netwire | 169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b

General

Target

169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe
Size

344KB
MD5

9f58ab1ff6fffcd9ebc688400caebb43
SHA1

4d13349bc26eeeda8dd10df5c69afbf5c415776d
SHA256

169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b
SHA512

cce5e3156b8164bbd1ae5f35759f6e3aeb3766a7dcde8b026a0b8ed8140f1ffd777444d2942f856d5d255b7298671c575e6135633eaba37a698b39063f0d242c
SSDEEP

3072:2c0acFibrRuC1OdlyKm9LDKElxLwYnMc1BVrox006FGchraTfvTdr9gpu7GCpuT8:2JlX8LD3scjnkGObTdJoC0l

Score

10^/10

netwire botnet rat stealer

Malware Config

Signatures

NetWire RAT payload 8 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1300-63-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/1300-65-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/1300-66-0x0000000000402196-mapping.dmp	netwire
behavioral1/memory/1300-69-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/1300-75-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/1528-97-0x0000000000402196-mapping.dmp	netwire
behavioral1/memory/1528-102-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/1528-105-0x0000000000400000-0x000000000041E000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 3 IoCs

Processes:

AppMgmt.exehkmsvc.exeAppMgmt.exe

pid process

568 AppMgmt.exe
1784 hkmsvc.exe
1156 AppMgmt.exe
Loads dropped DLL 2 IoCs

Processes:

169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exeAppMgmt.exe

pid process

1324 169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe
568 AppMgmt.exe

pid	process
568	AppMgmt.exe
1784	hkmsvc.exe
1156	AppMgmt.exe

Drops file in System32 directory 3 IoCs

Processes:

svchost.exesvchost.exe

description	ioc	process
File created	C:\Windows\SysWOW64\.Identifier	svchost.exe
File opened for modification	C:\Windows\SysWOW64\.Identifier	svchost.exe
File opened for modification	C:\Windows\SysWOW64\.Identifier	svchost.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exehkmsvc.exe

description	pid	process	target process
PID 1324 set thread context of 1300	1324	169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe	svchost.exe
PID 1784 set thread context of 1528	1784	hkmsvc.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exeAppMgmt.exehkmsvc.exeAppMgmt.exe

pid	process
1324	169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe
1324	169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe
1324	169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe
1324	169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe
568	AppMgmt.exe
1324	169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe
1324	169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe
1324	169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe
1324	169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe
1324	169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe
1324	169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe
1784	hkmsvc.exe
1324	169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe
1784	hkmsvc.exe
1156	AppMgmt.exe
1324	169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe
1784	hkmsvc.exe
1156	AppMgmt.exe
1324	169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe
1784	hkmsvc.exe
1156	AppMgmt.exe
1324	169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe
1784	hkmsvc.exe
1156	AppMgmt.exe
1324	169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe
1784	hkmsvc.exe
1156	AppMgmt.exe
1324	169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe
1784	hkmsvc.exe
1156	AppMgmt.exe
1324	169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe
1784	hkmsvc.exe
1156	AppMgmt.exe
1324	169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe
1784	hkmsvc.exe
1156	AppMgmt.exe
1324	169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe
1784	hkmsvc.exe
1156	AppMgmt.exe
1324	169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe
1784	hkmsvc.exe
1156	AppMgmt.exe
1324	169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe
1784	hkmsvc.exe
1156	AppMgmt.exe
1324	169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe
1784	hkmsvc.exe
1156	AppMgmt.exe
1324	169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe
1784	hkmsvc.exe
1156	AppMgmt.exe
1324	169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe
1784	hkmsvc.exe
1156	AppMgmt.exe
1324	169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe
1784	hkmsvc.exe
1156	AppMgmt.exe
1324	169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe
1784	hkmsvc.exe
1156	AppMgmt.exe
1324	169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe
1784	hkmsvc.exe
1156	AppMgmt.exe
1324	169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exeAppMgmt.exehkmsvc.exeAppMgmt.exe

description	pid	process
Token: SeDebugPrivilege	1324	169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe
Token: SeDebugPrivilege	568	AppMgmt.exe
Token: SeDebugPrivilege	1784	hkmsvc.exe
Token: SeDebugPrivilege	1156	AppMgmt.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exeAppMgmt.exehkmsvc.exe

description	pid	process	target process
PID 1324 wrote to memory of 1300	1324	169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe	svchost.exe
PID 1324 wrote to memory of 1300	1324	169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe	svchost.exe
PID 1324 wrote to memory of 1300	1324	169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe	svchost.exe
PID 1324 wrote to memory of 1300	1324	169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe	svchost.exe
PID 1324 wrote to memory of 1300	1324	169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe	svchost.exe
PID 1324 wrote to memory of 1300	1324	169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe	svchost.exe
PID 1324 wrote to memory of 1300	1324	169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe	svchost.exe
PID 1324 wrote to memory of 1300	1324	169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe	svchost.exe
PID 1324 wrote to memory of 1300	1324	169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe	svchost.exe
PID 1324 wrote to memory of 568	1324	169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe	AppMgmt.exe
PID 1324 wrote to memory of 568	1324	169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe	AppMgmt.exe
PID 1324 wrote to memory of 568	1324	169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe	AppMgmt.exe
PID 1324 wrote to memory of 568	1324	169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe	AppMgmt.exe
PID 568 wrote to memory of 1784	568	AppMgmt.exe	hkmsvc.exe
PID 568 wrote to memory of 1784	568	AppMgmt.exe	hkmsvc.exe
PID 568 wrote to memory of 1784	568	AppMgmt.exe	hkmsvc.exe
PID 568 wrote to memory of 1784	568	AppMgmt.exe	hkmsvc.exe
PID 1324 wrote to memory of 1156	1324	169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe	AppMgmt.exe
PID 1324 wrote to memory of 1156	1324	169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe	AppMgmt.exe
PID 1324 wrote to memory of 1156	1324	169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe	AppMgmt.exe
PID 1324 wrote to memory of 1156	1324	169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe	AppMgmt.exe
PID 1784 wrote to memory of 1528	1784	hkmsvc.exe	svchost.exe
PID 1784 wrote to memory of 1528	1784	hkmsvc.exe	svchost.exe
PID 1784 wrote to memory of 1528	1784	hkmsvc.exe	svchost.exe
PID 1784 wrote to memory of 1528	1784	hkmsvc.exe	svchost.exe
PID 1784 wrote to memory of 1528	1784	hkmsvc.exe	svchost.exe
PID 1784 wrote to memory of 1528	1784	hkmsvc.exe	svchost.exe
PID 1784 wrote to memory of 1528	1784	hkmsvc.exe	svchost.exe
PID 1784 wrote to memory of 1528	1784	hkmsvc.exe	svchost.exe
PID 1784 wrote to memory of 1528	1784	hkmsvc.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe
"C:\Users\Admin\AppData\Local\Temp\169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1324

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\system32\svchost.exe"
2⤵
- Drops file in System32 directory
PID:1300

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgmt.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgmt.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:568

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hkmsvc.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hkmsvc.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1784

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\system32\svchost.exe"
4⤵
- Drops file in System32 directory
PID:1528

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgmt.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgmt.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1156

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgmt.exe
Filesize
11KB

MD5
767893283ac1bfe94e5a90eb058af81e

SHA1
84e06d1f09172a3e9e880843d4aaad9b3fb1fb9f

SHA256
a09c1d674cbe2b7383b9bf3a17b0ef9ea251e2f4dc8343cf8df78930b624f8f7

SHA512
a9be0214498ffc890d8272de8cf73d3d9b35eeb530dc5e9b34e4da62c3c1027a013c4a8512587e4e9c36f83b00eef7068a387bd748d7bf2c40ce8dc2aa89ac95

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgmt.exe
Filesize
11KB

MD5
767893283ac1bfe94e5a90eb058af81e

SHA1
84e06d1f09172a3e9e880843d4aaad9b3fb1fb9f

SHA256
a09c1d674cbe2b7383b9bf3a17b0ef9ea251e2f4dc8343cf8df78930b624f8f7

SHA512
a9be0214498ffc890d8272de8cf73d3d9b35eeb530dc5e9b34e4da62c3c1027a013c4a8512587e4e9c36f83b00eef7068a387bd748d7bf2c40ce8dc2aa89ac95

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgmt.exe
Filesize
11KB

MD5
767893283ac1bfe94e5a90eb058af81e

SHA1
84e06d1f09172a3e9e880843d4aaad9b3fb1fb9f

SHA256
a09c1d674cbe2b7383b9bf3a17b0ef9ea251e2f4dc8343cf8df78930b624f8f7

SHA512
a9be0214498ffc890d8272de8cf73d3d9b35eeb530dc5e9b34e4da62c3c1027a013c4a8512587e4e9c36f83b00eef7068a387bd748d7bf2c40ce8dc2aa89ac95

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hkmsvc.exe
Filesize
344KB

MD5
9f58ab1ff6fffcd9ebc688400caebb43

SHA1
4d13349bc26eeeda8dd10df5c69afbf5c415776d

SHA256
169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b

SHA512
cce5e3156b8164bbd1ae5f35759f6e3aeb3766a7dcde8b026a0b8ed8140f1ffd777444d2942f856d5d255b7298671c575e6135633eaba37a698b39063f0d242c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hkmsvc.exe
Filesize
344KB

MD5
9f58ab1ff6fffcd9ebc688400caebb43

SHA1
4d13349bc26eeeda8dd10df5c69afbf5c415776d

SHA256
169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b

SHA512
cce5e3156b8164bbd1ae5f35759f6e3aeb3766a7dcde8b026a0b8ed8140f1ffd777444d2942f856d5d255b7298671c575e6135633eaba37a698b39063f0d242c

Download Submit
C:\Windows\SysWOW64\.Identifier
Filesize
68B

MD5
fc2d4b6935ab1e84187659c8e41d2829

SHA1
6120d1801d16262a18f18e6264694b6861515257

SHA256
072eff51acc0eaa91e44725174400e2e29cb71db0d687f300fe5385285cb47a9

SHA512
224e65c8ef1d88a65fe241945a8b801bbb408d2abd810d909469f204576eff6777f225da8be324f2b0936ed5ba564816d0093749ab150c1bc980cafffff63ac0

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgmt.exe
Filesize
11KB

MD5
767893283ac1bfe94e5a90eb058af81e

SHA1
84e06d1f09172a3e9e880843d4aaad9b3fb1fb9f

SHA256
a09c1d674cbe2b7383b9bf3a17b0ef9ea251e2f4dc8343cf8df78930b624f8f7

SHA512
a9be0214498ffc890d8272de8cf73d3d9b35eeb530dc5e9b34e4da62c3c1027a013c4a8512587e4e9c36f83b00eef7068a387bd748d7bf2c40ce8dc2aa89ac95

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\hkmsvc.exe
Filesize
344KB

MD5
9f58ab1ff6fffcd9ebc688400caebb43

SHA1
4d13349bc26eeeda8dd10df5c69afbf5c415776d

SHA256
169fd2b24a57fe74de02ef91c26b1d5e1ef5a55b507ba1c196cce5f957ed243b

SHA512
cce5e3156b8164bbd1ae5f35759f6e3aeb3766a7dcde8b026a0b8ed8140f1ffd777444d2942f856d5d255b7298671c575e6135633eaba37a698b39063f0d242c

Download Submit
memory/568-76-0x00000000748F0000-0x0000000074E9B000-memory.dmp

Filesize
5.7MB

Download
memory/568-83-0x00000000748F0000-0x0000000074E9B000-memory.dmp

Filesize
5.7MB

Download
memory/568-71-0x0000000000000000-mapping.dmp

Download
memory/1156-88-0x00000000748F0000-0x0000000074E9B000-memory.dmp

Filesize
5.7MB

Download
memory/1156-84-0x0000000000000000-mapping.dmp

Download
memory/1156-104-0x00000000748F0000-0x0000000074E9B000-memory.dmp

Filesize
5.7MB

Download
memory/1300-59-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1300-75-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1300-61-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1300-58-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1300-63-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1300-65-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1300-69-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1300-66-0x0000000000402196-mapping.dmp

Download
memory/1324-54-0x0000000075AC1000-0x0000000075AC3000-memory.dmp

Filesize
8KB

Download
memory/1324-57-0x00000000748F0000-0x0000000074E9B000-memory.dmp

Filesize
5.7MB

Download
memory/1324-55-0x00000000748F0000-0x0000000074E9B000-memory.dmp

Filesize
5.7MB

Download
memory/1324-56-0x00000000007ED000-0x0000000000800000-memory.dmp

Filesize
76KB

Download
memory/1528-97-0x0000000000402196-mapping.dmp

Download
memory/1528-102-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1528-105-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1784-87-0x00000000748F0000-0x0000000074E9B000-memory.dmp

Filesize
5.7MB

Download
memory/1784-82-0x00000000005A0000-0x00000000005B3000-memory.dmp

Filesize
76KB

Download
memory/1784-103-0x00000000748F0000-0x0000000074E9B000-memory.dmp

Filesize
5.7MB

Download
memory/1784-79-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads