjn.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

jqupjn.exe

description pid process target process

PID 1928 set thread context of 1324 1928 jqupjn.exe RegSvcs.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jqupjn.exe

description	pid	process	target process
PID 1928 set thread context of 1324	1928	jqupjn.exe	RegSvcs.exe

Drops file in Windows directory 2 IoCs

Processes:

RegSvcs.exe

description	ioc	process
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\.Identifier	RegSvcs.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\.Identifier	RegSvcs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

jqupjn.exe

pid	process
1928	jqupjn.exe
1928	jqupjn.exe
1928	jqupjn.exe
1928	jqupjn.exe
1928	jqupjn.exe
1928	jqupjn.exe
1928	jqupjn.exe
1928	jqupjn.exe
1928	jqupjn.exe
1928	jqupjn.exe
1928	jqupjn.exe
1928	jqupjn.exe
1928	jqupjn.exe
1928	jqupjn.exe
1928	jqupjn.exe
1928	jqupjn.exe
1928	jqupjn.exe
1928	jqupjn.exe
1928	jqupjn.exe
1928	jqupjn.exe
1928	jqupjn.exe
1928	jqupjn.exe
1928	jqupjn.exe
1928	jqupjn.exe
1928	jqupjn.exe
1928	jqupjn.exe
1928	jqupjn.exe
1928	jqupjn.exe
1928	jqupjn.exe
1928	jqupjn.exe
1928	jqupjn.exe
1928	jqupjn.exe
1928	jqupjn.exe
1928	jqupjn.exe
1928	jqupjn.exe
1928	jqupjn.exe
1928	jqupjn.exe
1928	jqupjn.exe
1928	jqupjn.exe
1928	jqupjn.exe
1928	jqupjn.exe
1928	jqupjn.exe
1928	jqupjn.exe
1928	jqupjn.exe
1928	jqupjn.exe
1928	jqupjn.exe
1928	jqupjn.exe
1928	jqupjn.exe
1928	jqupjn.exe
1928	jqupjn.exe
1928	jqupjn.exe
1928	jqupjn.exe
1928	jqupjn.exe
1928	jqupjn.exe
1928	jqupjn.exe
1928	jqupjn.exe
1928	jqupjn.exe
1928	jqupjn.exe
1928	jqupjn.exe
1928	jqupjn.exe
1928	jqupjn.exe
1928	jqupjn.exe
1928	jqupjn.exe
1928	jqupjn.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

448ad90bea1254e5759445568842b73ea15c18385abcfd53a85fcdf4afa90596.exejqupjn.exe

description	pid	process	target process
PID 240 wrote to memory of 1928	240	448ad90bea1254e5759445568842b73ea15c18385abcfd53a85fcdf4afa90596.exe	jqupjn.exe
PID 240 wrote to memory of 1928	240	448ad90bea1254e5759445568842b73ea15c18385abcfd53a85fcdf4afa90596.exe	jqupjn.exe
PID 240 wrote to memory of 1928	240	448ad90bea1254e5759445568842b73ea15c18385abcfd53a85fcdf4afa90596.exe	jqupjn.exe
PID 240 wrote to memory of 1928	240	448ad90bea1254e5759445568842b73ea15c18385abcfd53a85fcdf4afa90596.exe	jqupjn.exe
PID 240 wrote to memory of 1928	240	448ad90bea1254e5759445568842b73ea15c18385abcfd53a85fcdf4afa90596.exe	jqupjn.exe
PID 240 wrote to memory of 1928	240	448ad90bea1254e5759445568842b73ea15c18385abcfd53a85fcdf4afa90596.exe	jqupjn.exe
PID 240 wrote to memory of 1928	240	448ad90bea1254e5759445568842b73ea15c18385abcfd53a85fcdf4afa90596.exe	jqupjn.exe
PID 1928 wrote to memory of 1324	1928	jqupjn.exe	RegSvcs.exe
PID 1928 wrote to memory of 1324	1928	jqupjn.exe	RegSvcs.exe
PID 1928 wrote to memory of 1324	1928	jqupjn.exe	RegSvcs.exe
PID 1928 wrote to memory of 1324	1928	jqupjn.exe	RegSvcs.exe
PID 1928 wrote to memory of 1324	1928	jqupjn.exe	RegSvcs.exe
PID 1928 wrote to memory of 1324	1928	jqupjn.exe	RegSvcs.exe
PID 1928 wrote to memory of 1324	1928	jqupjn.exe	RegSvcs.exe
PID 1928 wrote to memory of 1324	1928	jqupjn.exe	RegSvcs.exe
PID 1928 wrote to memory of 1324	1928	jqupjn.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\448ad90bea1254e5759445568842b73ea15c18385abcfd53a85fcdf4afa90596.exe
"C:\Users\Admin\AppData\Local\Temp\448ad90bea1254e5759445568842b73ea15c18385abcfd53a85fcdf4afa90596.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:240

C:\Users\Admin\oh9z1vv32772i\jqupjn.exe
"C:\Users\Admin\oh9z1vv32772i\jqupjn.exe" kqlfqsuvnoil
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1928

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
- Modifies Installed Components in the registry
- Adds Run key to start application
- Drops file in Windows directory
PID:1324

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\OH9Z1V~1\kawe.UYJ

Filesize
81KB

MD5
15c6d858c874152a8866644826b4e620

SHA1
d71924a5f93df862656b3fe2a4275caf212f0b7f

SHA256
538c983ae8af5ef1b7fe1b5dc50c8a3321bc310a058f05944c322ec3b0e2f417

SHA512
419584f15f886c9406160e4177af7973a96e402fef30abc7a461f392573f3f680def906d00cfa0003ebe0ea4b87af509dc55ffd67e85fa1abac459874f8bd9bb

Download Submit
C:\Users\Admin\OH9Z1V~1\zvsbyzhb.LPW

Filesize
146B

MD5
fdf32a0a0b1f67838cfc15520531f23d

SHA1
5f9488b8546a4c82f602749698d6d91391a84720

SHA256
0d82cbe8347654a8186e803270279c96948a0fe281563aa7f897d58b68b33e9d

SHA512
f398dfe9b09ae29f23db87327a6c5f1fbac4c02efd15c9f88d913bb7c4613f59bfbc8154dddf0e58ecd9222a0e9f851f6f550194b81a4969e9e4c455974c88cd

Download Submit
C:\Users\Admin\oh9z1vv32772i\jqupjn.exe

Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
C:\Users\Admin\oh9z1vv32772i\kqlfqsuvnoil

Filesize
646.7MB

MD5
9086db7a54ae22dc3afd391a226f3c82

SHA1
58708c77cd5f5efd33495d00fd83d3d8507210ad

SHA256
b483de9afeef46550d238fb854e1b747bf69bdf7f1a48d098d3662d1f5906162

SHA512
d4304853e6efdb33a08f8e1dff962c17445bed08e971fc030fd798fa90af010cfba22e80b35471e11b96a2424ef8fa909d8937e00c61c856fe7e9c497153dd08

Download Submit
\Users\Admin\oh9z1vv32772i\jqupjn.exe

Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
\Users\Admin\oh9z1vv32772i\jqupjn.exe

Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
\Users\Admin\oh9z1vv32772i\jqupjn.exe

Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
\Users\Admin\oh9z1vv32772i\jqupjn.exe

Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
memory/240-54-0x0000000075DA1000-0x0000000075DA3000-memory.dmp

Filesize
8KB

Download
memory/1324-67-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1324-65-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1324-68-0x0000000000402196-mapping.dmp

Download
memory/1324-71-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1324-73-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1928-59-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads